Vermont Solutions

ISO 42001 in banking — what it requires and how it is implemented

ISO/IEC 42001:2023 is the first international standard that defines an AI management system (AIMS). For European banking and insurance institutions, it is the most practical operating framework to get ahead of the EU AI Act and to demonstrate model governance to national supervisors and to the board.

Scope

The standard covers any organization developing, deploying or operating AI systems — owned or third-party — regardless of sector. In tier 1 banking and insurance, the typical use cases are:

  • Credit scoring and probability of default models (PD/LGD/EAD).
  • Actuarial pricing and automated underwriting.
  • Real-time transactional fraud detection.
  • Automated KYC / AML models.
  • Internal generative assistants for private banking and back-office.
  • Market risk models (FRTB IMA) and stress testing.

Relevant regulatory milestones

  • December 2023: publication of ISO/IEC 42001:2023.
  • August 2024: entry into force of the EU AI Act (Regulation 2024/1689).
  • February 2025: applicability of prohibitions (AI Act Chapter II).
  • August 2025: applicability of obligations for general-purpose AI models (GPAI).
  • August 2026: full applicability of obligations for high-risk systems (Annex III). Credit scoring falls here.
  • August 2027: applicability for high-risk systems embedded in regulated products (Annex I).

Relationship with DORA and the AI Act

ISO 42001 does not replace DORA or the AI Act — it complements them operationally:

  • DORA requires digital operational resilience (Regulation 2022/2554). For AI systems, ISO 42001 documents the lifecycle and tests that DORA expects when describing "critical technology".
  • The AI Act requires a quality management system for high-risk AI systems (Art. 17). ISO 42001 is aligned point by point with those requirements and is cited by the European Commission as a basis for future harmonized standards.
  • For banks, an ISO 42001 AIMS reduces duplicate work: the same documentation serves ECB/EBA inspectors, national supervisors (Bank of Spain, AMF, BaFin, CNBV, CMF) and external audit.

How Vermont Solutions implements it

Vermont Solutions has ISO 42001 Lead Implementers (company certification in progress) and supports financial institutions in the design and certification of their AIMS:

  • Gap analysis against the existing ISO 27001 ISMS.
  • Design of the AI risk register and impact matrices.
  • Role definition (AI owner, governance committee, model owners).
  • Documentation of the production model lifecycle.
  • Internal audit prior to the external certification audit.
  • Coordination with the DPO and with external audit (Big Four or assurance boutique).

Related service

AI Governance · ISO 42001

Vermont's operating framework for banking and insurance covering AIMS design, AI Act / DORA alignment, and certification support.


Official sources

Last updated: 2026-05-27. This glossary entry is editorial content by Vermont Solutions, citable with attribution as "Vermont Solutions". It does not constitute legal advice — for compliance decisions consult professional services.