ISO/IEC 42001 — Where Do I Even Start? What Comes First?
July 12, 2026

QueryPie recently achieved ISO/IEC 42001 certification through LRQA, a UKAS-accredited certification body. As the person responsible for it, I still vividly remember how lost I felt during that process. So, hoping to help those who are just about to take their first step, I'd like to share what you should check first.
1. Start by Understanding the Standard's 'Perspective'
ISO/IEC 42001 is not a certification that evaluates the performance of an AI model, the excellence of a specific security feature, or an organization's proficiency in using AI.
In practical terms, ISO/IEC 42001 is an AI management system standard that requires an organization to define why and where it develops, provides, or uses AI; identify relevant interested parties and their needs and expectations; and establish processes to assess, address, and continually improve AI-related risks and impacts.
Many practitioners, trusting their experience with prior certifications such as ISO 27001, skip the standard document and start on a "gut feeling" of "it's probably the same thing." They begin by building documents and controls the familiar way. (Guilty as charged.)
However, if you approach ISO/IEC 42001 that way, you may have to return all the way back to the starting point much later. While the skeleton of the management system (MS) does look similar to 27001, it is 42001's specialized requirements that determine whether your preparation succeeds or fails.
- AI system impact assessment — considering potential impacts on individuals, groups, and society, in addition to risks to the organization
- Management and controls across the AI system life cycle
- Establishment of an AI policy and measurable AI objectives that reflect responsible-AI principles
These requirements cannot be fully understood or implemented through prior certification experience alone. Your first step should be reading the standard itself — and identifying which requirements are unique to 42001.
2. Clearly Define the Scope of Application
As is always the case with any certification, defining the scope is the most important starting point.
Whether you target the organization's entire use of AI, limit it to a specific AI product or service, or even include employees' internal use of AI for their work — the direction of your preparation will vary greatly depending on this.
If the scope is unclear, the rest of the management system will also become inconsistent.
- Which AI systems must be managed
- Which risks and impacts must be assessed
- Who must hold responsibility
- Which legal and contractual requirements must be applied
- What must be monitored and measured
And there's no need to be overly ambitious from the start.
If you expand the scope excessively before your management capabilities and accountability structure are sufficiently in place, the identification of AI systems, risk assessment, and operation of controls may result in a management system that exists only on paper.
At first, I recommend starting in an area where the purpose and responsibility are clear and that you can actually manage — such as the organization's core AI products or services.
What matters is not including every possible scope from the outset, but setting a scope you can genuinely take responsibility for and manage consistently, based on the organization's business purpose and the way it uses AI.
3. Identify Your Stakeholders
Identifying stakeholders is a familiar task you've likely done in other security certifications. In ISO/IEC 42001, however, the scope may extend beyond the organization and its customers to individuals, groups, and broader society that could be affected by the AI system.
An AI system is not a concern for the development and security teams alone.
A wide range of stakeholders are affected by the AI system: product, security, privacy, legal, compliance, operations, and sales, as well as customers, users, external suppliers and partners, investors, and society at large.
Each stakeholder has different requirements and concerns.
The development team may prioritize performance and speed to market; the security team, access control and data protection; the legal and compliance teams, regulatory and contractual adherence; and customers may demand transparency, reliability, and responsible AI operation.
Only by identifying these requirements and concerns at the early stage can subsequent policies, roles and accountability, risk assessments, and controls be designed consistently.
So far, we've looked at three things a company taking its first step toward ISO/IEC 42001 should check first.
The last point I want to emphasize is that you don't have to build a perfect AI management system from the very beginning.
The practical adoption of ISO/IEC 42001 is still at an early stage, and the ways organizations apply it to real-world operations and AI services continue to evolve. Not many organizations start out already holding all the answers. Most companies are at the stage of building — one step at a time — a management system that fits their own business environment and way of using AI.
Therefore, rather than trying to manage every AI system and area of use perfectly from the start, it is important to begin within a clear scope and continually improve the management system based on the problems and experiences discovered during actual operation.
QueryPie began preparing for ISO/IEC 42001 relatively early and encountered many questions, challenges, and lessons along the way. Through that experience, we are building, piece by piece, an AI management system suited to our organization.
If your organization is considering ISO/IEC 42001 certification or facing similar challenges, please feel free to reach out to QueryPie. We would be glad to share the practical lessons and insights we gained through our own certification journey.
So, where should the actual implementation work begin? In the next post, I'll share what I believe should be the practical starting point for ISO/IEC 42001 preparation.
#QueryPie #ISOIEC42001 #AIManagementSystem #AIGovernance
