ISO 42001

ISO 42001: AI Management System Certification

Complete guide to ISO 42001 AI management system certification. Requirements, certification process, mapping to EU AI Act, and integration with ISO 27001.

Legalithm Team24. März 202625 Min. Lesezeit

TeilenLinkedIn X

Lesezeit25 min

ThemaISO 42001

AktualisiertMärz 2026

Inhaltsverzeichnis

ISO 42001 Certification: The Complete Guide to AI Management Systems

The EU AI Act (Regulation 2024/1689) creates binding obligations. But a regulation does not ship with a user manual. It tells you what you must achieve — risk management, technical documentation, human oversight, quality management — without prescribing how to build the organisational machinery that delivers those outcomes day after day. That is where ISO/IEC 42001 enters the picture.

Published in December 2023, ISO/IEC 42001 is the world's first international management-system standard dedicated to artificial intelligence. It provides a certifiable framework — modelled on the familiar Annex SL high-level structure used by ISO 27001, ISO 9001, and other management-system standards — for establishing, implementing, maintaining, and continually improving an AI management system (AIMS). For organisations navigating the AI Act's August 2026 compliance deadline, an ISO 42001 certification is fast becoming the single most valuable structural investment they can make.

This guide explains everything you need to know: what the standard requires, how it maps to the EU AI Act, what the certification journey looks like, how it integrates with standards you may already hold, and — critically — what it does not cover.

TL;DR — ISO 42001 in brief

ISO/IEC 42001:2023 is the first certifiable international standard for AI management systems. It was published by ISO and IEC in December 2023.
It applies to any organisation that develops, provides, or uses AI systems — regardless of size, sector, or geography.
The standard follows the Annex SL high-level structure, making it directly integrable with ISO 27001, ISO 9001, and ISO 27701.
It includes Annex A controls specifically designed for AI — covering bias, transparency, data governance, human oversight, and system lifecycle management.
ISO 42001 certification covers an estimated 70–80 % of the organisational and process requirements of the EU AI Act for high-risk systems, particularly Article 9 risk management and Article 17 quality management.
Certification does not equal full AI Act compliance. Critical gaps remain around Article 10 data governance specifics, CE marking, and conformity assessment procedures.
The typical certification timeline is 12–18 months from gap analysis to certificate issuance.
Certification is granted by accredited third-party bodies and is valid for three years, subject to annual surveillance audits.
Organisations that already hold ISO 27001 can leverage existing ISMS infrastructure to accelerate AIMS implementation significantly.

What is ISO 42001?

ISO/IEC 42001:2023 — Artificial Intelligence — Management System is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organisation. It was published on 18 December 2023 by a joint ISO/IEC technical committee (JTC 1/SC 42 — Artificial Intelligence) and represents the culmination of several years of development involving experts from over 50 countries.

The standard is technology-agnostic. It does not dictate which AI techniques to use or which infrastructure to deploy on. Instead, it provides a management-system wrapper — policies, processes, roles, risk assessments, controls, documentation, monitoring, and audit — that ensures AI is governed responsibly throughout its lifecycle.

Who does it apply to?

ISO 42001 is designed for any organisation involved in AI — whether as a developer, provider, deployer, or integrator. This includes AI product companies, enterprises deploying third-party or in-house AI systems, public-sector bodies using AI for decision-making, and AI consultancies or system integrators.

The standard is sector-neutral and scalable. A three-person startup developing a single ML model can implement it, as can a multinational deploying hundreds of AI systems across jurisdictions. The scope of the AIMS is defined by the organisation itself (Clause 4.3).

Why now?

The regulatory landscape has shifted decisively. The EU AI Act's high-risk obligations begin applying on 2 August 2026. The NIST AI RMF, China's AI governance rules, the UK's pro-innovation framework, and Canada's AIDA are all advancing. ISO 42001 gives organisations a single operational framework satisfying the process and governance expectations of multiple regulatory regimes simultaneously. For a broader comparison, see our guide on AI regulation: EU vs US vs UK vs China.

ISO 42001 structure and key requirements

ISO 42001 follows the Annex SL harmonised structure — the same high-level architecture used by ISO 27001 (information security), ISO 9001 (quality), ISO 14001 (environment), and ISO 27701 (privacy). If your organisation already operates one of these management systems, the structure will be immediately familiar. If not, the architecture is logical and well-documented.

The standard is organised into Clauses 4–10 (normative requirements) plus Annex A (a reference set of AI-specific controls) and Annexes B–D (implementation guidance).

Context of the organisation (Clause 4)

Clause 4 requires the organisation to understand its internal and external context as it relates to AI, including regulatory requirements, stakeholder expectations, and the competitive landscape. Specifically, the organisation must:

Identify interested parties — regulators, customers, data subjects, employees, civil-society organisations — and determine their needs and expectations related to AI.
Define the scope of the AIMS: which AI systems, organisational units, locations, and processes are covered.
Document the AI system lifecycle stages relevant to the organisation's activities.

This clause is foundational. Every subsequent requirement — risk assessment, controls selection, performance evaluation — depends on a clearly defined scope and context. Organisations that skip or underinvest in Clause 4 invariably struggle later.

Leadership and AI policy (Clause 5)

Top management must demonstrate leadership and commitment to the AIMS. This is not ceremonial. The standard requires management to:

Establish an AI policy that includes commitments to responsible AI principles, compliance with applicable requirements, and continual improvement.
Ensure that roles, responsibilities, and authorities for the AIMS are assigned, communicated, and understood.
Integrate AIMS requirements into the organisation's business processes.
Ensure adequate resources — budget, personnel, tools — are available.

The AI policy serves as the anchor document. It should articulate the organisation's position on fairness, transparency, accountability, safety, and privacy in AI — and it must be communicated to all relevant personnel. For guidance on structuring a broader AI governance programme around these commitments, see our guide on building an AI governance framework.

Planning — risk and opportunity assessment (Clause 6)

Clause 6 is the analytical core of the standard. It requires the organisation to:

Conduct an AI risk assessment that identifies risks and opportunities related to the AIMS and the AI systems within scope. Risks must be evaluated for likelihood and impact, considering the full AI lifecycle.
Maintain an AI risk treatment plan that specifies which risks will be treated, which controls will be applied, and what residual risk is accepted.
Set AIMS objectives — measurable targets that drive improvement (e.g., "reduce model bias incidents by 30 % year-over-year" or "achieve 100 % documentation coverage for high-risk systems within 6 months").

The risk assessment methodology must be systematic and repeatable. Many organisations adopt a risk matrix approach (likelihood × impact) with AI-specific risk categories: performance degradation, bias and discrimination, privacy violations, security vulnerabilities, opacity and explainability failures, and societal impact.

Clause 6 aligns directly with Article 9 of the EU AI Act, which mandates a risk management system that operates throughout the entire lifecycle of a high-risk AI system. An ISO 42001 risk assessment, properly scoped, provides the documented foundation that Article 9 requires.

Support — resources, competence, awareness (Clause 7)

Clause 7 addresses the organisational infrastructure needed to operate the AIMS:

Resources: Budget, tools, compute infrastructure, and personnel.
Competence: Personnel working within the AIMS must have demonstrable competence in AI, risk management, and governance. The organisation must identify competence requirements, provide training, and retain evidence of competence.
Awareness: All relevant staff must be aware of the AI policy, their contribution to the AIMS, and the implications of non-conformity.
Communication: Internal and external communication processes related to AI governance must be defined.
Documented information: The AIMS must be supported by documented information — policies, procedures, records, assessments, and audit reports. This documentation must be controlled, versioned, and accessible.

The documentation requirements of Clause 7 map closely to the EU AI Act's Article 11 technical documentation obligations. Organisations that build robust Clause 7 documentation practices will find that generating Annex IV technical documentation becomes a downstream exercise rather than a standalone project. For a practical template, see our Annex IV technical documentation guide.

Operation — AI risk treatment (Clause 8)

Clause 8 moves from planning to execution. The organisation must:

Implement the risk treatment plan defined in Clause 6.
Apply the Annex A controls selected during risk treatment (see below).
Manage operational changes — new AI systems, model updates, data pipeline modifications — through defined change-management processes.
Conduct an AI system impact assessment for systems that may have significant impacts on individuals, groups, or society.

The AI system impact assessment is one of the standard's most distinctive elements. It requires organisations to evaluate — before deployment and periodically thereafter — the potential impacts of an AI system on affected individuals and communities, including impacts on fundamental rights, safety, wellbeing, and the environment. This assessment is conceptually aligned with the fundamental rights impact assessment (FRIA) required by Article 27 of the EU AI Act for certain deployers.

Performance evaluation (Clause 9)

Clause 9 requires the organisation to:

Monitor, measure, analyse, and evaluate the performance of the AIMS and of individual AI systems. Metrics must be defined, data collected, and results analysed at planned intervals.
Conduct internal audits of the AIMS at planned intervals to verify that the system conforms to the standard's requirements and is effectively implemented.
Perform management reviews where top management evaluates the AIMS's suitability, adequacy, and effectiveness — and makes decisions about improvement actions, resource allocation, and strategic direction.

Internal audits must be conducted by auditors who are independent of the activities being audited. In smaller organisations, this may require external support. Audit findings must be documented and tracked to closure.

Improvement (Clause 10)

Clause 10 closes the Plan-Do-Check-Act (PDCA) loop. The organisation must:

Address nonconformities through corrective actions — investigating root causes, implementing fixes, and verifying effectiveness.
Pursue continual improvement of the AIMS's suitability, adequacy, and effectiveness.

Nonconformities can arise from internal audits, management reviews, incident reports, or external feedback. The standard does not specify a particular improvement methodology, but the PDCA cycle embedded in the Annex SL structure provides the operational rhythm.

Annex A — AI controls reference

Annex A is perhaps the most operationally significant part of the standard. It provides a catalogue of AI-specific controls organised into functional domains. Unlike the generic controls of ISO 27001's Annex A, these controls are purpose-built for AI governance:

Domain	Focus areas	Example controls
A.2 — AI policies	Organisational AI policies	AI policy, acceptable use, roles and responsibilities
A.3 — Internal organisation	Governance structure	AI governance committee, resource allocation
A.4 — Resources for AI systems	Data, tools, infrastructure	Data quality management, compute resource planning
A.5 — Assessing AI system impacts	Impact assessment, human oversight	Pre-deployment impact assessment, human-in-the-loop controls, override mechanisms
A.6 — AI system lifecycle	Development, testing, deployment, retirement	Requirements specification, design documentation, V&V, monitoring, decommissioning
A.7 — Data for AI systems	Data governance across the lifecycle	Data provenance, data quality, data bias assessment, data protection
A.8 — Information for interested parties	Transparency and communication	Disclosure of AI use, explainability, user instructions
A.9 — Use of AI systems	Responsible use by deployers	Intended-use documentation, misuse prevention
A.10 — Third-party and customer relationships	Supply-chain governance	Supplier assessment, contractual requirements, customer guidance

The organisation must produce a Statement of Applicability (SoA) — analogous to the ISO 27001 SoA — that lists each Annex A control, states whether it is applicable, justifies exclusions, and references the implementation evidence. This document becomes a core audit artefact.

How ISO 42001 maps to EU AI Act requirements

One of the strongest arguments for ISO 42001 certification is its structural alignment with the EU AI Act's Chapter III requirements for high-risk AI systems. The mapping is not perfect — the standard and the regulation serve different purposes — but the overlap is substantial.

The following table maps key AI Act articles to the corresponding ISO 42001 clauses and Annex A controls:

EU AI Act requirement	Article	ISO 42001 clause / control	Coverage
Risk management system	Article 9	Clause 6.1 (risk assessment), Clause 8.1 (risk treatment), Annex A.5 (impact assessment)	High — lifecycle risk identification, assessment, treatment, and residual risk acceptance are core to both
Data and data governance	Article 10	Annex A.4 (resources), Annex A.7 (data for AI systems)	Moderate — ISO 42001 addresses data quality and bias; AI Act adds specific requirements on training, validation, and testing datasets
Technical documentation	Article 11	Clause 7.5 (documented information), Annex A.6 (lifecycle documentation)	High — documentation controls are comprehensive, though Annex IV prescribes specific content
Record-keeping / logging	Article 12	Clause 7.5, Clause 9.1 (monitoring and measurement)	Moderate — logging requirements are implicit in monitoring but not as technically prescriptive
Transparency and information	Article 13	Annex A.8 (information for interested parties)	High — disclosure, explainability, and user communication are directly addressed
Human oversight	Article 14	Annex A.5 (human oversight, override mechanisms)	High — human-in-the-loop, human-on-the-loop, and override controls are covered
Accuracy, robustness, cybersecurity	Article 15	Annex A.6 (V&V, testing), Annex A.7 (data quality)	Moderate — standard addresses testing and validation; AI Act is more specific on accuracy metrics and adversarial robustness
Quality management system	Article 17	Clauses 4–10 (entire AIMS)	High — the AIMS is the QMS for AI; Article 17 requirements are almost entirely subsumed
Post-market monitoring	Article 72	Clause 9 (performance evaluation), Clause 10 (improvement)	High — continuous monitoring, audit, and corrective action map directly
Incident reporting	Article 73	Clause 10.1 (nonconformity), Annex A.6 (lifecycle management)	Moderate — standard requires incident handling; AI Act mandates specific reporting to authorities within defined timelines

Key takeaway: ISO 42001 provides strong structural coverage of Articles 9, 11, 13, 14, and 17. Coverage is moderate for Articles 10, 12, 15, and 73, where the AI Act adds technical specificity beyond the standard's management-system scope. The standard does not address conformity assessment procedures (Article 43), CE marking (Article 48), or EU database registration (Article 49).

For a complete overview of high-risk system requirements, see our EU AI Act compliance checklist.

The certification process

ISO 42001 certification is granted by an accredited certification body (also called a registrar or conformity assessment body) following a formal audit. The process typically spans 12–18 months from initiation to certificate issuance. Below is a breakdown of each phase.

Phase 1: Gap analysis (months 1–2)

Before building anything, you need to know where you stand. A gap analysis compares your current AI governance practices against ISO 42001's requirements and identifies deficiencies.

Activities:

Review existing AI policies, procedures, and documentation.
Inventory all AI systems within the intended AIMS scope.
Map current controls to Annex A requirements.
Assess organisational readiness — leadership commitment, resource availability, competence levels.
Produce a gap analysis report with prioritised remediation actions.

Many organisations engage a consultant or use a compliance platform for this phase. The output is a remediation roadmap that feeds directly into Phase 2.

If you do not yet have a comprehensive inventory of your AI systems, start there. Our guide on building an AI systems inventory walks through the process step by step.

Phase 2: Implementation (months 3–8)

This is the heaviest phase. The organisation builds, documents, and operationalises the AIMS.

Key deliverables:

AI policy and supporting policy documents (acceptable use, data governance, incident response).
Risk assessment methodology and completed risk assessments for all in-scope AI systems.
Risk treatment plan with selected Annex A controls and justifications.
Statement of Applicability (SoA) covering all Annex A controls.
AI system impact assessments for systems with significant potential impact.
Documented procedures for development, testing, deployment, monitoring, change management, and decommissioning.
Competence framework with training records.
Communication plan for internal and external stakeholders.
Internal audit programme design.
Management review agenda and cadence.

Implementation timelines vary significantly. An organisation with an existing ISO 27001 ISMS can often leverage 40–60 % of its documented processes (risk methodology, document control, internal audit programme, management review procedures) and focus implementation effort on AI-specific additions. A greenfield implementation takes longer.

Phase 3: Internal audit (months 9–10)

Before inviting the certification body, the organisation must conduct at least one complete internal audit cycle covering all clauses and applicable Annex A controls.

Requirements:

Auditors must be independent of the activities being audited.
The audit must verify both conformity (do documented processes exist?) and effectiveness (are they actually working?).
All findings must be classified (major nonconformity, minor nonconformity, observation) and tracked.
Corrective actions for nonconformities must be implemented and verified before proceeding to certification audit.

A management review must also be conducted after the internal audit, with top management evaluating the AIMS's performance and approving any changes.

Phase 4: Certification audit (months 11–14)

The certification audit is conducted by the accredited certification body in two stages:

Stage 1 — documentation review:

The certification body reviews AIMS documentation: policies, risk assessments, SoA, procedures, internal audit reports, management review minutes.
They assess whether the AIMS is sufficiently designed and ready for Stage 2.
Stage 1 may be conducted remotely and typically takes 1–3 days depending on scope.
A Stage 1 report identifies any issues that must be resolved before Stage 2.

Stage 2 — on-site (or hybrid) audit:

Auditors verify that the AIMS is implemented and effective — not just documented.
They interview personnel, observe processes, review records, and test controls.
They assess whether AI systems within scope are being governed in accordance with the AIMS.
Stage 2 typically takes 3–8 days depending on scope, number of AI systems, and organisational complexity.
Findings are classified as major nonconformities, minor nonconformities, or opportunities for improvement.

Major nonconformities must be resolved before the certificate can be issued. Minor nonconformities must be addressed within a defined timeframe (typically 90 days). If no major nonconformities are found — or once they are resolved — the certification body issues the ISO 42001 certificate, valid for three years.

Phase 5: Ongoing surveillance

Certification is not a one-time event. The certification body conducts surveillance audits — typically annually — to verify that the AIMS remains conformant and effective. A full recertification audit is required before the three-year certificate expires.

Between audits, the organisation must continue operating the AIMS: conducting risk assessments for new AI systems, performing internal audits, holding management reviews, handling incidents, and driving continual improvement.

Timeline summary

Phase	Duration	Key output
Gap analysis	Months 1–2	Gap report, remediation roadmap
Implementation	Months 3–8	Complete AIMS documentation and operational processes
Internal audit + management review	Months 9–10	Audit report, corrective actions, management review minutes
Certification audit (Stage 1 + Stage 2)	Months 11–14	ISO 42001 certificate
Surveillance audits	Annually	Continued certification
Recertification	Every 3 years	Renewed certificate

Cost considerations: Certification costs vary based on organisation size, scope, and certification body. Expect EUR 15,000–40,000 for the certification body's fees (Stage 1 + Stage 2) for a mid-sized organisation. Implementation costs — consulting, tooling, personnel time — typically range from EUR 50,000–200,000 for greenfield implementations and EUR 20,000–80,000 where an existing ISO 27001 system provides a foundation.

Integration with other ISO standards

One of ISO 42001's most significant design decisions is its adoption of the Annex SL high-level structure. This makes it natively integrable with other management-system standards, reducing duplication and enabling organisations to operate a single integrated management system (IMS).

ISO 27001 — Information security management

The integration between ISO 42001 and ISO/IEC 27001:2022 is the most natural and the most common. Both standards share:

Identical clause structures (Clauses 4–10).
The same risk assessment and treatment methodology framework (though applied to different risk domains).
The same requirements for documented information, internal audit, management review, and continual improvement.
Complementary Annex A controls — ISO 27001 addresses information-security controls; ISO 42001 addresses AI-specific controls.

Practical benefit: An organisation with a certified ISO 27001 ISMS can extend it to cover AI by:

Expanding the scope statement to include AI systems and AI-related processes.
Conducting AI-specific risk assessments using the existing risk methodology.
Adding ISO 42001's Annex A controls to the existing SoA (or maintaining a separate AI SoA).
Extending internal audit and management review to cover AI governance topics.

This approach can reduce implementation effort by 40–60 % and allows the organisation to pursue a combined certification audit.

ISO 9001 — Quality management

ISO 9001:2015 provides the process-management and quality-assurance infrastructure that underpins Article 17 of the EU AI Act. ISO 42001 complements ISO 9001 by adding AI-specific risk assessment, impact assessment, and Annex A controls. Organisations with ISO 9001 certification already have mature change-management, nonconformity-handling, and continual-improvement processes — all directly reusable within the AIMS.

ISO 27701 — Privacy information management

ISO/IEC 27701:2019 extends ISO 27001 to cover personal data protection, providing an operational bridge to GDPR compliance. Since AI systems frequently process personal data, integrating ISO 27701 with ISO 42001 creates a unified governance layer for security, privacy, and AI — addressing the intersection that creates the most regulatory complexity. For more on the GDPR-AI Act overlap, see our analysis of EU AI Act vs GDPR.

Benefits of an integrated management system

Benefit	Impact
Single risk methodology	One approach to risk assessment across security, privacy, and AI — reducing methodology confusion and enabling cross-domain risk aggregation
Unified documentation	One document-control system, one internal audit programme, one management review — less overhead, more coherence
Combined audits	Certification bodies can audit multiple standards in a single engagement, reducing audit fatigue and cost
Cross-functional efficiency	Teams use one governance framework rather than navigating parallel systems
Regulatory alignment	The IMS satisfies overlapping requirements of the AI Act, GDPR, NIS2, DORA, and sector-specific regulations in a single structure

Does ISO 42001 make you AI Act compliant?

This is the question every compliance leader asks — and the honest answer is: no, but it gets you most of the way there.

What ISO 42001 certification covers

An ISO 42001 certificate demonstrates that the organisation has a functioning, audited AI management system that addresses:

Systematic AI risk management (aligning with ~80 % of Article 9 requirements).
Quality management for AI (aligning with the majority of Article 17).
Technical documentation practices (aligning substantially with Article 11 and Annex IV).
Human oversight controls (aligning with Article 14).
Transparency and disclosure practices (aligning with Article 13).
Post-market monitoring and improvement (aligning with Article 72).

Critical gaps that certification does not fill

Even with ISO 42001 certification in hand, the following AI Act obligations require additional work:

Article 10 — data governance specifics. The AI Act prescribes detailed requirements for training, validation, and testing datasets — statistical properties, bias detection, data representativeness, and gap-filling techniques. ISO 42001's Annex A.7 addresses data governance at a higher level. Organisations must supplement their AIMS with Article 10-specific data governance procedures.
Article 43 — conformity assessment. ISO 42001 certification is not a conformity assessment under the AI Act. High-risk system providers must still complete either self-assessment (Annex VI) or a notified-body assessment (Annex VII). For a full breakdown of which route applies to your systems, see our guide on conformity assessment: self-assessment vs notified body.
Article 47–49 — declaration of conformity, CE marking, and EU database registration. These are regulatory-administrative obligations that no management-system standard can substitute. They require specific procedural compliance with the AI Act's provisions.
Article 73 — serious incident reporting. The AI Act mandates reporting to market surveillance authorities within specific timelines. ISO 42001 requires incident management but does not prescribe the regulatory reporting workflow. See our guide on post-market monitoring and incident reporting.
Article 50 — transparency obligations for specific AI systems. Requirements for labelling AI-generated content, disclosing interactions with AI systems, and marking deepfakes are specific regulatory obligations not addressed by ISO 42001. See our transparency obligations guide.

Certification as evidence, not proof

Under the AI Act, ISO 42001 certification serves as strong supporting evidence that the organisation has implemented the process and governance requirements expected of providers and deployers. In enforcement proceedings it demonstrates due diligence; in market surveillance interactions it builds credibility. But it is not a legal shield — authorities will evaluate compliance on the merits.

CEN/CENELEC are developing harmonised standards under the AI Act. Compliance with a harmonised standard will create a presumption of conformity with the corresponding AI Act requirements. ISO 42001, as an international (ISO/IEC) standard rather than a European (EN) harmonised standard, does not create this presumption automatically — but the harmonised standards are widely expected to draw heavily on ISO 42001's structure.

Real-world implementation scenarios

Scenario 1: SaaS company with an AI-powered HR screening tool

A mid-sized SaaS provider offers an AI recruitment screening platform used by enterprise clients across the EU. The system falls under Annex III, point 4(a) — high-risk AI in employment. The company has no existing ISO certifications.

Implementation approach:

Months 1–2: Gap analysis reveals no formal risk management, no documented AI policies, and no impact assessment process. The gap report identifies 47 remediation items.
Months 3–8: The company builds an AIMS from scratch — AI policy, risk assessment methodology, Annex A control implementation, documentation framework, bias testing programme (see AI bias testing guide), and monitoring dashboards.
Months 9–10: First internal audit cycle identifies 3 minor nonconformities related to competence records and data-quality documentation. Corrective actions are completed.
Months 11–13: Certification body completes Stage 1 (remote, 2 days) and Stage 2 (on-site, 4 days). One minor nonconformity on change-management documentation is identified and resolved.
Month 14: ISO 42001 certificate issued. The company then uses the AIMS documentation as the foundation for its self-assessment conformity assessment under Annex VI.

Total cost: ~EUR 120,000 (consulting: EUR 40,000; internal personnel time: EUR 60,000; certification body fees: EUR 20,000).

Scenario 2: Financial institution extending ISO 27001 to cover AI

A large European bank holds ISO 27001 and ISO 27701 certifications. It deploys AI for credit scoring (Annex III, point 5(a)), fraud detection, and customer service chatbots. The CISO sponsors the initiative.

Implementation approach:

Months 1–2: Gap analysis focuses on the delta between existing ISMS/PIMS and ISO 42001 requirements. Gaps are concentrated in AI-specific risk assessment, Annex A controls, and AI system impact assessment — the management-system infrastructure is already in place.
Months 3–6: The bank extends its risk methodology to cover AI-specific risk categories, implements Annex A controls, conducts impact assessments for high-risk AI systems, and adds AI governance to the existing management review agenda.
Months 7–8: Internal audit covers ISO 42001 requirements in a combined audit with the existing ISO 27001/27701 programme.
Months 9–11: Combined certification audit. The certification body audits ISO 27001, ISO 27701, and ISO 42001 in a single engagement.
Month 12: ISO 42001 certificate issued alongside renewed ISO 27001/27701 certificates.

Total cost: ~EUR 70,000 (consulting: EUR 15,000; internal personnel time: EUR 35,000; combined certification body fees: EUR 20,000).

Scenario 3: AI startup preparing for market entry

A 15-person AI startup is building a medical-image analysis tool — a high-risk AI system under both the AI Act and the Medical Device Regulation. Investors and hospital procurement teams are asking about governance maturity.

Implementation approach:

The startup uses ISO 42001 as a design blueprint from day one — structuring development processes, documentation, and risk management around the standard's requirements rather than pursuing full certification immediately.
After 12 months, with the product approaching market readiness, the startup initiates formal certification. Because the AIMS was built in from the start, the gap analysis reveals minimal remediation needs.
Certification strengthens the startup's procurement position and provides a governance foundation for the notified-body conformity assessment required for the medical device pathway.

For startups and SMEs navigating the AI Act, our compliance guide for startups and SMEs provides practical scaling strategies.

Frequently asked questions

Is ISO 42001 certification mandatory?

No. ISO 42001 certification is voluntary. The EU AI Act does not mandate any specific certification. However, certification provides strong evidence of governance maturity and can significantly reduce the burden of demonstrating compliance to market surveillance authorities, customers, and procurement teams.

How long does certification take?

Typically 12–18 months from gap analysis to certificate issuance. Organisations with existing ISO 27001 or ISO 9001 certifications can often accelerate this to 8–12 months by leveraging existing infrastructure.

What does certification cost?

Total costs range from EUR 50,000–200,000 depending on organisation size, existing certifications, number of AI systems in scope, and consulting needs. Certification body fees alone typically range from EUR 15,000–40,000 for a mid-sized organisation.

Which certification bodies can audit ISO 42001?

Any certification body that is accredited by a national accreditation body (member of the International Accreditation Forum) to audit ISO 42001. As of early 2026, major certification bodies offering ISO 42001 audits include BSI, TÜV, Bureau Veritas, SGS, DNV, and LRQA. Verify accreditation before engaging a certification body.

Can ISO 42001 certification substitute for a conformity assessment under the AI Act?

No. ISO 42001 certification and AI Act conformity assessment serve different purposes. Conformity assessment (under Article 43) is a regulatory procedure that verifies a specific AI system against the AI Act's technical requirements. ISO 42001 certification verifies an organisation's management system. The two are complementary, not interchangeable. For details on the conformity assessment process, see our guide on self-assessment vs notified body.

Does ISO 42001 apply to organisations outside the EU?

Yes. ISO 42001 is an international standard — it applies to any organisation worldwide. For non-EU organisations that sell AI systems into the EU market, certification demonstrates governance maturity to EU customers and regulators even before the AI Act's extraterritorial provisions are triggered. Additionally, the standard aligns with governance expectations under the NIST AI RMF (US), the UK AI governance framework, and other emerging regulatory regimes.

Next steps

ISO 42001 certification is a significant undertaking, but it is one of the highest-leverage investments an organisation can make as AI regulation accelerates globally. It provides the organisational machinery — policies, risk processes, controls, audit disciplines, and improvement cycles — that turns compliance from a reactive scramble into a repeatable capability.

If you are evaluating ISO 42001 for your organisation, start with these steps:

Inventory your AI systems. You cannot govern what you do not know exists. Use our AI systems inventory guide to get started.
Assess your current maturity. Run a quick AI Act risk assessment to understand where your systems fall in the risk classification and what obligations apply.
Evaluate integration opportunities. If you already hold ISO 27001, ISO 9001, or ISO 27701, plan an integrated implementation to maximise efficiency.
Build the business case. Frame ISO 42001 not just as a compliance cost but as a competitive differentiator — particularly for organisations selling AI into regulated industries or EU markets.
Engage early. With the AI Act's high-risk obligations taking effect on 2 August 2026, organisations that begin ISO 42001 implementation now will be certified before the deadline. Those that wait until mid-2026 will not.

For a comprehensive comparison of compliance tools that can support your ISO 42001 and AI Act implementation, see our AI Act compliance software comparison.

This guide is provided for informational purposes and does not constitute legal advice. Organisations should consult qualified legal counsel and accredited certification bodies for decisions specific to their circumstances.

ISO 42001

AI Management System

Certification

AI Act

Compliance

AI Governance

Standards

Prüfen Sie die Compliance Ihres KI-Systems

Kostenlose Bewertung ohne Signup. Erhalten Sie Ihre Risikoklassifizierung in wenigen Minuten.

Kostenlose Bewertung starten

Weiterlesen

Agentic AI Governance and Compliance

Complete guide to agentic AI governance. Singapore framework, EU AI Act application to AI agents, accountability gaps, technical controls, and enterprise compliance.

EU AI Act Compliance Software Tools Compared (2026)

Objective comparison of EU AI Act compliance tools in 2026. Covers GRC platforms, AI governance, open-source scanners, and workflow tools with pricing and criteria.

Colorado AI Act and US State AI Laws Guide

Complete guide to Colorado SB 205 AI Act and US state AI laws. Algorithmic discrimination, developer and deployer duties, NIST defense, and compliance steps.