ISO 42001 for SMEs: Step-by-Step Implementation

·

ISO/IEC 42001:2023 sets out requirements for establishing, maintaining and improving an artificial intelligence management system. It serves organizations that develop AI as much as those that provide or use it. An SME doesn't need to reproduce a multinational's bureaucracy: it needs a clear scope, a reliable inventory, risk-based decisions, accountable owners and proportionate evidence.

What an AI management system is

An AIMS — Artificial Intelligence Management System — connects policy, objectives, processes, people, data, technology, suppliers, evaluation and improvement within an AI management system aligned with ISO/IEC 42001. It doesn't certify that every output is correct, nor does it replace the law: it demonstrates that the organization governs AI through an auditable system.

ISO/IEC 42001 follows the same high-level structure as other management-system standards, which makes it easier to integrate with ISO 9001, ISO/IEC 27001 or ISO 14001.

Who it makes sense for

It can add value when the SME:

Certification shouldn't be pursued for marketing alone. There must first be a business case and the capacity to maintain the system.

Step 1. Define the scope

The scope identifies entities, locations, products, processes and roles. "All of the company's AI" can be unmanageable; "development and operation of the client-facing documentation assistant in Spain" is verifiable.

Critical dependencies shouldn't be excluded: data, platform, suppliers, security or support. Interfaces with areas outside the scope are documented.

Key questions to narrow the scope:

  1. Do we develop, provide or use AI?
  2. Which systems create the greatest impact?
  3. Which clients and individuals are affected?
  4. What contractual and legal obligations exist?
  5. Which team can sustain the system?

Step 2. Context and interested parties

Internal and external issues are analysed: strategy, regulation, maturity, dependence on suppliers, competencies, data availability, cybersecurity and social expectations.

Interested parties can include clients, users, staff, affected individuals, regulators, suppliers, shareholders and society. Relevant requirements are recorded, along with how they are reviewed.

Not every expectation becomes an obligation, but the selection must be justified.

Step 3. Inventory of AI systems

The inventory is the backbone. Each record contains:

"Shadow AI" is also recorded: personal accounts, embedded features and unapproved automations.

Step 4. Policy and governance

The policy must be specific: principles, prohibited uses, approval criteria, responsibilities and a commitment to improvement. Declaring "ethical AI" isn't enough.

An indicative RACI structure:

Decision Approves Executes Advises
Onboard a system Management/committee Owner Legal, security and privacy
Accept a risk Defined level Owner AIMS team
Change a model Authorised owner Technical team Risk and security
Manage an incident Designated lead Operations DPO/legal/communications
Retire a system Management/owner Operations Affected parties

An SME can use a small committee, but must avoid decisions with no clear owner.

Step 5. Risks and opportunities

The method covers harms and opportunities for the organization, individuals and society. It should consider:

Each risk has a cause, event, impact, likelihood, control, owner and residual risk. Acceptance thresholds are approved before assessment begins.

Step 6. Impact assessment

The impact assessment analyses the system's effects and foreseeable uses on individuals, groups and society. It's coordinated with a GDPR DPIA, an AI Act FRIA, security or sustainability assessments to avoid duplication.

It should include indirectly affected individuals, reasonably foreseeable unintended uses, failures, benefits, the distribution of impacts and complaint channels.

ISO/IEC 42005 provides specific guidance and can be integrated into the AIMS.

Step 7. Lifecycle

The system must control:

  1. conception and requirements;
  2. acquisition or design;
  3. data and development;
  4. validation;
  5. deployment;
  6. monitoring;
  7. changes;
  8. retirement.

Each gate has criteria. For example, a system doesn't move to production without testing, an owner, documentation, oversight, an incident process and a rollback plan.

Data and quality

Data governance covers provenance, lawfulness, quality, representativeness, labelling, access, retention and limitations. For RAG systems this includes documents and indexes; for third-party models, inputs, outputs and telemetry.

The SME must document what it doesn't know. Missing information from a supplier is itself a risk that may require restrictions.

Suppliers

Due diligence reviews:

The contract must assign responsibilities and notification duties. Accountability can't be outsourced.

Objectives and metrics

Objectives must measure outcomes, not just activity. Examples:

Every metric needs a definition, a source, a frequency, a threshold and an action.

Competence and literacy

Training varies by role. Management needs risk and accountability; development needs evaluation and security; users need limits and verification; procurement needs due diligence; the DPO and legal team need impact and rights.

Evidence must demonstrate competence, not just attendance: exercises, tests, observation or decision reviews.

Minimum viable documentation

An SME can maintain:

Duplicate documents aren't created where controls already exist in ISO 9001 or 27001; they're referenced and integrated instead.

Internal audit

The audit must check real evidence:

The auditor must be objective and must not audit their own work.

Management review

Management reviews context, objectives, audits, incidents, performance, changes, resources and opportunities. The output must contain decisions: priorities, risk acceptance, resources and changes.

Certification

Certification typically includes stage 1 — documentation and scope readiness — and stage 2 — implementation and effectiveness — followed by surveillance. The certification body must be competent and operate under the applicable accreditation scheme.

Certification isn't announced before it's obtained, nor extended to products outside the scope.

The 120-day plan

Days 1-30

Scope, context and inventory. Policy, roles and methodology. Gap analysis against requirements.

Days 31-60

Priority risks and impacts. Suppliers and lifecycle. Controls and metrics.

Days 61-90

Implementation, training and records. Testing and incidents. Tracking objectives.

Days 91-120

Internal audit. Corrective actions. Management review. Certification preparation.

The timeline depends on scope and maturity; it isn't a guarantee.

Common mistakes

  1. Certifying a scope that doesn't represent the business.
  2. Inventorying only in-house models.
  3. Copying a generic policy.
  4. Separating compliance from the technical team.
  5. Measuring activity instead of outcomes.
  6. Not controlling supplier changes.
  7. Duplicating ISO 27001 and 9001.
  8. Leaving the impact assessment until the end.
  9. Auditing without sufficient evidence.
  10. Treating the certificate as the end of the process.

Checklist

Frequently asked questions

Is ISO 42001 mandatory?

It's a voluntary standard, unless a contract or sector requires it. It doesn't replace legal obligations.

Does it only apply to developers?

No. The standard states that it applies to organizations that develop, provide or use AI.

Does it certify a product?

It certifies the management system within a defined scope, not that every output of the product is correct.

Can it be integrated with ISO 27001?

Yes. They share a structure and governance, risk, audit and improvement controls, even though their subject matter differs.

Summum Calidad can support the scope definition, implementation, internal audit and certification preparation for ISO/IEC 42001, coordinated where needed with the AI impact assessment (ISO/IEC 42005), without ever replacing the certification body.