ISO 42001 certification is granted to an organisation, not to an AI system. A certificate attests that the organisation operates a conformant AI Management System (AIMS) — that is, a management system that meets the requirements of Clauses 4 through 10 and applies the relevant controls from Annex A. It does not attest that any individual model, dataset, or AI system is safe, fair, or accurate in isolation.
Certification is performed by an accredited certification body, audited against the published Standard, and valid for three years subject to annual surveillance audits. The process follows the same pattern as ISO 27001 and ISO 9001 certification under ISO/IEC 17021-1, the international standard governing bodies that certify management systems.
“Bodies providing audit and certification of management systems shall meet the requirements of ISO/IEC 17021-1 and the relevant scheme-specific requirements.” — ISO/IEC 17021-1:2015, Foreword
ISO 42001 definitions
| Term | Meaning |
|---|---|
| Certification body | An accredited organisation authorised to audit management systems and issue certificates. Distinct from accreditation bodies, which accredit certification bodies. |
| Accreditation body | A national body that assesses certification bodies against ISO/IEC 17021-1 and scheme-specific requirements. National accreditation bodies are signatories to the IAF MLA (International Accreditation Forum Multilateral Recognition Arrangement). |
| Stage 1 audit | The first audit stage — documentation and readiness review. Identifies gaps before Stage 2. |
| Stage 2 audit | The second audit stage — implementation audit, including evidence sampling and interviews. Determines the certification decision. |
| Surveillance audit | Reduced-scope audit conducted annually after certification to verify ongoing conformity. |
| Recertification audit | Full reassessment performed before certificate expiry at the three-year mark. |
| Nonconformity | A failure to meet a requirement. Classified as major or minor. |
| Major nonconformity | A nonconformity that affects the AIMS’s ability to achieve intended outcomes. Must be resolved before certification or recertification. |
| Minor nonconformity | A nonconformity that does not affect the AIMS’s overall function. Must be addressed but does not block certification. |
Selecting an accredited ISO 42001 certification body
The certification body market for ISO 42001 is new and still forming. As of mid-2026, accreditation for ISO 42001 specifically is held by a growing but still limited number of bodies. Selection requires more diligence than it would for an established standard.
Three checks are essential:
| Check | Why it matters |
|---|---|
| Accreditation for ISO 42001 specifically | Many bodies offering ISO 42001 audits hold accreditation for ISO 27001 or ISO 9001 but not yet for ISO 42001. A certificate issued without scheme-specific accreditation may not be recognised by customers or partners. |
| Accreditation by an IAF MLA signatory | National accreditation bodies that are signatories to the IAF MLA produce internationally recognised certificates. Examples: UKAS (UK), ANAB (US), DAkkS (Germany), Accredia (Italy), JAS-ANZ (Australia and New Zealand). |
| Sector experience | ISO 42001 is technology-neutral but sector context shapes implementation. Bodies with auditors experienced in your sector — healthcare, financial services, public sector — produce more useful audits than bodies without that experience. |
Accreditation status should be verified directly with the relevant national accreditation body, not taken on the certification body’s representation. National accreditation bodies publish searchable directories of accredited certification bodies and their accredited scopes.
A practical sequence:
- Identify three to five candidate certification bodies.
- Verify accreditation for ISO 42001 with the relevant national accreditation body.
- Request proposals covering audit days, audit team experience, and total fees including surveillance and recertification.
- Review the proposed lead auditor’s experience with AI governance specifically — not only with management system certification.
- Confirm the audit team includes a competent technical assessor where the AI portfolio is complex.
The cheapest proposal is rarely the right choice. Audit-day calculations under ISO/IEC 17021-1 set a floor — bodies pricing significantly below the floor are either under-scoping the audit or are not pricing accreditation costs into their fee. Both are warning signs.
ISO 42001 certification cycle
| Phase | What happens | Typical timing |
|---|---|---|
| Application and contract | Scope agreed; audit days calculated; contract signed | 4–8 weeks before Stage 1 |
| Stage 1 audit | Documentation review; readiness assessment; identification of gaps | 1–3 days on site or remote |
| Stage 1 to Stage 2 gap | Organisation addresses Stage 1 findings; certification body confirms readiness | 4–12 weeks |
| Stage 2 audit | Implementation audit; evidence sampling; interviews; finding determination | 2–6 days on site |
| Certification decision | Independent review of audit findings; certificate issued | 4–8 weeks after Stage 2 |
| Surveillance audit (year 1) | Reduced-scope audit; sampling against a subset of controls | 1–3 days |
| Surveillance audit (year 2) | Reduced-scope audit; different sample | 1–3 days |
| Recertification audit (year 3) | Full reassessment before certificate expiry | 2–4 days |
The three-year certificate is the headline output, but the cycle is operationally continuous. Surveillance audits sample different controls each year, and the certification body expects to see evidence of ongoing operation — new internal audit reports, recent management review minutes, updated risk assessments, current Statement of Applicability, closed corrective actions — at every visit.
Stage 1 — Documentation review
Stage 1 is the readiness assessment. It is not the certification decision; it is the audit that determines whether the organisation is ready for Stage 2. The audit covers documentation, scope, and operational readiness.
What Stage 1 examines:
| Area | What auditors look for |
|---|---|
| AIMS scope | Clear statement of what is in and out of scope; consistency with operations |
| AI policy | Approved, communicated, specific to AI, providing framework for objectives |
| Documented information | Procedures, records, controlled documents covering each clause |
| Statement of Applicability | Completeness; justification for inclusions and exclusions; consistency with risk treatment plan |
| Risk and impact assessments | Methodology documented; assessments performed; results retained |
| Internal audit programme | Programme established; at least one cycle complete or imminent |
| Management review | At least one review held or scheduled before Stage 2 |
| Readiness for Stage 2 | Operational evidence available for sampling |
Stage 1 typically produces findings categorised as observations, opportunities for improvement, or — in serious cases — major or minor nonconformities. Major nonconformities at Stage 1 usually delay Stage 2 until they are addressed.
Common Stage 1 outcomes:
- Ready for Stage 2 with minor adjustments — most organisations that prepared thoroughly fall here.
- Ready for Stage 2 after specific actions — Stage 1 identifies one or two material gaps; the organisation addresses them and Stage 2 proceeds.
- Not ready — major gaps in documentation, scope, or evidence make Stage 2 premature. Stage 2 is rescheduled.
Stage 1 can be conducted remotely in many cases, particularly for the documentation review elements. Stage 2 is typically on site, though hybrid arrangements have become more common.
Stage 2 — Implementation audit
Stage 2 is the certification decision audit. The audit team verifies that the AIMS is operating as documented — not just that documentation exists, but that controls are implemented, evidence is being produced, and people are performing the activities the procedures specify.
The audit team performs five types of work:
| Activity | What it tests |
|---|---|
| Document sampling | Procedures, policies, plans, and registers exist, are current, and are controlled |
| Record sampling | Operational records — risk assessments, impact assessments, technical documentation, logs, training records, incident records — are produced as the procedures require |
| Interviews | Staff understand the AI policy, their roles, and the procedures they operate; competence is genuine rather than asserted |
| Walkthroughs | End-to-end traces — for example, an AI system from inception through impact assessment, design documentation, V&V, deployment gate, operation, and monitoring — show the AIMS operating coherently |
| Sampling against the SoA | Selected controls are tested against the Statement of Applicability for implementation and evidence |
Sampling under ISO/IEC 17021-1 is not exhaustive. The audit team selects a representative sample of controls, AI systems, business units, and lifecycle stages. The sample size is calibrated to audit days and AIMS scope. Organisations that prepare for full audit of every control are over-preparing; organisations that prepare for sampling of obvious controls are under-preparing. The right preparation is even readiness across the AIMS, with depth on the controls and AI systems most likely to be sampled — typically those tied to identified risks, the most complex AI systems, and the controls with highest audit weight (see the Annex A controls walkthrough).
Stage 2 produces a finding report. Findings are classified as:
| Classification | Meaning | Effect on certification |
|---|---|---|
| Major nonconformity | A requirement is materially unmet | Must be resolved before certification; may require follow-up audit |
| Minor nonconformity | A requirement is partly unmet; system function not affected | Must have corrective action plan accepted; closure verified at next surveillance |
| Observation | A potential issue; not a current nonconformity | Tracked; addressed at the organisation’s discretion |
| Opportunity for improvement | A suggestion | Tracked; no action required |
Major nonconformities at Stage 2 are uncommon for organisations that conducted thorough Stage 1 preparation. Where they occur, they typically result from the audit revealing a gap between documented procedure and actual operation — evidence that the AIMS exists on paper but does not run.
Surveillance audits
After certification, the certification body conducts surveillance audits annually in years 1 and 2. The audit is shorter than Stage 2 and samples a subset of the AIMS rather than auditing every clause. The certification body designs the surveillance programme so that, across the three-year cycle, the entire AIMS is audited at least once.
Surveillance audits typically check:
| Area | Common focus |
|---|---|
| Internal audit | Programme operating; recent audits performed; findings closed |
| Management review | Most recent review minutes; required inputs covered; outputs produced |
| Nonconformity and corrective action | Register active; corrective actions closing with effectiveness verification |
| Statement of Applicability | Updated for changes; consistent with current risk treatment |
| Selected Annex A controls | Sampled against operational evidence |
| Changes to AIMS scope | New AI systems, business units, or capabilities included where relevant |
Surveillance audits are the most common point at which previously certified organisations lose certification. The cause is rarely a single dramatic failure — it is the gradual decline of an AIMS that was implemented for Stage 2 and then maintained at a lower level than the Standard requires.
ISO 42001 recertification
In year 3, the certification body performs a recertification audit. The scope is broader than surveillance — closer to Stage 2 — and produces a new three-year certificate. Recertification audits typically take less time than the original Stage 2 because the certification body already knows the AIMS, but they cover the full scope rather than a sample.
Recertification timing matters. The new certificate must be issued before the existing one expires; otherwise there is a gap in certification. Most certification bodies schedule recertification audits two to four months before expiry to allow time for finding closure and certification decision.
Evidence ISO 42001 auditors expect to see
A functioning AIMS produces a defined set of artefacts. The table below covers the documents auditors most consistently request and examine across Stage 1, Stage 2, and surveillance.
| Document | Source clause | Why auditors examine it |
|---|---|---|
| AIMS scope statement | 4.3 | First document requested; defines what is being audited |
| Interested parties register | 4.2 | Input to risk, impact, communication |
| AI policy | 5.2 | Leadership commitment evidence |
| Roles and responsibilities documentation | 5.3 | Authority for AIMS operation |
| AI objectives | 6.2 | Measurable, time-bound, owned |
| Risk assessment methodology | 6.1.2 | Foundation of risk treatment |
| AI risk register | 6.1.2, 8.2 | Identified risks; analysis; evaluation |
| Risk treatment plan | 6.1.3 | Treatment options, control selection, residual risk |
| Statement of Applicability | 6.1.3 | The working surface of the audit |
| AI impact assessment methodology | 6.1.4 | Distinct from risk methodology |
| AI impact assessments per AI system | 6.1.4, 8.4 | Effects on individuals, groups, societies |
| Competence framework and records | 7.2 | Evidenced competence per role |
| Training and awareness records | 7.2, 7.3 | Staff awareness of policy and AIMS |
| Communication procedures and logs | 7.4 | Internal and external communication |
| Documented information control procedures | 7.5 | Version control, retention, access |
| AI system lifecycle procedures | 8.1, Annex A.6 | Process spine of the AIMS |
| Technical documentation per AI system | Annex A.6.2.7 | Design, V&V, deployment, monitoring |
| Event logs | Annex A.6.2.8 | Traceability and audit |
| Supplier assessments and contracts | Annex A.10 | Third-party AI governance |
| Monitoring and measurement records | 9.1 | Operational metrics; AIMS performance |
| Internal audit programme and reports | 9.2 | At least one cycle pre-Stage 2 |
| Management review minutes | 9.3 | Most concrete evidence of leadership engagement |
| Nonconformity and corrective action register | 10.2 | System responsiveness to findings |
The five documents most heavily scrutinised across the certification cycle are the AI policy, the Statement of Applicability, the AI impact assessments, the internal audit reports, and the management review minutes. Together they evidence the AIMS’s structural integrity, its risk-driven control selection, its substantive engagement with impact, its independent self-assessment, and its leadership ownership.
Typical nonconformities
Across practitioner experience with ISO 42001 audits, a recurring set of nonconformities accounts for a disproportionate share of findings. The pattern is similar across certification bodies and across the first two years of the Standard’s certification market.
| Nonconformity | Where it surfaces | Underlying cause |
|---|---|---|
| SoA as inventory rather than risk-driven | Stage 1, Stage 2 | Worked through Annex A in order without reference to identified risks |
| Impact assessment as risk assessment | Stage 2 sampling | 6.1.4 conflated with 6.1.2; impact treated as business risk |
| Borrowed AI policy | Stage 1 documentation | Adapted from ethics statement or ISO 27001 policy; fails framework-for-objectives requirement |
| Diffuse accountability | Stage 2 interviews | Committee responsibility without named individual owner |
| Competence asserted, not evidenced | Stage 2 sampling | CVs without training records, qualifications, or demonstrated experience |
| Internal audit by the implementer | Stage 1, Stage 2 | Person who built the AIMS audits it; objectivity violation |
| Management review as standing leadership meeting | Stage 1, Stage 2 | Generic meeting minutes; required 9.3 inputs and outputs not addressed |
| Corrections logged as corrective actions | Stage 2 register sample | Symptoms fixed without root cause analysis or recurrence prevention |
| Effectiveness review missing | Surveillance | Corrective actions closed without verification they worked |
| External communication of limitations omitted | Stage 2 documentation | 7.4 external limb missed; particularly the obligation to communicate known limitations to interested parties |
| Third-party AI treated as ordinary procurement | Stage 2 sampling | A.10 controls under-implemented; foundation model and SaaS dependencies inadequately governed |
| Lifecycle without stages | Stage 2 walkthroughs | “Concept to deployment” described without defined stages, gates, or evidence per stage |
| Assessments as snapshots | Surveillance | Risk and impact assessments performed once and not repeated; fails 8.2 and 8.4 cadence requirements |
The first three — SoA as inventory, impact assessment as risk assessment, borrowed AI policy — are the most frequent and the most consequential. Each reflects a failure to internalise the Standard’s worldview rather than a gap in documentation. Addressing them requires rethinking the AIMS, not adding paperwork.
How to prepare for audit
Audit readiness is the work of the eight to twelve weeks before Stage 1. The implementation phase produced the AIMS; readiness work confirms that what was produced will hold up to external scrutiny.
A practical readiness sequence:
| Step | Purpose |
|---|---|
| 1. Pre-audit gap review | Internal walkthrough of every clause and every applicable Annex A control against documentation and evidence |
| 2. SoA reconciliation | Verify that each applied control traces to identified risks and that exclusions are justified |
| 3. Internal audit cycle complete | At least one full internal audit performed; findings closed or in active closure |
| 4. Management review held | At least one management review with required 9.3 inputs and outputs documented |
| 5. Evidence index | Document mapping each clause and each applied control to the records that evidence it |
| 6. Mock interviews | Control owners and AIMS owner rehearse explanations and walkthroughs |
| 7. Document version freeze | Documentation versions stabilised before Stage 1 to avoid moving targets |
The evidence index is the most useful single artefact. It lets the audit team navigate the AIMS quickly, lets the organisation respond to evidence requests without searching, and surfaces gaps before the auditor does. Organisations that produce a credible evidence index for Stage 1 typically have a smoother Stage 2.
Mock interviews are the second most useful. The Stage 2 audit tests whether named control owners can explain their controls and produce evidence. Owners who have rehearsed perform meaningfully better than owners who encounter the auditor for the first time.
FAQ
How long does certification take from kickoff to certificate?
For organisations starting from scratch — no existing management system, no AI governance in place — the typical timeline is twelve to eighteen months: six to twelve months for implementation, then three to six months for the audit cycle (Stage 1, gap closure, Stage 2, certification decision). Organisations integrating with mature ISO 27001 or ISO 9001 systems compress the implementation phase and can complete the cycle in nine to twelve months.
What does certification cost?
Certification costs vary by certification body, AIMS scope, and audit days required. Audit-day calculations under ISO/IEC 17021-1 produce a floor based on organisation size and complexity. Typical Stage 1 and Stage 2 combined audit days for a mid-sized organisation run from six to twelve days; surveillance audits run two to four days each. Total certification body fees over the three-year cycle for a mid-sized organisation are commonly in the £20,000–£60,000 range, with implementation costs (internal effort, consulting, tooling) typically several times higher. The total cost depends heavily on starting maturity and scope.
Can I be certified for only some of my AI systems?
Yes. AIMS scope under Clause 4.3 is defined by the organisation, and the scope statement defines which AI systems, business units, geographies, and lifecycle stages are covered. Certification certificates list the scope. The certified scope may be narrower than the organisation’s full AI footprint, but the scope statement must be transparent — under-scoping to make certification easier is permitted, but customers and partners read scope statements and discount certificates that exclude material AI activity.
What happens if I fail Stage 2?
“Failure” usually means major nonconformities that block certification. The certification body typically schedules a follow-up audit (sometimes called a Stage 3 or a verification audit) to verify that the major nonconformities have been resolved. The original Stage 2 audit results stand for closed minor findings. Re-doing the full Stage 2 is rare; verification of resolved major nonconformities is the more common path.
Are remote audits permitted?
Stage 1 can usually be performed remotely. Stage 2 is typically partly or fully on site, particularly the implementation audit and walkthrough elements, though certification bodies vary in remote-audit policy and IAF guidance permits significant remote auditing where conditions are met. Surveillance audits are frequently remote in part. The pandemic-era expansion of remote auditing has not been fully reversed.
Can my certification body also provide consulting?
No. ISO/IEC 17021-1 requires impartiality. A certification body that provides management system consulting to an organisation cannot certify the same organisation’s management system. This is a structural requirement, not a guideline. Organisations using consultants for implementation must use a different organisation for certification.
What is the difference between accredited and unaccredited certification?
An accredited certification is issued by a certification body that has itself been assessed against ISO/IEC 17021-1 by a national accreditation body. Unaccredited certifications — sometimes offered at lower cost by bodies without accreditation for ISO 42001 specifically — produce a certificate that may not be recognised by customers, partners, or regulators. The cost difference is rarely worth the risk; verify accreditation status before engagement.
How are findings tracked between audits?
The certification body issues a findings report after each audit. Minor nonconformities require a corrective action plan, which the certification body reviews and accepts; closure is verified at the next surveillance audit. Major nonconformities require resolution before certification or recertification proceeds. The organisation’s own nonconformity register under Clause 10.2 should track these findings alongside internally identified ones.
Does ISO 42001 certification help with EU AI Act compliance?
It provides substantial evidence for the Act’s quality management system requirement under Article 17, and it produces records and processes that support Article 9 (risk management), Article 10 (data governance), Article 11 (technical documentation), Article 12 (logging), Article 13 (transparency to deployers), Article 14 (human oversight), and Article 72 (post-market monitoring). It does not substitute for the Act’s conformity assessment, CE marking, or any specific obligation. The two regimes are complementary; pursuing certification while preparing for the Act is the common pattern for organisations with EU market exposure.
What disqualifies a certification body?
Failure to hold accreditation for ISO 42001 specifically; accreditation by a body that is not an IAF MLA signatory; a conflict of interest (the body provided consulting to the organisation); persistent failure to follow ISO/IEC 17021-1 procedures. The first is the most frequent: bodies offering ISO 42001 audits without accreditation for the scheme are widespread in the early market and produce certificates of limited value.