The ISO 42001 Family: How the AI Standards Fit Together
ISO/IEC 42001 doesn't stand alone. How 42005, 42006, 23894, 22989 and 38507 work together, and which standard answers which question.
In short
ISO/IEC 42001 is the only certifiable standard in the AI standards family and defines what an AI management system needs. Companion standards go deeper on individual aspects: ISO/IEC 42005 on impact assessment, ISO/IEC 23894 on AI risk management, ISO/IEC 22989 on terminology and ISO/IEC 38507 on governance. ISO 19011 and ISO/IEC 17021-1 govern how auditing and certification are done.
ISO/IEC 42001 is the certification standard for AI management systems, but it doesn't stand alone. Around it sits a family of companion standards, each going deeper on a specific aspect. Once you have the overview, you know where to look something up instead of getting lost.
The central standard: the "what"
ISO/IEC 42001 defines the requirements for the management system, in other words what has to be in place: policy, roles, risk assessment, controls, improvement. It is the only standard in the family you can actually get certified against.
The companion standards: the "how" and "how deep"
- ISO/IEC 42005, AI System Impact Assessment: how to evaluate the consequences for affected people and for society.
- ISO/IEC 23894, AI risk management: deepens the risk work and ties into the generic risk standard ISO 31000.
- ISO/IEC 22989, Terminology and concepts: the shared vocabulary that ISO/IEC 42001 refers to.
- ISO/IEC 23053, Framework for AI/ML systems: the technical vocabulary for the architecture.
- ISO/IEC 38507, Governance implications of AI: the perspective of top management.
- ISO/IEC 42006, Requirements for bodies certifying AIMS: relevant for accreditation, not for the organization being audited.
And the standards for the auditor?
Two further standards are less about content and more about method. ISO 19011 provides the audit methodology for management systems, while ISO/IEC 17021-1 sets the requirements for certification bodies. They don't define what makes a good AI system; they define how cleanly an organization is audited and certified.
Rule of thumb: ISO/IEC 42001 says WHAT an AI management system needs. The companion standards say HOW to do the individual parts well. ISO 19011 and ISO/IEC 17021-1 say how the whole thing is audited.
What this means in practice
For an audit or an implementation you don't need the entire library. ISO/IEC 42001 is the anchor; you reach for ISO/IEC 23894 and ISO/IEC 42005 when risk and impact assessment need real depth; ISO/IEC 38507 helps the leadership level. What matters is knowing the right standard for the right question, and that is precisely part of an auditor's competence.
Frequently asked questions
Do I need to know every standard in the ISO 42001 family?
No. ISO/IEC 42001 is the foundation. You bring in the companion standards selectively when you need to go deeper on a specific topic, such as risk or impact assessment.
Which standard am I certified against?
Exclusively ISO/IEC 42001. The other standards in the family are guidance documents and not a basis for certification.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.