An AI Management System (AIMS) under ISO/IEC 42001 is the documented set of policies, roles, processes, controls and reviews that an organisation uses to govern its AI — analogous to the ISMS that ISO 27001 demands for information security. The AIMS is what the certification body audits; the AI models themselves are not certified. A compliant 2026 AIMS implements the 10 management clauses (Plan-Do-Check-Act structure) and the 38 Annex A controls grouped into 9 categories, mapped to your operational reality. Average Indian implementation: 4–6 months for a 100-person organisation already running ISO 27001.
- AI Management System (AIMS): the set of interrelated elements — policy, objectives, processes, controls, documentation, evidence — used to establish, implement, maintain and continually improve the governance of an organisation's AI activities, per ISO/IEC 42001:2023.
- The AIMS is what gets certified, not your models.
- 10 management clauses (PDCA) + 9 Annex A control categories + 38 controls.
- If you already have ISO 27001, ~40% of the AIMS is already partially evidenced.
- The hardest clauses for Indian organisations: 6 (planning), 8.2 (impact assessment), 9 (performance evaluation).
- Build for evidence first, polish later. Auditors check artefacts, not aesthetics.
The 10 management clauses
Clauses 1–3 are scope, normative references and terms. The work lives in clauses 4–10:
- Clause 4 — Context: internal/external issues, interested parties, AIMS scope.
- Clause 5 — Leadership: top-management commitment, AI policy, roles & responsibilities.
- Clause 6 — Planning: AI risks & opportunities, impact assessment process, objectives.
- Clause 7 — Support: resources, competence, awareness, communication, documented information.
- Clause 8 — Operation: operational planning, AI risk treatment, impact assessment, system lifecycle.
- Clause 9 — Performance evaluation: monitoring, internal audit, management review.
- Clause 10 — Improvement: continual improvement, corrective action.
The 9 Annex A control categories
| Category | Focus | # controls |
|---|---|---|
| A.2 Policies for AI | AI policy and supporting policies | 3 |
| A.3 Internal organisation | Roles, responsibilities, separation of duties | 3 |
| A.4 Resources for AI systems | Data, tooling, human resources, compute | 6 |
| A.5 Assessing impacts | AI system impact assessments on stakeholders | 5 |
| A.6 AI system lifecycle | Development, deployment, decommissioning processes | 6 |
| A.7 Data for AI | Data acquisition, quality, provenance | 4 |
| A.8 Information for interested parties | Documentation for users, regulators, affected parties | 4 |
| A.9 Use of AI systems | Acceptable use, third-party AI procurement | 3 |
| A.10 Third-party relationships | Supplier AI risk, customer/contractual issues | 4 |
The implementation sequence that actually works
- Weeks 1–2: Define AIMS scope. Which AI activities are in? Which are out? Auditors will probe this hard.
- Weeks 3–4: Write the AI policy. Get it ratified by top management. Appoint roles.
- Weeks 5–8: Build the AI inventory. Run impact assessments on top-tier systems. See our AI risk assessment template.
- Weeks 9–14: Operationalise Annex A controls. Data governance, lifecycle process, third-party register.
- Weeks 15–18: Internal audit (Clause 9.2). Management review (Clause 9.3). First corrective actions logged.
- Weeks 19–22: Stage 1 audit by certification body. Close findings.
- Weeks 23–26: Stage 2 audit. The certificate is issued once any major non-conformities have been closed.
What auditors check first
- AIMS scope statement. Vague or expansive scopes are immediately flagged.
- AI policy + sign-off date. Undated or unsigned = finding.
- AI inventory completeness. Shadow AI is the most common gap.
- Impact assessments on top-tier systems. Aggregate-only or template-only = finding.
- Evidence of Clause 9 — internal audit + management review. Often skipped or done once and never repeated.
- Corrective-action register. A clean register is suspicious; auditors expect to see real corrective actions tracked.
How the AIMS extends your existing management systems
ISO 42001 is designed to interoperate with ISO 27001, 27701 and 9001. The mature pattern in 2026 is a unified management system with shared clause-level structure and category-specific controls. For the certification mechanics see our ISO 42001 certification in India guide — this essay covers what to build; that one covers how to certify it.
Frequently asked
- What is an AI Management System (AIMS)?
- The set of interrelated elements — policy, objectives, processes, controls, documentation, evidence — used to establish, implement, maintain and continually improve the governance of an organisation's AI activities, per ISO/IEC 42001:2023.
- How many controls are in ISO 42001 Annex A?
- 38 controls grouped into 9 categories: policies, internal organisation, resources, impact assessment, AI lifecycle, data, information for interested parties, use of AI systems, and third-party relationships.
- Can ISO 27001 be reused for ISO 42001?
- Partially. ISO 27001 covers about 40% of the AIMS by overlap — Clause 5 (leadership), Clause 7 (support), Clause 9 (audit), Annex A.3 (organisation). It gives almost nothing on Clause 6 (AI risk), Clause 8.2 (impact assessment), or Annex A.5–A.7 — that is where the bulk of new AIMS work lives.
- How long does ISO 42001 AIMS implementation take?
- 22–26 weeks for a 100-person Indian organisation already running ISO 27001. Significantly longer (40+ weeks) if starting without an existing management system.
Stand up your AIMS without rewriting 27001.
Our /compliance/iso-42001 surface scaffolds the AIMS from your existing 27001 evidence and gaps. Dr. Sodhi is lead auditor of record for the full engagement (₹24,499).
Dr. Nitnem Singh Sodhi is a Lead Auditor for ISO/IEC 42001, 27001 and 27701, accredited by ANSI/ABICB since March 2025.
— Bharat NeuroTech · /dr-sodhi
