ISO 42006 Explained: How Auditor Accreditation Works for ISO 42001

If you are buying an ISO 42001 audit, the question that matters more than the auditor's marketing is whether the certification body is accredited under ISO/IEC 42006:2025. That is the standard that defines what a competent ISO 42001 audit actually looks like. It is the gate between a real certificate and a self-declared sticker.

This explainer covers what ISO 42006 does, how it relates to ISO 42001 and ISO 17021-1, which accreditation bodies recognise it, and which certification bodies have earned accreditation under it so far. If you are a buyer or a vendor evaluating whether your CB is the real deal, this is the checklist.

What ISO 42006 actually is

The full title is ISO/IEC 42006:2025, Information Technology — Artificial Intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems. It was published on July 7, 2025 by ISO/IEC JTC 1/SC 42, the same technical committee that wrote ISO 42001. The first edition runs 31 pages (IEC Webstore).

It does not replace ISO 42001. It supplements it. ISO 42001 sets the requirements organisations meet to operate an AI Management System. ISO 42006 sets the requirements certification bodies meet to audit and certify organisations against ISO 42001 (IEC Webstore). One is for the organisation under audit. The other is for the auditor.

ICAEW put the scope tightly: "ISO/IEC 42006 is not a standard for any and all AI audit and assurance activities. It applies specifically to audit of an AI management system against ISO/IEC 42001" (ICAEW). That distinction matters. A CB accredited under ISO 42006 is qualified to audit AIMS conformance. It is not automatically qualified to perform algorithm audits, bias audits, or product conformity assessments under the EU AI Act.

ISO 42001 vs ISO 42006 in one paragraph

ISO/IEC 42001:2023, published December 18, 2023, is the standard organisations get certified to. It defines the requirements for establishing, implementing, maintaining, and continually improving an AI Management System (ANAB). ISO/IEC 42006:2025, published July 7, 2025, is the standard certification bodies get accredited to. If you are an organisation, ISO 42001 is your bar. If you are a CB, ISO 42006 is yours.

How ISO 42006 sits on top of ISO 17021-1

ISO 42006 does not float on its own. It layers AI-specific requirements on top of ISO/IEC 17021-1, the long-standing general management-system audit and certification standard (IEC Webstore). 17021-1 sets the baseline. Things like impartiality, competence of personnel, audit duration, complaint handling, and certification decision processes. ISO 42006 adds the AI-specific requirements on top: AIMS-specific competencies, treatment of AI controls in Annex A of ISO 42001, how to assess organisations whose AI estate spans multiple data centres or regulatory jurisdictions.

Certification of AIMS under ISO 42006 is treated as a third-party conformity assessment activity in the sense of ISO/IEC 17000:2020 clause 4.5. It is also designed to be integratable into broader conformity assessment schemes under ISO/IEC 17065 for products, processes, or services (ISO).

What the standard requires of audit teams

The competency requirements in ISO 42006 are stricter than most people expect, but with a sensible twist: it requires team-level competence, not unicorn individual auditors.

Individual auditors are not required to have a complete range of AI expertise. The audit team as a whole must have appropriate competence covering the AIMS scope (ISO/IEC FDIS 42006 sample text). Each team member must have knowledge of ISO/IEC 42001 and other normative documents, AIMS documentation structures, and the relevant certification scheme. Collectively the team must understand every control in ISO/IEC 42001:2023 Annex A and how they are implemented.

That team-level rule matters in practice. It means a CB can field a lead auditor with deep management-system experience, an AI specialist who understands model risk and lifecycle controls, and a domain expert for the sector under audit. None of them needs to be all three at once.

Accreditation bodies that recognise ISO 42006

Three accreditation bodies have moved publicly on ISO 42006 so far. They are the gatekeepers for certificates that buyers should actually trust.

ANAB (ANSI National Accreditation Board, USA). Lists ISO/IEC 42006:2025 as a required criteria document for certification bodies seeking accreditation to certify ISO 42001 AIMS (ANAB). ANAB granted its first ISO 42001 accreditation to Schellman on September 24, 2024, before the final ISO 42006 publication, under the then-FDIS draft. ANAB-accredited certs are what most US buyers ask for.

UKAS (United Kingdom Accreditation Service). Granted BSI the world's first UKAS accreditation for ISO/IEC 42001 certification under ISO 42006 in January 2026 (BMTA). UKAS-accredited certs carry weight with UK and Commonwealth buyers.

RvA (Raad voor Accreditatie, Netherlands). Accredited BSI as an ISO 42001 CB in December 2024 (BSI). RvA-accredited certs are commonly accepted across the EU.

Other EU accreditation bodies, including DAkkS in Germany and AENOR in Spain, are at various stages of building their ISO 42006 schemes. Expect more accreditations through 2026.

Certification bodies accredited under ISO 42006

The list below covers the CBs with verifiable, source-traceable ISO 42006 accreditations as of mid-May 2026. New accreditations are coming in steadily; ask any CB you are evaluating to share their accreditation certificate directly.

Schellman Compliance, LLC. First ISO 42001 CB accredited by ANAB, announced September 24, 2024 (Schellman). Schellman has certified AWS, KPMG International, and Clario, among others. Its track record at the enterprise scale is the longest in the market.

A-LIGN. One of the first CBs to receive ISO 42001 accreditation. A-LIGN states it is "one of the first to receive ISO 42001 accreditation" (A-LIGN). A-LIGN certified Synthesia.

BSI (British Standards Institution). First CB accredited by UKAS, in January 2026, and also accredited by RvA from December 2024 (BSI). Dual UKAS plus RvA is the strongest cross-jurisdiction accreditation on the market right now. BSI certified KPMG Australia (its first ISO 42001 cert) and Teleperformance.

Coalfire. Announced as one of the first ANAB-accredited CBs to certify ISO 42001 in July 2025 (Coalfire). Coalfire pairs ISO 42001 audits with deep model testing services.

TÜV SÜD. Has issued ISO 42001 certificates including Unique AG in Switzerland, certified March 7, 2025 under certificate number 99 420 00001 (Unique AG certificate).

TÜV Nord Poland. Certified TTMS, the first Polish company with ISO 42001, in February 2026 (TTMS).

AENOR (Spain). Certified GMV on April 14, 2026 (GMV).

For the running list of who is certified by which CB, see our ISO 42001 certified companies list.

How to evaluate a CB before you sign

Most ISO 42001 quotes you receive will look similar on paper. Ask the questions that separate accredited audits from generic GRC reviews.

1. Which accreditation body recognises your ISO 42006 accreditation, and on what date was it granted? Ask for the accreditation certificate. ANAB, UKAS, and RvA publish their accredited body lists publicly. Verify directly.
2. How does your audit team meet the team-level competency requirements in ISO 42006? Ask who will be on your audit, what their AI background is, and whether they have certified other organisations in your sector.
3. What is the surveillance audit schedule? ISO 42001 follows the typical 17021-1 three-year cycle with annual surveillance audits. A vendor offering certification without ongoing surveillance is offering something other than an ISO 42001 cert.
4. Will the audit report cover ISO 42001 Annex A controls explicitly? It should. The controls are how the AIMS is operationalised. A report that only opines on clauses 4–10 and omits Annex A is incomplete.
5. Can you confirm in writing the audit was conducted under ISO/IEC 42006:2025 rather than under a draft? Buyers in regulated industries increasingly ask for the published-standard version.

Why ISO 42006 matters even if you do not pursue ISO 42001

Two reasons. First, the regulatory tailwinds. The EU AI Act's broader compliance framework references harmonised standards, and ISO 42001 plus ISO 42006 is the closest thing to a globally recognised AI governance bar. Procurement teams in the EU and UK are already requesting ISO 42001 in vendor questionnaires. Second, the assurance economics. Certification under an ISO 42006-accredited body is one of the cheaper ways for an AI vendor to demonstrate operational maturity to a Fortune 500 buyer. It is a sales tool as much as a compliance tool.

If you are weighing ISO 42001 against the NIST AI Risk Management Framework, see our NIST AI RMF vs ISO 42001 comparison. If you are choosing between Big Four firms and boutique audit shops, our AI audit firms comparison lays out the trade-offs.

One final note. ISO 42006 is a young standard. Expect its interpretation to evolve through 2026 and 2027 as ANAB, UKAS, and other accreditation bodies publish supplementary criteria documents and as CBs refine their audit programmes through experience. Treat your CB's interpretation as a living conversation, not a fixed deliverable.

References

1. IEC Webstore. ISO/IEC 42006:2025. https://webstore.iec.ch/en/publication/108460
2. ANAB. ISO/IEC 42001 Artificial Intelligence Management Systems Accreditation Program. https://anab.ansi.org/accreditation/iso-iec-42001-artificial-intelligence-management-systems/
3. Schellman. Schellman Becomes 1st ISO 42001 ANAB Accredited Certification Body. September 24, 2024. https://www.schellman.com/blog/news/schellman-becomes-1st-iso-42001-anab-accredited-certification-body
4. BSI. BSI Becomes the First Certification Body Accredited by UKAS and RvA. November 2025. https://www.bsigroup.com/en-GB/insights-and-media/media-centre/press-releases/2025/november/bsi-becomes-the-first-certification-body-accredited-by-ukas-and-rva-to-deliver-certification-for-isoiec-42001/
5. BMTA. BSI Achieves First UKAS Accreditation for AI Management System Certification. January 27, 2026. https://bmta.co.uk/2026/01/27/bsi-achieves-first-ukas-accreditation-for-ai-management-system-certification/
6. Coalfire. Coalfire Pioneers ISO 42001 AI Certification and Deep Model Testing. July 7, 2025. https://coalfire.com/insights/news-and-events/press-releases/aims-certification-coalfire-pioneers-iso-42001-ai-certification-and-deep-model-testing
7. ICAEW. New standard for firms certifying AI management systems. August 2025. https://www.icaew.com/insights/viewpoints-on-the-news/2025/aug-2025/new-standard-for-firms-certifying-ai-management-systems
8. ISO/IEC FDIS 42006 sample text. https://cdn.standards.iteh.ai/samples/44546/9667c43f106e4758b2f1f04e7e3249a3/ISO-IEC-FDIS-42006.pdf
9. A-LIGN. ISO 42001 service page. https://www.a-lign.com/service/iso-42001
10. ISO. ISO/IEC 42006 standard page. https://www.iso.org/standard/42006