Does this satisfy the EU AI Act?

ISO 42001 is the closest standard alignment. We map every 42001 control to the relevant EU AI Act article and DPDP automated-decision provisions.

AI Governance · World's First AI Management Standard

ISO/IEC 42001 — AI Management System

Demonstrate responsible AI to customers, regulators and boards.

ISO/IEC 42001 (2023) is the first international standard for AI Management Systems — covering governance, risk, lifecycle, transparency and stakeholder impact. Macksofy implements 42001 alongside the EU AI Act / DPDP / sectoral guidance for organisations shipping AI to enterprise.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

ISO/IEC 42001:2023
EU AI Act (risk-tier mapping)
NIST AI Risk Management Framework
Macksofy AI Risk Taxonomy
DPDP / GDPR — automated decision-making provisions

Why this matters

Compliance is leverage, not paperwork.

Boards, customers and regulators are asking 'how do you govern your AI?' Answers like 'we have an internal policy' no longer cut it. ISO 42001 audited certification — alongside DPDP / EU AI Act readiness — is fast becoming a procurement-stage requirement, especially for AI sold into BFSI, healthcare and government.

Applicability

AI / ML product companies + LLM application builders
Banks + insurers using AI for underwriting / claims
Healthtech using AI for diagnostics / triage
Edtech / hiring-tech using AI for evaluation
Cloud + SaaS embedding generative AI features

Standards & frameworks

Aligned to the regulations that matter.

ISO/IEC 42001:2023

EU AI Act (risk-tier mapping)

NIST AI Risk Management Framework

Macksofy AI Risk Taxonomy

DPDP / GDPR — automated decision-making provisions

Methodology

How we run a ISO 42001 engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

REV.01 · METHODOLOGY SCHEMATIC

NODES 04

INSPECTOR · NODE-01

1 · AI inventory + risk tiering

Inventory of AI systems + use cases
Risk tiering (EU AI Act categories)
Stakeholder impact assessment

Deliverables

Everything you need to satisfy auditors.

AI inventory + risk-tier register
AI policy + 7+ procedures
Bias / fairness / explainability evidence pack
Incident playbook + audit log spec
Stage 1 / 2 audit support
EU AI Act gap mapping

Recent engagements

AI-led Healthtech (India + GCC)

First ISO 42001 + EU AI Act readiness

Outcome: Cleared diligence at two strategic investors and one EU enterprise deal on the strength of certified AI governance

At a glance

The shape of a ISO 42001 engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

AI policy & governance3 pts
AI risk assessment & impact3 pts
Data & model lifecycle3 pts
Bias, fairness, transparency3 pts
AI incident handling3 pts
AI compliance & assurance3 pts

Pillar 01

AI policy & governance

The first thing 42001 auditors ask: who owns AI risk at your organisation?

AI policy + ethics charter
AI governance board + RACI
AI use-case inventory

Pillar 02

AI risk assessment & impact

AI system risk is not classical InfoSec risk. We assess it as a distinct domain.

AIIA — AI Impact Assessment
Model risk tiering (low / med / high)
Stakeholder-impact analysis

Pillar 03

Data & model lifecycle

From dataset to deployment to decommissioning.

Training-data lineage + consent
Model versioning + reproducibility
Decommissioning & retention policy

Pillar 04

Bias, fairness, transparency

The differentiator from any prior ISO standard.

Bias-testing methodology + thresholds
Explainability artefacts per model
Human-in-the-loop checkpoints

Pillar 05

AI incident handling

What happens when the model goes wrong in production.

AI-incident detection + escalation
Model rollback / kill-switch evidence
Affected-party notification playbook

Pillar 06

AI compliance & assurance

Internal audit + third-party assurance specific to AI systems.

AI internal-audit programme
Vendor-AI due diligence
Annual AI-system attestation

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a ISO 42001 engagement. Click any station for detail in the methodology section above.

Week 1

AI inventory + risk tiering

Week 2

AIMS design

Week 3

Controls implementation

Week 4

Internal audit + certification

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Adoption is rapid — major procurement teams in BFSI, healthcare and government are starting to ask for it. Early movers gain a 12–18 month differentiation window.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.