
ISO/IEC 42001 Certification: The Complete Path to AIMS in 2026

How to achieve ISO/IEC 42001:2023 certification: clause-by-clause walkthrough of all 10 clauses and 38 Annex A controls, Stage 1 and Stage 2 audit details, evidence requirements, cost ranges sourced from public data, and accredited certification body options.

By AI Compliance Vendors Editorial · Published April 21, 2026 · Last verified April 21, 2026

If you have achieved ISO 27001 certification for information security, you understand what ISO/IEC 42001 requires: a management system standard that proves an organization's AI governance processes are documented, implemented, measured, and continuously improved. The first international certifiable standard specifically for AI was published by ISO on 18 December 2023. It is now the functional equivalent of SOC 2 for AI — increasingly required in enterprise procurement, regulated sector due diligence, and EU AI Act conformity evidence packages.

This guide is written for the compliance manager, DPO, or CISO who owns the certification program. It walks clause by clause, covers what auditors actually test, names accredited certification bodies, and gives defensible cost and timeline ranges sourced from published third-party data.


What ISO/IEC 42001:2023 requires at a glance

ISO/IEC 42001:2023 is the first edition, published December 2023. It specifies requirements for an Artificial Intelligence Management System (AIMS) — the organizational framework for governing AI systems responsibly throughout their lifecycle.

The standard follows the same Annex SL Harmonized Structure used by ISO 27001 (information security), ISO 9001 (quality), and ISO 14001 (environmental). Organizations with existing ISO management system certifications can integrate an AIMS into their existing framework with reduced duplication.

Three things make 42001 distinct from a generic management system standard:

1. AI-specific risk assessment (Clause 6.1.2): Requires assessing AI-specific risks — bias, fairness, safety, opacity — not just generic organizational risks, per Glocert International's clause analysis.
2. AI system impact assessment (Clause 6.1.4 and Clause 8.4): Requires assessing consequences to individuals and society — a human rights–oriented obligation.
3. Annex A AI-specific controls (38 controls): Unlike ISO 27001's Annex A (information security controls), ISO 42001's Annex A addresses AI system lifecycle, data quality, algorithmic accountability, and transparency, per ISMS.online's Annex A analysis.

The standard applies to organizations that develop AI systems, provide AI systems (including as a service), or use AI systems in their operations. See /best/iso-42001-software and the /frameworks/iso-iec-42001 framework page.


Clauses 4-10: a clause-by-clause walkthrough

ISO 42001 has 10 clauses. Clauses 1–3 cover scope, normative references, and definitions. Clauses 4–10 contain the auditable requirements, as detailed in Glocert International's ISO 42001 Requirements Guide.

Clause 4: Context of the Organization

The organization must determine external and internal issues relevant to its AI activities and stakeholder needs. For AI, this specifically includes: the regulatory landscape (EU AI Act, sector-specific regulations), technological maturity, societal expectations, and the interests of AI-affected individuals. The scope statement (Clause 4.3) must name which AI systems are included, which business units are in scope, and any geographic boundaries.

Clause 5: Leadership

Top management must be visibly engaged. This means: establishing and communicating an AI policy (Clause 5.2) that explicitly addresses responsible AI principles (fairness, transparency, accountability), allocating adequate resources, and naming roles with specific authority for AI risk assessment and incident management (Clause 5.3). Auditors test this by interviewing executives — not just reviewing the org chart.

Clause 6: Planning

This is where the AI-specific requirements begin:

  • Clause 6.1.2 (AI Risk Assessment): Define and apply an AI risk assessment process covering the AI system lifecycle. Document results.
  • Clause 6.1.3 (AI Risk Treatment): Select treatment options (mitigate, accept, transfer, avoid); compare selected controls against Annex A to identify gaps; produce a Statement of Applicability (SoA). The SoA is a key audit artifact — it lists every Annex A control, states whether it is applicable, and provides justification for any exclusions.
  • Clause 6.1.4 (AI System Impact Assessment): Assess impacts on individuals and society, including fundamental rights. Analogous to a DPIA under GDPR but broader in scope.
  • Clause 6.2 (AI Objectives): Set measurable objectives — for example, bias reduction targets, accuracy thresholds, or transparency disclosure timelines.

Clause 7: Support

The organization must demonstrate: adequate personnel with AI-specific competencies (including bias assessment, ethical AI principles, and relevant regulatory requirements); awareness training programs; and documented communication plans. Documented information (Clause 7.5) requirements mirror ISO 27001 — all policies, procedures, records, and evidence must be controlled, versioned, and retained.

Clause 8: Operation

This is where controls are actually implemented:

  • Clause 8.1: Operational planning — processes must exist for each AI system in scope.
  • Clauses 8.2 and 8.3: AI risk assessments and risk treatment plans must be performed at planned intervals or when significant changes occur.
  • Clause 8.4: Impact assessments must be conducted and documented.
  • Annex A controls are operationalized here: all controls selected in the SoA must be demonstrably implemented.

Per Schellman's certification process blog, auditors spend the most time in Clause 8. Evidence of actual control operation — logs, test results, meeting minutes, training records, incident records — is tested here.

Clause 9: Performance Evaluation

Three sub-components:

  • Clause 9.1: Determine what to monitor, how, when, and who is responsible. For AI this typically includes model accuracy metrics, bias metrics, user complaints, and regulatory change tracking.
  • Clause 9.2 (Internal Audit): Conduct planned internal audits to verify conformance with ISO 42001 and effectiveness of the AIMS. Internal auditors must be independent of the processes being audited.
  • Clause 9.3 (Management Review): Top management must review the AIMS at planned intervals. Management review minutes are a key Stage 2 audit artifact.

Clause 10: Improvement

  • Clause 10.1 (Continual Improvement): The AIMS must be improved over time. Static governance frameworks fail this clause.
  • Clause 10.2 (Nonconformity and Corrective Action): Documented processes for identifying nonconformities, investigating root causes, implementing corrective actions, and verifying effectiveness. Corrective action records are reviewed in surveillance audits.

Annex A controls: the 9 control objectives

ISO 42001's Annex A contains 38 individual controls organized into 9 control domains. Based on ISMS.online's Annex A Controls guide and InfosecTrain's clause analysis:

| Domain | Code | Control objective |
|---|---|---|
| Policies Related to AI | A.2 | Document a policy for AI development or use; align with organizational strategy and ethical considerations |
| Internal Organization | A.3 | Define roles and responsibilities; create mechanisms for stakeholder concerns about AI systems |
| Resources for AI Systems | A.4 | Identify and document essential resources: data, tooling, computing, human expertise |
| Assessing Impacts of AI Systems | A.5 | Structured impact assessment throughout the AI system lifecycle; identify, analyze, evaluate, and treat impacts |
| AI System Life Cycle | A.6 | Define and govern AI system stages: development, deployment, operation, monitoring, decommissioning |
| Data for AI Systems | A.7 | Define data quality requirements; document data provenance and lineage throughout the AI lifecycle |
| Information for Interested Parties | A.8 | Communicate essential information to users and stakeholders; maintain an incident communication plan |
| Use of AI Systems | A.9 | Document processes for responsible AI use aligned with ethical standards, legal requirements, and organizational policy |
| Third-Party and Customer Relationships | A.10 | Allocate responsibilities between the organization, partners, suppliers, and customers |

ISMS.online's analysis, citing InfosecTrain's review, confirms that 38 individual controls exist within these 9 domains. The Statement of Applicability (SoA) is a mandatory document listing every Annex A control, whether it is applicable, and the justification for any exclusions. Auditors scrutinize exclusion justifications carefully.


Who should pursue certification (and who shouldn't)

Strong candidates for certification:

  • B2B AI product companies selling into enterprise or regulated markets — procurement teams now include ISO 42001 in security questionnaires
  • Financial services, healthcare, insurance, and public sector organizations deploying AI in high-stakes decisions
  • Organizations building toward EU AI Act compliance — ISO 42001 certification provides strong conformity evidence under the Act's recitals, per Regulation (EU) 2024/1689
  • Organizations with existing ISO 27001 certification — integration dramatically reduces incremental effort

Organizations that should wait:

  • Pre-product startups with no deployed AI systems — scope definition becomes artificial
  • Organizations whose AI use is purely internal and low-risk, with no regulatory exposure
  • Organizations whose AI footprint is entirely third-party SaaS with no development or customization — Annex A.10 becomes the primary obligation, which may not warrant full AIMS certification
  • Organizations that cannot commit the internal resource to sustain an AIMS — a certificate obtained without genuine ongoing governance is a liability, not an asset


Accredited certification bodies (BSI, Schellman, A-LIGN, LRQA, etc.)

ISO 42001 certification must be conducted by an accredited certification body. Accreditation is issued by national accreditation bodies (e.g., ANAB in the US, UKAS in the UK). You can search for accredited ISO 42001 certification bodies via the ANAB directory.

Active certification bodies for ISO 42001 as of April 2026 include:

| Body | HQ | Known for | Link |
|---|---|---|---|
| BSI Group | UK / global | Early ISO 27001 authority; physical/digital hybrid audits | bsigroup.com/iso-42001 |
| Schellman | US | Technology-focused; no-surprises audit policy; formal ISO 42001 practice | schellman.com/iso-42001 |
| LRQA | UK / global | Maritime, energy, and infrastructure history; now AI Management System practice | lrqa.com/iso-42001 |
| A-LIGN | US | GRC-focused; tech sector; combined 27001/42001 audit programs | |
| SGS | Switzerland | Multi-sector; large global footprint | |
| Bureau Veritas | France / global | Industrial and enterprise; training programs available | |

Before selecting a certification body: verify their ISO 42001 accreditation status via your national accreditation body; ask for references from organizations of comparable size and sector; assess whether their auditors have practical AI/ML experience (not just management systems expertise).


Stage 1 and Stage 2 audits: what actually happens

The ISO 42001 certification process follows the same two-stage model used for ISO 27001, per guidance from Schellman and Glocert International:

Stage 1: Documentation and readiness review

Duration: Typically 1–2 days per Schellman's process description.

What happens: The certification body reviews documented information — AIMS scope, AI policy, risk management methodology, impact assessment framework, and the Statement of Applicability. Roles, governance structures, and documented risk and impact assessment methodologies are reviewed.

Outputs: A formal report identifying Areas of Concern (AOCs) or potential nonconformities. If significant AOCs are found, the organization may need additional preparation time.

Timeline to Stage 2: Typically 4–12 weeks. Per Schellman's guidance, this should not exceed 6 months; if it does, Stage 1 may need to be repeated.

Stage 2: Implementation effectiveness audit

Duration: Can last anywhere between 3–9+ days depending on organization size, per Schellman.

What happens: The auditor tests whether the AIMS is not just documented but actually operating. This includes:

  • Evidence that AI risk assessments have been conducted for in-scope systems
  • Evidence that Annex A controls are implemented and effective (sampling of control records)
  • Review of Clause 8 operational planning — process criteria, control evidence, impact assessment documentation
  • Assessment of Clause 9 — internal audit records, monitoring data, management review minutes
  • Interviews with control owners, AIMS owners, and relevant personnel

Key Stage 2 evidence artifacts: Risk assessment results; risk treatment plan; Statement of Applicability with implementation evidence; AI impact assessment records; training records; internal audit report; management review minutes; corrective action records; monitoring/measurement results.

Outcome: Certificate issued (3-year validity) if no open nonconformities. Major nonconformities must be resolved before certification.

Surveillance audits

After certification, annual surveillance audits are required per Schellman and Vanta's certification guide. These typically require approximately 1/3 of the initial certification audit time — roughly 2–5+ days. Surveillance reviews focus on: corrective actions from previous audits; Clauses 8–10 operational controls; sampling of Annex A controls; continued scope validity; and evidence of continual improvement.

A full recertification audit is required every 3 years.


Evidence you'll be asked to produce

Based on the Glocert International certification process guide and Schellman's blog, auditors will request:

  • AIMS scope document — defines system boundaries and exclusions
  • AI policy (Clause 5.2) — signed by executive leadership
  • Roles and responsibilities matrix (Clause 5.3)
  • Risk assessment methodology and completed risk assessments (Clauses 6.1.2, 8.2)
  • Risk treatment plan (Clause 6.1.3) with control decisions linked to Annex A
  • Statement of Applicability with inclusion/exclusion justifications for all 38 Annex A controls
  • AI impact assessment records (Clause 6.1.4, 8.4) for in-scope systems
  • AI objectives (Clause 6.2) with measurable targets and progress tracking
  • Competency records — training, qualifications, awareness activities (Clause 7.2, 7.3)
  • Operational process documentation for each AI system lifecycle stage (Clause 8.1, A.6)
  • Data quality and provenance records (A.7) for training/operational data
  • Transparency documentation for AI system users (A.8)
  • Internal audit report and evidence (Clause 9.2)
  • Management review minutes (Clause 9.3)
  • Corrective action records (Clause 10.2)
  • Monitoring and measurement records (Clause 9.1) — model performance, bias metrics, incident logs

Tool support: automation platforms that help

Several platforms from the vendor roster specifically support ISO 42001 certification workflows:

[Vanta](/vendors/vanta) — Trust Management Platform with ISO 42001 compliance support. Vanta's ISO 42001 cost guide cites 1,200+ automated hourly tests, pre-built AI risk scenarios, and 400+ integrations for automated evidence collection. The platform includes a dedicated auditor portal, reducing coordination overhead during Stage 1 and Stage 2 audits.

[Drata](/vendors/drata) — AI-Native Trust Management Platform with multi-framework GRC coverage. Drata.com — contact sales for ISO 42001 module pricing.

[Scrut Automation](/vendors/scrut-automation) — Security-first GRC for modern risk and compliance. Offers AWS Marketplace pricing starting at $15,000/year for organizations up to 20 employees per Scrut's marketplace listing.

[Modulos AI](/vendors/modulos-ai) — Built for EU AI Act and ISO 42001, with a governance graph connecting controls, evidence, and frameworks without duplicate entry. Offers a free starter plan and enterprise tier from CHF 15,000 per EIN Presswire. Available at modulos.ai.

[FairNow](/vendors/fairnow) — Covers ISO 42001 and 25+ AI laws with automated evidencing per fairnow.ai. Includes AI certification support workflows.

[Holistic AI](/vendors/holistic-ai) — Continuous audit trails, policy-as-code, and evidence logs mapped to ISO 42001 per holisticai.com.


Realistic timeline and cost (sourced ranges, no fabricated numbers)

Cost ranges below are sourced from Vanta's ISO 42001 certification cost guide and ISMS.online's cost breakdown:

| Cost component | Small org (<50 staff) | Mid-market (50–500) | Enterprise (500+) |
|---|---|---|---|
| Gap analysis / readiness | $3,000–$10,000 | $10,000–$25,000 | $25,000–$75,000+ |
| Implementation and internal audit | $10,000–$20,000 | $20,000–$40,000 | $40,000–$150,000+ |
| Certification audit (Stage 1 + Stage 2) | $7,000–$12,000 | $12,000–$20,000 | $20,000–$50,000+ |
| Total initial certification | ~$20,000–$42,000 | ~$42,000–$85,000 | $85,000–$275,000+ |
| Annual surveillance audit | $1,500–$3,500 | $3,500–$7,500 | $7,500–$20,000 |

[ISMS.online](https://www.isms.online/iso-42001/certification/certification-cost/) cites a minimum realistic cost of approximately £8,000–£10,000 for small organizations with some existing governance. [Vanta](https://www.vanta.com/collection/iso-42001/iso-42001-certification-cost) cites overall certification costs from "several thousand dollars to $75,000+, excluding ongoing maintenance." These ranges are indicative; contact accredited certification bodies directly for quotes specific to your scope.

Timeline:

| Stage | Typical duration |
|---|---|
| Gap analysis | 2–4 weeks |
| AIMS implementation | 3–6 months |
| Stage 1 audit | 1–2 days, 4–12 weeks before Stage 2 |
| Stage 2 audit | 3–9+ days |
| Certificate issuance | 1–4 weeks post-Stage 2 resolution |
| Total first certification | 6–12 months from project start |

Organizations with existing ISO 27001 programs typically achieve certification in 4–6 months by reusing management system infrastructure. Greenfield programs run 9–15 months.


Maintaining certification: surveillance and recertification

Certification is not a one-time event. The three-year cycle per Vanta and Schellman requires:

Year 1 and Year 2: Annual surveillance audits

  • Auditors review Clauses 8–10 and a subset of Annex A controls
  • Evidence of corrective action from prior findings is reviewed
  • Monitoring data and management review records are tested
  • Duration: approximately 1/3 of the initial certification — typically 2–5 days, per Schellman

Year 3: Recertification audit

  • Full reassessment similar to the original Stage 2 audit
  • Costs are typically 60–80% of initial certification audit fees

Common surveillance audit failures: Corrective actions not implemented or not evidenced; internal audit not conducted since prior surveillance; management review held but not documented; new AI systems deployed without being added to AIMS scope.


FAQ

Q: How does ISO 42001 relate to the EU AI Act?
A: ISO 42001 certification is not equivalent to EU AI Act compliance, but it provides strong conformity evidence. The Act's high-risk system obligations (Arts. 9, 10, 17) overlap substantially with ISO 42001 Clauses 6, 8, and Annex A. Certification can be presented to market surveillance authorities as evidence of governance maturity.

Q: Is ISO 42001 required by any regulation?
A: As of April 2026, ISO 42001 is not mandated by any major regulation globally. It is referenced in EU AI Act recitals as relevant harmonized guidance, and enterprise procurement requirements increasingly list it alongside SOC 2 and ISO 27001, per Vanta's analysis.

Q: How many companies are ISO 42001 certified?
A: No public global registry exists. Certification bodies do not publish their full client lists. The market is early-stage; early adopters are concentrated in AI product companies, financial services, and public sector technology suppliers.

Q: Can you get ISO 42001 certified if you only use AI, not build it?
A: Yes. The standard applies to organizations that develop, provide, or use AI systems. If you only use third-party AI, the AIMS scope can be limited accordingly, with A.10 (third-party relationships) being the primary Annex A control domain.

Q: Does ISO 42001 replace a separate AI ethics policy?
A: No. The standard requires an AI policy (Clause 5.2) that addresses responsible AI principles including fairness, transparency, and accountability. Whether that policy lives within the AIMS documentation or as a standalone organizational policy is a design choice.

Q: What is the difference between ISO 42001 and ISO 27001 for AI purposes?
A: ISO 27001 governs information security management. ISO 42001 governs AI management — responsible development, deployment, and use of AI systems. They are complementary, not substitutes. See ISO.org's 27001 page and ISO 42001 page for comparison.


Related: [EU AI Act Compliance Guide](/guides/eu-ai-act-compliance-complete-guide-2026) | [NIST AI RMF Implementation](/guides/nist-ai-rmf-implementation-guide) | [/best/iso-42001-software](/best/iso-42001-software) | [/best/ai-governance-platforms](/best/ai-governance-platforms)
