You've decided to pursue ISO 42001 certification. Good. Now what?
I've led over 200 ISO certification projects across a range of standards, and the moment between "we're going to do this" and "here's how we actually do it" is where most organizations stall. The decision felt like the hard part. It wasn't. The hard part is turning a 40-page international standard into a living, auditable system inside your organization — with real people, real deadlines, and a certification body that doesn't grade on effort.
This guide walks through every phase of ISO 42001 implementation. Not the theory. Not the business case. The actual steps, the realistic timelines, the documentation you'll need, and the mistakes I've watched organizations make over and over again. If you're the person responsible for making this happen — whether you're a quality manager, an IT lead, or a consultant advising a client — this is the playbook.
Who This Guide Is For
I wrote this for the people doing the work. Quality managers building the AI Management System (AIMS) from scratch. IT and security leads figuring out which controls apply and how to implement them. Consultants who need a structured approach they can adapt to different client environments.
If you're still evaluating whether your organization needs ISO 42001 at all, start with What is ISO 42001? instead. This guide assumes you've already made the decision and you need the roadmap.
If your question is more strategic — how AI governance fits into your broader regulatory posture, or how to make the case to your board — regulatedai.consulting covers that angle. What follows here is tactical.
ISO 42001 at a Glance
Quick orientation before we get into phases. ISO/IEC 42001:2023 was published in December 2023 by the International Organization for Standardization. It's the world's first certifiable standard for AI management systems.
If you've implemented ISO 27001 or ISO 9001, the structure will feel familiar. ISO 42001 follows the Harmonized Structure (Annex SL), which means it uses the same 10-clause framework as every modern ISO management system standard. Clauses 1-3 are introductory. Clauses 4-10 are auditable — that's where your implementation work lives.
What makes ISO 42001 different from the management systems you may already know:
- Annex A contains AI-specific controls. These aren't the generic information security controls from 27001. They address AI system lifecycle management, data governance for AI, transparency, human oversight, bias and fairness, and more.
- Annex B provides implementation guidance for those controls — it's not normative, but it's genuinely useful. Read it.
- AI impact assessments are required. This goes beyond traditional risk assessment into evaluating the societal and individual impact of your AI systems.
For a detailed walkthrough of each clause, see our clause-by-clause breakdown. Now let's get into the implementation itself.
Phase 1: Gap Analysis and Readiness Assessment
Typical duration: 4-6 weeks
Every implementation starts with understanding what you already have. I cannot overstate how important this is. Organizations that skip the gap analysis — or treat it as a formality — invariably spend more time and money downstream fixing things they could have planned for upfront.
Here's what a thorough gap analysis looks like in practice:
Map your existing governance against ISO 42001 clauses. Pull out your current policies, procedures, risk registers, and governance documents. Walk through clauses 4-10 and Annex A, and honestly assess where you stand. For each requirement, score it: compliant, partially compliant, or gap.
Identify your AI systems. This is almost always harder than people expect. Most organizations undercount their AI systems by 40-60% in the initial pass. The data science team's models are obvious. The AI features embedded in your SaaS tools are not. The chatbot marketing deployed six months ago without telling IT — that one surfaces later. We've written a complete guide to building your AI inventory because this step alone deserves its own process.
Score and prioritize. The output of your gap analysis should be a gap assessment report with a prioritized remediation plan. Not a list of everything that's wrong — a sequenced plan that tells you what to fix first, second, and third based on risk, effort, and dependencies.
If you want to do a preliminary self-check before bringing in outside help, our readiness self-assessment gives you a structured way to gauge where you stand.
Phase 2: AI System Inventory and Risk Classification
Typical duration: 3-4 weeks
Have you ever asked a department head how many AI systems their team uses, and then compared their answer to what their cloud infrastructure logs show? The gap is always revealing.
The AI inventory is the foundation of your entire AIMS. If it's incomplete, every risk assessment, every control selection, every audit finding downstream will be built on partial information.
What goes in the inventory. Every AI system: in-house models, SaaS platforms with AI features, APIs you consume (OpenAI, Google Vertex, AWS Bedrock — all of them), legacy ML models still running in production, RPA tools with intelligent components, and productivity tools like Microsoft Copilot or Google Workspace AI features that your people use for business processes.
What to capture for each system. At minimum: a unique system ID, plain-language name and description, named business owner, named technical owner, data inputs and sources, decision or output type, whether it's third-party or in-house, and its risk classification.
Risk classification. I recommend using the EU AI Act risk tiers because they align well with ISO 42001's risk-based approach and because the EU AI Act's high-risk system obligations take effect by August 2026 — so you'll need this classification anyway:
- Unacceptable risk — systems that pose clear threats to safety or fundamental rights (prohibited under the EU AI Act)
- High risk — AI used in critical infrastructure, employment, credit scoring, law enforcement, education, and similar domains
- Limited risk — systems with specific transparency obligations (chatbots, deepfakes)
- Minimal risk — low-risk applications like spam filters or basic recommendation engines
AI impact assessments. For each high-risk system, conduct a formal AI impact assessment. Document who is affected, how decisions are influenced, what could go wrong, and what safeguards exist. This isn't a checkbox exercise — auditors will review these assessments for substance.
For a deeper dive on building the inventory itself, see our AI inventory guide.
Phase 3: Documentation and Policy Development
Typical duration: 6-8 weeks
This is the phase where I watch organizations make two opposite mistakes. Some create a 500-page documentation library that nobody reads and nobody follows. Others write a two-page AI policy and think they're done. The right answer is somewhere in the middle, and it depends entirely on your organization's size, complexity, and AI maturity.
Mandatory documents
ISO 42001 requires certain documented information. These are non-negotiable — an auditor will ask for them:
- AI policy — your organization's commitments and principles for responsible AI use
- Risk assessment methodology — how you identify, evaluate, and treat AI-related risks
- Statement of Applicability — which Annex A controls apply to your organization and why (see our Statement of Applicability guide)
- AI impact assessment procedure — how and when you evaluate the impact of your AI systems
- Roles and responsibilities — who is accountable for what within the AIMS
- AIMS scope — the boundaries of your management system
- Objectives and plans — what you're trying to achieve and how you'll measure it
Supporting documents
Beyond the mandatory set, most organizations need:
- Acceptable use policy for AI tools
- Vendor AI management procedure (how you evaluate and monitor third-party AI)
- AI incident response procedure
- Data governance procedures specific to AI training data, inputs, and outputs
- Change management procedure for AI systems
- Training and competence records
For a complete list with templates and tips, see our documentation requirements guide.
One thing I tell every client: auditors want evidence of a working system, not a library. A concise, well-maintained procedure that people actually follow will always score better than a comprehensive manual that sits on a shelf. Write for the people who need to use the documents, not for the auditor. If your people use them, the auditor will be satisfied.
Phase 4: Controls Implementation and Training
Typical duration: 8-12 weeks
This is the longest phase, and appropriately so. This is where your AIMS stops being a set of documents and starts being an operational system.
Implementing Annex A controls
Your Statement of Applicability from Phase 3 determines which Annex A controls you need to implement. The key control areas in ISO 42001 include:
- AI system lifecycle management — controls governing design, development, deployment, monitoring, and decommissioning
- Data management — controls for data quality, data provenance, and data governance specific to AI
- Transparency and explainability — controls ensuring that AI system behavior can be understood and communicated to affected parties
- Human oversight — controls defining when and how humans review, intervene, or override AI decisions
- Bias and fairness monitoring — controls for detecting, measuring, and mitigating bias in AI outputs
- Third-party AI management — controls for evaluating, onboarding, and monitoring vendor AI systems
Don't try to implement everything at once. Prioritize your high-risk AI systems first. Get those controls operational, tested, and documented before working your way down to limited and minimal risk systems. Auditors understand that a management system matures over time — what they need to see is that your highest-risk areas are genuinely controlled.
Training
ISO 42001 requires that people performing work within the AIMS are competent. In practice, this means three tiers of training:
- Leadership awareness — top management needs to understand their role, the AIMS objectives, and what "commitment" actually requires of them (hint: it's more than signing a policy document)
- Practitioner training — the people implementing and operating AI controls need hands-on training in the specific procedures, tools, and assessment methods they'll use
- All-staff AI policy training — everyone in scope needs to understand the AI policy, the acceptable use guidelines, and how to report AI incidents
Keep records of all training. Auditors will sample training records and verify that the people they interview during the Stage 2 audit are competent in their roles.
Phase 5: Internal Audit and Management Review
Typical duration: 4-6 weeks
This phase is where you find out whether everything you've built actually works. I think of it as the dress rehearsal before the certification audit — except it's a mandatory dress rehearsal that the standard explicitly requires.
Internal audit
Your internal audit must happen before the certification audit. It needs to cover every applicable clause (4-10) and every Annex A control in your Statement of Applicability. A few requirements that trip people up:
- Auditor independence. The person auditing a process cannot be the same person who built or operates that process. If your quality manager designed the AIMS, they can't audit it. In small organizations, this often means bringing in an external internal auditor — which sounds paradoxical, but it's common practice.
- Audit evidence. The internal audit isn't a review of documents alone. Auditors should interview process owners, review records, observe operations, and verify that what's documented is what's actually happening.
- Nonconformities. Document every finding. For each nonconformity, document the root cause and the corrective action. Close as many findings as you can before the certification audit. Open findings are fine — they show the system is working — but unaddressed findings from months ago suggest the system isn't.
For a structured approach, use our internal audit checklist.
Management review
Top management must formally review the AIMS before the certification audit. This isn't optional and it isn't a rubber stamp. The management review needs to cover AIMS performance, internal audit results, the status of corrective actions, changes in context or risk, and resource adequacy. The output needs to include decisions and actions — not just "reviewed and noted."
Document the management review minutes thoroughly. This is one of the first things a certification auditor will ask for, because it tells them whether leadership is genuinely engaged or just playing along.
Phase 6: The Certification Audit
Typical duration: 2-4 weeks
The certification audit happens in two stages, conducted by an accredited certification body. Here's what to expect from each.
Stage 1: Document review
The Stage 1 audit is primarily a readiness check. The certification auditor reviews your AIMS documentation — policies, procedures, the Statement of Applicability, risk assessments, the AI inventory, management review minutes. They're looking for completeness and alignment with ISO 42001 requirements. They'll also review your AIMS scope to ensure it's appropriate.
Stage 1 is typically conducted remotely and takes 1-2 days depending on your organization's size. The auditor will issue a Stage 1 report identifying any areas of concern that need to be addressed before Stage 2. If there are significant gaps, they may delay the Stage 2 audit until those gaps are closed.
Stage 2: Implementation audit
This is the real audit. The Stage 2 auditor is looking for evidence that your AIMS is operational — that the policies and procedures you documented in Phase 3 are actually being followed in practice. They will:
- Interview process owners, AI system operators, and leadership
- Sample records: training logs, risk assessments, AI impact assessments, incident reports, change records
- Review your AI inventory and verify a sample of entries against reality
- Examine corrective actions from your internal audit
- Assess whether your Annex A control implementations are effective
What do auditors actually look for? Evidence of operation. I have watched organizations fail Stage 2 audits not because their documentation was wrong, but because they couldn't produce evidence that anyone was actually doing what the documentation described. A beautifully written bias monitoring procedure is worthless if nobody can show you the last three months of bias monitoring results.
Common Stage 2 findings and how to avoid them
- Incomplete AI inventory. The auditor asks about an AI tool they noticed during interviews and it's not in the inventory. Avoid this by doing thorough technical discovery in Phase 2.
- Missing training records. Someone involved in AI governance can't demonstrate competence. Avoid this by tracking all training and keeping certificates or sign-off records.
- Stale risk assessments. Risk assessments were done once and never updated despite changes. Build review triggers into your process.
- Management review that lacks substance. Minutes that say "reviewed AI performance — no issues" without any actual data or decisions. Make management reviews real discussions with real data.
- No evidence of monitoring. Controls are documented but there's no evidence anyone is checking whether they're working. Build monitoring into your operating rhythm from Phase 4 onward.
After certification
Certification isn't the finish line — it's the starting line for ongoing maintenance. Expect:
- Surveillance audits annually (a subset of the full audit scope)
- Recertification audit every 3 years (a full-scope audit similar to the initial certification)
Your AIMS needs to be a living system that evolves as your AI portfolio changes. Organizations that treat certification as a one-time event inevitably struggle at their first surveillance audit.
Timeline and Budget Realities
I get asked about timeline and cost in every initial conversation. Here's what I've seen across more than 200 engagements, broken down by organization size.
| Organization Size | Typical Timeline | Total Budget Range |
|---|---|---|
| Small (under 500 employees) | 6-9 months | $50K - $150K |
| Mid-market (500-5,000 employees) | 9-12 months | $150K - $400K |
| Enterprise (5,000+ employees) | 12-18 months | $400K - $1M+ |
These ranges include consultant fees (if you use one), internal labor costs, technology investments, and the certification body's audit fees. The audit fees alone typically run $15K-$50K depending on scope and organization size.
A few things that consistently affect both timeline and budget:
- Existing management system maturity. Organizations already certified to ISO 27001 or ISO 9001 can move significantly faster because the management system infrastructure (document control, internal audit, management review, corrective action) already exists. In those cases, you're adding AI-specific content to an existing framework rather than building from scratch.
- Number and complexity of AI systems. An organization with 5 well-documented AI systems will move faster than one with 50 scattered across departments.
- Leadership engagement. I've seen projects stall for months waiting for a management review meeting that leadership kept deprioritizing. Top management commitment isn't a platitude — it directly affects your timeline.
- Shadow AI. Every organization has AI tools that nobody officially tracks. The time it takes to discover and bring these into the AIMS is the single most unpredictable variable in any implementation timeline.
Mistakes That Delay Certification
I could fill an entire article with implementation mistakes. (In fact, we have — see common ISO 42001 gaps and how to close them.) But here are the ones I've seen delay certification timelines most consistently:
Starting documentation before completing the gap analysis. It seems productive to start writing policies immediately. It isn't. Without a gap analysis, you don't know what you already have, what needs updating, and what needs to be built from scratch. I've seen organizations write an AI policy, then discover during the gap analysis that they already had one buried in their IT governance framework — just needing updates rather than a full rewrite.
Treating ISO 42001 as an IT project. AI governance is enterprise-wide. AI systems are used by marketing, HR, finance, operations, legal — not just the technology team. Scoping ISO 42001 as an IT initiative guarantees you'll miss systems, miss stakeholders, and face resistance when you try to impose controls on business units that weren't involved in the planning.
Ignoring shadow AI. The systems nobody officially tracks. The generative AI tools employees signed up for with their personal emails. The AI features that were enabled by default in a SaaS upgrade nobody noticed. If you don't actively look for shadow AI, your inventory will be incomplete and your auditor will find it before you do.
Over-documenting. I have reviewed AIMS documentation sets that were 500+ pages. Nobody reads them. Nobody follows them. The auditor opens a procedure, asks the process owner to describe what they do, and the process owner describes something completely different from what's written. Write procedures that are short enough to be useful and specific enough to be followed.
Skipping the AI inventory or doing it superficially. A two-page spreadsheet with system names and owners isn't an AI inventory. Risk classification, data inputs, decision types, human oversight levels, third-party status — all of this needs to be captured. A thin inventory leads to thin risk assessments, which leads to audit findings.
Not securing top management commitment early. You need leadership to approve the AI policy, allocate resources, participate in management review, and visibly support the AIMS. If you wait until Phase 5 to engage leadership, you'll spend weeks chasing approvals that should have been sorted in Phase 1.
Waiting until the last month for internal audit. The internal audit almost always surfaces findings that need corrective action. If you schedule it one month before the certification audit, you won't have time to close those findings properly. Give yourself at least 4-6 weeks between internal audit completion and the Stage 1 audit date.
Frequently Asked Questions
ISO 27001 addresses information security management — protecting the confidentiality, integrity, and availability of data. ISO 42001 addresses AI management — governing the responsible development, deployment, and use of artificial intelligence systems. They share the same Harmonized Structure (Annex SL), so the management system framework feels familiar if you've done 27001. But ISO 42001 introduces requirements around bias monitoring, transparency, human oversight, and AI impact assessments that have no equivalent in 27001. Many organizations pursue both, and the shared structure makes integration straightforward.
Yes. ISO 42001 applies to organizations that develop, provide, or use AI systems. If you use AI exclusively through vendors — SaaS platforms, AI APIs, or outsourced services — you still need to govern how those systems are selected, monitored, and managed within your operations. Clause 8.4 specifically addresses externally provided AI systems. Your AIMS would focus on vendor management, acceptable use policies, risk assessment of vendor AI, and monitoring outputs rather than model development. In my experience, vendor-only organizations can often achieve certification faster because their scope is narrower.
There's no fixed number. Your Statement of Applicability determines which Annex A controls apply based on your risk assessment and the nature of your AI systems. You must justify every inclusion and exclusion. In practice, most organizations find that 60-80% of Annex A controls are applicable, but it varies significantly depending on whether you develop AI, deploy it, or only use third-party tools. The key is that your selections are risk-based and documented — not arbitrary. See our Statement of Applicability guide for a detailed walkthrough.
Not necessarily. Small and mid-sized organizations often distribute AI governance responsibilities across existing functions — IT, compliance, legal, operations — with a designated coordinator or committee to maintain oversight. Larger organizations with extensive AI portfolios typically benefit from a dedicated team. What the auditor cares about is that responsibilities are documented, people are competent, and accountability is clear. The org chart structure is up to you.
Outright failure is rare with proper preparation. More commonly, auditors issue nonconformities — major or minor. Minor nonconformities can typically be resolved with a corrective action plan submitted within 90 days, without a full re-audit. Major nonconformities require demonstrated correction and may trigger a follow-up audit of the affected areas. If multiple major nonconformities are found, the certification body may require a partial or full re-audit. This is exactly why the internal audit and management review in Phase 5 matter so much — they're your opportunity to find and fix issues before the certification body does.
Where to Start
If I had to compress this entire guide into one piece of advice, it would be this: start with the gap analysis and the AI inventory. Everything else depends on those two outputs. Without knowing where you stand and what AI systems you're governing, every subsequent phase is guesswork.
If you're building this from scratch and want structured support, our ISO 42001 implementation service walks you through every phase with dedicated project management and hands-on documentation support. If you're further along and need help with a specific phase — AI risk assessment, certification preparation, or pharma-specific AI governance — we do that too.
The organizations that get through certification efficiently are the ones that treat it as a structured project with clear phases, realistic timelines, and honest assessments of their starting position. This isn't a mystery. It's a project. And like any project, it goes better with a plan.
Last updated: 2026-04-07
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.