How to Get ISO 42001 Certified
ISO 42001 certification is an 8-step process: gap assessment, scope definition, Annex A control implementation, model registry and risk register build, internal audit, management review, Stage 1 audit, and Stage 2 audit. A typical program takes 6 to 12 months and results in a three-year certificate.
The 8-step certification process
- Gap assessment. Compare current AI governance practice to ISO 42001 requirements. Produce a gap report that lists missing policies, controls, roles, and evidence — with an owner and target date for each gap.
- Define your AIMS scope. Decide which parts of the organization, which AI systems, and which lifecycle stages the AI management system covers. Document the internal and external issues that shape the scope and the interested parties whose expectations you must address.
- Implement Annex A controls. Select applicable Annex A controls based on your risk assessment. Build the policies, procedures, and records each one requires. Excluded controls must be justified in the Statement of Applicability.
- Build the model registry and risk register. Inventory every AI system in scope. For each, record purpose, data, users, risk classification, and controls. Populate the risk register with identified risks, likelihood, impact, treatment plan, and owner.
- Internal audit. Conduct at least one full internal audit against ISO 42001 requirements and against your own procedures. The audit must be performed by staff independent of the area being audited, and findings must be tracked to closure.
- Management review. Top management formally reviews the AIMS: audit results, risk landscape, incidents, changes, and opportunities for improvement. Decisions and actions are recorded — this is required evidence for the audit.
- Stage 1 certification audit. The certification body reviews documentation. They confirm scope, policy, risk assessment, Statement of Applicability, management review records, and internal audit results are present and aligned to the standard. Any findings must be closed before Stage 2.
- Stage 2 certification audit and certification. The auditor samples evidence across the AIMS to confirm the system operates as documented. If no major nonconformities remain, the certification body issues the ISO 42001 certificate, valid for three years subject to annual surveillance.
Realistic timeline
| Starting point | Typical duration |
|---|---|
| No existing management system | 9 to 12 months |
| ISO 27001 already certified | 4 to 8 months |
| With a governance platform like Zilonex Govern | 3 to 6 months |
Cost drivers
- Internal effort — the largest line item; expect 0.5 to 2 FTE across the program
- Consultancy — optional; useful when in-house AI governance experience is thin
- Governance platform — a tool like Zilonex Govern replaces spreadsheets and cuts internal effort significantly
- Certification audit fees — set by the certification body; depends on scope and audit days
- Ongoing surveillance audits — annual, at a fraction of the initial audit cost
Common failure points
- Scope drawn too broadly, creating unmanageable evidence load
- Incomplete Statement of Applicability with unjustified exclusions
- Risk register that is not maintained after go-live
- Missing evidence of management review decisions and actions
- Internal audit performed by staff who own the area being audited
- Post-market monitoring plan that exists on paper but produces no records
Frequently asked questions
How long does ISO 42001 certification take?
A typical program takes 6 to 12 months from kickoff to certificate. Organizations already certified to ISO 27001 tend to complete in 4 to 8 months because they can extend the existing management system rather than build a new one.
How much does ISO 42001 certification cost?
Budget in three buckets: internal effort (usually the largest cost), optional consultancy support, and the certification audit itself. Certification audit fees typically run in the low-to-mid five figures depending on organization size and scope. Consultancy can double or triple that.
Who audits ISO 42001?
Accredited certification bodies. Since ISO 42001 is new, the number of accredited bodies is limited but growing. Confirm the auditor works with a recognized accreditation body before signing an audit contract.
What is the difference between Stage 1 and Stage 2 audits?
Stage 1 is a documentation review — the auditor checks that policies, procedures, risk assessment, applicability statement, and management system documents exist and are aligned to the standard. Stage 2 is an implementation review — auditors sample evidence to confirm the AIMS is actually operating as documented.
Do I need to implement every Annex A control?
No. Annex A controls are reference controls. You apply the ones justified by your risk assessment. Any excluded control must be documented in the Statement of Applicability with the reason it does not apply.
Can I combine ISO 42001 with ISO 27001?
Yes, and this is the recommended path for organizations already ISO 27001 certified. The two standards share the same 10-clause structure, so a single integrated management system with combined internal audits and management review is achievable.
How is the certificate maintained?
The initial certificate is valid for three years, subject to annual surveillance audits. A recertification audit is required at the end of the three-year cycle to renew.
Cut ISO 42001 timelines in half
Zilonex Govern comes with an ISO 42001 control library, model registry, risk register, and audit evidence store — pre-built.
Start Zilonex Govern free for 14 days