ISO 42001 has gone from a curiosity to a real certification programme remarkably quickly. Published in December 2023, it is the first international management system standard dedicated to artificial intelligence—and the first certification many organisations will be asked to demonstrate as enterprise customers, investors, and regulators start to expect formal evidence of responsible AI practice.

For organisations approaching their first ISO 42001 certification, the practical question is no longer "should we?" but "how do we prepare properly?" This piece walks through that preparation as five practical phases. It is written for organisations that have already decided to pursue certification, or are close to deciding, and want a realistic view of what serious preparation actually requires.

If you haven’t yet decided whether ISO 42001 is the right framework for your organisation, our AI Governance and ISO 42001 service pages are a better starting point.

Phase 1: Map your AI estate before anything else

The first mistake most organisations make is trying to scope an AI management system without first knowing what AI they actually have. ISO 42001 covers AI you develop, AI you deploy, and AI you procure and embed into business processes. Each of those scopes has different obligations, and you cannot make sensible decisions about any of them until you have a credible inventory.

A reasonable starting position is an explicit AI inventory exercise covering:

  • Systems you develop, whether for internal use, customer-facing products, or research
  • Systems you procure and operate — third-party AI tools whose outputs you use in decisions, content, or operations
  • Generative AI in widespread workforce use — ChatGPT, Copilot, Claude, internal LLMs, and the long tail of department-specific tools that staff have signed up for without going through procurement
  • AI features embedded in other software — analytics, fraud detection, marketing automation, HR screening, productivity tools

For each system, the inventory should capture: purpose, decision criticality, data inputs and outputs, internal owner, external supplier, and whether the system is in scope of any relevant regulation (notably the EU AI Act’s risk classification).

This step typically produces three uncomfortable realisations. First, there is more AI in the organisation than leadership thought. Second, much of it is being used to support decisions of meaningful consequence (hiring, lending, customer outcomes) without dedicated oversight. Third, the inventory itself was needed for several other regulatory obligations already—particularly under GDPR Article 30 and the EU AI Act.

Do not try to scope the AIMS until this inventory exists. Scoping decisions taken without it will need to be revisited.

Phase 2: Decide on the integration model

The single most consequential decision in ISO 42001 preparation is whether to build the AI management system as a standalone programme or as an extension of existing management systems—particularly ISO 27001 if you already have it.

ISO 42001 deliberately mirrors the high-level structure of other ISO management system standards. Its clauses for context, leadership, planning, support, operation, performance evaluation, and improvement map directly to the equivalent clauses in ISO 27001 and ISO 9001. For organisations with a mature ISMS, this means substantial parts of the management system infrastructure can be reused: the policy approval process, the document control structure, the internal audit programme, the management review rhythm, the corrective action workflow.

The trade-offs are real. A fully integrated approach reduces duplication and produces a coherent governance story, but it requires you to extend existing policies and risk methodologies to address AI-specific concerns (bias, explainability, training data provenance, model lifecycle). A standalone AIMS is conceptually cleaner and easier to scope tightly, but creates parallel processes that staff have to remember to follow.

For most organisations with existing ISO 27001 certification, integration is the right answer. For organisations new to ISO management systems, a standalone but cleanly designed AIMS is often more achievable in the time available.

This decision affects almost everything that follows. Take it deliberately, and document why.

Phase 3: Conduct AI system impact assessments

This is where most preparation programmes either work or fall apart. The AI system impact assessment (AISIA) is the core risk-management discipline of ISO 42001—an analysis of each in-scope AI system covering intended uses, potential misuse, data quality, algorithmic characteristics, deployment environment, affected parties, and the spectrum of possible benefits and harms.

ISO 42005 provides a useful template, but the practical work of AISIAs lies in three places.

The hardest impact assessments are not the obvious systems. Customer-facing AI products generally get appropriate scrutiny. The harder cases are HR screening tools, fraud-detection models, and AI-supported decision systems whose outputs are used by employees who don’t realise the output is AI-generated. These often produce the most material individual harms and tend to escape governance until something goes wrong.

Impact assessments need ownership, not just authorship. A risk assessment authored by a consultant or compliance team and then filed away has nominal value. A risk assessment owned by the business team that operates the system—reviewed quarterly, updated when the system changes, referenced in operational decisions—has real value. The standard requires the latter; many organisations produce the former.

Integration with GDPR DPIAs is essential. Many AI systems involve personal data, which triggers GDPR’s Data Protection Impact Assessment requirement under Article 35. AISIAs and DPIAs cover overlapping ground and should be designed to be conducted together, not in parallel. Doing this separately doubles the work without improving the result.

If your AISIAs are not credible to your operations teams, the certification audit will find that out. Spend the time on this phase.

Phase 4: Build accountability and competence

ISO 42001 contains both control and competence requirements that go beyond what most organisations have in place for AI today.

The first requirement is accountability. Someone has to own the AI management system, with sufficient seniority to make decisions across business, technology, legal, and risk functions. In smaller organisations this is often a senior member of the leadership team operating with internal advisors. In larger organisations it may be a named AI officer or an extension of a Chief Risk Officer or Virtual CISO role. What matters is that the role is named, resourced, and supported with a steering group that crosses functions.

The second is competence. The standard expects that people involved in AI development, deployment, and oversight have appropriate training—not generic AI awareness, but role-specific training on the controls and processes that apply to their work. The Annex B implementation guidance is explicit about the categories: developers, deployers, operators, users, and impacted parties. Training programmes designed for ISO 27001 typically need expansion to address these AI-specific audiences.

The third is acceptable use governance for staff use of AI. This is the area most organisations underestimate. Policies covering how employees may use external AI tools (ChatGPT, Copilot, etc.) for what kinds of data—including what is confidential, what is personal, what is regulated—are essential. Without this, the management system is undermined by uncontrolled day-to-day usage that the certification audit will find.

Phase 5: Implement, document, and prepare for certification

The mechanical work of ISO 42001 implementation tracks the familiar shape of any management system certification: documented policies, implemented controls, recorded evidence, internal audits, management review, corrective action, and ultimately a Statement of Applicability covering the 38 controls in Annex A.

Three things distinguish ISO 42001 implementation from earlier ISO certifications:

The Statement of Applicability is more sector-specific. Not every Annex A control will apply to every organisation. A consultancy that uses generative AI for internal productivity has very different applicable controls from a SaaS company that develops AI products. The justification for exclusions matters as much as the implementation of inclusions, and auditors are still calibrating their expectations—be prepared to defend your choices clearly.

Documentation requirements are heavier than expected. The Annex B implementation guidance reads like ISO 27001 Annex A guidance—but applied to AI, where good documentation requires sustained effort to capture model purpose, training data sources, performance characteristics, known limitations, and impact assessments. Many implementations underestimate the documentation work by half.

Internal audits need to be credible. ISO 42001 requires internal audit by people independent of the activity being audited. For most organisations new to AI governance, this means engaging an external audit partner for the internal audits as well—particularly for the first cycle. Doing so is also a useful sanity check before the certification audit itself, where findings are visible to the certification body.

When the management system has been operating for at least three months and internal audits and management review have been completed, you are ready for a Stage 1 certification audit. Stage 2 typically follows within a few months. Plan the calendar from the back: the certification audit window dictates everything upstream.

Common mistakes worth avoiding

In our experience supporting organisations through ISO 42001 implementation, four mistakes recur often enough to call out:

Treating ISO 42001 as a technical standard rather than a management standard. ISO 42001 is fundamentally about governance, not about how to build AI. The Annex A controls are governance controls—policy, training, risk assessment, vendor management—not implementation details for machine learning systems. Implementations led from a technical lens often miss the governance core entirely.

Implementing in isolation from the EU AI Act. The AI Act creates legal obligations on a different schedule from ISO 42001 certification. Designing the AIMS without reference to the AI Act’s risk classifications and conformity assessment requirements creates rework when AI Act obligations come into force. Implementations should design once for both.

Underestimating the cultural change required. Most organisations have a culture that treats AI experimentation as innovation to be encouraged. The shift required for ISO 42001—use case approval processes, impact assessments, documented training data—feels to many teams like a brake on innovation. Without leadership engagement on the cultural shift, the management system becomes a parallel paperwork exercise that staff route around.

Skipping the readiness review. A pre-certification readiness review (a realistic dry-run of the certification audit, conducted by someone independent of the implementation) is consistently the highest-leverage spend in the entire programme. Organisations that have done a readiness review come into certification with confidence. Those that have not are too often surprised.

How long does this realistically take?

First-time ISO 42001 implementations typically take 6 to 12 months from kick-off to certification audit, depending on organisation size, AI estate complexity, and the integration model chosen.

Organisations already certified to ISO 27001 with mature management system infrastructure can often be at the lower end of that range. Organisations new to ISO certification, with a wide AI estate, generally need to plan for the upper end—and should not be persuaded by anyone that the work can be compressed without consequence.

The biggest single factor is honest scoping. A management system genuinely tailored to what the organisation does with AI can be implemented well. A management system that claims to cover everything will struggle to be credibly evidenced anywhere.

Closing thoughts

ISO 42001 is a manageable certification for organisations that approach it deliberately. The standard is well-designed, the Annex B implementation guidance is genuinely helpful, and the work pays a real dividend in terms of operational governance regardless of whether certification is achieved.

What it cannot survive is being treated as a documentation exercise. The audit will look for evidence that the controls are operating, not just that they are written down. The cultural shift towards approval, assessment, and accountability for AI use is the substantive work. Everything else is downstream of that.

For organisations beginning this work, the most useful thing is to map the AI estate honestly, decide on the integration model deliberately, and resource the impact assessment work properly. Get those three right and the rest of the programme follows.