AI Assurance with DQS: Governance, Security and Quality — Aligned.

DQS has audited management systems across 60+ countries for more than 40 years. As a globally accredited certification body, DQS extends that same track record to ISO/IEC 42001 for AI management systems, alongside ISO/IEC 27001 and ISO 9001 where AI governance integrates with existing information security and quality frameworks — giving organisations one coordinated route to demonstrable AI governance maturity.

ISO/IEC 42001-Recognised

Certification body for AI management systems

ISO/IEC 27001-Aligned Audits

Information security integration for AI-handling organisations

ISO 9001 Integration

Documented information and traceability baseline

Flexible Audit Delivery

Remote, hybrid or on-site audits — delivered wherever your AI governance team is based.

DQS AS A TRUSTED PARTNER

Accredited, global and independent — the foundation for credible AI certification.

ISO/IEC 42001 is a new standard. The accreditation, infrastructure and independence behind a DQS certificate are not. Here is what that looks like in numbers.

3,100+ Auditors worldwide

To support global standards like ISO/IEC 42001, ISO/IEC 27001 and ISO 9001 and more.

65,000+ Certified locations

Across all DQS standards — including the AI assurance portfolio.

60+ Countries

Local auditor presence across major markets — Europe, Asia-Pacific, Americas.

40+ Years of experience

Founded 1985 by DGQ and DIN — Germany's first management-system certifier.

iso-42001-certification-hong-kong.png
Loading...

The rules for AI systems have changed. Most governance structures have not.

Three shifts are happening simultaneously. Regulation has arrived — the EU AI Act sets binding obligations for high-risk AI systems, and similar frameworks are developing worldwide. AI systems themselves behave differently from conventional software, requiring governance approaches that match how they actually work. And ISO/IEC 42001 has become the reference standard regulators and customers increasingly expect to see — not in five years, but now.

The Industry Shift

AI governance is now a regulatory gate, not an internal best practice.

Where the EU AI Act applies, high-risk AI systems require documented risk management, technical documentation and human oversight — and this is increasingly assessed alongside existing ISO 9001 and ISO/IEC 27001 scopes rather than as a standalone exercise.

What's at Stake

Fragmented ownership, inconsistent documentation, failed audits.

Without a structured AI management system, organisations risk fragmented ownership across business units, inconsistent documentation, and difficulty demonstrating governance maturity to regulators or customers. Audited in silos, the same evidence gets produced — and questioned — multiple times across different parts of the business.

The DQS Approach

One audit programme across AI governance, security and quality — coordinated, calibrated, audit-ready.

  • One certification body across ISO/IEC 42001, ISO/IEC 27001 and ISO 9001
  • Aligned audit cycles, shared evidence, consistent interpretation across standards and sites
  • Independent of advisory — the separation that makes the certificate credible to regulators and customers

Implementing AI Governance: Putting ISO 42001 into Practice

Practical perspectives on integrating AI governance into operational management systems.

Find out how

AI governance does not sit in one standard — or one team.

The standards that cover AI governance overlap with information security, quality management and sector-specific regulation — not because the frameworks are redundant, but because AI systems touch all of these at once. Which combination applies depends on what you build, what you deploy, and which markets you operate in.

  • ISO/IEC 42001 — AI management system; covers risk classification, accountability and continuous monitoring
  • ISO/IEC 27001 — Information security; covers the data AI systems are trained on and process
  • ISO 9001 — Documented information and process control; the traceability baseline most AI governance builds on
  • EU MDR 2017/745 — Where AI functionality is embedded in a medical device
  • EU AI Act risk-tier obligations — regulatory driver; but the obligation framework ISO/IEC 42001 is most commonly used to address

WHICH REQUIREMENTS APPLY TO YOU

Your role in the AI value chain determines where to begin.

Your AI governance requirements depend on your role in the value chain — whether you build AI systems, deploy them operationally, distribute them, or embed them in regulated products. Here is where each role typically lands.

AI Provider / Developer

AI development

  • ISO/IEC 42001 certification — baseline
  • ISO/IEC 27001 — where development data is sensitive
  • ISO 9001 — documentation and traceability baseline
Deployer

AI in operations

  • ISO/IEC 42001 certification — governance of systems in use
  • ISO 9001 — alongside existing quality processes
Importer / Distributor

AI distribution

  • ISO/IEC 42001 alignment — governance of systems sourced from third parties
  • Conformity documentation expectations under the EU AI Act 
Regulated Products

AI in med-tech

  • ISO/IEC 42001 certification
  • EU MDR 2017/745 conformity assessment, where applicable
Financial Services / Public Sector

AI in finance

  • ISO/IEC 42001 certification
  • ISO/IEC 27001 — ICT risk and information security baseline for financial entities
  • DORA — digital operational resilience obligations for AI systems used in financial services
  • Sector-specific governance frameworks (e.g. NIST AI RMF context for US entities)

Trust in AI is no longer built through technology alone. Organisations increasingly require governance structures that remain transparent, scalable and auditable across international operations and regulatory environments.

Ingo Unger International Business Development Manager
THE AI ASSURANCE PORTFOLIO

Four certifiable layers — what each one covers and why it matters.

Each standard answers a different question — about governance, data, process control, or sector-specific compliance. 

CORE

Here is how the layers fit together.

Each layer is independently certifiable — and can be scoped individually or as part of one coordinated programme. Together they cover what regulators, customers and your own teams will ask when they review your AI programme.

AI Management System
AIMS

ISO/IEC 42001 establishes the management system for AI governance — risk management, documented information, roles and responsibilities, and continuous monitoring across the AI lifecycle.

ISO/IEC 42001 Certification — AI Management System covers risk classification, governance accountability, data management oversight, and monitoring requirements across the AI lifecycle. Applicable to organisations that develop, deploy or substantially modify AI systems. 

Your benefit: demonstrate AI governance maturity to regulators, customers and partners — with a recognised international baseline.

Data & Information Security
ISMS

How AI training data, model outputs and operational data are protected.

ISO/IEC 27001 Certification — Information Security Management addresses data security controls relevant to AI training data, model inputs and outputs, and system access. Commonly held alongside ISO/IEC 42001 where AI systems process sensitive or personal data. 

Your benefit: demonstrate secure handling of the data your AI systems depend on.

Quality & Documentation Baseline
QMS

The documentation and traceability foundation most AI governance requirements build on.

ISO 9001 Certification — Quality Management provides the documented information, process control and continuous improvement structure that ISO/IEC 42001 builds upon for organisations with an existing QMS. 

Your benefit: integrate AI governance into a structure you may already operate, rather than building a parallel system.

AI in Regulated Products
MED

EU MDR 2017/745 Conformity Assessment 

Where AI functionality is embedded in a medical device, conformity assessment under EU MDR applies in addition to AI-specific governance. Relevant for manufacturers of AI-enabled diagnostic, monitoring or decision-support devices. 

Your benefit: align AI governance with existing regulated-product compliance obligations rather than managing them separately.

Regulating AI under the EU MDR: Ensuring Compliance & Innovation

How AI governance intersects with regulatory requirements in medical and highly regulated operational environments.

Un­der­stand more
How the Requirements Fit Together

Every stakeholder is asking a different question about your AI systems.

A regulator wants to know your AI systems are under control. A customer wants to know their data is protected. Your own teams want to know who is responsible when something changes. These are not the same question — and no single standard answers all of them. That is why the right AI governance programme covers more than one layer.

Is your AI governance recognised and auditable?
AI Management System

ISO/IEC 42001 certification covers risk management, documented information and accountability across the AI lifecycle.

Is your data well governed?
Data Governance

ISO/IEC 27001 certification covers data security controls; ISO/IEC 42001 adds AI-specific data management requirements on top.

Can you demonstrate technical documentation and traceability?
Documentation & Traceability

ISO 9001 and ISO/IEC 42001 documented-information requirements together support the technical documentation expectations regulators increasingly look for.

Is human oversight built in?
Human Oversight

ISO/IEC 42001's roles-and-responsibilities clauses establish accountability for AI system oversight.

Is the system monitored after deployment?
Continuous Monitoring

ISO/IEC 42001's continuous improvement processes cover ongoing review as models, data and operational conditions change.

Is AI embedded in a regulated product?
Sector-Specific Regulation

EU MDR 2017/745 and other sector frameworks apply in addition to AI-specific governance, where relevant.

Is this recognised across multiple jurisdictions?
Multi-Jurisdictional Alignment

ISO/IEC 42001 is increasingly used as a common operational baseline referenced across the EU AI Act, the US NIST AI RMF, and emerging frameworks in China, Japan, South Korea and Brazil.

FinTech AI Governance in a Regulated Market

How organisations are addressing accountability, oversight and governance expectations in evolving international AI frameworks.

Learn more

Why regulation is driving demand for an AI Management Layer

EU AI Act applicability depends on the specific use case and risk classification set out in the Act — it is not a blanket requirement for every AI system or every organisation. Where it does apply, understanding your organisation's role as a provider, deployer or importer is the right starting point for determining what is expected of you.

ISO/IEC 42001 is widely referenced as the operational basis for demonstrating these obligations are met, though it is not itself an EU AI Act-issued certification. EU AI Act applicability depends on the specific use case and risk classification set out in the Act — it is not a blanket requirement for every AI system or every organisation.

Risk-based classification — clear obligations at every tier.

The Four Risk Tiers

The classification of AI systems determines the level of governance, documentation and oversight required. While the model provides a high-level structure, organisations must translate these categories into concrete operational measures.

1

Unacceptable Risk (Prohibited)

AI systems in this category are considered incompatible with fundamental rights and societal protections under the EU AI Act. These applications are prohibited because they present an unacceptable level of risk to individuals, public safety or democratic values. Organisations must therefore ensure that prohibited use cases are identified and excluded through appropriate governance and review mechanisms.

→ Your benefit: governance screening that filters out prohibited use cases before they create legal or reputational exposure.
2

High Risk (Strict regulatory requirements)

High-risk AI systems are subject to the most extensive regulatory obligations due to their potential impact on health, safety and fundamental rights. These systems typically require structured risk management, technical documentation, monitoring mechanisms and clearly defined human oversight throughout the AI lifecycle to ensure ongoing compliance and operational control.

→ Your benefit: documented risk management and oversight evidence that holds up to regulator, customer and procurement scrutiny.
3

Limited Risk (Transparency requirements)

Limited-risk AI systems are primarily subject to transparency requirements designed to ensure that users remain aware when interacting with artificial intelligence. Organisations must implement clear communication and disclosure practices, particularly where AI-generated content or automated interactions could otherwise create confusion or reduce transparency for users.

→ Your benefit: proportionate compliance — meeting disclosure obligations without the overhead of controls that don't apply to you.
4

Minimal Risk (Voluntary measures)

Most AI applications fall within the minimal-risk category and are not subject to specific obligations under the EU AI Act. Nevertheless, organisations increasingly recognise the value of implementing voluntary governance measures that support accountability, operational consistency and long-term readiness as regulatory expectations continue to evolve globally.

→ Your benefit: governance maturity built ahead of regulatory tightening, without unnecessary obligations today.
Multi-Jurisdictional AI Governance

One governance structure, adaptable to every market you operate in.

For multinational organisations, AI governance is rarely limited to a single legal framework or operational region — systems may be developed in one country, deployed across several jurisdictions, and integrated into globally distributed processes. While the EU AI Act remains the most comprehensive framework and the most common global reference point, jurisdictions worldwide increasingly share governance principles such as transparency, accountability, risk management and human oversight — even where the legal structure and implementation differ. The challenge isn't understanding each framework individually; it's building a governance system standardised enough for global consistency, yet adaptable enough for local regulatory expectations.

European Union

EU AI Act

The EU AI Act establishes the first comprehensive cross-sector regulatory framework for AI, with risk-based classification, transparency requirements and conformity obligations for high-risk systems. It is increasingly used as a global reference point for AI governance structure.

NIST AI RMF & emerging state regulation
United States

The US relies on a more decentralised approach: the voluntary NIST AI Risk Management Framework, federal executive orders, and a growing patchwork of state-level AI legislation. Emphasis falls on accountability, cybersecurity and operational risk management rather than one binding cross-sector law.

Generative AI and algorithmic governance
China

China has introduced multiple frameworks covering generative AI services, recommendation algorithms and algorithmic governance, with strong emphasis on provider accountability and content governance.

Trustworthy and industrial AI governance
Japan

Japan's approach emphasises voluntary, internationally interoperable governance frameworks focused on operational reliability and industrial innovation.

AI Basic Act
South Korea

South Korea's framework balances innovation with transparency and accountability obligations, with growing emphasis on risk management aligned with international trustworthy-AI discussions.

Emerging AI Governance Frameworks
Brazil & India

Both markets continue to develop AI governance through evolving frameworks rather than a single comprehensive law. Brazil is advancing risk-based AI governance proposals alongside broader digital governance initiatives, with current focus on accountability and oversight for high-impact systems. India relies on a mix of existing statutes — the IT Act, the 2026 IT Rules amendment addressing AI-generated content, and the Digital Personal Data Protection Act — together with the voluntary, principle-based AI Governance Guidelines issued in 2026, while sector regulators such as the RBI and SEBI develop AI-specific supervisory expectations of their own.

Your Approach — Step by Step

Five steps from scattered requirements to one coordinated programme.

Knowing where to start — and in what order — is usually the hardest part. The steps below help you get there without unnecessary rework.

1

Identify your requirements.

Review which AI systems are in scope, their risk classification under the EU AI Act, and how they intersect with existing ISO 9001 or ISO/IEC 27001 management systems.

→ Your benefit: clarity on scope before you invest in implementation work.
2

Assess your current setup.

Review existing management systems, audit cycles and internal AI governance responsibilities.

→ Your benefit: visibility over what already exists and what's missing.
3

Align and consolidate.

Where possible, integrate AI governance into existing certified management systems rather than building a standalone structure.

→ Your benefit: fewer duplicate audits and less internal coordination effort.
4

Prepare for emerging requirements.

EU AI Act phase-in deadlines and evolving frameworks in the US, China, Japan, South Korea and Brazil continue to develop.

→ Your benefit: you're ready when requirements land, not reacting to them.
5

Plan audit capacity early.

Secure ISO/IEC 42001 audit slots with your certification body in line with your regulatory and commercial deadlines.

→ Your benefit: protect your delivery dates and avoid last-minute constraints.

What you get when you certify with DQS.

Every engagement follows the same structure — from the first documentation review through to certificate issuance and ongoing surveillance. Whether you are certifying one standard or several, the process is consistent.

  • Pre-audit gap analysis against ISO/IEC 42001, on request
  • Stage 1 documentation review with written readiness assessment
  • Stage 2 on-site or remote audit by qualified auditors trained in ISO/IEC 42001 and AI governance requirements
  • Internationally accepted ISO/IEC 42001 certificate issued under ANAB accreditation
  • Annual surveillance audits coordinated across your full DQS scope (ISO/IEC 42001, ISO/IEC 27001, ISO 9001)
  • Re-certification audit at the end of each three-year cycle
  • Findings summary & improvement roadmap after every audit
  • Certificate validation 

WHY DQS

One audit partner across AI governance, data security and quality.

Managing AI governance obligations across multiple standards does not have to mean managing multiple certification bodies. DQS covers the full scope within one programme — so audit cycles align, evidence is shared, and findings are consistent across standards.

Loading...

What working with one partner actually looks like:

  • Audit cycles aligned across all standards in your scope — scheduling, evidence and reporting work together rather than against each other.
  • One interpretation across auditors — no conflicting findings between standards, no calibration gaps between visits.
  • Less duplication — the same evidence does not get produced, reviewed and questioned three separate times.
  • One point of contact across your full AI governance scope — from initial scoping through to certificate issuance and surveillance.
  • Independence — DQS is a certification body and does not advise on implementation. That separation is what makes a DQS-issued certificate credible to regulators, customers and procurement teams.

ISO/IEC 42001 Certification Body

ANAB-accredited (ANSI National Accreditation Board) under ISO/IEC 17021-1 for ISO/IEC 42001, the international standard for AI management systems.

ISO/IEC 27001-Aligned Audits

Accredited by DAkkS (Germany) and ANAB (US) for ISO/IEC 27001 certification, with certificates also recognized through additional national accreditation bodies internationally.

ISO 9001 Integration Experience

Backed by DAkkS, ANAB and UKAS accreditation.

Notified Body Status (EU MDR)

German notification under EU Regulation 2017/745 (MDR) via the ZLG, for AI functionality embedded in medical devices.

Sector Depth, Globally

An auditor base with established management-system experience across Europe, Asia-Pacific and the Americas, now extending into AI governance.

Ready to get started?

  • Tell us what you build, deploy or distribute
  • We identify which standards apply to your role and map the scope
  • You get one audit plan, one point of contact, one consistent approach
Request a scoping call
Questions & Answers

Frequently asked questions.

Is ISO/IEC 42001 certification mandatory under the EU AI Act?

No. The EU AI Act does not name ISO/IEC 42001 certification as a legal requirement. Where high-risk AI systems are in scope, however, ISO/IEC 42001 is widely referenced as a structured way to demonstrate the risk management, documentation and human oversight expectations the Act sets out.

Do we need both ISO/IEC 42001 and ISO/IEC 27001?

Many organisations hold both, since they cover different layers. ISO/IEC 42001 addresses AI-specific governance — risk classification, monitoring, human oversight. ISO/IEC 27001 addresses information security broadly, including the data AI systems are trained on and process. Where development data is sensitive, both are commonly held together.

What counts as a high-risk AI system under the EU AI Act?

The Act classifies AI systems into risk tiers — unacceptable, high, limited and minimal. High-risk systems are those affecting health, safety, fundamental rights, or critical infrastructure, such as certain recruitment, credit-scoring, or biometric identification systems. Exact classification depends on the specific use case set out in the Act's annexes.

How does the EU AI Act compare to the US NIST AI RMF?

The EU AI Act is a binding, cross-sector regulation with risk-tiered legal obligations. The NIST AI Risk Management Framework is a voluntary framework widely used in the US, often alongside sector-specific and state-level rules. Organisations operating in both markets typically align internal governance — often through ISO/IEC 42001 — to satisfy both consistently.

Can ISO/IEC 42001, ISO/IEC 27001 and ISO 9001 run through one certification body?

Yes. Where management systems share the common High-Level Structure used across modern ISO standards, audits can be coordinated and, where appropriate, combined into integrated audit cycles with one certification body.

Does ISO/IEC 42001 cover generative AI systems specifically?

ISO/IEC 42001 applies to AI management systems generally and isn't limited to a specific AI technique. It governs the structure around any AI system an organisation develops, deploys or uses — including generative AI — rather than prescribing technique-specific technical controls.

Do AI governance obligations apply if we use third-party AI tools rather than building our own?

The EU AI Act's obligations fall on providers and deployers differently, and deployer obligations may still apply even when the underlying AI model was sourced from a third party. Where an organisation deploys a high-risk AI tool, its own governance obligations under the Act and supporting standards may apply regardless of who built the model.

Can multi-jurisdictional AI governance be managed through one certification programme?

For many organisations, yes. While the EU AI Act, the US NIST AI RMF, and emerging frameworks in China, Japan, South Korea and Brazil differ in legal structure, they share common governance principles — transparency, accountability, risk management, human oversight. ISO/IEC 42001 is increasingly used as a common operational baseline referenced across these frameworks, with regional specifics addressed within the governance system rather than through separate certifications.