What Each Framework Is (and Isn't)
ISO/IEC 42001:2023
The first international standard for AI management systems. Published December 2023 by ISO/IEC JTC 1/SC 42. It's a certifiable management system standard following the Annex SL structure — the same skeleton as ISO 27001, 9001, and 14001. It tells you what you shall do to manage AI responsibly. 39 Annex A controls across 4 themes. Organisations can achieve third-party certification through accredited certification bodies.
NIST AI RMF 1.0
A voluntary risk management framework published January 2023 by the US National Institute of Standards and Technology. Organised around 4 functions (Govern, Map, Measure, Manage) with 19 categories and roughly 72 subcategories. It tells you how to think about AI risk. You can't get "NIST AI RMF certified" — no such certification exists. Complemented by the AI RMF Playbook and NIST AI 600-1, the Generative AI Profile published July 2024.
What neither framework does: Neither is designed specifically for EU AI Act compliance. Neither covers conformity assessment, CE marking, database registration, or mandatory incident reporting. They provide the governance backbone — the regulation provides the legal obligations. For the full crosswalk, see the Framework Mapping Guide.
ISO 42001 vs NIST AI RMF: Head-to-Head
16 dimensions compared. Bookmark this table — it's the reference document your GRC team will keep coming back to.
| Dimension | ISO/IEC 42001:2023 | NIST AI RMF 1.0 |
|---|---|---|
| Origin | ISO/IEC (international) | NIST (US federal) |
| Published | December 2023 | January 2023 |
| Type | Management system standard | Voluntary risk management framework |
| Certifiable | Yes (third-party audit by accredited body) | No (no NIST certification exists) |
| Structure | Clauses 4–10 (Annex SL) + 39 Annex A controls | 4 functions, 19 categories, ~72 subcategories |
| Prescriptiveness | High — “shall” requirements | Low — descriptive, flexible |
| Integrates with | ISO 27001, ISO 9001, ISO 14001 (shared Annex SL) | NIST CSF 2.0, NIST SP 800-53, other NIST frameworks |
| Risk approach | AIMS-integrated risk treatment with Statement of Applicability | Risk management lifecycle (Map → Measure → Manage) |
| Documentation burden | Heavy (management system docs, SOA, audit records) | Light (profiles, playbooks, flexible format) |
| Cost to implement | Higher ($15K–$40K for certification + implementation) | Lower (no certification cost, flexible adoption) |
| Time to implement | 4–9 months (depending on existing systems) | 2–6 months (flexible, no formal milestones) |
| EU AI Act alignment | Stronger for QMS (Article 17), risk treatment, documentation | Stronger for risk identification (MAP) and measurement (MEASURE) |
| US regulatory alignment | Recognised internationally | De facto US federal/defence standard |
| Best for | EU-facing companies, regulated industries, certification-seeking orgs | US-centric operations, flexible adoption, risk methodology needed |
| Adoption signal | 76% of organisations plan to adopt (Sprinto 2025) | Widely adopted in US federal/defence context |
| GenAI coverage | General (covers all AI types) | Specific: NIST AI 600-1 GenAI Profile (July 2024) |
How to Decide: Five Scenarios That Determine Your Choice
This isn't an either/or decision for most organisations. It's a sequencing decision. The question is which to start with, not which to choose exclusively.
Scenario 1: You Already Have ISO 27001
Implement ISO 42001. Same Annex SL structure, shared infrastructure — policies, internal audit, management review, document control. You're extending your existing management system, not building a new one. Integration is straightforward: 4–6 months if your ISMS is mature.
Scenario 2: You Serve EU Customers or Face EU Procurement
ISO 42001 first. EU procurement increasingly asks for certifiable AI governance evidence. ISO 42001 certification is the clearest proof. NIST AI RMF is recognised but not certifiable — procurement teams can't verify it through an independent audit.
Scenario 3: You Need Risk Methodology Without Certification
NIST AI RMF first. It's faster to adopt, more flexible, and the Playbook provides concrete implementation guidance. You can always add ISO 42001 certification later once you've established the risk management discipline.
Scenario 4: You Need Both EU and US AI Governance
Implement both. ISO 42001 provides the management system backbone. NIST AI RMF provides the risk identification and measurement methodology inside the ISO 42001 framework. Use NIST MAP/MEASURE as your operational playbook for ISO 42001 Clauses 6 and 8.
Scenario 5: You're a Startup With Limited Resources
Start with NIST AI RMF. It's free, flexible, and doesn't require formal certification. Get your risk management discipline established first. Add ISO 42001 when customer or investor pressure justifies the certification investment.
| Your Situation | Start With | Why |
|---|---|---|
| Have ISO 27001 | ISO 42001 | Shared Annex SL infrastructure, fastest path |
| EU customers / procurement | ISO 42001 | Certifiable proof for procurement requirements |
| Need risk methodology only | NIST AI RMF | Faster, flexible, free, concrete playbook |
| EU + US dual governance | Both (ISO 42001 backbone + NIST methods) | Complementary, not competing |
| Startup, limited resources | NIST AI RMF | Zero cost, add certification when justified |
Integration model: ISO 42001 provides the management system backbone; NIST AI RMF provides the risk methodology engine inside it.
Using Both Frameworks: The Integration Model
ISO 42001 gives you the system structure: policies, roles, risk treatment process, controls, internal audit, management review, continual improvement. That satisfies EU AI Act Article 17 (quality management system) better than any alternative. NIST AI RMF gives you the risk methodology engine: its GOVERN function parallels ISO 42001 Clause 5. MAP and MEASURE provide more granular risk identification and assessment techniques than ISO 42001 Clause 6.1 alone. MANAGE aligns with ISO 42001 Clause 8.
ISO 42001 Clause 6 (Planning) → Use NIST MAP for risk identification
ISO 42001 Clause 8.2 (AI risk treatment) → Use NIST MEASURE for quantitative assessment
ISO 42001 Clause 9 (Performance evaluation) → Use NIST MANAGE for ongoing monitoring methodology
ISO 42001 Clause 10 (Improvement) → Use NIST GOVERN for organisational governance cadence
Framework Analysis Tool
ISO/NIST Gap Analyzer: map your current controls against both frameworks and identify EU AI Act gaps.
Full three-way mapping: For the complete ISO 42001 ↔ NIST AI RMF ↔ EU AI Act crosswalk, see the Framework Mapping Guide.
FAQ: ISO 42001 vs NIST AI RMF
Can you get certified against NIST AI RMF?
No. NIST AI RMF is a voluntary framework. NIST does not certify organisations and no accredited certification exists. ISO 42001 is the certifiable standard, audited by accredited third-party certification bodies.
Does ISO 42001 certification mean you comply with the EU AI Act?
No. ISO 42001 covers roughly 60 to 70 percent of the management system and governance requirements. Conformity assessment, CE marking, database registration, mandatory incident reporting, and specific documentation formats remain EU AI Act specific gaps.
How long does ISO 42001 implementation and certification take?
With an existing ISO 27001 system: 4 to 6 months to implement, then 2 to 3 months for the certification audit. Without an existing management system: 6 to 9 months. The certification audit itself takes 2 to 5 days depending on scope.
How much does ISO 42001 cost?
Implementation: internal team time plus an optional consultant at 10,000 to 30,000 USD. Certification audit: 5,000 to 15,000 USD. Annual surveillance: 3,000 to 8,000 USD. Total first year: 15,000 to 40,000 USD for a mid-market organisation. Recertification every 3 years.
What is NIST AI 600-1?
The Generative AI Profile, published July 2024. A companion to NIST AI RMF addressing 12 unique generative AI risks including confabulation, data privacy, and environmental impact, mapped to the AI RMF functions. Relevant for organisations deploying LLMs or generative AI.
Do you need ISO 42001 if you already have ISO 27001?
ISO 42001 manages AI-specific risks. ISO 27001 manages information security risks. If your AI systems process sensitive data, you benefit from both. They share the Annex SL structure, making integration efficient. Some organisations pursue integrated audits.
Need Broader AI Governance Support?
EU AI Compass focuses on free EU AI Act tools and guides. For broader cross-framework support covering governance frameworks and implementation approaches, visit Move78 International.
Disclaimer & Limitations
This guide is for educational and informational purposes only. It does not constitute legal, regulatory, or certification advice. EU AI Compass tools are educational aids. Consult qualified legal counsel and your certification body before making compliance decisions. Move78 International Limited is not a certification body. All regulatory references are accurate as of the publication date. ISO 42001 cost and timeline estimates are indicative and vary by scope, location, and certification body.
