ISO/IEC 42001:2023

Get ahead of AI risk with a certified governance framework

Using AI without oversight? ISO 42001 helps you manage risk, prove accountability, and stay ahead of regulation—before clients or regulators start asking questions.
Six people working on laptops in a vibrant, lounge-style office space with colourful furniture, hanging lights, and lush plants. The setting includes a yellow ceiling, red lamp, and a bright yellow couch, creating a relaxed and creative atmosphere.

Artificial intelligence is moving fast. Many businesses are already using AI tools in marketing, customer service, product development and operations — often without clear oversight, policies or controls.

ISO/IEC 42001:2023 is the first international standard for managing AI responsibly.

It provides a framework for organisations to design, implement and maintain an Artificial Intelligence Management System (AIMS) that is ethical, transparent and secure.

LeftBrain is already helping tech scaleups and creative businesses prepare for ISO 42001, combining practical controls with strategic advice to keep you ahead of regulation and risk.

What is ISO 42001?

ISO/IEC 42001:2023 is a new standard designed to help organisations:

  • Identify and manage AI-related risks
  • Create a framework for responsible AI use
  • Build trust with customers, clients and regulators
  • Align with legal and regulatory requirements such as GDPR and intellectual property law
  • Document how AI is integrated into business processes, products and services

It builds on the structure of ISO 27001 and ISO 9001 but focuses specifically on AI systems, tools and behaviours.

Why ISO 42001 matters now

AI adoption is increasing across every industry.

From ChatGPT to custom machine learning models, businesses are using AI to write code, produce content, generate insights and automate decisions — often with little understanding of the risks.

ISO 42001 helps your organisation:

  • Define acceptable and non-acceptable uses of AI
  • Avoid reputational damage from misuse or overreliance
  • Respond to client and supply chain pressure for AI governance
  • Improve internal visibility of where and how AI is used
  • Align innovation with security, privacy and fairness

Being early to adopt ISO 42001 sends a strong signal that your business takes AI seriously.

Common AI risks we help manage

Our team has already identified five key risk areas for small to medium UK businesses:

Data privacy and security

AI tools can accidentally expose sensitive customer data, financial information or proprietary content.

Inaccuracy and bias

AI-generated outputs may be misleading or factually incorrect. Decisions made based on poor data or unchecked tools can harm performance and trust.

Workforce impact

AI-driven automation can improve efficiency but may also require upskilling or reskilling teams to avoid disconnection or resistance.

Over reliance on AI

Heavy dependence on AI systems without human review can lead to poor judgement and reduced accountability.

Compliance and legal exposure

Unregulated AI use can breach GDPR, copyright law or ethical standards, leading to fines or reputational risk.

We help you understand these risks and put controls in place that reflect your business context and risk tolerance.

Who ISO 42001 is for

While the standard is especially relevant for companies developing AI-based products or services, it also applies to businesses:

  • Using AI in marketing, automation or content production
  • Integrating AI into customer support or onboarding
  • Adopting AI tools like ChatGPT, GitHub Copilot or Midjourney
  • Managing supply chain pressure to demonstrate AI governance
  • Preparing for tender or client audit requirements

We are currently supporting clients in MarTech, FinTech, HealthTech and design-focused agencies — but the framework works for any business using or planning to use AI.

Our approach to ISO 42001

We treat ISO 42001 as part of your broader risk and compliance strategy.

You do not need to start from scratch. We build on what you already have and introduce AI-specific controls that align with how you work.

Step 1: Discovery

We assess how AI is currently used across your business, even if informally.

This includes platforms, prompts, API integrations and shadow tools.

Step 2: AI risk assessment

We perform a structured risk review based on your tools, teams and data.

This includes identifying exposure to bias, misuse, data leakage or over reliance.

Step 3: Policy and control development

We help you:

  • Define which tools are allowed or blocked
  • Write an AI usage policy that fits your business
  • Document your position on transparency, training data and review
  • Put technical controls in place such as DNS filtering or access management
  • Align with other standards you already follow, such as ISO 27001 or Cyber Essentials

Step 4: Governance and preparation

We guide you through creating an Artificial Intelligence Management System (AIMS) that meets the ISO 42001 requirements.

This includes defining objectives, responsibilities, processes and review mechanisms.

Once UKAS-accredited certification bodies are in place, you will be fully prepared to apply with confidence.

What this unlocks for your business

For leadership

  • Clear oversight of how AI is used
  • Confidence in innovation that is secure and compliant
  • A stronger market position with clients and partners

For operations and compliance

  • Documented AI use and accountability
  • Better employee guidance and enforcement
  • Reduced risk of unintentional breaches

For security and data teams

  • AI use that respects existing data governance policies
  • Technical controls that limit inappropriate use
  • Alignment with ISO 27001 and other frameworks

For your whole team

  • Clear guidance on what AI tools are approved
  • Fewer grey areas and better collaboration
  • Trust that innovation is being handled responsibly

Why LeftBrain

We have already conducted internal audits and risk reviews for our own use of AI and helped clients do the same.

We combine compliance expertise with a practical understanding of how small, fast-moving teams actually use AI.

You get:

  • A tailored risk assessment and AI usage review
  • Practical guidance on tooling, policy and control
  • Help preparing for ISO 42001 certification
  • Ongoing advice as your AI strategy evolves
“With ISO 42001 on the horizon, now is the time to prepare before clients ask the hard questions.”
Lucas Jansen Information Security Analyst, LeftBrain

Related blog posts

Two people chatting indoors by a curved window, one holding a coffee cup and smiling, surrounded by warm-toned décor and potted plants.

Balancing AI risk and innovation: preparing for ISO/IEC 42001:2023

Insights People

Find out why LeftBrain hired a Scrum Master to embed agile practices, improve team delivery, and better align with fast-moving tech clients. Agile isn’t a buzzword – it’s how we deliver.

Read story

Three people standing outdoors with arms around each other, smiling in front of a modern urban backdrop with bare trees and buildings in the distance.

LeftBrain: A National Cyber Security Centre (NCSC) Assured Service Provider

24/7 Security News

We are thrilled to announce that LeftBrain is now a National Cyber Security Centre (NCSC) Assured Service Provider for the delivery of Cyber Essentials services, also known as the Cyber Advisor scheme.

Read story

Group of people enjoying pizza outdoors on a rooftop terrace, with city buildings in the background; open pink pizza boxes on the table read “The Sauciest 12 Inches Of Your Life!” and the mood is cheerful and relaxed.

Celebrating LeftBrain’s ISO 9001 certification!

ISO 27001 News

We are thrilled to announce that LeftBrain is ISO 9001 certified! Aside from being a brilliant excuse for rooftop pizza and beer, we caught up with our Information Security team to find out more.

Read story

Ready to get ahead of the AI curve?

Let’s prepare your business for ISO/IEC 42001 and set smart, secure foundations for innovation.

Speak to an expert