Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems

This document specifies additional requirements to ISO/IEC 17021-1. The requirements contained in this document, when implemented, support the demonstration of competence, consistency and reliability by the bodies performing auditing and certification of an artificial intelligence management system (AIMS) according to ISO/IEC 42001 for organizations that provide, develop or use AI systems. Certification of AIMS is a third-party conformity assessment activity (as described in ISO/IEC 17000:2020, 4.5), and bodies performing this activity are third-party conformity assessment bodies. This document also provides the necessary information and confidence to customers about the way certification has been granted. NOTE This document can be used as a criteria document for accreditation or peer assessment.

Technologies de l'information — Intelligence artificielle — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de gestion de l'intelligence artificielle

General Information

Status: Published
Publication Date: 06-Jul-2025
Current Stage: 6060 - International Standard published
Start Date: 07-Jul-2025
Due Date: 28-Feb-2025
Completion Date: 07-Jul-2025
Ref Project
Standard
ISO/IEC 42006:2025 - Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems Released:7. 07. 2025
English language
31 pages

Standards Content (Sample)


International Standard
ISO/IEC 42006
First edition
2025-07
Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems
Technologies de l'information — Intelligence artificielle — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de gestion de l'intelligence artificielle
Reference number
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 General
5.2.2 Conflicts of interest
5.3 Liability and financing
5.3.1 General
5.3.2 Liability
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.1.1 General
7.1.2 Generic technical competence requirements
7.1.3 Specific technical competence requirements
7.2 Personnel involved in the certification activities
7.2.1 General
7.2.2 Demonstration of knowledge and experience
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 General
8.2.2 AIMS certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 General
8.4.2 Access to the documentation of the organization
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 General
9.1.2 Audit programme
9.1.3 Scope of certification
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Audit team selection and assignments
9.2.3 Audit plan
9.2.4 Deployment of remote audit
9.3 Initial certification
9.3.1 General
9.3.2 Initial certification audit
9.4 Conducting audits
9.5 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (normative) Audit time
Annex B (informative) Examples for audit time calculations
Annex C (informative) Template for a certification document
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 42, Artificial Intelligence.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
A management system for organizations providing, developing or using artificial intelligence (AI) systems
or placing them on the market as suppliers is set up according to ISO/IEC 42001. It entails, but is not limited
to, various special aspects regarding the management of risks, data protection, data quality, information and
cyber security, ethics as well as the validation and verification of algorithms. Also, the life cycle processes for
traditional software systems need to include AI-specific life cycle characteristics defined in ISO/IEC 5338 [1]
which can be considered.
The object of conformity assessment in ISO/IEC 42001 and the necessary combination and complex
interface functions in a management system according to ISO/IEC 42001 result in specific requirements
for the certification bodies and their processes when they certify such management systems. Certification
bodies can use this document to perform their roles in the auditing and certification of organizations with
AI management systems (AIMS).
The certification of a management system according to ISO/IEC 42001 can be embedded in a conformity
assessment scheme for products, processes and services according to ISO/IEC 17065 [2] in support of
ISO/IEC 17067 [3], ISO/IEC 17030 [4] applies if it is intended to mark the AI product, process or service with a
mark of conformity. The certification document(s) for the AI management system according to ISO/IEC 42001
can be utilised within an ISO/IEC 17065 scheme according to ISO/IEC 17065:2012, 7.4.5 to avoid double tests.
Accreditation bodies and peer assessors can use this document to assess the minimum requirements for
personnel competence in certification bodies along with their certification processes.

International Standard ISO/IEC 42006:2025(en)
Information technology — Artificial intelligence —
Requirements for bodies providing audit and certification of
artificial intelligence management systems
1 Scope
This document specifies additional requirements to ISO/IEC 17021-1. The requirements contained in this
document, when implemented, support the demonstration of competence, consistency and reliability by
the bodies performing auditing and certification of an artificial intelligence management system (AIMS)
according to ISO/IEC 42001 for organizations that provide, develop or use AI systems.
Certification of AIMS is a third-party conformity assessment activity (as described in ISO/IEC 17000:2020,
4.5), and bodies performing this activity are third-party conformity assessment bodies.
This document also provides the necessary information and confidence to customers about the way
certification has been granted.
NOTE This document can be used as a criteria document for accreditation or peer assessment.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17000:2020, Conformity assessment — Vocabulary and general principles
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of
management systems — Part 1: Requirements
ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system
ISO/IEC 22989:2022, Information technology — Artificial intelligence — Artificial intelligence concepts and
terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17021-1,
ISO/IEC 42001, ISO/IEC 22989 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
artificial intelligence management system
AIMS
set of interrelated or interacting elements of an organization to establish policies and objectives, as well as
processes to achieve those objectives, in the provision, development or use of an AI system

4 Principles
The principles of ISO/IEC 17021-1:2015, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matters
The requirements of ISO/IEC 17021-1:2015, 5.1 apply.
5.2 Management of impartiality
5.2.1 General
The requirements of 5.2.2 and of ISO/IEC 17021-1:2015, 5.2 apply.
5.2.2 Conflicts of interest
5.2.2.1 General
In addition to the requirements of ISO/IEC 17021-1:2015, 5.2.5, certification bodies shall not provide
consulting for management systems related to artificial intelligence, information security, data protection
(e.g. in the form of an external data protection officer or data protection check) or risk management to their
ISO/IEC 42001 certification clients.
5.2.2.2 Examples of activities without conflict of interest
Certification bodies particularly may carry out the following activities without them being considered as
consultancy or having a potential conflict of interest:
a) when arranging and participating as a lecturer in publicly available training courses (excluding in-house
trainings for organizations or client specific trainings) related to artificial intelligence management
systems, management systems, or auditing, certification bodies provide only generic and publicly
available information;
b) activities preceding the audit to identify the object of certification only when the sole purpose of which
is to determine the scope of the audit and the client’s readiness for a certification audit at that scope.
5.2.2.3 Examples of activities with conflict of interest
In order to prevent potential conflict of interest when addressing the duties listed above, the certification
body shall not perform at least the following:
a) provide company-specific advice as consultancy service;
b) conduct activities which themselves take the form of an audit or lead to recommendations or advice that
would be contrary to 5.2.2.1, or justify a reduction of the ultimate time of the certification audit;
c) recommend specific solutions or advice regarding AIMS, AI systems or AI-specific processes, services
and products.
The certification body shall not carry out any internal audits for the client to be certified. The restriction on
conducting internal audits shall not be circumvented by renaming the activity as inspection, assessment or
similar.
NOTE Certification bodies can add value during certification and surveillance audits (e.g. by identifying
opportunities for improvement, as they become evident during the audit, without recommending specific solutions)
without it being considered as consultancy or having a potential conflict of interest.

5.3 Liability and financing
5.3.1 General
The requirements of 5.3.2 and of ISO/IEC 17021-1:2015, 5.3 apply.
5.3.2 Liability
In addition to the requirements of ISO/IEC 17021-1:2015, 5.3.1, certification bodies shall be able to
demonstrate a contract with an insurance policy or an alternative mechanism. Either option shall provide
an appropriate amount of cover (i.e. insured amount, limitation of liability) for personal injury, property
damage and financial loss in proportion to the turnover (i.e. annual gross revenue) of the clients under audit
or certification.
NOTE When determining the appropriate amount of insurance, the potential for damage to the certification body
is relevant. The characteristics of the certification body’s clients and their AI systems, which are the subject of the
AIMS to be certified, have an influence on the certification body’s damage potential. This is not product liability. The
liability at issue here is exclusively intended to cover damages arising from the breach of organizational obligations
resulting from non-compliance with ISO/IEC 42001 during certification.
6 Structural requirements
The requirements of ISO/IEC 17021-1:2015, Clause 6 apply.
7 Resource requirements
7.1 Competence of personnel
7.1.1 General
The requirements of ISO/IEC 17021-1:2015, 7.1 apply. In addition, the technical competence requirements for
the audit team and personnel involved in the AIMS certification process provided in 7.1.2 and 7.1.3 shall apply.
7.1.2 Generic technical competence requirements
The certification body shall define the competence requirements for each certification function as referenced
in ISO/IEC 17021-1:2015, Table A.1. Basic knowledge of the client’s business and typical business processes
knowledge is defined in ISO/IEC 17021-1:2015, Table A.1.
Table 1 specifies the additional knowledge and skills that a certification body shall define for the certification
functions. “X” indicates that the certification body shall define the criteria and depth of knowledge and
skills. The knowledge and skill requirements specified in Table 1 are explained in more detail in 7.1.3 and
are cross-referenced in parentheses in Table 1.
In addition to the technical knowledge requirements specified in Table 1, the certification body shall define
criteria, including the knowledge and skills of the audit team that is necessary for the client organization
and the technical area(s) regarding the scope of the client’s AIMS.
Where additional specific criteria including competence requirements have been established in this
document, a specific standard or certification scheme incorporating ISO/IEC 42001, these shall be applied.
NOTE 1 For an AIMS, the term “technical area” includes the products, processes and services in the scope of
the AIMS certification. The technical area(s) are defined in terms of the technical fields of AI within the scope of
certification (e.g. computer vision and image recognition, natural language processing (NLP), data mining, etc.), the
application of the AI system(s) within the scope of certification (e.g. fraud detection, automated vehicles, healthcare,
retail, etc.) or a combination of the two.

NOTE 2 Certification of an AIMS is based on multiple, diverse competencies which are potentially not present in
one natural person. The certification body typically appoints and deploys competent people that fulfil all the required
competence criteria as a competent group, if applicable, and throughout all functions of the certification process.
The certification body determines separate characteristics for knowledge and skills, whereas skills are based on
knowledge.
Table 1 — Table of knowledge and skills in addition to ISO/IEC 17021-1:2015, Annex A

| Knowledge and skills | Certification function: Conducting the application review to determine audit team competence required, to select the audit team members, and to determine the audit time | Certification function: Reviewing audit reports and making certification decisions | Certification function: Auditing and leading the audit team |
|---|---|---|---|
| General requirements for AIMS | | X (7.1.3.1.2) | X (7.1.3.1.1) |
| Artificial intelligence management system standards/normative documents / certification schemes | X (7.1.3.2.3) | X (7.1.3.2.2) | X (7.1.3.2.1) |
| AI and AIMS related legal obligations | X (7.1.3.3.3) | X (7.1.3.3.2) | X (7.1.3.3.1) |
| Artificial intelligence and AIMS specific terminology, principles, practices, tools, methods and techniques | X (7.1.3.4.3) | X (7.1.3.4.2) | X (7.1.3.4.1) |
| Client business sector | X (7.1.3.5.3) | X (7.1.3.5.2) | X (7.1.3.5.1) |
| Client products, processes and organization | | X (7.1.3.6.2) | X (7.1.3.6.1) |

7.1.3 Specific technical competence requirements
7.1.3.1 General requirements for AIMS
7.1.3.1.1 Auditing
The certification body shall have criteria for verifying the competence of audit team members that ensures
that at least they have the skills to apply their knowledge of:
a) artificial intelligence;
b) the technical aspects of the activity to be audited;
c) management systems and business management practices, concepts and the interrelationship between
policy, objectives and results;
d) the principles of auditing;
NOTE Further information on the principles of auditing can be found in ISO 19011 [5].
e) AIMS monitoring, measurement, analysis and evaluation.
The above requirements a) to e) apply to all individual auditors in the audit team. However, b) can be shared
among members in the audit team.
The audit team members shall, collectively, have skills appropriate to the requirements above, which can be
demonstrated through experience of their application.
The audit team members shall, collectively, be competent in tracing and identifying indications of incidents with
serious negative effects on affected persons in the client’s AIMS back to the appropriate elements of the AIMS.

Individual auditors are not required to have a complete range of experience of all areas of artificial
intelligence, but the audit team as a whole shall have appropriate competence to cover the AIMS scope being
audited.
7.1.3.1.2 Reviewing audit reports and making certification decisions
The personnel responsible for reviewing audit reports and making certification decisions within the
certification body shall have knowledge of the requirements of 7.1.3.1.1. This also applies for the team of
personnel handling appeals.
7.1.3.2 Artificial intelligence management system standards/normative documents /
certification schemes
7.1.3.2.1 Auditing
Each member of the audit team shall have knowledge of:
a) ISO/IEC 42001 and other normative documents used in the certification process;
b) AIMS-specific documentation structures, hierarchy and interrelationships;
c) other normative documents used in the certification process;
d) relevant certification schemes and necessary evaluation criteria for the conformity assessment.
The audit team members shall, collectively, have knowledge of all controls contained in ISO/IEC 42001:2023,
Annex A and their implementation.
7.1.3.2.2 Reviewing audit reports and making certification decisions
Personnel reviewing audit reports and making certification decisions shall have knowledge of list items a)
to d) in 7.1.3.2.1. This also applies for the team of personnel handling appeals.
7.1.3.2.3 Conducting the application review to determine the required audit team competence, to
select the audit team members and to determine the audit time
The personnel responsible for conducting the application review, selecting the audit team, determining
the needed audit competence and determining the audit time shall have knowledge of list items a) to d) in
7.1.3.2.1.
7.1.3.3 AI and AIMS related legal obligations
7.1.3.3.1 Auditing
The certification body audit team shall have knowledge of the legal obligations that apply to artificial
intelligence.
7.1.3.3.2 Reviewing audit reports and making certification decisions
Personnel reviewing audit reports and making certification decisions shall have knowledge of 7.1.3.3.1. This
also applies for the team of personnel handling appeals.
7.1.3.3.3 Conducting the application review to determine the required audit team competence, to
select the audit team members and to determine the audit time
The personnel responsible for conducting the application review, selecting the audit team, determining the
needed audit competence and determining the audit time shall have knowledge of 7.1.3.3.1.

7.1.3.4 Artificial intelligence and AIMS specific terminology, principles, practices, tools, methods
and techniques
7.1.3.4.1 Auditing
Each member of the audit team shall have knowledge of:
a) generic concepts and terminology of AI based on ISO/IEC 22989 as well as on the AI system life cycle
processes based on ISO/IEC 5338 [1];
b) AIMS-specific documentation structures, hierarchy and interrelationships;
c) processes applicable to AIMS;
d) artificial intelligence management and governance structures including roles and responsibilities in the
provision, development and use of an AI system;
The audit team members shall, collectively, have knowledge of:
e) risk management processes, including assessment and mitigation procedures (in particular knowledge
of ISO/IEC 23894 [6]);
f) impact assessment, risk assessment, data quality, and bias related to artificial intelligence management,
if applicable information and data security (in particular knowledge of ISO/IEC 22989, ISO/IEC 42005 [7],
ISO/IEC 23894 [6], ISO/IEC 5259-3 [8], ISO/IEC TR 24027:2021 [9], ISO/IEC 27001 [10], and ISO/IEC 27701 [11]).
7.1.3.4.2 Reviewing audit reports and making certification decisions
Personnel reviewing audit reports and making certification decisions shall have knowledge of the list items
a) to f) in 7.1.3.4.1. This also applies for the team of personnel handling appeals.
7.1.3.4.3 Conducting the application review to determine the required audit team competence, to
select the audit team members and to determine the audit time
The personnel responsible for conducting the application review, selecting the audit team, determining
the needed audit competence and determining the audit time shall have knowledge of list items a) to c) in
7.1.3.4.1.
7.1.3.5 Client business sector
7.1.3.5.1 Auditing
Each member of the audit team shall have knowledge of:
a) generic terminology, processes, technologies and risks related to the client business sector;
b) artificial intelligence management related tools, methods, techniques and their application;
c) policies and business requirements for artificial intelligence management;
d) relevant business sector practices;
The audit team members shall, collectively, have knowledge of:
e) codes of conduct as well as good practices and procedures on trustworthy AI (e.g. related to
ISO/IEC TR 24028 [12]) within the specific industry;
f) software development processes.

7.1.3.5.2 Reviewing audit reports and making certification decisions
Personnel reviewing audit reports and making certification decisions shall have knowledge of list items a)
to f) in 7.1.3.5.1. This also applies for the team of personnel handling appeals.
7.1.3.5.3 Conducting the application review to determine the required audit team competence, to
select the audit team members and to determine the audit time
The personnel responsible for conducting the application review, selecting the audit team, determining the
needed audit competence and determining the audit time shall have knowledge of list item a) in 7.1.3.5.1.
7.1.3.6 Client products, processes and organization
7.1.3.6.1 Auditing
The audit team members shall, collectively, have knowledge of:
a) the effect of organization type, governance, structure, functions and relationships on development and
implementation of the AIMS and certification activities, including outsourcing;
b) technologies (including algorithms), methods, processes and tools that encompass data science and the
discipline of AI as well as specific AI processes such as machine learning.
7.1.3.6.2 Reviewing audit reports and making certification decisions
Personnel reviewing audit reports and making certification decisions shall have knowledge of list items a)
to b) in 7.1.3.6.1. This also applies for the team of personnel handling appeals.
7.2 Personnel involved in the certification activities
7.2.1 General
The requirements of 7.2.2 and of ISO/IEC 17021-1:2015, 7.2 apply.
7.2.2 Demonstration of knowledge and experience
7.2.2.1 General considerations
The certification body shall demonstrate that each auditor has acquired knowledge and skills through each of:
a) recognized AIMS-specific qualifications;
b) registration as an auditor, where applicable;
c) participation in AIMS training courses, where applicable, and attainment of relevant personal
qualifications;
d) up-to-date professional development records;
e) AIMS audits witnessed by another competent and authorized AIMS auditor, where applicable.
7.2.2.2 Selecting auditors
In addition to 7.1.2 and 7.1.3, the process for selecting auditors shall ensure that each auditor:
a) has professional education or training to an equivalent level of university education;
b) has at least four years of full-time practical workplace experience in information technology or data
protection and at least one year related to AI systems;

c) has successfully completed at least 24 hours of training that included AIMS audits and audit management.
After the training, the trainee should be capable of applying and transforming their knowledge of
ISO/IEC 19011 [5] and ISO/IEC 42006 on the specific certification case;
d) has gained auditing experience prior to acting as an auditor for AIMS, evident by auditing management
systems (such as but not limited to ISO 9001 [13] and ISO/IEC 27001 [10]). This experience shall have
been gained in at least ten audit days or of at least three management system audits (stage 1 and
stage 2) as auditor or auditor in-training, and the experience shall be performed in the last five years.
This experience shall have been gained as an auditor under the supervision and evaluation of a more
experienced auditor (see ISO/IEC 17021-1:2015, 9.2.2.1.4) in the course of participation in at least one
initial certification or re-certification audit and at least one surveillance audit. The participation shall
include review of documentation and risk assessment, implementation assessment, and audit reporting;
e) maintains current knowledge related to AI systems and auditing through ongoing professional
development and audits.
The criteria a) to e) also apply to the team of personnel reviewing audit reports and making certification
decisions as well as to the team of personnel handling appeals.
NOTE The person responsible for the certification decision can have more general knowledge and does not need
to have the same technical competencies as the person reviewing the audit report [especially no knowledge of list item
b) to e)], as long as these functions are performed by different employees. Conversely, this means that the competencies
for the assessment of the audit report apply, if the person responsible for reviewing the audit report and the person
responsible for certification are the same person.
7.2.2.3 Selecting auditors for leading the team
In addition to 7.2.2.1 and 7.2.2.2, the criteria for selecting an auditor for leading the team shall ensure that
the auditor has actively participated as auditor in all stages of at least three management system audits. The
participation shall include initial scoping and planning, document review, review of risk assessment and its
implementation, and formal audit reporting.
The audit team leader shall meet these requirements, through previous experience in supervised audits
performed by an experienced AIMS auditor who has conducted at least three ISO/IEC 42001 audits.
For a transition period of up to two years after the year of publication of this standard, it is permissible
to replace participation in at least three ISO/IEC 42001 (AIMS) audits with participation in at least three
ISO/IEC 27001 [10] (ISMS) audits.
7.3 Use of individual external auditors and external technical experts
The requirements of ISO/IEC 17021-1:2015, 7.3 apply.
7.4 Personnel records
The requirements of ISO/IEC 17021-1:2015, 7.4 apply.
7.5 Outsourcing
Outsourcing in accordance with ISO/IEC 17021-1:2015, 7.5 is not permitted within the scope of certification
according to ISO/IEC 42001.
8 Information requirements
8.1 Public information
The requirements of ISO/IEC 17021-1:2015, 8.1 apply.

8.2 Certification documents
8.2.1 General
The requirements of 8.2.2 and of ISO/IEC 17021-1:2015, 8.2 apply.
8.2.2 AIMS certification documents
Certification documents shall be signed by the authorised person who has been assigned that responsibility
and shall additionally to ISO/IEC 17021-1:2015, 8.2.2 entail the following:
a) version of the statement of applicability (SoA) on which the certification is based;
b) the information that the AIMS certificate does not authorize the labelling of products, processes and
services.
A comprehensive example of all information within a certification document template is displayed in
Annex C.
8.3 Reference to certification and use of marks
The requirements of ISO/IEC 17021-1:2015, 8.3 apply.
8.4 Confidentiality
8.4.1 General
The requirements of 8.4.2 and of ISO/IEC 17021-1:2015, 8.4 apply.
8.4.2 Access to the documentation of the organization
Prior to the certification audit, the certification body shall ask the client to report if any AIMS related
information (such as AIMS records of information about design and effectiveness of controls or access
to source code and raw data) cannot be made available for review by the audit team because it contains
confidential or sensitive information. The certification body shall determine whether the AIMS can be
adequately audited in the absence of such information. If the certification body concludes that it is not
possible to adequately audit the AIMS without reviewing the identified confidential or sensitive information,
it shall advise the client that the certification audit cannot take place until appropriate access arrangements
are granted.
The certification body and the client shall mutually establish and implement safeguards for protected
information or sensitive information, intellectual property, trade secrets and the technical means and
infrastructures to be used in the certification agreement in accordance with ISO/IEC 17021-1:2015, 5.1.2.
8.5 Information exchange between a certification body and its clients
The requirements of ISO/IEC 17021-1:2015, 8.5 apply.
9 Process requirements
9.1 Pre-certification activities
9.1.1 General
The requirements of 9.1.
...
