ISO 42001 Certification Process: A Step-by-Step Guide

ISO 42001 Certification Process

The ISO 42001 certification process is the structured path organisations follow to achieve internationally recognised certification against the AI management system standard published in December 2023. It covers everything from initial scoping and gap analysis through policy implementation, internal auditing, and final third-party certification audit. Whether your organisation is just beginning to explore AI governance or already has informal practices in place, understanding the full certification process helps you plan resources, set realistic timelines, and avoid the common mistakes that delay or derail projects.

According to BSI’s AI management system guidance, most organisations complete the ISO 42001 certification process in three to twelve months. The timeline depends on three key variables: the size and complexity of your defined AIMS scope, the maturity of your existing AI governance practices, and the availability of internal resources to lead the implementation. Furthermore, organisations already certified against ISO 27001 typically move through the process significantly faster — the shared management system structure reduces duplication of effort across policies, audits, and documentation.

This article walks through every stage of the ISO 42001 certification process in sequence, explaining what each step involves, what outputs it produces, and how to prepare effectively.

TL;DR:

Concern: Organisations approaching ISO 42001 certification without a clear process roadmap risk wasted effort, missed requirements, and delayed timelines — see the full framework at our ISO 42001 certification hub.
Overview: The ISO 42001 certification process follows eight structured stages — from scope definition and gap analysis through policy implementation, internal audit, and final Stage 2 certification audit.
Solution: CertPro CPA LLC guides organisations through every stage of the process, from initial scoping to certification and ongoing surveillance audits.

Overview of the ISO 42001 Certification Process

Before diving into individual steps, it helps to understand the overall structure of the ISO 42001 certification process. The process follows the same general pattern used across all ISO management system certifications — Plan, Do, Check, Act — and culminates in a two-stage audit conducted by an accredited certification body.

Stage   Activity                                    Typical Duration
1       Define AIMS scope                           1–2 weeks
2       Gap analysis and readiness assessment       2–4 weeks
3       Policy and documentation development        4–8 weeks
4       Implement Annex A controls                  6–12 weeks
5       Staff training and awareness                Concurrent with Stages 3–4
6       Internal audit                              2–3 weeks
7       Management review                           1 week
8       Stage 1 and Stage 2 certification audit     4–8 weeks

Additionally, the ISO 42001 certification process is not a one-time event. After achieving certification, organisations enter a three-year surveillance cycle — with annual surveillance audits in years one and two, and a full recertification audit in year three. Consequently, building sustainable processes from the start is far more effective than building a minimum viable system just to pass the initial audit.

Stage 1: Define Your AIMS Scope

Scope definition is the foundation of the entire ISO 42001 certification process. Your AIMS scope determines which AI systems, processes, locations, and organisational units fall within the boundaries of your AI management system. Auditors will hold your organisation accountable only to what is included in the declared scope — so getting this right from the start matters enormously.

A well-defined scope is specific enough to be meaningful and defensible, but realistic enough to be achievable with available resources. Overly broad scopes create implementation burdens that slow down the certification process. Overly narrow scopes raise questions during audit about whether significant AI use cases have been excluded to avoid scrutiny.

When defining scope, consider the following factors. First, identify every AI system your organisation currently operates or plans to deploy. Second, assess which of those systems carry the highest risk — in terms of decision impact, data sensitivity, and regulatory exposure. Third, consider whether your scope covers all relevant business units, geographies, and supply chain relationships. Our dedicated AIMS scope definition guide provides a step-by-step framework for this decision.

Stage 2: Gap Analysis and Readiness Assessment

Once scope is defined, the next stage in the ISO 42001 certification process is a formal gap analysis. A gap analysis compares your current AI governance practices against every requirement in the standard — clause by clause and control by control — to identify what is already in place and what needs to be built.

A thorough gap analysis typically covers four dimensions. It reviews your existing documentation — policies, procedures, and records — against what the standard requires. It assesses whether your risk management practices meet the AI-specific requirements of Clause 6. It evaluates whether Annex A controls have been considered and appropriately implemented or excluded. Finally, it examines whether leadership engagement and resource allocation meet the standard’s expectations.

The output of a gap analysis is a prioritised remediation plan — a clear list of what needs to be built, in what order, to achieve certification readiness. Our readiness assessment guide explains how to run a thorough gap analysis and interpret the results effectively.

According to the official ISO standard publication, organisations that invest properly in gap analysis before implementation consistently achieve certification faster and with fewer nonconformities than those who skip this stage.

Stage 3: Policy and Documentation Development

Documentation is the backbone of the ISO 42001 certification process. The standard requires a specific set of mandatory documents — and auditors will check for each one during the Stage 1 documentation review. Missing or inadequate documentation is one of the most common reasons organisations receive nonconformities during their initial audit.

Mandatory Documents

  • AI Policy — A formal statement of your organisation’s commitment to responsible AI management, approved at senior leadership level
  • AIMS Scope Statement — A documented definition of which AI systems, processes, and business units fall within your AIMS boundaries
  • AI Risk Register — A living document identifying AI-related risks, their assessed likelihood and impact, and planned treatment actions
  • Risk Treatment Plan — Documentation of how each identified risk will be treated, including which Annex A controls apply
  • Statement of Applicability — A complete record of every Annex A control, whether it is applicable to your organisation, and the justification for any exclusions
  • AI Objectives — Documented, measurable objectives for your AIMS, with plans for how they will be achieved and monitored
  • Internal Audit Programme — A scheduled programme of internal audits covering all AIMS requirements within the certification cycle
  • Management Review Records — Minutes and outputs from formal management reviews evaluating overall AIMS performance
  • Corrective Action Records — Documentation of any nonconformities identified and the corrective actions taken to address them

Our full mandatory documentation checklist covers every required document in detail, including what each one must contain to satisfy auditor requirements.

Stage 4: Implementing Annex A Controls

Annex A is a central component of the ISO 42001 certification process. It contains the full set of AI management controls that organisations must evaluate. For each control, you must determine whether it is applicable to your context, implement it where applicable, and document your reasoning for any exclusions in your Statement of Applicability.

The Annex A controls span eight domains: AI policies, internal organisation for AI, resources for AI systems, assessing AI system impacts, AI system lifecycle controls, human oversight of AI, third-party AI supplier management, and AI system documentation and transparency. Together, these domains address the complete lifecycle of AI governance — from strategy and risk through to operation and accountability.

Implementing controls is not a documentation exercise alone. Each control requires operational evidence — records, logs, meeting minutes, review outputs — that demonstrates the control is genuinely operating as intended. Auditors look for this operational evidence during Stage 2, not just policy documents. Our Annex A controls breakdown explains what implementing each control domain looks like in practice.

Stage 5: Training and Awareness

One of the most frequently underestimated stages in the ISO 42001 certification process is staff training and awareness. The standard requires that everyone whose work affects your AIMS — directly or indirectly — understands your AI policy, knows their role in the management system, and is aware of the implications of not meeting AIMS requirements.

In practice, this means running structured awareness programmes for staff who interact with AI systems, providing role-specific training for those with defined AIMS responsibilities, and maintaining records of both. Auditors regularly interview staff during Stage 2 audits to verify that awareness is genuine — not just documented on paper.

Additionally, leadership training is important. Senior managers must understand not just that an AIMS exists, but why it matters, what the key risks are, and what their specific responsibilities are under the standard. This is especially relevant to Clause 5 leadership obligations, which auditors scrutinise carefully.

Stage 6: Internal Audit

The internal audit is a mandatory stage in the ISO 42001 certification process and a direct requirement of Clause 9. Its purpose is to verify that your AIMS is operating as designed — that controls are in place, documentation is current, and staff are following defined procedures — before the external certification body arrives.

A well-run internal audit covers every clause of the standard and every Annex A control within your scope. It identifies gaps, weaknesses, or nonconformities that need to be resolved before Stage 1 and Stage 2. Crucially, internal auditors must be independent of the areas they audit — you cannot audit your own work. This independence requirement often means engaging an external resource for at least part of the internal audit programme.

The output of an internal audit is a formal audit report listing findings, nonconformities, and recommended corrective actions. Each nonconformity must be addressed and closed before the certification audit. Our full ISO 42001 audit guide covers both internal and external audit requirements in detail.

Stage 7: Management Review

Before proceeding to the certification audit, a formal management review is required under Clause 9.3. This is a structured meeting at senior leadership level that evaluates the overall performance and effectiveness of the AIMS. It is not an informal team check-in — it must follow a defined agenda and produce documented outputs that demonstrate leadership engagement.

The management review agenda must cover: results of internal audits, AI risk assessment status, progress against AI objectives, any changes in external or internal context affecting the AIMS, corrective action status, and opportunities for continual improvement. The outputs — typically meeting minutes and action logs — become part of your AIMS evidence base that auditors review during Stage 1.

Stage 8: The Certification Audit — Stage 1 and Stage 2

Stage 1: Documentation Review

Stage 1 is typically conducted remotely. The certification body reviews your AIMS documentation — your scope statement, AI policy, risk register, Statement of Applicability, internal audit programme, management review records, and supporting policies — against the standard’s requirements. The auditor is checking whether your documented system is complete and coherent before committing to a full on-site audit.

If Stage 1 identifies significant documentation gaps, the Stage 2 audit date may be postponed to allow remediation. Minor observations are typically noted and addressed before or during Stage 2. Consequently, organisations that have conducted thorough internal audits before Stage 1 rarely encounter surprises at this stage.

Stage 2: On-Site Certification Audit

Stage 2 is the full operational audit. The certification body visits your organisation — physically or virtually — and verifies that your AIMS is genuinely operating as documented. Auditors interview staff, review operational records, observe processes, and test whether controls are working effectively in practice rather than just on paper.

Stage 2 auditors typically follow a structured audit plan that maps to the clauses of the standard. They will verify leadership commitment, risk management practices, Annex A control implementation, internal audit effectiveness, and evidence of continual improvement. Staff interviews are a key tool — auditors want to confirm that awareness and competence are real, not rehearsed.

If no major nonconformities are raised during Stage 2, the certification body issues your ISO/IEC 42001:2023 certificate. The certificate is valid for three years, subject to annual surveillance audits.

Post-Certification: Surveillance Audits and Recertification

Achieving certification is not the end of the ISO 42001 certification process — it is the beginning of a three-year cycle. Annual surveillance audits in years one and two verify that your AIMS continues to meet the standard’s requirements and that continual improvement is genuine. A full recertification audit in year three covers the complete scope of the standard.

Organisations that treat their AIMS as a live, operational governance system — updating risk registers, conducting regular internal audits, running management reviews, and addressing nonconformities promptly — consistently pass surveillance audits without difficulty. Those that treat certification as a one-time documentation exercise typically struggle.

Furthermore, any significant changes to your AI systems, organisational structure, or regulatory environment during the certification cycle may require you to update your AIMS scope or documentation and notify your certification body. Proactive communication with your certification body avoids audit surprises.

Common Mistakes in the ISO 42001 Certification Process

  • Defining scope too broadly — Including every AI system across the entire organisation in scope from day one creates an implementation burden that overwhelms available resources and delays certification.
  • Treating documentation as the goal — Writing policies and procedures without implementing operational controls produces a documentation exercise that fails Stage 2 audit when auditors look for evidence of live operation.
  • Underestimating the Annex A review — Rushing through the Statement of Applicability without genuinely assessing each control leads to exclusions that auditors question and inclusions that are not actually implemented.
  • Neglecting staff awareness — Completing documentation without ensuring staff understand their AIMS roles consistently produces findings during Stage 2 staff interviews.
  • Skipping the internal audit — Proceeding directly to Stage 1 without a completed internal audit is one of the most common reasons organisations receive major nonconformities during certification.

Start Your ISO 42001 Certification Process with CertPro

CertPro CPA LLC’s licensed auditors manage the entire ISO 42001 certification process for your organisation — from scope definition and gap analysis through to Stage 2 audit and ongoing surveillance support. Contact us today for a tailored project timeline.


FAQ

How long does the ISO 42001 certification process take?

Most organisations complete the ISO 42001 certification process in three to twelve months. The timeline depends on the size of your AIMS scope, the complexity of your AI operations, and how mature your existing governance practices are. A gap analysis at the start helps set a realistic schedule based on your specific situation.

What is the difference between Stage 1 and Stage 2 in the certification audit?

Stage 1 is a documentation review — the certification body checks that your AIMS documentation is complete and meets the standard’s requirements. Stage 2 is the full operational audit — auditors verify that your AIMS is genuinely working in practice through staff interviews, process observation, and evidence review.

Do we need a certification body to complete the ISO 42001 certification process?

Yes. ISO 42001 certification requires a formal audit by an accredited third-party certification body. You can implement and prepare for certification internally or with a partner like CertPro, but the final certification audit must be conducted by an accredited body.

What happens if we get a nonconformity during the certification audit?

Minor nonconformities — observations and opportunities for improvement — do not prevent certification. They are documented and addressed within an agreed timeframe. Major nonconformities — significant gaps in compliance — require remediation before certification can be granted. A follow-up audit may be required to verify the corrective actions taken.

How often are surveillance audits required after certification?

Annual surveillance audits are required in years one and two after initial certification. A full recertification audit is required in year three. The certificate is valid for three years subject to satisfactory completion of surveillance audits.

Can we integrate the ISO 42001 certification process with our existing ISO 27001 programme?

Yes — and this is strongly recommended for organisations already holding ISO 27001 certification. The two standards share the same High-Level Structure, so policies, audit programmes, risk registers, and management reviews can be aligned across both management systems. This integration typically reduces the overall implementation effort for the AIMS significantly.

What is a Statement of Applicability in the ISO 42001 context?

A Statement of Applicability is a mandatory document that lists every Annex A control, states whether it applies to your organisation, and provides a justification for any exclusions. It is one of the first documents auditors review during Stage 1 and must be complete, current, and consistent with your risk treatment plan.
