BastionSec
ISO 42001

Govern your AI before you're asked to. Sell and win grants with everything in order.

ISO/IEC 42001, the AI management system (AIMS), and AI policies, in synergy with the EU AI Act and ISO 27001. Built by people who actually use AI, and govern it on themselves too.

  • We tell you upfront, honestly, whether it's worth it now.
  • Consistent: we govern AI on ourselves too.

AI is in your product. The "how do you govern it?" question is coming.

An EU grant rewarding those with AI governance. An enterprise customer who, after the usual security questionnaire, now adds questions about models, training data, bias, transparency. The EU AI Act phasing in. You have AI in the product but no formalized governance, and you wonder whether ISO 42001 is the right answer or just another new standard to chase.

What's holding you back

  • ISO 42001 is new (2023): little clarity on what's really needed.
  • Few providers do it well.
  • Fear of buying something immature or spending without a clear return.

ISO 42001, EU AI Act, ISO 27001: what they are and how they fit

ISO/IEC 42001: the certification of an AIMS (AI management system): policies, risk & impact assessment, AI system inventory, data/bias/transparency governance, AI supplier management. It's voluntary and shows customers and grant bodies you govern AI in a structured way.

EU AI Act: a regulation (legal obligation, escalating for high-risk systems). It's not a certification: it's obligations. ISO 42001 helps you prepare, but doesn't replace AI Act compliance.

ISO/IEC 27001, information security: the AIMS often builds on the ISMS. If you have (or want) 27001, 42001 integrates well.

When you reach out we separate what's a legal obligation (AI Act, where it applies to you) from what's a voluntary competitive advantage (ISO 42001), and tell you where to start.

Go deeper

The standard, and who delivers it.

ISO 42001: the service

Support for the AIMS and AI policies, integrated where ISO 27001 is in place.

Go to service

What ISO 42001 is

AIMS, its relationship with the EU AI Act, distinct scopes: the informational pillar.

Understand the standard

ISO 27001: the framework

The information security the AIMS builds on, with no duplication.

Go to service

Built by people who actually use AI

  • AI-ready analysis: we understand where and how you use AI, what grants/customers ask, what applies.
  • AIMS + AI policies: AI system inventory, AI risk & impact assessment, data/bias/transparency governance, AI supplier management.
  • Synergy with ISO 27001 / EU AI Act: one framework, no duplication.
  • Support through the accredited body's audit. We don't certify it ourselves.
  • Consistency: we actually use AI, including to speed up our own work, and we govern it on ourselves. You'll find it in our Trust Center.

"Human-Led, AI-Powered" here is the method: AI speeds up the repetitive part, people analyze and validate. Every deliverable is reviewed by an expert; data stays protected.

The objections of those who build AI

Is it worth it now, or too early?

It depends: if you have EU grants rewarding it, customer requests on AI governance, or AI in product with sensitive data, yes. Otherwise maybe not, and we'll say so. That's exactly why we talk it through first: no fake urgency.

Do you know how to do it? It's new for everyone

It's true it's new, and we say so openly. Our edge is that we actually use AI every day and govern it on ourselves: we're not improvising a standard read off a slide. And we lean on the solid ISO 27001 framework.

Is it just AI marketing?

Sober tone, zero buzzwords. ISO 42001 is a real, technical standard (AIMS); the EU AI Act is law. We talk policies, risk assessment and inventory, not "revolutionary AI".

Are ISO 42001 and the EU AI Act the same thing?

No. The EU AI Act is a regulation (a legal obligation for those in scope, with escalating duties on high-risk systems). ISO 42001 is a voluntary certification of an AI management system: it helps you prepare and demonstrate it, but doesn't replace AI Act compliance.

Does it integrate with ISO 27001?

Yes, very well: the AIMS often builds on the ISO 27001 ISMS. If you have (or want) 27001, we build 42001 on the same framework, no duplication.

Is it needed for EU grants?

Increasingly, structured AI governance is a requirement or a scoring advantage in EU grants. We check the grants you're targeting and exactly what they ask.

How we start (honest about timing and the market)

First we check whether it's actually worth it. Then we build.

  1. AI-ready analysis

     We check whether and when it's actually worth moving.

  2. AIMS + AI policies

     Integrated with ISO 27001 where present. Preparing an AIMS is similar to ISO 27001 (a few months given adequate readiness), then the body's audit.

  3. Audit and maintenance

     Accredited body's audit → certification. AI governance evolves with your product and the law.

Honesty: ISO 42001 is young and the ecosystem (bodies, market) is maturing. That's why we tell you upfront whether you're a case where moving now makes sense (early-mover with a clear return) or whether it's better to wait. No "~3 months" promised blind, no body or customer name without consent.

Continue the path

EU compliance

The EU AI Act within the EU framework (GDPR · NIS2 · DORA).

Learn more

How we work

"Human-Led, AI-Powered" as method: AI speeds up, the expert validates.

See our method

Continuous security

AI governance evolves over time: maintenance and updates.

Explore the retainer

Find out if your AI is ready, or what's missing.

Tell us your situation: we honestly tell you whether ISO 42001 is worth it now, and where to start.