
How to Get ISO 42001 Certified: The Process

The ISO 42001 certification process follows the familiar path of an accredited management-system audit, adapted for AI governance. Because ISO 42001 shares its structure with ISO 27001, organisations that hold that certificate will recognise the ISO 42001 certification process immediately. This guide explains each stage, how long it takes, and how to prepare so your first AI-governance audit goes smoothly.


The ISO 42001 certification process

  1. Gap analysis. Compare your current AI governance against the standard to see how far you have to go.
  2. Define scope & context. Decide which AI systems and parts of the organisation the AIMS covers, and identify interested parties.
  3. AI risk & impact assessment. Identify AI risks and, distinctively for ISO 42001, assess how your AI systems affect individuals, groups, and society.
  4. Build the AIMS. Write the AI policy and mandatory procedures, select your Annex A controls, and produce your Statement of Applicability.
  5. Implement & operate. Put the controls into practice across the AI lifecycle and run the system so it generates evidence.
  6. Internal audit & management review. Check the AIMS yourself and have leadership formally review it — both are required before certification.
  7. Stage 1 audit. The certification body reviews your documentation for readiness.
  8. Stage 2 audit. The auditor tests whether your AIMS is genuinely implemented and effective.
  9. Certification. Pass, and you receive a certificate typically valid for three years, with annual surveillance audits.

Get audit-ready faster.

The biggest delay is building the AIMS documentation from scratch. The ISO 42001 Toolkit gives you the complete, auditor-written document set ready to tailor — so you spend your time implementing, not drafting.


How long does it take?

As with other management systems, expect roughly three to twelve months depending on your scope, how many AI systems are in play, and how much governance you already have. Organisations that already hold ISO 27001 often move faster, because the underlying management-system machinery is already in place.

How to prepare efficiently

  • Keep your initial scope focused on your most significant AI systems; expand later.
  • Start from a complete document set rather than authoring the AI policy, assessments, and procedures from a blank page — see the documentation checklist.
  • Assign a clear owner with authority across data, engineering, legal, and risk.
  • Book your certification body early — accredited AI-standard auditors are in high demand.

Common pitfalls in the ISO 42001 certification process

Because the standard is new, the biggest risk is treating AI governance as paperwork rather than practice. Auditors want to see real AI impact assessments tied to actual systems, evidence of human oversight, and monitoring of models in production — not a generic policy. Teams also underestimate cross-functional involvement: legal, data science, and product all have a role, so governance cannot sit with one person. Run an internal audit and management review before Stage 2, and choose a certification body experienced in ISO 42001 early, as accredited assessors are still relatively scarce. The standard is published by ISO.

Frequently asked questions

Is ISO 42001 certification mandatory?

No — it’s a voluntary standard. But certification is fast becoming a way to prove responsible AI to customers and regulators.

Can we integrate it with an existing certification?

Yes. Because ISO 42001 shares the Harmonized Structure, it integrates neatly with ISO 27001 or ISO 9001, and many bodies offer combined audits.

For the full background, read our complete guide to ISO 42001.

Approached deliberately, the ISO 42001 certification process is manageable: govern your AI in practice, evidence it honestly, and the audit confirms a programme you already run.

Cost tracks effort and scope: a first ISO 42001 certification for an organisation new to management systems costs more than an extension for a company already certified to ISO 27001, which can reuse most of the shared machinery. Get quotes from accredited bodies early, as assessor availability — not price — is often the binding constraint on the ISO 42001 certification process.
