How to Get ISO 42001 Certification

Getting ISO 42001 certification is not just about passing an audit. It is about building an AI management system that shows how your organization governs artificial intelligence in real work, with evidence that a certification body can review.

For many companies, the hard part is not the certificate itself. The hard part is knowing where to start, what documents are needed, what happens in the Stage 1 and Stage 2 audits, and how long the process may take.

This guide explains how to get ISO 42001 certification step by step, from scope and gap assessment to documentation, implementation, audit, certification decision, and surveillance.

Isofranchise helps organizations explore suitable ISO 42001 certification pathways through its global network. Certification is delivered by the relevant issuing certification body. Isofranchise is not an accreditation body, does not publish ISO standards, and does not directly issue ISO 42001 certificates.

Last updated: 5

ISO 42001 certification steps at a glance

If you want to get ISO 42001 certification, the process usually starts with scope definition and gap assessment, then moves into AI governance documentation, implementation, internal audit, management review, Stage 1 audit, Stage 2 audit, and surveillance audits.

| Stage | What happens | Main output |
|---|---|---|
| 1. Scope | Define which AI systems, sites, teams, and services are included. | ISO 42001 scope statement |
| 2. Gap assessment | Compare current AI governance against ISO 42001 requirements. | Gap report and action plan |
| 3. AI inventory | List AI systems, owners, use cases, risk level, suppliers, and monitoring methods. | AI system inventory |
| 4. Documentation | Create AI policy, risk method, controls, and required records. | AIMS documents |
| 5. Implementation | Put controls into practice and collect evidence. | Operational evidence |
| 6. Internal audit | Check whether the AI management system is ready for external audit. | Internal audit report |
| 7. Management review | Leadership reviews performance, risks, resources, and improvements. | Management review minutes |
| 8. Certification audit | Complete Stage 1 and Stage 2 audits with the chosen certification body. | Audit result and certification decision |
| 9. Surveillance | Maintain the system through surveillance audits and improvement. | Ongoing certification maintenance |

[Figure: ISO 42001 certification process showing scope, gap assessment, documentation, audits, certification decision, and surveillance]

Step 1: Define the ISO 42001 certification scope

Scope definition is the first serious step. Without a clear scope, the process becomes confusing for your team, the auditor, and later for buyers who need to understand what your certificate actually covers.

Your ISO 42001 scope should answer:

  • Which AI systems are covered?
  • Which products, services, departments, or sites are included?
  • Are internal AI tools included?
  • Are customer-facing AI features included?
  • Are third-party AI systems or vendors included?
  • Which country, site, or business unit is covered?
  • What is outside the scope?

A SaaS company may include AI-enabled product features, engineering controls, AI risk review, data governance, supplier controls, monitoring, and customer-facing AI documentation.

A company using only internal AI tools may have a narrower scope, but it still needs to show how AI risks are identified, reviewed, controlled, and improved.

Do not make the scope broad just to sound impressive. A realistic scope is easier to implement, easier to audit, and easier to explain to buyers.

Step 2: Complete an ISO 42001 gap assessment

A gap assessment compares your current AI governance practices against ISO 42001 requirements.

This helps you understand what already exists and what needs to be created, improved, or evidenced before the certification audit.

A proper ISO 42001 gap assessment should review:

  • AI policy and objectives
  • AI system inventory
  • AI risk assessment process
  • AI roles and responsibilities
  • AI lifecycle controls
  • data governance
  • model or system monitoring
  • supplier and vendor controls
  • incident handling
  • internal audit readiness
  • management review readiness
  • evidence available for external audit

The gap assessment should not be a generic checklist exercise. It should be tied to your actual AI systems, business risks, users, buyers, and operating model.

Step 3: Build an AI system inventory

Before you can manage AI properly, you need to know where AI is being used. An AI system inventory helps your organization identify systems, tools, models, vendors, and AI-enabled workflows that may fall within scope.

| Inventory field | What to record |
|---|---|
| AI system or tool name | Name of the AI-enabled system, tool, model, or platform. |
| Business owner | Person or team responsible for the business use case. |
| Technical owner | Person or team responsible for technical operation. |
| Purpose | What the AI system is used for. |
| User impact | Internal use, customer-facing use, or decision-support use. |
| Data used | Data categories, data source, and data sensitivity. |
| Supplier dependency | Third-party platform, API, model, or vendor. |
| Risk level | Low, medium, high, or defined internal rating. |
| Monitoring method | How performance, incidents, or outputs are reviewed. |

Step 4: Prepare ISO 42001 documentation

ISO 42001 certification requires documented evidence. The exact documentation depends on your scope and how your AI management system is designed, but most organizations need a core document set.

  • AI management system scope
  • AI policy
  • AI objectives
  • AI risk assessment method
  • AI risk register
  • AI impact assessment records
  • AI roles and responsibilities
  • AI system inventory
  • data governance controls
  • AI lifecycle controls
  • supplier and vendor controls
  • monitoring and performance review records
  • AI incident handling process
  • training records
  • internal audit records
  • management review records
  • corrective action records

Do not create documents only for the audit. A short document that people actually use is better than a long policy that no team follows.

What documents should be ready before the certification audit?

Before the external audit, your organization should be able to show that AI governance is not just written in a policy but actually working. The auditor will usually ask for evidence in these areas.

| Evidence area | Examples of evidence |
|---|---|
| Scope and context | scope statement, interested parties, AI use-case boundaries |
| Leadership | AI policy approval, governance roles, leadership review notes |
| Planning | AI risk criteria, AI risk register, objectives, treatment plans |
| Support | training records, competence records, communications, document control |
| Operation | AI lifecycle controls, supplier reviews, change records, deployment checks |
| Performance evaluation | monitoring records, internal audit results, management review |
| Improvement | nonconformities, corrective actions, incident learning, improvement log |

Step 5: Implement AI governance controls

After documentation, your AI governance controls need to work in practice.

This is where many organizations struggle. They may have policies, but little evidence that teams are following them.

Your implementation should cover the areas below.

AI governance roles

Define who owns AI governance, who approves AI use, who reviews AI risk, who manages technical controls, who handles legal or privacy review, and who escalates AI-related incidents.

AI risk management

Create a repeatable method to identify, assess, treat, monitor, and review AI-related risks. This may include risks linked to data, bias, safety, security, misuse, transparency, model performance, and third-party tools.

AI lifecycle control

Show how AI systems are reviewed across planning, design, development, testing, deployment, monitoring, change, and retirement.

Data governance

Define how data quality, suitability, privacy concerns, access, retention, and use limitations are managed for AI systems.

Supplier and vendor control

Many organizations rely on third-party AI tools, APIs, platforms, or models. ISO 42001 readiness should include supplier review, vendor risk checks, contract review where relevant, and monitoring of supplier changes.

Monitoring and improvement

Define how AI systems are monitored after deployment. This may include performance review, user feedback, incident trends, model drift, accuracy concerns, risk triggers, and corrective actions.

Step 6: Train relevant teams

ISO 42001 is not only for the person managing certification. AI governance often involves leadership, product, engineering, legal, information security, procurement, HR, customer success, and business teams.

Training should be practical. Relevant teams should understand:

  • what AI systems are in scope
  • what the AI policy requires
  • how AI risks are reported
  • who approves new AI use cases
  • when supplier review is needed
  • how incidents or concerns are escalated
  • what evidence needs to be maintained

Training records should be kept as audit evidence.

Step 7: Conduct an internal audit

Before the external certification audit, your organization should conduct an internal audit.

The internal audit checks whether the AI management system is implemented and whether it meets the planned requirements.

An internal audit should review:

  • scope accuracy
  • AI policies and objectives
  • AI risk records
  • AI system inventory
  • supplier controls
  • monitoring evidence
  • training records
  • corrective actions
  • leadership involvement
  • management review readiness

The goal is not to “pass yourself.” The goal is to find weak areas before the external auditor does.

Step 8: Complete management review

Management review is where leadership checks whether the AI management system is suitable, effective, and improving.

The review should cover:

  • AI risk status
  • internal audit results
  • nonconformities
  • corrective actions
  • monitoring results
  • changes in AI systems
  • supplier or technology changes
  • resource needs
  • improvement opportunities

This step matters because ISO 42001 is a management system standard. Leadership involvement should be visible, not symbolic.

Step 9: Choose the ISO 42001 certification body route

After your internal system is ready, choose the certification body route carefully.

ISO publishes ISO/IEC 42001, but ISO does not certify organizations. Certification is carried out by independent certification bodies. Where accreditation applies, an accreditation body assesses the certification body for defined scopes.

Before choosing a route, check:

  • who the issuing certification body is
  • whether accreditation applies to the relevant scope
  • which accreditation body is involved, where applicable
  • whether the route matches buyer expectations
  • whether the certificate can be verified
  • whether the audit timeline fits your business need
  • whether surveillance audit requirements are clear

Do not choose a certification route only because it sounds international. The certification body, accredited scope, certificate verification route, and buyer expectations should line up.

For more detail, read the page on choosing an accredited ISO 42001 certification body.

Step 10: Complete Stage 1 audit

Stage 1 is usually the readiness and documentation review.

The auditor checks whether your organization is prepared for Stage 2.

| Stage 1 check | Common failure point |
|---|---|
| Scope | Scope is too broad, unclear, or not tied to actual AI use. |
| Documented information | Documents exist but do not match business practice. |
| AI inventory | AI systems are missing, duplicated, or not risk-rated. |
| Risk method | Risk criteria are generic and not AI-specific. |
| Internal audit | Internal audit has not been completed or lacks evidence. |
| Management review | Leadership review is missing or only symbolic. |

Step 11: Complete Stage 2 audit

Stage 2 is the main certification audit.

The auditor checks whether your AI management system is implemented and effective. This usually includes interviews, document review, evidence sampling, and process testing.

| Stage 2 focus | Evidence to prepare |
|---|---|
| Leadership involvement | approved policy, role assignments, management review actions |
| AI risk assessment | risk records, risk treatment decisions, impact assessments |
| AI lifecycle controls | design reviews, change logs, deployment approvals, monitoring records |
| Supplier management | supplier reviews, vendor risk assessments, contracts or controls |
| Training and competence | training records, attendance, competence criteria |
| Corrective action | nonconformity records, root cause, actions, effectiveness checks |

Step 12: Close corrective actions, if required

If the certification audit identifies nonconformities, your organization must review the finding, identify the cause, take corrective action, and provide evidence that the issue has been addressed. Certification can move forward only after required corrective actions are accepted by the certification body.

Step 13: Receive the certification decision

After the audit, the certification body reviews the audit results and makes the certification decision.

If the AI management system meets the requirements and any required corrective actions are accepted, the certification body may issue the ISO 42001 certificate.

The certificate should clearly show:

  • certified organization name
  • certification standard
  • certification scope
  • sites covered
  • certificate number
  • issue date
  • expiry date
  • issuing certification body
  • accreditation details, where applicable

A buyer should be able to verify the certificate through the issuing certification body, accreditation body directory, or IAF CertSearch where applicable.

Step 14: Maintain certification through surveillance audits

ISO 42001 certification does not end after the certificate is issued.

Management system certifications usually include surveillance audits during the certification cycle. These audits check whether your AI management system is still working and improving.

Surveillance audits may review:

  • changes in AI use
  • new AI systems
  • updated AI risks
  • monitoring records
  • corrective actions
  • supplier changes
  • internal audits
  • management reviews
  • incident records
  • continual improvement evidence

AI systems change quickly, so surveillance readiness matters.

How long does ISO 42001 certification take?

| Organization type | Typical readiness pattern | Planning range |
|---|---|---|
| Small AI-enabled business | Limited scope, few systems, simple evidence set. | 3 to 5 months if documentation is mature. |
| Mid-size SaaS or IT company | Multiple AI use cases, supplier dependencies, several teams involved. | 5 to 8 months in many cases. |
| Large or multi-site organization | Multiple departments, complex AI systems, higher risk workflows. | 7 to 12 months or more depending on scope. |

These are planning ranges, not guarantees. The timeline depends on scope clarity, evidence maturity, internal audit readiness, certification body availability, and corrective actions.

What affects ISO 42001 certification cost?

ISO 42001 certification cost should not be treated as one fixed price for every organization.

A small company using AI in one product feature will not need the same audit effort as a multi-site organization using AI across product, HR, analytics, customer support, risk, and operations.

Cost depends on:

  • organization size
  • number of sites
  • number of employees
  • AI system complexity
  • number of AI use cases
  • risk level of AI systems
  • existing ISO certification
  • documentation readiness
  • audit duration
  • certification body route
  • surveillance audit needs

Before requesting a quote, prepare these details:

  • country and target buyer market
  • number of employees
  • number of sites
  • AI systems or AI-enabled services in scope
  • whether ISO 27001 or ISO 9001 is already implemented
  • current documentation readiness
  • desired certification timeline

This helps whoever quotes the certification route estimate audit effort, preparation needs, and surveillance requirements more accurately.

ISO 27001 to ISO 42001 certification path

If your organization already has ISO 27001, you may have a useful foundation for ISO 42001.

You may already have:

  • risk management process
  • internal audit process
  • management review process
  • supplier controls
  • incident handling
  • document control
  • security governance
  • corrective action process

ISO 42001 adds AI-specific focus, including:

  • AI risk and impact assessment
  • AI policy and AI accountability
  • AI supplier and third-party tool governance
  • AI-related issue and incident response
  • AI management system audit evidence
  • AI governance performance review
  • AI lifecycle and monitoring controls

ISO 42001 does not replace ISO 27001. It extends governance into AI-specific risks, controls, evidence, and decision-making.

Common mistakes in ISO 42001 certification

  • Starting with documents before defining scope.
  • Treating ISO 42001 like ISO 27001 with AI wording added.
  • Ignoring third-party AI tools.
  • Having no AI system inventory.
  • Keeping leadership out of the process.
  • Skipping internal audit.
  • Choosing a route only by price.

ISO 42001 and buyer readiness

Many companies explore ISO 42001 because buyers are asking stronger questions about AI governance.

A buyer may ask:

  • Where is AI used in your product or service?
  • Who owns AI governance?
  • How are AI risks reviewed?
  • How do you manage third-party AI tools?
  • How do you monitor AI system performance?
  • How do you handle AI-related incidents?
  • How can your certificate be verified?

ISO 42001 certification can help structure these answers, but it does not remove the need for legal, privacy, cybersecurity, or sector-specific review where those apply.

Example scenario: SaaS company preparing for ISO 42001

This is an example scenario, not a real case study.

A 60-employee SaaS company uses AI in customer workflow automation and analytics. The company already has ISO 27001, but its AI governance is informal. Product teams review AI risks differently, vendor checks are not AI-specific, and there is no single AI system inventory.

The company starts with a gap assessment. It identifies a missing AI policy, incomplete AI risk criteria, weak supplier review, no formal AI monitoring process, and no management review for AI governance. It then defines scope, builds an AI inventory, creates risk and impact records, updates supplier controls, trains teams, conducts an internal audit, and completes management review before the Stage 1 and Stage 2 audits.

Start your ISO 42001 certification process

Your first step depends on your current stage. If you are early, start with a readiness discussion. If you already use AI in important business processes, request a gap assessment. If you are ready for certification, request a tailored ISO 42001 quote.

For consultants, auditors, and ISO partners

ISO 42001 is also a growing opportunity for consultants, auditors, and regional partners who work with SaaS, IT, fintech, healthcare, outsourcing, analytics, cybersecurity, and AI-enabled businesses.

Partners do not become accreditation bodies by joining the network. Partners should not claim they can issue accredited certificates independently unless the correct certification body route and scope are in place.

Isofranchise helps route partner opportunities through the appropriate certification pathway.

Frequently asked questions

The procedure usually includes scope definition, gap assessment, AI system inventory, documentation, implementation, team training, internal audit, management review, Stage 1 audit, Stage 2 audit, certification decision, and surveillance audits.

Common documents include AI scope, AI policy, AI objectives, AI risk method, AI risk register, AI system inventory, roles and responsibilities, data governance controls, supplier controls, monitoring records, internal audit records, management review records, and corrective action records.

The timeline depends on organization size, AI system complexity, number of AI use cases, documentation readiness, internal audit status, management review status, and certification body availability.

No. ISO 27001 is not mandatory before ISO 42001. However, companies with ISO 27001 may have a stronger starting point because they already understand risk review, internal audit, management review, supplier controls, document control, and corrective actions.

ISO 42001 certification is issued by an independent certification body after a successful audit. ISO publishes ISO/IEC 42001, but ISO does not certify organizations.

Stage 1 usually checks readiness, scope, documentation, internal audit status, management review status, and whether the organization is prepared for Stage 2.

Stage 2 checks whether the AI management system is implemented and effective. Auditors review evidence, interview relevant teams, and assess whether controls are working in practice.

Yes. ISO 42001 can be integrated with ISO 27001 where management system processes overlap. However, ISO 42001 still needs AI-specific scope, risk, policy, lifecycle, monitoring, supplier, and accountability evidence.

Yes. A gap assessment helps you understand what is already in place, what is missing, how much preparation is needed, and what timeline is realistic before the certification audit.

Some parts of ISO 42001 certification preparation, such as gap assessment, documentation review, training, and readiness discussion, may be handled online. The certification audit route depends on the certification body, organization scope, sites, risk level, and audit requirements. The certificate should still clearly show the issuing certification body, scope, sites covered, and verification route where applicable.