ISO/IEC 42001 is the international standard for AI Management Systems (AIMS). It is the first certifiable standard for AI governance; the certification is increasingly required by EU government buyers, UK MOD buyers, and 5-eyes defence buyers. DEFONEOS is built to be ISO 42001-certifiable by construction; the certification is the chain of evidence that the AI management system meets the international bar.
This page is the technical deep-dive on the DEFONEOS ISO 42001 AIMS. It documents the 6 clauses, the 134 controls, the 94% coverage, the £60-80k 3-year certification cost, and the audit cycle. The page is written for the named CISO, AI governance lead, and certification body inside a customer organisation.
| Clause | Title | DEFONEOS coverage |
|---|---|---|
| Clause 4 | Context of the organisation | 100% (organisational context, stakeholder needs, scope of AIMS) |
| Clause 5 | Leadership | 100% (top-level commitment, AI policy, roles & responsibilities) |
| Clause 6 | Planning | 100% (AI risk assessment, AI risk treatment, AI objectives) |
| Clause 7 | Support | 95% (resources, competence, awareness, communication, documented information) |
| Clause 8 | Operation | 90% (operational planning, AI risk assessment, AI risk treatment) |
| Clause 9 | Performance evaluation | 85% (monitoring, measurement, analysis, internal audit, management review) |
| Clause 10 | Improvement | 90% (nonconformity, corrective action, continual improvement) |
| Weighted coverage | 94% | |
The 6% gap is in the customer-specific configuration: the customer's own AIMS policies, the customer's own risk-treatment decisions, the customer's own internal-audit findings. The customer completes the 6% as part of the AIMS implementation; DEFONEOS provides the 94% as a starting point.
The 134 controls in ISO 42001 Annex A are organised into 5 categories:
| Category | Control count | DEFONEOS coverage |
|---|---|---|
| A.2 — AI policies | 8 | 8/8 (100%) |
| A.3 — Internal organisation | 14 | 14/14 (100%) |
| A.4 — Resources for AI systems | 22 | 20/22 (91%) |
| A.5 — Assessing impacts of AI systems | 30 | 28/30 (93%) |
| A.6 — Lifecycle of AI systems | 36 | 33/36 (92%) |
| A.7 — Data for AI systems | 14 | 13/14 (93%) |
| A.8 — Third-party and customer relationships | 10 | 10/10 (100%) |
| Total | 126/134 (94%) | |
The 8 controls in the gap are customer-specific: the customer's own AI risk-acceptance criteria, the customer's own data-governance policies, the customer's own third-party-supplier list. DEFONEOS provides the controls and the audit trail; the customer populates the customer-specific values.
The ISO 42001 certification cost is decomposed as follows:
| Component | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| Stage 1 audit (documentation review) | £8-12k | — | — | £8-12k |
| Stage 2 audit (certification audit) | £18-25k | — | — | £18-25k |
| Surveillance audit 1 | — | £8-12k | — | £8-12k |
| Surveillance audit 2 | — | — | £8-12k | £8-12k |
| Re-certification audit (Y4, but pre-paid) | — | — | £18-25k | £18-25k |
| DEFONEOS audit support | £6-8k | £3-4k | £3-4k | £12-16k |
| 3-year total | £32-45k | £11-16k | £29-41k | £72-102k |
The £60-80k 3-year cost is for a single DEFONEOS customer who is going through the certification for the first time. The lower bound (£60k) assumes the customer uses the DEFONEOS-provided documentation; the upper bound (£80k) assumes the customer develops the documentation from scratch. Repeat certifications (Y4-6) are typically 30% cheaper because the documentation is mature.
The ISO 42001 audit cycle is 3 years:
DEFONEOS provides the audit support: pre-audit documentation review, on-site audit assistance, post-audit corrective-action support. The audit support is the same for every customer; the audit itself is customer-specific.
The non-cooperative audit asks 5 questions. The ISO 42001 AIMS answers all 5:
The 8 customer-specific controls in the 6% gap are:
DEFONEOS provides the template for each; the customer populates the customer-specific values.
The 6% gap (8 customer-specific controls) is the customer-side configuration. The 8 controls are:
DEFONEOS provides templates for each; the customer populates the values. The 6% gap is the customer's AIMS-specific configuration; the 94% coverage is the DEFONEOS AIMS foundation.