Report · First Edition · June 2026

ISO/IEC 42001 AI Management System Certification for Maritime Organisations

What the Standard Requires, How Certification Works, and Where Maritime Stands

Kristina Agustin - Founder, Southern Sky AI

Author: Kristina Agustin · Published by: Southern Sky AI · June 2026

01 Overview

Executive Summary

A maritime organisation that adopts AI eventually faces a procurement question, a due-diligence question, or a board question that sounds like this: how do you govern the AI you use, and can you prove it? ISO/IEC 42001 is the first international standard built to answer that question with an independent certificate.

ISO/IEC 42001:2023, published in December 2023, is the world's first certifiable AI management system standard. It is built on the same Annex SL "harmonized structure" that underpins ISO 9001 and ISO/IEC 27001, which means Clauses 4 to 10 are the auditable requirements, and Annex A's thirty-eight reference controls across nine control objectives are selected through a Statement of Applicability driven by AI risk and impact assessments. For a maritime organisation already running an ISM Code safety management system, an ISO 9001 quality system, or an ISO/IEC 27001 information security system, certification typically runs three to twelve months and follows the familiar Stage 1, Stage 2, annual surveillance, and three-year recertification cycle.[1][2]

ISO/IEC 42001 does not certify any single AI model. It certifies the system of governance an organisation runs around all of its AI.

Accredited certification is available and maturing quickly, with around 100 organisations certified by January 2026. BSI was the first body to hold triple UKAS, RvA, and ANAB accreditation. Schellman was the first ANAB-accredited body. DNV, the body most directly connected to maritime assurance, has been accredited since 2024. The publicly certified organisations include Anthropic, AWS, Microsoft, Google Cloud, IBM, KPMG, and BCG. As at mid-2026, a targeted search across major shipping lines, ports, ship managers, P&I clubs, marine insurers, classification societies as the certified entity, shipbuilders, and maritime AI vendors returned no public ISO/IEC 42001 certifications. Maritime is, today, an open field.[3][4][5]

This report sets out what the standard requires, how the certification process runs, what it costs and how long it takes, how it relates to the EU AI Act and other regulatory regimes, and how it integrates with the management systems maritime organisations already operate. One point sits above the rest and is returned to throughout: ISO/IEC 42001 is a governance baseline and a trust signal. It is not, on its own, a statement of legal conformity with the EU AI Act. That role falls to a separate standard, prEN 18286, now in development.


02 Definition

What ISO/IEC 42001 Is

The full title is ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system. It was published in December 2023 by ISO and IEC, developed under the joint technical committee ISO/IEC JTC 1/SC 42. ISO describes its scope as specifying requirements and providing guidance for establishing, implementing, maintaining, and continually improving an AI management system within an organisation, and it applies to any organisation that develops, provides, or uses AI, regardless of size or sector.[1]

A management system, not a product certificate

Like ISO 9001 for quality and ISO/IEC 27001 for information security, ISO/IEC 42001 certifies a system of governance rather than any single model, algorithm, or product. It certifies the policies, accountabilities, risk processes, lifecycle controls, monitoring, internal audits, and management reviews that surround an organisation's AI. That distinction carries three consequences for maritime buyers. Certification answers how an organisation manages AI, which is the procurement and due-diligence question. The certificate does not exempt an autonomous-vessel or decision-support product from class-society approval, IMO and IACS rules, or flag-state requirements. And because the architecture is risk-based, a smaller maritime organisation with a narrow AI footprint can certify a tightly scoped system at moderate cost.[1]

Built on a structure maritime organisations already know

Clauses 4 to 10 share identical numbering, titles, and core text with every other ISO management system standard. For an organisation already running ISO 9001, ISO 14001, ISO 45001, or ISO/IEC 27001, the management-system scaffolding already exists: context, leadership, risk-based planning, support, operation, performance evaluation, and improvement. Practitioners across the accredited bodies estimate that an existing ISO/IEC 27001 system provides between thirty and seventy per cent reusable governance overlap. An ISM Code safety management system provides a different but valuable head start: a culture of documented procedures, internal audit, management review, and external assurance.[1][2]


03 Architecture

Inside the Standard: Clauses and Controls

The substance of the standard sits in two places. The ten clauses set the auditable requirements. Annex A sets the reference controls an organisation selects from. Understanding how these two parts work together is the key to scoping a certification.

The ten clauses

Clauses 1 to 3 cover scope, normative references, and terms, and they import ISO/IEC 22989 definitions as binding. Clauses 4 to 10 are the auditable requirements:

  • Clause 4, Context. Internal and external context, interested parties, and the definition of which AI systems, business units, and sites the management system covers.
  • Clause 5, Leadership. Top-management commitment, the AI policy (5.2), and clear roles, responsibilities, and authorities.
  • Clause 6, Planning. Actions to address risks and opportunities, the AI risk assessment (6.1.2), AI risk treatment (6.1.3) referencing Annex A, the AI system impact assessment (6.1.4), and AI objectives.
  • Clause 7, Support. Resources, competence, awareness, communication, and documented information.
  • Clause 8, Operation. Operational planning and control, operational AI risk assessment and treatment, and AI system impact assessment in production.
  • Clause 9, Performance evaluation. Monitoring, measurement, analysis, internal audit, and management review.
  • Clause 10, Improvement. Nonconformity, corrective action, and continual improvement.

The AI-specific additions live inside that scaffolding. Clauses 6 and 8 are expanded beyond what the familiar ISO standards cover, to address the way AI interacts with individuals and the public, through the AI policy, the AI risk assessment, and the AI system impact assessment.[1]

Annex A: thirty-eight controls, nine objectives

Annex A provides thirty-eight reference controls grouped under nine control objectives. The dominant published count across the accredited bodies is thirty-eight controls and nine objectives, with a small number of secondary sources citing thirty-seven or ten depending on numbering convention. The nine objectives are:

  1. Policies related to AI (A.2). Management direction, the AI policy, alignment with other policies, and policy review.
  2. Internal organisation (A.3). AI roles and responsibilities, and a channel for reporting concerns.
  3. Resources for AI systems (A.4). Documentation of data, tooling, computing, and human resources.
  4. Assessing impacts of AI systems (A.5). The impact-assessment process, and impacts on individuals, groups, and society.
  5. AI system life cycle (A.6). Objectives and processes for responsible design and development.
  6. Data for AI systems (A.7). Data management, acquisition, quality, provenance, and preparation.
  7. Information for interested parties (A.8). System documentation, information for users, and external and incident reporting.
  8. Use of AI systems (A.9). Processes for responsible and intended use.
  9. Third-party and customer relationships (A.10). Allocating responsibilities with suppliers and customers.

The Statement of Applicability

Annex A is informative, which means the controls are a reference set rather than a mandatory checklist. The organisation selects controls based on its AI risk assessment and records the result in a Statement of Applicability, where every control appears as either included or excluded, with a documented justification for each exclusion. Auditors treat an SoA with poorly justified exclusions as a major nonconformity risk. Annex B provides implementation guidance, Annex C lists AI objectives and risk sources such as model drift and bias, and Annex D explains integration with other management systems, contemplating organisations that run the AI system alongside an existing ISO/IEC 27001 system.[1]


04 Process

How Certification Works

Certification follows the standard two-stage ISO/IEC 17021-1 model, adapted for AI by ISO/IEC 42006. The phases below describe the full journey from readiness to certificate.

1. Readiness and gap analysis (two weeks to three months)

A gap analysis against Clauses 4 to 10 and the Annex A controls, producing a gap report and remediation plan. This step is most valuable for larger organisations and those without an existing ISO/IEC 27001 system.

2. System design and implementation (one to four months)

Scoping the system, approving the AI policy, performing risk and impact assessments using ISO/IEC 42005 methodology, writing the Statement of Applicability, implementing Annex A controls, building documented procedures and records, standing up an AI system inventory, and building supplier governance.

3. Internal audit and management review (about one month)

Clause 9 requires an internal audit and a management review before the first external audit. Absent or perfunctory records here are frequent nonconformity drivers.

4. Stage 1 audit (one to two days)

A documentation and readiness review by the accredited certification body, checking the system documentation and identifying areas of concern.

5. Stage 2 audit (three to nine or more days)

An effectiveness audit. The auditors interview staff, observe processes, sample evidence, and test that risk and impact assessments, controls, monitoring, internal audit, and management review are operating. The gap between Stage 1 and Stage 2 runs four to twelve weeks and cannot exceed six months. Major nonconformities are closed before certification.

6. Certification decision and certificate (within weeks of Stage 2)

A separate, independent reviewer at the certification body makes the decision, to preserve impartiality. The certificate is valid for three years.

7. Surveillance and recertification

Annual surveillance audits in years two and three, each at around a third of the initial effort, with a full recertification audit in year four.

The auditors will request a defined set of records throughout: the system scope, the AI policy, AI objectives, the risk assessment methodology and results, the risk treatment plan, the Statement of Applicability, impact assessment records, roles and responsibilities, competence and training records, operational procedures, monitoring records, the internal audit programme, management review records, nonconformity and corrective action records, and supplier governance records.[2]


05 Investment

Timelines, Costs, and Accreditation

Timelines

End-to-end timelines cluster at three to twelve months, and the single biggest accelerator is an existing ISO/IEC 27001 system, which brings the range down to three to six months. The drivers of variation are the number and risk class of AI systems in scope, the maturity of existing management systems and data governance, and whether the organisation acts as an AI provider, producer, or user.[2]

Costs, treated as indicative

Published cost ranges diverge by an order of magnitude, because this is a maturing market with limited transparent pricing. The figures below are indicative only. The reliable course of action is to obtain quotes from at least three accredited bodies.

Element | Indicative range
Audit fees alone (small to mid) | US$5,000 to US$25,000 for initial certification
Total cost, under 50 employees | US$15,000 to US$40,000
Total cost, 50 to 500 employees | US$30,000 to US$80,000
Total cost, 500-plus employees | US$60,000 to US$200,000-plus, with higher-end estimates from US$350,000 to US$650,000
Annual surveillance | About 30 to 40 per cent of initial audit fees
Recertification | About 60 to 70 per cent of initial audit fees
Personnel certification (PECB Lead Auditor or Lead Implementer) | About US$800 to US$3,000 per person

Audit days are calculated under IAF MD 5, based on effective personnel, sites, and AI system complexity.[2]

Accreditation is the dividing line

A credible certificate comes from a certification body that is itself accredited. The chain runs from the International Accreditation Forum, to national accreditation bodies such as UKAS, ANAB, RvA, DAkkS, and JAS-ANZ, to the certification bodies, to the certified organisation. An accredited certificate is recognised under the IAF Multilateral Recognition Arrangement. An unaccredited one is not, and enterprise buyers and regulators treat it as insufficient. ISO/IEC 42006:2025 sets the rules these bodies operate under, with AI-specific requirements on auditor competence and audit-time calculation.

The publicly accredited bodies as at mid-2026 include BSI, the first with triple UKAS, RvA, and ANAB accreditation; Schellman, the first ANAB-accredited body and the auditor of Anthropic, Microsoft, and KPMG among others; DNV, accredited by RvA since 2024 and the body most directly connected to maritime assurance; A-LIGN; LRQA, UKAS-accredited in 2025; Bureau Veritas; SGS; and TÜV SÜD. Always verify a body's accreditation status against the accreditation body's public register and confirm that ISO/IEC 42001 sits within its explicit scope.[2][6]


06 Support

The Supporting Standards

Only ISO/IEC 42001 is certifiable. A family of supporting standards underpins its implementation as guidance.

Standard | Role
ISO/IEC 22989:2022 | Concepts and terminology. A normative reference in 42001, so its definitions bind the standard.
ISO/IEC 23053:2022 | Framework for AI systems using machine learning. Architectural framing useful where machine learning dominates, as it does in most maritime use cases.
ISO/IEC 23894:2023 | Guidance on AI risk management. Mirrors ISO 31000:2018 and is the natural reference for the Clause 6.1.2 risk assessment.
ISO/IEC 42005:2025 | AI system impact assessment. The companion methodology for the Annex A.5 impact-assessment controls, with Annex A mapping directly to ISO/IEC 42001.
ISO/IEC 42006:2025 | Requirements for certification bodies. Builds on ISO/IEC 17021-1 and makes accredited certification consistent and credible across borders.
ISO/IEC TR 24027, 24028, 24029 | Technical reports on bias, trustworthiness, and robustness of neural networks. They give depth to specific Annex A controls without carrying certification.
ISO/IEC 38507:2022 | Governance implications of AI for boards and governing bodies.

ISO/IEC 42005, published in 2025, and ISO/IEC 42006, also published in 2025, are the two most relevant companions for an organisation pursuing certification: the first shapes the impact assessments the standard requires, and the second sets the rules the auditor follows.[7][8]


07 Regulation

Where ISO/IEC 42001 Sits in the Regulatory Picture

Certification sits alongside regulation. It supports compliance and signals good governance, and in one important case it can be mistaken for a legal conformity statement it does not provide. This section sets out the relationships clearly.

The EU AI Act, the critical distinction

ISO/IEC 42001 is not a harmonised standard under the EU AI Act and does not confer presumption of conformity under Article 40. Article 17 of the AI Act requires providers of high-risk AI systems to maintain a quality management system, and the harmonised standard being developed to fulfil that role is prEN 18286, Artificial intelligence, Quality management system for EU AI Act regulatory purposes. On 30 October 2025, prEN 18286 became the first harmonised AI standard to enter public enquiry, developed by CEN-CENELEC committee JTC 21 under accelerated procedures, with a target of Q4 2026 for publication. Presumption of conformity will arise only once a final standard is cited in the Official Journal of the EU. Annex D of prEN 18286 maps to ISO/IEC 42001 Annex A, so a 42001-certified organisation can carry its existing controls across.[9][10]

ISO/IEC 42001 builds the management-system spine and the evidence the AI Act will demand. The legal conformity statement is a separate instrument, and it is still in development.

The practical posture is straightforward. Implement ISO/IEC 42001 to build the management-system spine and produce the evidence the AI Act will require, and track prEN 18286 as the standard that delivers the legal conformity position. A certificate from a vendor that implies 42001 already satisfies the AI Act warrants caution.

The United States and Australia

In the United States, ISO/IEC 42001 maps cleanly onto the NIST AI Risk Management Framework's Govern, Map, Measure, and Manage functions, and several state laws, including the Colorado AI Act and the Texas Responsible AI Governance Act, recognise alignment with frameworks like 42001 as evidence of reasonable care.[11] In Australia, the Voluntary AI Safety Standard and the December 2025 National AI Plan explicitly align with AS ISO/IEC 42001:2023 and the NIST framework, and the National AI Plan confirms Australia will rely on existing frameworks rather than a standalone AI Act.[12]


08 Maritime

Maritime Relevance

AI now runs across the maritime value chain, and ISO/IEC 42001 is designed to integrate with the management systems the sector already operates rather than replace them.

Where AI already sits

Shipping operators use AI in route and voyage optimisation, bunker and emissions management, predictive maintenance, AI-assisted bridge decision support, and crew and HR systems. Ports and terminals use it in berth allocation, port-call optimisation, gate recognition, and autonomous yard equipment. Classification societies are deploying AI-powered visual analysis for corrosion and crack detection, drone and ROV remote surveys, and digital twins. Marine insurers and P&I interests use AI in claims triage, fraud detection, and underwriting. Shipbuilders use it in generative design and robotic welding quality assurance. And maritime professional services use it in chartering platforms, document automation, sanctions screening, and ESG reporting.

Integration with existing maritime systems

ISO/IEC 42001 extends the management-system thinking maritime organisations already practise:

  • ISM Code safety management system. Cyber risks have been required in the safety management system since IMO Resolution MSC.428(98) took effect on 1 January 2021. Adding AI governance into the same thinking, particularly for autonomous and decision-support systems used on board, is a natural extension.[13]
  • ISO 9001 and ISO 14001. Both share the Annex SL structure with 42001, so the scaffolding is already in place.
  • ISO/IEC 27001. Annex D of 42001 explicitly contemplates integration with an information security system. For cyber programmes aligned with IACS Recommendation No. 166 and the IMO maritime cyber risk guidelines, an information security system plus an AI system is the most coherent posture.
  • IACS UR E26 and E27. Cyber resilience requirements for new ships contracted on or after 1 July 2024.
  • USCG Cybersecurity in the Marine Transportation System final rule. Effective 16 July 2025, alongside equivalent flag-state cyber regimes.[14]

Classification society activity

DNV is the most directly engaged. It is accredited by RvA as a certification body for ISO/IEC 42001, publishes a guide to certification and a recommended practice on AI assurance (DNV-RP-0671), released an October 2025 position paper on the assurance of AI-enabled systems drawing on its maritime and energy heritage, and has delivered ISO/IEC 42001 training at the Arab Academy for Science, Technology and Maritime Transport, generating the first peer-reviewed maritime-sector case study. Bureau Veritas offers certification globally and is the parent of an IACS classification society. LRQA, originally part of the Lloyd's Register group, achieved UKAS accreditation in 2025. As at mid-2026, no instruments from the IMO or IACS reference ISO/IEC 42001, and the IMO MASS Code remains on a trajectory toward a non-mandatory version, experience-building from 2026 to 2028, and mandatory adoption later.[5][15]

The open field

As at mid-2026, no maritime operator, port, classification society as the certified entity, P&I club, marine insurer, or shipbuilder has been publicly identified as certified to ISO/IEC 42001. The closest signals are DNV's role as an accredited certification body and its maritime training. An early-mover certification by a major shipping line, port authority, classification society, or marine insurer would be first of kind, a procurement and reputation asset of the same character as early ISO 14001 and ISO/IEC 27001 adoption in their day.[5]


09 Application

Certification Readiness by Maritime Segment

Each maritime segment carries a different AI footprint, and therefore a different starting point for scoping a management system. The table maps segments to their characteristic AI use cases and the natural scope and integration path for ISO/IEC 42001.

Segment | Characteristic AI use cases | Natural scope and integration
Shipping operators | Voyage and weather routing, emissions reporting, predictive maintenance, bridge decision support, crew and HR | Scope to a defined vessel cohort; integrate with ISM Code SMS and ISO/IEC 27001
Ports and terminals | Berth allocation, port-call optimisation, gate recognition, autonomous yard equipment, demand forecasting | Scope to named terminals; integrate with ISO 9001 and information security
Classification societies | AI visual survey, drone and ROV inspection, condition-based surveys, digital twins | Certify the survey AI management system; align with assurance heritage
Marine insurers and P&I | Claims triage, fraud detection, underwriting, loss-prevention analytics | Scope to underwriting and claims AI; integrate with existing risk governance
Yacht and superyacht management | Decision support, predictive maintenance, cyber-resilience and onboard systems | Tightly scoped system; strong overlap with cyber and ISM thinking
Shipbuilders and OEMs | Generative design, robotic welding QA, AI-assisted class submissions | Scope to design and QA AI; integrate with ISO 9001
Maritime professional services | Chartering platforms, document automation, sanctions screening, ESG reporting | Scope to the AI-enabled service lines; integrate with existing quality and security systems

Across every segment, the most effective cost-control lever is a deliberately narrow initial scope. Certifying a full enterprise AI estate in the first cycle is the most common cause of cost overrun.


10 Readiness

What It Takes Internally

Certification is an organisational undertaking, and the factors below determine whether a programme moves or stalls.

1. Leadership commitment

Clause 5 requires top-management approval of the AI policy and visible accountability. The single most cited cause of slow adoption is failure to secure leadership alignment.

2. Cross-functional resourcing

Legal, data, security, engineering, operations, and product all need representation. A working system typically requires the equivalent of half to two full-time roles during implementation.

3. Existing management-system maturity

An ISO/IEC 27001 system is the biggest accelerator, reducing implementation cost by thirty to fifty per cent and timeline by forty to sixty per cent. An ISM Code system provides a strong cultural head start.

4. A complete AI system inventory

Many organisations underestimate how many AI systems they run, including third-party AI inside SaaS tools. Inventory gaps are the most common Stage 1 nonconformity.

5. Data governance maturity

The Annex A.7 controls demand provenance, quality, and management discipline. Organisations without a mature data catalogue face the most uplift here.

6. Culture and competence

Clause 7.2 requires defined competence and training, and AI literacy across the workforce is now an audit topic.

Common failure points

The recurring failure points are inventory gaps that surface at Stage 1, unclear accountability with no designated AI risk owner or concerns-reporting channel, immature impact assessments, documentation produced as the goal rather than as evidence of working controls, treating certification as a one-off project rather than an ongoing system, and auditor capacity constraints, with demand outstripping accredited auditor supply through 2025 and 2026.


11 Timeline

Standards and Certification Timeline

The dates below track the development of the standard and the certification market. Rows marked Active are in force now.

Date | Milestone | Status
1 Jan 2021 | Cyber risk required in ISM safety management systems (IMO MSC.428(98)) | Active
19 Dec 2023 | ISO/IEC 42001:2023 published, the first AI management system standard | Active
Jul 2024 | IACS UR E26 and E27 apply to new ships contracted on or after this date | Active
Oct 2024 | KPMG Australia becomes the first organisation certified by BSI | Active
Nov 2024 | AWS becomes the first major cloud provider certified | Active
Jan 2025 | Anthropic certified (audited by Schellman) | Active
May 2025 | ISO/IEC 42005:2025 (AI system impact assessment) published | Active
Jul 2025 | ISO/IEC 42006:2025 (rules for certification bodies) published | Active
16 Jul 2025 | USCG Cybersecurity in the Marine Transportation System rule effective | Active
Oct 2025 | DNV position paper on assurance of AI-enabled systems published | Active
30 Oct 2025 | prEN 18286 becomes the first harmonised AI standard to enter public enquiry | Active
Dec 2025 | Australian National AI Plan aligns with AS ISO/IEC 42001 and NIST AI RMF | Active
Jan 2026 | Around 100 organisations publicly certified worldwide | Active
Q4 2026 | prEN 18286 targeted for publication under CEN-CENELEC accelerated procedures | Upcoming
2028 onward | IMO MASS Code mandatory adoption trajectory | Upcoming

12 Action

Recommendations

The steps below move an organisation from a low-cost, high-signal first action through to a scoped and audited management system.

Stage 1, within 60 days

1. Commission an internal AI-system inventory

Across operations, technical, commercial, and shoreside support, including embedded AI in third-party SaaS. This single deliverable determines the realistic scope and cost of certification.

2. Brief the board on the distinction

Between ISO/IEC 42001 as a voluntary, certifiable governance baseline and the EU AI Act with prEN 18286 as a legal obligation for high-risk AI. Misalignment here is the most expensive planning-stage mistake.

3. Confirm existing certifications

Where an ISO/IEC 27001 or ISO 9001 system exists, scope the AI system as an extension under Annex D guidance. Where none exists, treat ISO/IEC 27001 as a candidate prerequisite or parallel programme.

Stage 2, within 6 months

4. Run an accredited-body gap analysis

Against Clauses 4 to 10 and Annex A. DNV suits the maritime context given its accreditation and maritime assurance heritage, and BSI offers the strongest cross-jurisdiction recognition through triple accreditation. Obtain quotes from at least three accredited bodies.

5. Narrow the initial scope deliberately

For example the AI used in voyage optimisation and predictive maintenance on a defined vessel cohort, or the AI used in port-call optimisation at named terminals.

6. Designate a single accountable AI risk owner

Establish a concerns-reporting channel, and approve a board-signed AI policy.

7. Invest in two to three internal Lead Implementer or Lead Auditor qualifications

Recognised personnel certifications such as PECB Lead Implementer or Lead Auditor build internal capability and reduce reliance on external consultants.

Stage 3, months 6 to 12

8. Stand up the management system

Using ISO/IEC 42005 for impact assessments and ISO/IEC 23894 for risk management. Integrate with ISM Code audit cycles where possible to avoid duplicate audit days.

9. Run a full internal audit and management review

Before booking Stage 1.

10. Schedule Stage 1 with a four-to-eight-week gap to Stage 2

To allow remediation of any Stage 1 findings.

Benchmarks that would change the strategy

If prEN 18286 is published in the Official Journal as a harmonised standard before a planned Stage 2 date, sequence prEN 18286 conformity work alongside the 42001 programme, using the Annex D mapping, to capture presumption of conformity under the AI Act. If a major shipping peer, classification society, or port announces certification first, accelerate, because the procurement-differentiation argument compresses quickly. If the AI footprint expands materially during implementation, pause and re-scope, since scope creep at Stage 2 is the most common cause of cost overrun. And if auditor capacity at the preferred body slips past six months, consider engaging a second accredited body in parallel.


13 Method

Caveats and Provisional Positions

This is a first-edition report, written for a fast-moving certification market. The positions below are accurate as at June 2026 and carry the qualifications noted.

Number of Annex A controls. Thirty-eight controls in nine objectives is the dominant published count. A minority of sources cite thirty-seven controls or ten objectives, reflecting numbering convention. Validate against the standard itself.

Cost and timeline ranges. These diverge widely across published sources in a market with limited pricing transparency. Treat every figure as indicative and confirm through accredited-body quotes.

EU AI Act legal effect. ISO/IEC 42001 is not a harmonised standard under the AI Act and does not confer presumption of conformity. prEN 18286 is the harmonised standard in development, in public enquiry since 30 October 2025 and targeted for Q4 2026. This is the single most important caveat in this report.

Accreditation and adoption move quickly. The list of accredited bodies and certified organisations expands monthly. Verify accreditation status on the accreditation body's public register before contracting, and treat any adoption count as a point-in-time figure.

Maritime adoption. As at mid-2026, no maritime operator, port, P&I club, marine insurer, classification society as the certified entity, or shipbuilder has been publicly identified as certified. This may change rapidly, and the absence is itself a planning input.

Certification certifies the system, not the model. A certificate does not exempt an autonomous-vessel system from class approval, IMO and IACS rules, or flag-state requirements, and it does not certify the safety or fitness for purpose of any AI product. Personnel certification, such as a Lead Implementer qualification, prepares people but does not certify the organisation.

This report is open to peer review, industry feedback, and correction. If you identify positions that would benefit from refinement, I welcome hearing from you.


14 Conclusion

Conclusion

ISO/IEC 42001 gives a maritime organisation a way to answer the AI governance question with independent evidence rather than assertion. It certifies the system of governance around an organisation's AI: the policy, the accountability, the risk and impact assessments, the controls, the monitoring, and the review. It is built on a structure the maritime sector already runs through ISM, ISO 9001, and ISO/IEC 27001, which means the path to certification builds on foundations most operators already hold.

Maritime is an open field. An early-mover certification would be first of kind, a procurement and reputation asset of the same character as early ISO 14001 and ISO/IEC 27001 adoption in their day.

Two points carry the most weight. The first is a boundary: ISO/IEC 42001 is a governance baseline and a trust signal, and the legal conformity statement for the EU AI Act is a separate instrument, prEN 18286, still in development. Treating the certificate as a regulatory shield is the error to avoid. The second is an opportunity: as at mid-2026 no maritime operator, port, classification society, or insurer has been publicly certified. The leaderboard is empty, and the organisation that moves first holds the advantage.

Implement the standard to build the management-system spine and the evidence regulators will ask for. Scope it narrowly, integrate it with the systems already in place, and move while the field is open.

The practical route is clear. Build an AI system inventory, brief the board on the governance-versus-conformity distinction, confirm which existing certifications can carry the scope, run an accredited-body gap analysis, and scope the first certification narrowly around a defined cohort or service line. The maritime sector has always treated assurance as a discipline. Extending that discipline to how AI is governed is the natural next step, and one this sector is well-equipped to take first.


15 Sources

References

  [1] ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system
  [2] ISO/IEC 42006:2025, Requirements for bodies providing audit and certification of AI management systems
  [3] BCG, Among First 100 Organizations Globally Certified for ISO/IEC 42001 (27 January 2026)
  [4] Anthropic achieves ISO 42001 certification (13 January 2025); AWS and Google Cloud ISO/IEC 42001 certifications
  [5] KPMG Australia, first organisation certified by BSI (17 October 2024); accredited bodies and certified organisations overview
  [6] ISO/IEC 42006 and the role of accreditation bodies (UKAS, ANAB, RvA, BSI, DNV)
  [7] ISO/IEC 42005:2025, AI system impact assessment
  [8] ISO/IEC 23894:2023, Guidance on AI risk management, and the ISO/IEC 42000-series overview
  [9] prEN 18286, Quality management system for EU AI Act regulatory purposes (CEN-CENELEC, public enquiry from 30 October 2025)
  [10] CMS, Analysis of prEN 18286 and its Annex D mapping to ISO/IEC 42001
  [11] NIST AI Risk Management Framework (January 2023)
  [12] National AI Plan and Guidance for AI Adoption, Department of Industry, Science and Resources
  [13] IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems; ISM Code
  [14] USCG Cybersecurity in the Marine Transportation System final rule (effective 16 July 2025); IACS UR E26 and E27
  [15] DNV, ISO/IEC 42001 certification and AI assurance (recommended practice DNV-RP-0671)