The new ISO/IEC 42006:2025 specifies competence and process requirements for bodies certifying AI Management Systems under ISO/IEC 42001. This tightens audit quality and sets expectations procurement teams can reference in RFPs.
Why this matters
Certification bodies assessing ISO/IEC 42001 must meet additional competency and rigour criteria. Buyers can now ask vendors which accredited body they plan to use and align evidence packages accordingly.
Impact on obligations
- Provider: Align policies, oversight, risk and improvement cycles to ISO/IEC 42001 and prepare for audits conducted under 42006.
- Deployer: Reference 42006 in supplier requirements to ensure credible audits.
- Importer: Prefer certifications issued by bodies operating under 42006.
What to evidence
- Policy and oversight records
- Risk registers
- Improvement cycles
- Audit trails sealed in Evidence Bundles
Key artefacts explained:
- DSSE: Dead Simple Signing Envelope — portable signature format
- STH: Signed Tree Head — tamper-evident checkpoint in a transparency log
- TSA: Time-Stamp Authority — independent timestamp receipt
- WORM: Write Once Read Many — immutable storage for audit trails
