ISO/IEC — International Organization for Standardization
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) collaborate on information technology standards. Joint Technical Committee 1 (JTC 1) and its Subcommittee 42 (SC 42) on Artificial Intelligence are responsible for AI-related standards.
AI Security Role
ISO/IEC produces the only certifiable AI management system standard (ISO/IEC 42001:2023), giving it unique significance in compliance-driven contexts. ISO standards must be purchased and are not freely available, limiting community access compared to NIST or OWASP.
Q1 2026 Activity
- ISO/IEC 42006:2025 — finalized requirements for AI management system audit and certification bodies; enables consistent third-party certification
- ISO/IEC 27090 — AI cybersecurity guidance; FDIS ballot opened March 12, 2026; publication expected mid-2026; guidance-only (not certifiable)
- ISO/IEC 42001 base standard unchanged; no amendment or revision planned for 2026
Key Standards
| Standard | Description | Status |
|---|---|---|
| ISO/IEC 42001:2023 | AI Management System (certifiable) | Published; active |
| ISO/IEC 42006:2025 | AIMS audit and certification body requirements | Published Q1 2026 |
| ISO/IEC 27090 | AI cybersecurity guidance | FDIS ballot (mid-2026 publication) |
| ISO/IEC 23894 | AI risk management guidance | Active |
| ISO/IEC 27001 | Information security management | Active; no AI-specific controls |
EU AI Act Relationship
ISO/IEC 42001 is positioned as a primary compliance pathway for the EU AI Act, but the harmonized standards being developed by CEN/CENELEC (prEN 18282, ETSI prEN 304 223) are separate from ISO/IEC 42001 and still in development (targeting end of 2026).