If your company uses, develops or integrates artificial intelligence systems, you have probably already heard of ISO 42001:2023. Published in December 2023 by the International Organization for Standardization (ISO), it is the first international standard that sets out the requirements for an AI management system (AIMS). Its arrival coincides with the gradual entry into force of the European AI Act (EU Regulation 2024/1689) and with growing pressure from clients, public procurement bodies and insurers demanding proof of responsible AI use. The question we get every week at Summum Calidad is always the same: «Can an SME get ISO 42001 certified, or is this only for large corporations?». The answer is yes, and in this article we explain exactly how to do it.
What is ISO 42001 and why does it matter in 2026
ISO/IEC 42001:2023 («Information technology — Artificial intelligence — Management system») defines the requirements that an AI management system must meet in order to develop, provide or use AI products and services responsibly. Its structure follows the ISO Annex SL (the same high-level structure as ISO 9001, ISO 27001 or ISO 14001), which makes integration with existing management systems significantly easier.
In 2026, the standard gains relevance for three concrete reasons:
- European AI Act: in force since August 2024, the most demanding obligations for high-risk AI systems (Annex III) have an original application date of 2 August 2026, although the provisional «Digital Omnibus» agreement (May 2026) proposes extending them to December 2027, pending formal adoption. Certification against ISO 42001 does not equal compliance with the AI Act, but it demonstrates to auditors and authorities that the organisation has formal controls over its AI systems.
- Client and procurement requirements: Spanish public authorities already include AI governance clauses in public tender specifications. Holding the certificate is a real differentiator in bids.
- Reputational risk reduction: incidents related to bias or erroneous automated decisions cause brand damage whose cost far exceeds the investment in certification.
Structure of the standard: what it actually requires
ISO 42001 has 10 main clauses aligned with Annex SL. Clauses 1 to 3 are introductory; clauses 4 to 10 are normative (mandatory for certification):
| Clause | Name | What it requires in practice |
|---|---|---|
| 4 | Context of the organisation | Identify interested parties and the scope of the AIMS; determine whether the organisation is a developer, provider or user of AI. |
| 5 | Leadership | AI policy approved by top management; defined roles and responsibilities (can be a committee or a designated AI officer). |
| 6 | Planning | Assessment of AI-specific risks and impacts; measurable AIMS objectives and plans to achieve them. |
| 7 | Support | Resources, competences, awareness, communication and system documentation. |
| 8 | Operation | Operational controls over the AI lifecycle: design, data, training, deployment, monitoring and retirement. |
| 9 | Performance evaluation | Internal AIMS audit; management review with performance metrics. |
| 10 | Improvement | Management of non-conformities, corrective actions and continual improvement of the system. |
The standard also includes Annex A with 38 reference controls grouped into 9 domains (AI policy, internal organisation, resources, impact assessment, AI system lifecycle, data, information for interested parties, responsible use and third-party relationships). Not all controls are mandatory for every organisation; the AIMS must justify which ones apply and which are excluded through a Statement of Applicability, just as in ISO 27001.
ISO 42001 vs the AI Act: two frameworks that complement each other
A common mistake is to think they are interchangeable. They are not. The AI Act (EU Regulation 2024/1689) is binding legislation with a risk-based classification of systems (unacceptable, high, limited, minimal) and specific legal obligations. ISO 42001 is a voluntary management standard that any organisation can adopt regardless of whether its systems fall within the scope of the AI Act.
The practical relationship between the two frameworks is as follows: complying with ISO 42001 does not exempt an organisation from the obligations of the AI Act, but a certified AIMS provides documented evidence that the organisation has AI governance processes in place, which facilitates regulatory compliance auditing. The European Commission has indicated that harmonised standards under the AI Act (still under development by CEN/CENELEC) will incorporate elements of ISO 42001.
For actual AI Act legal compliance management — system classification, registration in the EUDB, mandatory technical documentation — Summum Consultoría's dedicated AI Act adaptation service covers that ground.
Steps to certify ISO 42001 in an SME: the real process
At Summum Calidad we guide organisations of 15 to 250 employees through a structured process that, starting from scratch, typically takes between 4 and 8 months depending on the starting point and the complexity of AI use within the company. Certification is issued by a certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, Applus+ and others); our role is to prepare the organisation until it is ready for that external audit.
Phase 1 — Initial assessment (weeks 1–3)
The first step is a gap analysis between the organisation's current state and the standard's requirements. We identify which AI systems are in use or under development, who manages them, what documentation exists and which Annex A controls are already in place de facto even if not formalised. In many SMEs that already hold ISO 9001 or ISO 27001, the overlap is 30–40 %, which considerably reduces the effort required.
Phase 2 — AIMS design (weeks 4–10)
With the assessment in hand, we design the management system: AI policy, scope, AI systems inventory, risk and impact map, Statement of Applicability and risk treatment plan. This phase involves the most intensive collaboration with the management team: top management must approve the policy and be convinced that the AIMS is not bureaucracy but a real control tool.
Phase 3 — Implementation and training (weeks 11–22)
We implement the operational controls, train the team responsible for the AIMS and establish monitoring and review mechanisms. An SME does not need a full AI department: a designated AI officer (who can be the same CTO or systems manager) together with clear procedures is sufficient to meet the requirements of clauses 5 and 7.
Phase 4 — Internal audit and management review
Before the certification audit, we carry out a complete internal audit of the AIMS and a formal management review. The result is a report identifying minor non-conformities or areas for improvement that are corrected before the external audit, maximising the chances of achieving certification at the first attempt.
Certification audit (accredited body)
The external audit is conducted by the certification body in two stages: document review (Stage I) and on-site audit (Stage II). If there are no major non-conformities, the organisation receives the ISO 42001 certificate, valid for 3 years with annual surveillance audits.
To learn more about our methodology, visit the ISO 42001 implementation and certification service at Summum Calidad.
Indicative costs: factors that determine the budget
The total cost of an ISO 42001 certification project in an SME has three main components: implementation consultancy, the certification audit by the accredited body and the internal personnel time costs.
| Component | Indicative market range | Variables that affect it |
|---|---|---|
| Implementation consultancy | €8,000 – €25,000 | Size of the organisation, number of AI systems in scope, existence of other already certified ISO systems. |
| Certification audit (accredited body) | €3,000 – €8,000 | Chosen body (AENOR, BV, SGS…), required audit days, number of sites in scope. |
| Surveillance audits (years 2 and 3) | €1,500 – €3,500 / year | Certification body, complexity of AIMS maintenance. |
These ranges are indicative market data based on similar projects published by sector bodies and on our experience accompanying ~200 ISO certifications since 2007. Summum does not publish fees: each project receives a personalised quote after the initial assessment. SMEs that already have ISO 9001 or ISO 27001 in place tend to be at the lower end of the consultancy range, as they can leverage shared documentation and controls.
Which sectors are certifying first
In mid-2026, the sectors with the highest ISO 42001 certification activity in Spain are:
- Financial and insurance sector: regulatory pressure from DORA and EBA guidelines on AI models is driving adoption.
- Healthcare and medical devices: companies with products under MDR 2017/745 that incorporate AI see ISO 42001 as a way to structure the governance required by the AI Act for high-risk systems.
- Industry and manufacturing: manufacturers using computer vision, predictive maintenance or automated quality control, particularly in supply chains that require supplier certification.
- Software and technology: companies that develop or commercialise products with AI components and want to differentiate themselves to B2B clients.
- Public administration and its suppliers: public bodies using AI in decision-making processes and technology providers seeking access to public tenders.
Integration with other ISO management systems
One of the most practical advantages of ISO 42001 is its alignment with Annex SL. If your organisation already holds ISO 9001 (quality), ISO 27001 (information security) or ISO 14001 (environment), the incremental effort to certify ISO 42001 is significantly lower. Clauses 4, 5, 6, 7, 9 and 10 are almost identical in structure; what is specific to ISO 42001 is in clause 8 (operation covering the AI lifecycle) and Annex A (AI controls).
This integration allows a single management manual, an integrated policy, a single internal audit programme and a single management review to be maintained, reducing the overall administrative burden of the integrated system.
Frequently asked questions
Is ISO 42001 mandatory or voluntary?
ISO 42001 is a voluntary standard: no Spanish or European law requires certification. However, the European AI Act (EU Regulation 2024/1689) does impose direct legal obligations on operators of high-risk AI systems, and having an AIMS conforming to ISO 42001 makes it easier to demonstrate compliance to the competent authority. Additionally, clients, public procurement bodies and insurers may require it contractually as a condition of access.
How long does it take to certify ISO 42001 from scratch?
The typical timeline for an SME starting from scratch, with no other ISO management system in place, is 6 to 9 months. If ISO 27001 or ISO 9001 already exists, the timeline shortens to 4–6 months, as documentation, controls and audit culture already in place can be leveraged. The most common bottleneck is not technical but organisational: getting top management to dedicate time to approving the AI policy and the AIMS responsibilities.
Does every company that uses AI need to certify ISO 42001?
No. The standard is useful when the organisation develops, deploys or manages AI systems in processes that involve real risk (decisions affecting people, critical processes, systems with continuous machine learning) or when there is a commercial or regulatory expectation to demonstrate governance. An SME that uses ChatGPT or Copilot to draft emails probably does not need a certified AIMS. A company that uses AI to assess credit applications, screen candidates or control quality on a production line does have solid grounds for certification.
Does Summum Calidad issue the ISO 42001 certificate?
No. Summum Calidad is a consultancy, not a certification body. We guide the organisation through the entire design, implementation and audit preparation process, but the certificate is issued by an ENAC-accredited body (such as AENOR, Bureau Veritas, SGS, Applus+ or others). This separation is fundamental: the certificate has value precisely because it is granted by an independent, accredited entity — not by whoever implemented the system.