How to Get ISO 42001 Certified

ISO 42001 certification is an 8-step process: gap assessment, scope definition, Annex A control implementation, model registry and risk register build, internal audit, management review, Stage 1 audit, and Stage 2 audit. A typical program takes 6 to 12 months and results in a three-year certificate.

The 8-step certification process

  1. Gap assessment. Compare current AI governance practice to ISO 42001 requirements. Produce a gap report that lists missing policies, controls, roles, and evidence — with an owner and target date for each gap.
  2. Define your AIMS scope. Decide which parts of the organization, which AI systems, and which lifecycle stages the AI management system covers. Document the internal and external issues that shape the scope and the interested parties whose expectations you must address.
  3. Implement Annex A controls. Select applicable Annex A controls based on your risk assessment. Build the policies, procedures, and records each one requires. Excluded controls must be justified in the Statement of Applicability.
  4. Build the model registry and risk register. Inventory every AI system in scope. For each, record purpose, data, users, risk classification, and controls. Populate the risk register with identified risks, likelihood, impact, treatment plan, and owner.
  5. Internal audit. Conduct at least one full internal audit against ISO 42001 requirements and against your own procedures. The audit must be performed by staff independent of the area being audited, and findings must be tracked to closure.
  6. Management review. Top management formally reviews the AIMS: audit results, risk landscape, incidents, changes, and opportunities for improvement. Decisions and actions are recorded — this is required evidence for the audit.
  7. Stage 1 certification audit. The certification body reviews documentation. They confirm scope, policy, risk assessment, Statement of Applicability, management review records, and internal audit results are present and aligned to the standard. Any findings must be closed before Stage 2.
  8. Stage 2 certification audit and certification. The auditor samples evidence across the AIMS to confirm the system operates as documented. If no major nonconformities remain, the certification body issues the ISO 42001 certificate, valid for three years subject to annual surveillance.

Realistic timeline

Starting pointTypical duration
No existing management system9 to 12 months
ISO 27001 already certified4 to 8 months
With a governance platform like Zilonex Govern3 to 6 months

Cost drivers

Common failure points

  1. Scope drawn too broadly, creating unmanageable evidence load
  2. Incomplete Statement of Applicability with unjustified exclusions
  3. Risk register that is not maintained after go-live
  4. Missing evidence of management review decisions and actions
  5. Internal audit performed by staff who own the area being audited
  6. Post-market monitoring plan that exists on paper but produces no records

Frequently asked questions

How long does ISO 42001 certification take?

A typical program takes 6 to 12 months from kickoff to certificate. Organizations already certified to ISO 27001 tend to complete in 4 to 8 months because they can extend the existing management system rather than build a new one.

How much does ISO 42001 certification cost?

Budget in three buckets: internal effort (usually the largest cost), optional consultancy support, and the certification audit itself. Certification audit fees typically run in the low-to-mid five figures depending on organization size and scope. Consultancy can double or triple that.

Who audits ISO 42001?

Accredited certification bodies. Since ISO 42001 is new, the number of accredited bodies is limited but growing. Confirm the auditor works with a recognized accreditation body before signing an audit contract.

What is the difference between Stage 1 and Stage 2 audits?

Stage 1 is a documentation review — the auditor checks that policies, procedures, risk assessment, applicability statement, and management system documents exist and are aligned to the standard. Stage 2 is an implementation review — auditors sample evidence to confirm the AIMS is actually operating as documented.

Do I need to implement every Annex A control?

No. Annex A controls are reference controls. You apply the ones justified by your risk assessment. Any excluded control must be documented in the Statement of Applicability with the reason it does not apply.

Can I combine ISO 42001 with ISO 27001?

Yes, and this is the recommended path for organizations already ISO 27001 certified. The two standards share the same 10-clause structure, so a single integrated management system with combined internal audits and management review is achievable.

How is the certificate maintained?

The initial certificate is valid for three years, subject to annual surveillance audits. A recertification audit is required at the end of the three-year cycle to renew.

Cut ISO 42001 timelines in half

Zilonex Govern comes with an ISO 42001 control library, model registry, risk register, and audit evidence store — pre-built.

Start Zilonex Govern free for 14 days