What Each Framework Is (and Isn't)
ISO/IEC 42001:2023
The first international standard for AI management systems. Published December 2023 by ISO/IEC JTC 1/SC 42. It's a certifiable management system standard following the Annex SL structure — the same skeleton as ISO 27001, 9001, and 14001. It tells you what you shall do to manage AI responsibly. 39 Annex A controls across 4 themes. Organisations can achieve third-party certification through accredited certification bodies.
NIST AI RMF 1.0
A voluntary risk management framework published January 2023 by the US National Institute of Standards and Technology. Organised around 4 functions (Govern, Map, Measure, Manage) with 19 categories and roughly 72 subcategories. It tells you how to think about AI risk. You can't get "NIST AI RMF certified" — no such certification exists. Complemented by the AI RMF Playbook and NIST AI 600-1, the Generative AI Profile published July 2024.
What neither framework does: Neither is designed specifically for EU AI Act compliance. Neither covers conformity assessment, CE marking, database registration, or mandatory incident reporting. They provide the governance backbone — the regulation provides the legal obligations. For the full crosswalk, see the Framework Mapping Guide.
ISO 42001 vs NIST AI RMF: Head-to-Head
16 dimensions compared. Bookmark this table — it's the reference document your GRC team will keep coming back to.
| Dimension | ISO/IEC 42001:2023 | NIST AI RMF 1.0 |
|---|---|---|
| Origin | ISO/IEC (international) | NIST (US federal) |
| Published | December 2023 | January 2023 |
| Type | Management system standard | Voluntary risk management framework |
| Certifiable | Yes (third-party audit by accredited body) | No (no NIST certification exists) |
| Structure | Clauses 4–10 (Annex SL) + 39 Annex A controls | 4 functions, 19 categories, ~72 subcategories |
| Prescriptiveness | High — "shall" requirements | Low — descriptive, flexible |
| Integrates with | ISO 27001, ISO 9001, ISO 14001 (shared Annex SL) | NIST CSF 2.0, NIST SP 800-53, other NIST frameworks |
| Risk approach | AIMS-integrated risk treatment with Statement of Applicability | Risk management lifecycle (Map → Measure → Manage) |
| Documentation burden | Heavy (management system docs, SOA, audit records) | Light (profiles, playbooks, flexible format) |
| Cost to implement | Higher ($15K–$40K for certification + implementation) | Lower (no certification cost, flexible adoption) |
| Time to implement | 4–9 months (depending on existing systems) | 2–6 months (flexible, no formal milestones) |
| EU AI Act alignment | Stronger for QMS (Article 17), risk treatment, documentation | Stronger for risk identification (MAP) and measurement (MEASURE) |
| US regulatory alignment | Recognised internationally | De facto US federal/defence standard |
| Best for | EU-facing companies, regulated industries, certification-seeking orgs | US-centric operations, flexible adoption, risk methodology needed |
| Adoption signal | 76% of organisations plan to adopt (Sprinto 2025) | Widely adopted in US federal/defence context |
| GenAI coverage | General (covers all AI types) | Specific: NIST AI 600-1 GenAI Profile (July 2024) |
How to Decide: Five Scenarios That Determine Your Choice
This isn't an either/or decision for most organisations. It's a sequencing decision. The question is which to start with, not which to choose exclusively.
Scenario 1: You Already Have ISO 27001
Implement ISO 42001. Same Annex SL structure, shared infrastructure — policies, internal audit, management review, document control. You're extending your existing management system, not building a new one. Integration is straightforward: 4–6 months if your ISMS is mature.
Scenario 2: You Serve EU Customers or Face EU Procurement
ISO 42001 first. EU procurement increasingly asks for certifiable AI governance evidence. ISO 42001 certification is the clearest proof. NIST AI RMF is recognised but not certifiable — procurement teams can't verify it through an independent audit.
Scenario 3: You Need Risk Methodology Without Certification
NIST AI RMF first. It's faster to adopt, more flexible, and the Playbook provides concrete implementation guidance. You can always add ISO 42001 certification later once you've established the risk management discipline.
Scenario 4: You Need Both EU and US AI Governance
Implement both. ISO 42001 provides the management system backbone. NIST AI RMF provides the risk identification and measurement methodology inside the ISO 42001 framework. Use NIST MAP/MEASURE as your operational playbook for ISO 42001 Clauses 6 and 8.
Scenario 5: You're a Startup With Limited Resources
Start with NIST AI RMF. It's free, flexible, and doesn't require formal certification. Get your risk management discipline established first. Add ISO 42001 when customer or investor pressure justifies the certification investment.
| Your Situation | Start With | Why |
|---|---|---|
| Have ISO 27001 | ISO 42001 | Shared Annex SL infrastructure, fastest path |
| EU customers / procurement | ISO 42001 | Certifiable proof for procurement requirements |
| Need risk methodology only | NIST AI RMF | Faster, flexible, free, concrete playbook |
| EU + US dual governance | Both (ISO 42001 backbone + NIST methods) | Complementary, not competing |
| Startup, limited resources | NIST AI RMF | Zero cost, add certification when justified |
Integration model: ISO 42001 provides the management system backbone; NIST AI RMF provides the risk methodology engine inside it.
Using Both Frameworks: The Integration Model
ISO 42001 gives you the system structure: policies, roles, risk treatment process, controls, internal audit, management review, continual improvement. That satisfies EU AI Act Article 17 (quality management system) better than any alternative. NIST AI RMF gives you the risk methodology engine: its GOVERN function parallels ISO 42001 Clause 5. MAP and MEASURE provide more granular risk identification and assessment techniques than ISO 42001 Clause 6.1 alone. MANAGE aligns with ISO 42001 Clause 8.
| ISO 42001 clause | NIST AI RMF function | Use it for |
|---|---|---|
| Clause 6 (Planning) | MAP | Risk identification |
| Clause 8.2 (AI risk treatment) | MEASURE | Quantitative assessment |
| Clause 9 (Performance evaluation) | MANAGE | Ongoing monitoring methodology |
| Clause 10 (Improvement) | GOVERN | Organisational governance cadence |
Framework Analysis Tool
ISO/NIST Gap Analyzer: map your current controls against both frameworks and identify EU AI Act gaps.
Full three-way mapping: For the complete ISO 42001 ↔ NIST AI RMF ↔ EU AI Act crosswalk, see the Framework Mapping Guide.
FAQ: ISO 42001 vs NIST AI RMF
Can I get NIST AI RMF certified?
Does ISO 42001 certification mean I'm EU AI Act compliant?
How long does ISO 42001 implementation take?
How much does ISO 42001 certification cost?
What is NIST AI 600-1?
Do I need both ISO 42001 and ISO 27001?
Need Guided Framework Implementation?
E2 Workshop ($999): 2–3 weeks of guided ISO 42001 or NIST AI RMF implementation. Advisory ($4,999): full 32-week programme through ISO 42001 certification readiness.
View Workshops & Advisory →
Disclaimer & Limitations
This guide is for educational and informational purposes only. It does not constitute legal, regulatory, or certification advice. EU AI Compass tools are educational aids. Consult qualified legal counsel and your certification body before making compliance decisions. Move78 International Limited is not a certification body. All regulatory references are accurate as of the publication date. ISO 42001 cost and timeline estimates are indicative and vary by scope, location, and certification body.
