What is the primary objective of ISO/IEC 42001:2023?

The primary objective of ISO/IEC 42001:2023 is to establish requirements for an Artificial Intelligence Management System (AIMS) to manage AI risks and opportunities responsibly across the full AI lifecycle. Published in December 2023 by ISO/IEC JTC 1/SC 42, it employs the Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) via Clauses 4-10, addressing AI-specific issues like bias, transparency, and model drift through Annex A controls (38 in 10 themes).

Who is legally or professionally required to comply with ISO/IEC 42001:2023?

ISO/IEC 42001:2023 applies universally to any organization developing, providing, or using AI-based products/services, regardless of size, type, or complexity. It covers all roles—AI developers, providers, producers, users—with role-based scoping (e.g., Clause 4.3 defines boundaries, excluding non-applicable activities if justified). No legal mandates exist, but professional drivers include EU AI Act alignment for high-risk systems and procurement requirements like Microsoft's SSPA.

Does ISO/IEC 42001:2023 require an external audit or third-party certification?

ISO/IEC 42001:2023 does not require external audits or third-party certification, but certification via accredited bodies demonstrates conformance. Organizations pursue voluntary audits (e.g., two-stage process by BSI or Schellman) for credibility, with 3-year validity and annual surveillance; early adopters like Microsoft Copilot and UiPath achieved it in 5-11 months.

How often should an assessment for ISO/IEC 42001:2023 be performed?

Assessments for ISO/IEC 42001:2023 must be performed continually via PDCA, with monitoring per Clause 9, internal audits, and management reviews at planned intervals. Clause 10 requires addressing nonconformities and improvements; best practices include annual AI Impact Assessments (AIIAs) for high-risk systems, model-drift KPIs (e.g., F1-score delta ≤0.03), and 12 months of metrics for audits.

What are the consequences of non-compliance with ISO/IEC 42001:2023?

Non-compliance with ISO/IEC 42001:2023 results in loss of certification (if pursued), reputational damage, procurement exclusion, and heightened regulatory risks. No direct penalties exist as it is voluntary, but gaps expose organizations to AI risks like bias incidents, EU AI Act fines for high-risk systems, insurance premium hikes (up to 15%), and failed tenders (e.g., Microsoft's SSPA rejects non-equivalent evidence).

Can ISO/IEC 42001:2023 be mapped to other international frameworks?

Yes, ISO/IEC 42001:2023 maps seamlessly to other frameworks due to its Annex SL High-Level Structure (HLS). Clause 4-10 align with ISO 9001 and ISO/IEC 27001 (64% evidence overlap for certified orgs), NIST AI RMF (e.g., risk via Clause 6), and ISO 31000; tools like Pivot-Data crosswalks enable "One-MMS" integration, cutting implementation from 12 to 4.5 months.

What is the first step to begin implementing ISO/IEC 42001:2023?

The first step to implement ISO/IEC 42001:2023 is determining the context of the organization and AIMS scope per Clause 4. Conduct a cross-functional gap analysis of internal/external issues (Clause 4.1), interested parties (4.2), and boundaries (4.3, e.g., role as provider/user), justifying exclusions; prioritize leadership commitment (Clause 5) for policy development.

What is the primary objective of AS9110C?

AS9110C's primary objective is to enable aviation maintenance organizations to consistently provide products and services meeting customer and applicable statutory/regulatory requirements while enhancing customer satisfaction through effective QMS application and continual improvement. It incorporates ISO 9001:2015's Annex SL structure (Clauses 4–10) with aviation-specific additions like configuration management, product safety, counterfeit parts prevention, traceability, preservation, and human factors controls, ensuring continuing airworthiness in MRO environments.

Who is legally or professionally required to comply with AS9110C?

AS9110C applies to aviation maintenance organizations, including repair stations, MRO providers, and OEMs with autonomous MRO operations, regardless of size. It targets those providing maintenance, repair, overhaul, or continuing airworthiness services for civil/military aircraft, where certification supports IAQG OASIS listing, customer contracts, and regulatory alignment (e.g., FAA/EASA approvals), though not a direct legal mandate.

Does AS9110C require an external audit or third-party certification?

Yes, AS9110C requires third-party certification through accredited bodies, with initial Stage 1/2 audits followed by surveillance. The QMS must be fully operational for at least three months, including a full internal audit cycle and management review, before certification; ongoing audits verify Clauses 4–10 conformance, including operational controls like traceability and risk management.

How often should an assessment for AS9110C be performed?

AS9110C requires internal audits at planned intervals based on process risk, status, and results, with management reviews at least annually. Critical processes (e.g., configuration management, counterfeit prevention) demand higher frequency; full recertification occurs every three years, plus annual surveillance audits post-certification.

What are the consequences of non-compliance with AS9110C?

Non-compliance with AS9110C risks loss of certification, exclusion from IAQG OASIS, contract ineligibility, and regulatory sanctions like repair station certificate suspension. It exposes organizations to safety incidents, rework costs, litigation from airworthiness failures, and market barriers from OEM/airline requirements.

Can AS9110C be mapped to other international frameworks?

Yes, AS9110C aligns directly with ISO 9001:2015 via shared Annex SL structure and terminology (e.g., documented information, external providers). IAQG correlation matrices facilitate mapping, enabling integrated QMS without exclusions where requirements apply within scope.

What is the first step to begin implementing AS9110C?

The first step is to define QMS scope, determine internal/external issues (Clause 4), and conduct a gap analysis against Clauses 4–10. Justify any non-applicable requirements, map regulatory approvals (e.g., licenses, ratings), and prioritize high-risk areas like operational planning (Clause 8) using audit checklists.

Standards Comparison

ISO/IEC 42001:2023 vs AS9110C

ISO/IEC 42001:2023

Voluntary

2023

International standard for artificial intelligence management systems

AS9110C

Mandatory

2016

International standard for aviation maintenance quality management.

Quick Verdict

ISO/IEC 42001:2023 provides AI governance frameworks for all organizations worldwide, while AS9110C delivers quality management for aerospace MROs. Companies adopt 42001 for ethical AI compliance and trust; AS9110C for regulatory alignment, safety, and market access.

AI Management

ISO/IEC 42001:2023

ISO/IEC 42001:2023 Artificial Intelligence Management Systems

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandates AI Impact Assessments for high-risk systems
Provides 38 AI-specific controls in Annex A
Employs PDCA cycle for continual AI improvement
Uses High-Level Structure for ISO integration
Manages risks across full AI lifecycle stages

Quality Management

AS9110C

AS9110C: Quality Management Systems for Aviation Maintenance

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based thinking in strategic and operational planning
Configuration management and product traceability controls
Counterfeit and suspect parts prevention processes
Human factors integration in root cause analysis
Dedicated safety policy and leadership accountability

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO/IEC 42001:2023 Details

What It Is

ISO/IEC 42001:2023 Artificial Intelligence Management Systems is the world's first international certification standard for establishing, implementing, and improving an Artificial Intelligence Management System (AIMS). It provides a risk-based framework using Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) to govern AI responsibly across its lifecycle, applicable to any organization involved in AI development, provision, or use.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, and improvement.
Annex A lists 38 AI-specific controls for risks like bias, transparency, and resiliency.
Built on PDCA and HLS for integration with ISO 9001/27001.
Optional third-party certification via accredited audits.

Why Organizations Use It

Drives ethical AI, regulatory alignment (e.g., EU AI Act), risk mitigation, and innovation. Enhances trust, reputation, procurement advantages, and insurance savings.

Implementation Overview

Phased gap analysis, policy development, AIIAs, training, and audits. Suited for all sizes/sectors; 6-12 months typical, faster with existing ISO systems.

AS9110C Details

What It Is

AS9110C (AS9110:2016 Rev C) is an international quality management system (QMS) certification standard for aviation maintenance organizations, such as repair stations and MRO providers. It builds on ISO 9001:2015 with aerospace-specific requirements for continuing airworthiness, using a risk-based thinking approach via PDCA and Annex SL structure.

Key Components

Core clauses 4–10 covering context, leadership, planning, support, operation, evaluation, improvement.
Aviation additions: configuration management, counterfeit parts prevention, human factors, traceability, preservation.
No fixed control count; focuses on documented information and process effectiveness.
Certification via IAQG-accredited bodies with audits.

Why Organizations Use It

Meets customer/OEM contracts and regulatory alignment (FAA/EASA).
Mitigates safety risks, ensures traceability for airworthiness.
Enhances market access via OASIS listing, improves on-time delivery.
Builds stakeholder trust through proven QMS maturity.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months typical).
Applies to MROs globally, any size.
Requires internal audits, management review before Stage 1/2 certification.

Key Differences

Aspect	ISO/IEC 42001:2023	AS9110C
Scope	AI Management Systems across full AI lifecycle	Aerospace maintenance, repair, overhaul processes
Industry	All sectors, universal AI applicability worldwide	Aerospace MRO organizations globally
Nature	Voluntary international certification standard	Voluntary aerospace quality management certification
Testing	Third-party audits, AIIAs, performance metrics	Internal audits, management reviews, surveillance audits
Penalties	Loss of certification, reputational damage	Loss of certification, regulatory/contract exclusion

Scope

ISO/IEC 42001:2023

AI Management Systems across full AI lifecycle

AS9110C

Aerospace maintenance, repair, overhaul processes

Industry

ISO/IEC 42001:2023

All sectors, universal AI applicability worldwide

AS9110C

Aerospace MRO organizations globally

Nature

ISO/IEC 42001:2023

Voluntary international certification standard

AS9110C

Voluntary aerospace quality management certification

Testing

ISO/IEC 42001:2023

Third-party audits, AIIAs, performance metrics

AS9110C

Internal audits, management reviews, surveillance audits

Penalties

ISO/IEC 42001:2023

Loss of certification, reputational damage

AS9110C

Loss of certification, regulatory/contract exclusion

Frequently Asked Questions

Common questions about ISO/IEC 42001:2023 and AS9110C

ISO/IEC 42001:2023 FAQ

AS9110C FAQ

You Might also be Interested in These Articles...

Proving CIS Controls v8.1 Works: A KPI & Evidence Framework for Board Reporting, Audits, and Continuous Assurance

Prove CIS Controls v8.1 effectiveness with KPI catalog, evidence checklist & reporting cadence. Ideal for board reports, audits & cyber-insurance. Measure outco

TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Practical TISAX tabletop scripts for EV battery suppliers facing 'Very High' ASLP. Download ransomware AAR templates, get 2024 ENX lessons & 2025 podcast on VDA

NIST CSF 2.0 Govern Function Deep Dive: Building Executive Cybersecurity Governance from Scratch

Step-by-step blueprint for NIST CSF 2.0 Govern function: templates, RACI matrices, metrics to elevate cybersecurity governance to boardroom level. Reduce breach

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO/IEC 42001:2023 and AS9110C compare against other standards

Other ISO/IEC 42001:2023 Comparisons

Other AS9110C Comparisons

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, and improvement.

Annex A lists 38 AI-specific controls for risks like bias, transparency, and resiliency.

Built on PDCA and HLS for integration with ISO 9001/27001.

Optional third-party certification via accredited audits.

What It Is

Key Components

Core clauses 4–10 covering context, leadership, planning, support, operation, evaluation, improvement.

Aviation additions: configuration management, counterfeit parts prevention, human factors, traceability, preservation.

No fixed control count; focuses on documented information and process effectiveness.

Certification via IAQG-accredited bodies with audits.

Aspect

ISO/IEC 42001:2023

AS9110C

Scope

AI Management Systems across full AI lifecycle

Aerospace maintenance, repair, overhaul processes

Industry

All sectors, universal AI applicability worldwide

Aerospace MRO organizations globally

Nature

Voluntary international certification standard

Voluntary aerospace quality management certification

Testing

Third-party audits, AIIAs, performance metrics

Internal audits, management reviews, surveillance audits

Penalties

Loss of certification, reputational damage

Loss of certification, regulatory/contract exclusion