AI Management System · ISO/IEC 42001

ISO 42001 software, built by an auditor

Govern your AI to the world's first certifiable AI management system standard. PICMS ships all 38 ISO 42001 Annex A controls with an AI-narrated Statement of Applicability, automatic evidence-to-clause mapping and gap analysis — and runs ISO 42001 alongside ISO 9001 and 27001 as one integrated system.

Start Free Trial Book a Demo

The world's first certifiable AI management system standard

ISO/IEC 42001:2023 does for artificial intelligence what ISO 27001 did for information security — a structured, auditable management system for governing the risks of AI.

ISO/IEC 42001:2023 is the Artificial Intelligence Management System (AIMS) standard — the first management-system standard an organisation can be certified against for how it develops, provides or uses AI. Like every modern ISO management-system standard, it is built on the Annex SL high-level structure: clauses 4 to 10 cover context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. If you already run ISO 9001 or ISO 27001, that backbone will be familiar.

What makes ISO 42001 specific to AI is Annex A — a reference set of 38 controls grouped around responsible-AI governance: an AI policy and roles, AI impact assessment, the AI system life cycle, data management and quality, transparency and information for users, and human oversight of automated decisions. As with ISO 27001, you produce a Statement of Applicability declaring which of the 38 controls apply to your organisation and how each one is implemented.

UK SMEs adopting AI need a credible governance answer

AI has moved from experiment to embedded — in customer service, in product features, in the back office. The moment a small business puts AI in front of customers or uses it to make decisions, the questions follow: How is that AI governed? What happens when it gets something wrong? Who is accountable? What data trained it, and is it accurate and fair? Those questions now arrive in procurement questionnaires, supplier-assurance reviews and insurer due-diligence, not just from regulators.

ISO 42001 gives a UK SME a recognised, defensible answer. Working to the standard means you have:

  • A documented AI policy and clear roles and responsibilities for AI in the business.
  • AI impact and risk assessment — a structured look at what could go wrong, for whom, and how it is mitigated.
  • Data and transparency controls — how training and operational data is managed, and what users are told about the AI they interact with.
  • Human oversight of automated or AI-assisted decisions, so a person remains accountable.

It also sits naturally beside the standards you may already hold. ISO 42001 dovetails with ISO 27001 information security and with UK GDPR obligations — the same governance discipline, extended to the specific risks of AI.

From blank page to audit-ready Statement of Applicability

PICMS turns the hardest part of ISO 42001 — documenting 38 controls from scratch — into a review exercise, then keeps the evidence behind them live.

AI-narrated SoA, all 38 controls

Every ISO 42001 Annex A control is pre-loaded. Set applicability and status, and PICMS drafts a narrated justification for each — you review and edit rather than starting from a blank page. Download the finished Statement of Applicability as an auditor-ready document.

AI evidence-to-clause mapping

Upload an AI policy, impact assessment or model card and PICMS identifies it and links it automatically to the right ISO 42001 control and clause — the SoA points straight through to the records behind it.

Gap analysis

See exactly which of the 38 controls you have evidence for, which are partial, and which still need work — before the certification body does. Create corrective actions directly from any gap.

One integrated system

Because ISO 42001 shares Annex SL clauses 4–10 with ISO 9001 and 27001, PICMS runs them together — one context analysis, one risk process, one internal audit, one management review for everything in scope.

AI audit logs

PICMS records AI resource usage — input and output tokens, bias-check status and result — giving you a running evidence trail for the AI-governance controls that ask you to monitor your own systems.

Certification readiness

Per-control readiness scoring and a mandatory-document checklist so you know your audit risk for ISO 42001 well before the visit — empty controls score zero, not a false pass.

ISO 42001 software FAQs

What is ISO 42001?

ISO/IEC 42001:2023 is the world's first certifiable management-system standard for artificial intelligence — the AI Management System (AIMS) standard. It follows the same Annex SL high-level structure as ISO 9001 and ISO 27001 (clauses 4 to 10) and adds Annex A, a reference set of 38 controls covering AI governance topics such as AI policy, roles and responsibilities, impact assessment, data management, transparency and human oversight. An organisation produces a Statement of Applicability declaring which of the 38 controls apply and how each is implemented.

Why do UK SMEs adopting AI need ISO 42001?

As UK SMEs embed AI into products, customer service and operations, customers, insurers and procurement teams increasingly ask how that AI is governed. ISO 42001 gives a recognised framework for demonstrating responsible-AI governance: documented AI policy, AI impact and risk assessment, data-quality controls, transparency to users, and human oversight of automated decisions. For a small business, it is a credible answer to the question "how do you manage the risks of your AI?" — and it sits naturally alongside ISO 27001 information security and UK GDPR obligations.

How does PICMS handle the ISO 42001 Annex A Statement of Applicability?

PICMS ships all 38 ISO 42001 Annex A controls pre-loaded. For each control you set applicability and implementation status, and PICMS's AI drafts a narrated justification you can review and edit — turning a blank-page exercise into a review exercise. The completed Statement of Applicability is downloadable as an auditor-ready document. Evidence you upload is mapped automatically to the relevant control, so the SoA links straight through to the records behind it.

Can PICMS run ISO 42001 alongside ISO 9001 and ISO 27001?

Yes. Because ISO 42001, ISO 9001 and ISO 27001 share the Annex SL clauses 4 to 10, PICMS runs them as one integrated management system rather than three separate ones — a single context analysis, one risk process, one internal audit programme and one management review covering every standard in scope. The Professional tier (£449/month) includes three standards; the Certification tier (£699/month) includes five. AI evidence mapping and gap analysis work across all of them at once.

Does PICMS make my organisation ISO 42001 certified?

No. ISO certification is issued only by accredited certification bodies following an independent audit. PICMS does not issue certificates and does not replace third-party audits or legal advice. What it does is help you demonstrate alignment with ISO 42001 and keep your AI-governance evidence audit-ready — so that when the certification audit happens, the Statement of Applicability, impact assessments and AI audit logs the auditor needs are already in one place, current and traceable.

What PICMS does not do

  • PICMS does not issue ISO 42001 certificates. Only accredited certification bodies do that, after an independent audit. PICMS gets you ready and keeps you ready.
  • PICMS does not govern your AI for you. It records and structures your AI-governance work — your team still has to decide your AI policy, run the impact assessments, and keep a human accountable for automated decisions.
  • PICMS is not legal advice. It does not substitute for qualified guidance on your obligations under UK GDPR, the EU AI Act or any sector regulation.

What PICMS does is give you, your team and your auditor a single source of truth for ISO 42001 — so the certification visit verifies a system that is already in good order.

Related reading

Govern your AI to ISO 42001 — without the blank page.

14 days free, full feature access, no credit card surprise. All 38 Annex A controls pre-loaded, AI-narrated, and integrated with the rest of your ISO management system.

Start Free Trial Book a Demo View Pricing