BLOG
June 3, 2026
Travis Good

How to Get ISO 42001 Certified

The full process stage by stage, with real timelines, costs, and what to look out for.

If you're building with AI and want to show prospects you're committed to developing, deploying, and using AI in a responsible way, ISO 42001 does just that.

The standard covers the implementation and governance of an Artificial Intelligence Management System (AIMS) and is gaining steam as more and more businesses rely on AI for building out product features and internal processes.

If you've decided that ISO 42001 is the right next step for your business, here's everything you need to know about getting certified.

The ISO 42001 Certification Process at a Glance

Certification breaks into six stages, and we'll cover each one in detail below:

  1. Define your scope and your role in the AI supply chain.
  2. Run a gap analysis against the standard and its Annex A controls.
  3. Build the AIMS: the AI policy, your risk and impact assessments, and the Statement of Applicability.
  4. Operate the controls and collect evidence that they work.
  5. Pass an internal audit and a management review.
  6. Pass the Stage 1 and Stage 2 external audits.

ISO 42001 certification is valid for three years, with a surveillance audit each year. The certificate itself is great for showing prospects and customers you have the right procedures and processes in place, but there's also a lot of internal value to be gained as you work to build your AI Management System.

Map Your Scope and AI Role Before Anything Else

Certification starts with two decisions: what you're certifying, and who you are in the AI supply chain. It's essential to get these decisions right, because everything downstream depends on them.

Your whole company doesn't have to be in scope for the audit, only the products or business units that build or use AI. Once you've decided what's in scope, you document that boundary and then certify against it.

Then you define your role. ISO 42001 asks whether your business is an AI provider, producer, customer, or partner. Here's what each means:

  • AI provider: you supply an AI platform, product, or service to others.
  • AI producer: you develop, test, deploy, or operate the AI system.
  • AI customer: you use an AI system, often one built by someone else.
  • AI partner: you support the system as an integrator or data provider.

Most companies hold more than one role. An AI startup selling its own product is usually both a producer and a provider, and the role you land on decides which Annex A controls apply. You want to scope wide enough to reflect the role your business actually plays, but be cautious not to scope too wide, as every extra system adds more risk assessments and more time in audit.

Run a Gap Analysis Against the Standard and Annex A

A gap analysis compares what you do today against the standard's requirements in Clauses 4 through 10 and its 38 Annex A reference controls. The output is a prioritized list of what's missing, which becomes your remediation roadmap.

Annex A holds 38 controls across nine categories, covering areas like data quality, data provenance, the AI system lifecycle, and the information you owe the people your AI affects. You don't have to adopt all 38. You choose which ones apply and justify the rest later, in the Statement of Applicability.

This is where an existing security program pays off. ISO 42001 uses the same management-system skeleton as ISO 27001, with identical clause numbering, so if you hold SOC 2 or ISO 27001 a lot of the plumbing already exists. Access control, vendor reviews, monitoring, and an internal-audit habit all carry over. The new work is AI-specific, like the impact assessment and data provenance. I tell teams that AI governance isn't a separate program bolted onto security. It's an extension of the one they already run.

Build the AIMS and Write Your Statement of Applicability

The AI Management System is the core part of ISO 42001. It requires you to set up an AI policy, run your risk and impact assessments, put the required controls in place, and produce the Statement of Applicability.

The Statement of Applicability (SoA) is a document that lists every Annex A control, states whether you've included or excluded it, and justifies each decision. It's the first thing your auditors will review and sets the tone for the whole audit, so you want your SoA to be as detailed and thorough as possible.

Where many teams get caught out is the AI system impact assessment. It requires you to assess how your AI usage could impact the people who use it (your internal team and customers/users) and the public at large. You need to consider things like foreseeable misuse and any possible bias or unfair outcomes for a specific group. Once you've worked through that, you document your findings and decide how to treat each risk.

The full list of documents you'll need to produce is:

  • An AI policy
  • A risk assessment methodology with defined criteria
  • A risk assessment and treatment report
  • An AI system impact assessment methodology
  • Your AIMS objectives
  • The Statement of Applicability

Where ISO 42001 starts to pay off early is in forcing your organization to produce these documents, because you'll have to think through questions about who can access training data, how outputs get validated, what happens when an AI model makes a bad call, and who owns the fix. These problems are often only noticed after they happen; ISO 42001 ensures you have a plan in place beforehand.

Operate the Controls and Gather Evidence

Ideally your controls should be in place and operational for two to three months before an auditor reviews them. While this timeline isn't fixed or required, it generally means that auditors can trust what you're putting in front of them. A policy drafted one week before the audit, without much evidence, likely won't make it through the audit.

The ISO 42001 certification audit checks the effectiveness of your policies and controls, not how you intend for them to work. So it's best to take a period of operating evidence into the audit with you, like monitoring logs and dated decision records, rather than a single snapshot taken just before your audit starts.

Clear Your Internal Audit and Management Review

Before any external auditor shows up, the standard requires you to audit yourself and have leadership formally review the system. Both the internal audit and the management review are required clauses, not optional extras.

Treat this stage as a dress rehearsal and your last cheap chance to catch problems. A nonconformity you find here costs a few days to fix. The same one found in Stage 2 can cost you the timeline.

Choose an Accredited Auditor

An ISO 42001 certificate is issued by an accredited, independent firm that audits your AIMS and signs off that it matches all the requirements. There are a handful of ISO 42001 certification bodies right now, including A-LIGN, Schellman, and BSI, with more being added.

The audit happens in two stages:

  • Stage 1 reviews your documentation and readiness.
  • Stage 2 tests whether the system works in practice.

Stage 1 usually only takes a few days or a week. The auditor is looking to ensure everything you need is in place and to surface any missing documents or concerns (like a thin SoA). At Stage 2, the auditor is looking at the effectiveness of your policies and controls in practice. If Stage 2 raises major nonconformities, you get a separate window to fix them, often around 90 days, before the certificate is issued.

The nonconformities commonly raised during Stage 2 include:

  • A thin impact assessment
  • A scope that doesn't match the Statement of Applicability
  • Evidence that doesn't reach back far enough to prove the controls were operating
  • Controls that exist on paper but not in the logs

Plan for the Timeline, Cost, and Common Delays

Typically, ISO 42001 can take three to twelve months from start to finish. This timeline includes:

  • Gap analysis: 2 to 6 weeks
  • AIMS design and documentation: 4 to 12 weeks
  • Evidence collection and monitoring: 2 to 12 weeks
  • Internal audit and management review: 2 to 5 weeks
  • External audit, Stage 1 and Stage 2: 3 to 5 weeks
  • Corrective actions: 2 to 6 weeks

When it comes to how much it'll cost, it's a wide range depending on the size and complexity of your business and how much is in scope for your audit. A small company may be able to get ISO 42001 certified for $10,000 to $15,000, though typical startup costs tend to run from $15,000 to $40,000 all in. The two things that shorten the timeline and reduce costs the most are tight scoping and the maturity of your existing security program: if you already have SOC 2 or ISO 27001 in place, you're likely adding ISO 42001 on top of already solid foundations.

Maintain Your AIMS After the Audit

Your ISO 42001 certificate will be valid for three years after your audit, but compliance isn't a set-it-and-forget-it thing. Each year your certification body conducts a short surveillance audit to confirm the system is still operating, and after three years you have to recertify. So there's ongoing work to ensure your AIMS stays compliant.

Your AIMS also needs to stay up to date as your products change. If you integrate new models or expand your AI feature set, it should be reflected in your documentation. Being consistent with how you update your policies, procedures, and controls will also save you a bunch of time and stress as you approach your annual surveillance audit or your next full ISO 42001 audit.

Now's the Time to Get Ahead

AI is still relatively new. But it's already becoming an important part of procurement processes, so if you want to assure partners that you're committed to developing, deploying, and using AI in a responsible way, ISO 42001 is the way. And right now, it's still a differentiator for many organizations.

As of early 2026, large firms were still announcing they were among the first hundred organizations in the world to certify, so moving on ISO 42001 now puts you ahead of the pack and shows your customers that you care about AI governance.

If you're mapping out ISO 42001 and want to see what the scope and timeline would look like for your company specifically, talk to our team.

ISO 42001 Frequently Asked Questions

Is ISO 42001 certification mandatory?

Like SOC 2 and ISO 27001, ISO 42001 is a voluntary standard, not a law. However, AI governance is increasingly becoming a part of the procurement process for B2B enterprise buyers. So while ISO 42001 isn't mandated or legally required, it can help to set you apart from the competition and build trust with buyers.

Can you certify against ISO 42001 and ISO 27001 at the same time?

You can work towards both ISO 42001 and ISO 27001 at the same time, and if both are on your roadmap it's usually more efficient to pursue them concurrently. Many teams manage them as separate programs with separate audits, but you can generally save time and money by pursuing both together.

How much does ISO 42001 certification cost?

ISO 42001 will generally run anywhere from $10,000 to $40,000 (sometimes more) for a startup. If you're a very small company it can sometimes be less, and if you're a larger organization with more complex systems and more in scope it may run higher.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.