ISO/IEC 42001 Support — AI Governance as a Natural Extension of ISO 27001

The first international AI management system standard — structured like ISO 27001, applicable to your existing setup.

From gap analysis to full certification readiness, depending on your current maturity.

ISO/IEC 42001:2023 is the first international standard for an Artificial Intelligence Management System (AIMS), published in December 2023. It applies to organizations that develop, provide, or use AI systems, and requires a structured framework to manage transparency, accountability, bias, security, and privacy across the AI system lifecycle. Factero supports two profiles of organizations: those pursuing ISO 42001 certification as a standalone effort, and those approaching it as a natural extension of an existing ISO 27001 program. The two standards are deliberately aligned in structure (same Annex SL, risk-based approach, Statement of Applicability), allowing a large portion of the existing framework to be reused. (Source: ISO/IEC 42001:2023, published by ISO and IEC.)

Who is it for?

SaaS vendors and AI startups selling to demanding clients (North American or European enterprise accounts, public bodies) that are starting to require structured AI governance evidence in their security questionnaires.

Regulated vendors (healthcare, education, public services) whose product includes an AI component — scribe, transcription, detection, predictive analytics — and who must document governance of these components to meet institutional client requirements.

Canadian subsidiaries of multinationals whose parent company imposes corporate AI governance requirements and demands compliance with an internationally recognized standard.

Growing SMEs deploying third-party LLMs (AI assistants, copilots, agents) internally and seeking to govern their use — data sent to models, human oversight, bias management, traceability of AI-assisted decisions.

Professional services firms (legal, accounting, consulting) integrating AI into client deliverables and required to demonstrate responsible oversight — particularly sensitive when deliverables touch on regulated matters or confidential information.

Organizations already certified or pursuing ISO 27001 who want to leverage that foundation to approach ISO 42001 without rebuilding a management system from scratch.

Boards and leadership teams wanting to anticipate rather than react to AI governance requirements rapidly spreading across vendor questionnaires, client contracts, and major market expectations.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • Your product includes an AI component (LLM, classification model, predictive model, recommendation engine) and a major client is starting to ask structured questions about your governance of that AI.
  • You have deployed third-party LLMs internally (AI assistants, copilots) and realize you have no formal framework — who can use what, which data must not be sent to models, how output quality is verified, how human oversight is maintained on important decisions.
  • You are ISO 27001 certified (or pursuing it) and a partner or client mentions ISO 42001 in a contractual conversation — you want to understand what it actually entails and how much of your current setup is reusable.
  • Your parent company or an investor requests an alignment plan with an international AI governance standard, and you must respond within a reasonable timeframe with a concrete plan.
  • You want to distinguish your commercial offering by demonstrating structured AI oversight — particularly in a market where most vendors cannot demonstrate it in a verifiable way.
  • You need an honest gap analysis before deciding whether ISO 42001 certification makes sense for you — not a sales pitch, but an independent reading of what actually applies in your context.
  • You are a vendor to public organizations starting to embed AI requirements in their management frameworks (health, education, ministries) and you want to anticipate rather than wait for a contractual demand.

What will you receive?

A gap analysis against ISO 42001's 38 Annex A controls organized in 9 groups (A.2 to A.10) — AI policy, internal organization, resources, AI system lifecycle, data management, information for interested parties, human oversight, suppliers and partners, and customer relationships. (Source: ISO/IEC 42001:2023, Annex A.)

A reuse matrix from ISO 27001 (where applicable): what carries over as-is from your existing ISO 27001 framework, what must be adapted, what must be created specifically for the AIMS. The aligned Annex SL structure and shared risk-based approach enable significant practical reuse.

A documented Statement of Applicability (SoA): controls applicable to your context, controls excluded with justification, additional controls specific to your situation. As with ISO 27001, the AIMS is a risk-based system — not all Annex A controls necessarily apply to every organization.

A mapping of AI systems in use across your organization — proprietary models, vendor models, third-party LLMs used via API or embedded in product integration, AI built into SaaS software. This mapping is the foundation of any AIMS and often reveals ungoverned AI uses no one had inventoried.

A documented AI policy — acceptable use of third-party LLMs, data that can or cannot be sent to models, expected level of human oversight by decision criticality, traceability of AI outputs in important decisions.

A framework for managing the AI system lifecycle — pre-deployment assessment, in-operation oversight, AI incident management (erroneous outputs, detected biases, performance drift), decommissioning criteria when a system no longer meets commitments.

A risk and impact assessment structured per Annex A requirements, including typical risk sources (data quality, training biases, production drift, model vendor dependency, legal risks from AI outputs) and associated treatment measures.

Depending on the engagement scope — either a gap analysis report with prioritized remediation plan (short engagement), or full readiness through certification by an ISO 17021 accredited body, including Stage 1 and Stage 2 audit preparation.

Not a good fit?

  • If your organization neither uses nor develops AI systems, ISO 42001 doesn't apply to you. Purely office use of consumer AI features (email writing, search) generally doesn't justify a formal AIMS. We'll discuss it openly at the discovery call.
  • If you're looking for a firm to deploy AI in your organization (tool selection, integration, team training, change management), this isn't our service. Our role is to structure the governance and management framework for AI, not to drive operational deployment. For deployment, IT transformation or integration consulting firms are better positioned.
  • If you're looking for a quick certification to tick a box in a client questionnaire, without intent to build a real management system, ISO 42001 won't work. The standard requires an operational management system with evidence of effectiveness, not just theoretical documentation. ISO 17021 auditors verify actual application.
  • If your organization is very small (under 5 people) and your AI use is limited to a few consumer tools, the ISO 42001 effort is likely disproportionate. A simpler internal framework — LLM use policy, human oversight on critical outputs, governance of data sent to models — may suffice. We can help you structure that lighter level without pursuing formal certification.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping and AI inventory
We start with clear scoping: what is the intended AIMS scope? Which AI systems are in use across your organization — models you develop, vendor models integrated, third-party LLMs accessed via API, AI embedded in your SaaS software? This inventory is the AIMS foundation. In almost every engagement, we uncover AI uses no one had formally inventoried — this is normal and precisely what the exercise is for.
Annex A gap analysis
We assess your current setup against the 38 Annex A controls organized in 9 groups. For each control: what's already in place (often reusable from ISO 27001 if you have it), what must be adapted, what must be created. The result is a precise gap map with a prioritized remediation plan. (Source: ISO/IEC 42001:2023, Annex A.)
Statement of Applicability
As with ISO 27001, the AIMS is risk-based: not all Annex A controls necessarily apply to every organization. We document your Statement of Applicability with you — which controls apply, which are excluded with justification, which are added beyond Annex A if your context warrants it. This is one of the central deliverables the auditor will examine.
Policy and governance
We draft with you the AI policy and associated procedures: acceptable use of third-party LLMs, classification of data that can or cannot be sent to models, expected level of human oversight by decision criticality, model vendor management, traceability of AI outputs in important decisions. The policy is calibrated to your reality, not a generic template.
Lifecycle and risk management
We structure the AI system lifecycle management framework — pre-deployment assessment, in-operation oversight, AI incident management, decommissioning criteria. We document the risk and impact assessment required by the standard: typical risk sources (data quality, biases, drift, vendor dependencies, legal risks), treatment measures, monitoring indicators.
Internal audit and readiness
Before the official audit by an ISO 17021 accredited certification body, we conduct a complete internal audit of the AIMS covering all 38 applicable controls. Residual gaps are identified, corrected, and documentation is consolidated. The goal: no surprises at Stage 1 or Stage 2 of the certification audit.
Audit support
During Stage 1 audits (AIMS design review, typically 1-2 days) and Stage 2 (operational effectiveness, typically 1-3 weeks depending on scope), Factero stays by your side to prepare interviews, organize expected evidence, translate auditor questions, and coordinate responses. Our role ends at certificate issuance — or at the documented decision not to pursue it. (Source: ISO 17021 certification process.)

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
What is ISO/IEC 42001 exactly?
ISO/IEC 42001:2023 is the first international AI management system standard, jointly published by ISO and IEC in December 2023. It specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS (Artificial Intelligence Management System) within organizations that develop, provide, or use AI systems. As ISO 27001 does for information security, ISO 42001 does for AI governance: policy, organization, risk management, controls, audit, continuous improvement. The standard is structured in 10 main clauses (4 through 10 are operative) plus a normative Annex A listing 38 controls organized into 9 groups (A.2 to A.10). (Source: ISO/IEC 42001:2023.)
How does it differ from ISO 27001? Can we reuse our existing setup?
Yes, reuse is significant — this is precisely what the standard was designed to enable. ISO 42001 uses the same Annex SL structure as ISO 27001 (the common structure across all ISO management system standards). Clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement) are nearly identical in architecture, even if the specific content differs. The approach is risk-based in both cases, with a documented Statement of Applicability. An organization already ISO 27001 certified has, in practice, completed a significant portion of the path to ISO 42001 on management system structure. What must be built specifically for the AIMS: AI system inventory, AI policy, AI-specific risk assessment, AI system lifecycle management framework, specific Annex A controls. Factero produces an explicit reuse matrix at the start of the engagement to show exactly what carries over and what must be created.
How do we know if ISO 42001 applies to our organization?
ISO 42001 applies to organizations that develop, provide, or use AI systems — the definition is broad by design. In practice, ask yourself four questions: (1) Do you develop a product that includes an AI component (proprietary model, fine-tuning, AI agent, automatic classification)? (2) Do you provide a service that relies partly on AI — your own model or an integrated third-party model? (3) Do you use AI in your internal processes (AI assistants, copilots, LLM-based automation) beyond occasional consumer use? (4) Are your clients, partners, or parent company starting to ask for AI governance elements in their questionnaires? If the answer to at least one of these is a structural yes, ISO 42001 potentially applies and warrants a gap analysis. If you answer no to all, the standard probably isn't for you today — and we'll tell you so openly at the discovery call.
We use third-party LLMs (AI assistants, copilots). Does that change anything?
Yes — it's one of the most common use cases and one of the most sensitive points of a well-built AIMS. When you use a third-party LLM via API or an integrated platform, you are a user of an AI system whose training, biases, updates, and internal governance you don't control. The AIMS must therefore structure several specific elements: (1) governance of data sent to the model — which data classifications can be sent via API, which must never be; (2) model vendor assessment and selection — vendor governance, vendor certifications, contractual conditions on submitted data, exclusion of submitted data from model training; (3) human oversight on critical outputs — important decisions never come out of an AI without documented human validation; (4) traceability — which AI system contributed to which decision, retained for audit. Factero has a structured approach for organizations using third-party LLMs, which is in practice the majority of SMEs today.
How many controls must be implemented? How are they organized?
The standard's Annex A contains 38 controls organized into 9 thematic groups (A.2 to A.10). The groups cover: policies related to AI, internal organization for AI, necessary resources, impact assessment of AI systems, AI system lifecycle, data for AI systems, information for interested parties, use of AI systems, and relationships with third parties and customers. Not all 38 controls necessarily apply to every organization — that's the spirit of the Statement of Applicability: based on your risk assessment, you determine which controls apply, which are excluded with justification, and which may need to be added. The standard's Annex B provides implementation guidance for each Annex A control — it is informative not normative, but auditors reference it in practice. (Source: ISO/IEC 42001:2023, Annexes A and B.)
How does the certification process work?
The process follows ISO 17021 — the same framework as ISO 27001 and ISO 9001 certifications. Concretely, the audit unfolds in two stages: Stage 1 (typically 1 to 2 days): the auditor assesses AIMS readiness, particularly system design, policies, and documentation; validates you're ready for Stage 2 and identifies gaps to fix before. Stage 2 (typically 1 to 3 weeks depending on scope): the auditor examines AIMS operational effectiveness, conducts staff interviews, observes processes, and evaluates real performance against the standard's requirements and applicable Annex A controls. At the end, the certification body issues (or not) the ISO 42001:2023 certificate, typically valid for three years with annual surveillance audits. The body must be ISO 17021 accredited by an IAF member — verifiable via the IAF CertSearch registry. (Source: ISO 17021 certification process.)
How long does the engagement take?
Variable depending on your starting point — the honest range goes from a few weeks for a gap analysis alone to 12 to 18 months for a full engagement starting from scratch. For a gap analysis alone (point-in-time, without implementation support): expect a few weeks depending on your organization's size and the number of AI systems to map. For a full engagement as an extension of existing ISO 27001: significantly faster than from scratch, because much of the management structure is already in place and reusable. For a full engagement starting from scratch without prior ISO 27001: longer, because the AIMS and ISMS must be partially built in parallel. Factero gives a realistic estimate at the discovery call once the initial mapping is done — not before. The standard is recent (published end of 2023) and cumulative implementation experience is still developing; we prefer to engage honestly rather than promise an arbitrary duration.
What does it cost?
The Factero engagement covers the entire readiness path — scoping and AI inventory, gap analysis against the 38 controls, Statement of Applicability, AI policy, lifecycle, risk assessment, internal audit, Stage 1 and Stage 2 audit preparation. Costs not included and paid directly by you: (1) the fees of the ISO 17021 accredited certification body you choose (variable by body, scope size, and audit duration); (2) internal technical investments identified by the gap analysis (AI call logging tools, oversight platforms, team training); (3) your internal team's time — always the main investment in a certification process, as with ISO 27001. Note: ISO 42001 being recent, the accredited body market is still developing and rates may evolve — we orient you toward relevant bodies without any commission or commercial arrangement, in accordance with our Charter of Independence.
Should we really start now? The standard is very recent.
The standard is recent — published December 2023 — and that's precisely why timing can be interesting. Three elements to weigh: (1) the first certified organizations in 2024 and 2025 (including known hyperscalers like AWS) have paved the way; vendor questionnaires are starting to mention ISO 42001; recent benchmarks indicate a majority of organizations plan to use ISO 42001 or an equivalent as their AI governance framework; (2) pioneering organizations certifying now gain commercial advantage during the period when certification remains rare — as was the case for ISO 27001 15 years ago and SOC 2 10 years ago; (3) conversely, cost and complexity will likely become more predictable in 18 to 24 months as accredited bodies multiply and cumulative experience broadens. Factero doesn't push anyone to certify prematurely. The gap analysis is the right entry point: it gives you an independent reading of your situation and a plan, with no commitment to certify.
What methodology do you use?
Factero draws directly on the ISO/IEC 42001:2023 standard and its annexes — Annex A for controls, Annex B for implementation guidance, Annex C for typical risk sources, Annex D for sector-specific crosswalks. The approach follows the same structure we apply for ISO 27001 — scoping, gap analysis, Statement of Applicability, framework construction, internal audit, audit preparation — adapted to AI specifics (lifecycle, training data, human oversight, bias management, AI output traceability). The principal associate holds the CISA certification (Certified Information Systems Auditor), an international reference in information systems auditing that covers audit methods for systems including those integrating AI components. For organizations pursuing ISO 27001 simultaneously or beforehand, we harmonize both efforts to avoid redundant work.
Is it confidential?
Yes, and this is particularly important for this service. Your organization's AI system inventory, AI policy, any training data, and risk assessments are sensitive information, sometimes competitively critical. Each engagement is governed by a formal confidentiality agreement signed before any work begins. No element — AI inventory, policy, Statement of Applicability, gaps identified, remediation plan — is shared with any third party, vendor, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials transmitted to certification bodies are shared under your control and with your validation.
Why Factero for this engagement — what sets you apart?
Before signing with a firm on this type of engagement, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward an ISO certification should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil has been duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. An ISO 42001 engagement extends over several months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets. For ISO 42001 in particular, we receive no commission from certification bodies, AI governance tool vendors, or LLM platform providers.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.