How long does ISO/IEC 42001 certification take?

From initial decision to certification, organizations typically need 6 to 18 months depending on their starting maturity level. The audit process itself (Stage 1 and Stage 2) usually spans 2 to 6 weeks.

What is the cost of ISO/IEC 42001 certification?

Certification body fees depend on organization size and scope. For a mid-sized organization, expect audit fees between 15,000 and 50,000 euros, plus internal preparation costs.

Can ISO 42001 be combined with ISO 27001 audits?

Yes. Many certification bodies offer combined audits for organizations holding multiple certifications. This reduces audit days, costs, and operational disruption.

What happens if non-conformities are found during the audit?

Minor non-conformities can be addressed with corrective action plans submitted within an agreed timeframe (typically 90 days). Major non-conformities must be resolved before certification can be granted.

Is ISO 42001 recognized under the EU AI Act?

ISO/IEC 42001 is not a harmonized standard under the EU AI Act. However, it provides a strong foundation for meeting the Act's quality management system requirements (Article 17) and demonstrates organizational commitment to responsible AI governance.

Quick answer

ISO/IEC 42001 auditors evaluate your AI management system across leadership commitment, risk assessment, AI impact assessment, data management, operational controls, performance monitoring, and continual improvement processes.

Updated June 2026 · MmowW AI Compliance

ISO/IEC 42001 Audit Requirements: What Auditors Evaluate and How to Prepare (2026)

ISO/IEC 42001 Certification Audit Structure

ISO/IEC 42001 certification follows a two-stage audit process conducted by an accredited certification body. Understanding what auditors evaluate at each stage helps organizations prepare effectively and avoid common pitfalls.

Stage 1 Audit: Documentation Review

The Stage 1 audit is primarily a readiness assessment. Auditors review documentation to determine whether the organization is prepared for a full assessment.

Key Documents Reviewed

AI management system policy and objectives
Scope statement defining the AI systems covered
Risk assessment methodology and results
AI system impact assessments
Statement of applicability for Annex A controls
Data management procedures
Internal audit reports
Management review minutes

Stage 1 typically takes one to two days on-site or remotely. The auditor provides a report identifying any gaps that must be addressed before Stage 2.

Stage 2 Audit: Implementation Assessment

Stage 2 evaluates whether the documented management system is effectively implemented. This involves interviews, observation, and evidence sampling.

Clause-by-Clause Assessment Areas

Clause	Topic	Typical Evidence
4	Context of the organization	Stakeholder analysis, scope documentation
5	Leadership	Policy statements, management meeting records
6	Planning	Risk registers, objectives with measurable targets
7	Support	Competency records, awareness training logs
8	Operation	AI system lifecycle records, change management logs
9	Performance evaluation	Monitoring data, internal audit reports, management reviews
10	Improvement	Corrective action records, trend analysis

Annex A Controls

ISO/IEC 42001 includes Annex A controls specific to AI management. These are grouped into domains that auditors evaluate based on the organization's statement of applicability.

Control Domains

Policies for AI: Documented policies addressing AI-specific considerations
Internal organization: Roles, responsibilities, and competencies for AI
Resources for AI systems: Computing, data, and human resources
AI system impact assessment: Methodology and execution
AI system lifecycle: Development, deployment, monitoring, and retirement
Data for AI systems: Data quality, provenance, and management
Information for interested parties: Transparency and communication
Use of AI systems: Acceptable use and human oversight
Third-party and customer relationships: Supply chain and customer-facing obligations

Common Non-Conformities

Based on early certification experience, the most common audit findings include the following areas.

Incomplete AI system inventory (systems missed from the scope)
Risk assessments that do not address AI-specific risks such as bias, drift, or adversarial attacks
AI impact assessments that lack stakeholder engagement
Insufficient data quality management procedures
Competency gaps in AI governance roles
Monitoring programs that do not track AI-specific performance metrics
Internal audits that apply generic rather than AI-specific criteria

Preparation Checklist

Complete a gap analysis against all ISO/IEC 42001 clauses and Annex A controls
Build or update your AI system inventory
Conduct risk assessments for each AI system in scope
Perform AI impact assessments with documented stakeholder input
Establish data management procedures for AI training and operational data
Train staff in their AI governance responsibilities
Run at least one complete internal audit cycle
Conduct a management review covering AI management system performance
Address all findings from internal audits and management reviews
Prepare evidence files organized by clause and control

Integration with Other Standards

Organizations already certified to ISO 27001, ISO 9001, or ISO 14001 can integrate ISO/IEC 42001 through an integrated management system approach. The shared Annex SL structure means many clauses (context, leadership, support, performance evaluation, improvement) can be addressed through existing processes with AI-specific extensions.

Surveillance and Recertification

After initial certification, organizations undergo surveillance audits (typically annually) and recertification audits (every three years). Surveillance audits sample a subset of requirements, while recertification covers the full scope. Maintaining readiness between audits requires ongoing governance discipline.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.