
Implementation guide

A practical roadmap to ISO 42001 certification

Timeline overview

  • 6–12 months: starting from scratch
  • 4–6 months: with an existing ISO 27001 certification
  • 3–4 months: small organizations

Seven phases to certification

Getting ISO 42001 certified is a structured process. Each phase builds on the previous one.

Phase 1 (2–4 weeks)

Leadership buy-in & scoping

  • Get stakeholder buy-in across legal, IT, product, and executive teams
  • Define which business units, products, or AI systems the AIMS will cover
  • Certification doesn't have to cover the entire organization — start focused
  • Allocate budget, assign a project lead, and form a governance committee

Phase 2 (2–4 weeks)

Gap analysis

  • Compare current AI practices against all ISO 42001 requirements
  • Identify what exists, what's partially in place, and what's missing
  • Map existing ISO 27001 or ISO 9001 controls that carry over
  • Create a prioritized remediation roadmap with clear ownership

Phase 3 (4–8 weeks)

Build the AIMS foundation

  • Draft your AI policy — the high-level commitment to responsible AI
  • Establish roles: AI Ethics Officer, Model Validator, Data Steward, AIMS Manager
  • Document the context of your organization and interested parties (Clause 4)
  • Secure top management commitment with formal sign-off (Clause 5)

Phase 4 (4–6 weeks)

Risk assessment & controls

  • Conduct AI-specific risk assessments across all in-scope systems
  • Evaluate risks: bias, fairness, transparency, safety, data quality, security
  • Select applicable controls from Annex A's AI-specific controls
  • Create the Statement of Applicability (SoA) documenting which controls apply
  • Develop a risk treatment plan with mitigation strategies and timelines

Phase 5 (8–16 weeks)

Implement & document

  • Implement selected Annex A controls (data management, model validation, human oversight)
  • Create required documentation: impact assessments, data procedures, incident response
  • Establish monitoring processes for AI system performance and model drift
  • Train all relevant staff on AIMS policies and their responsibilities
  • Integrate with existing management systems (ISO 27001, ISO 9001) where applicable

Phase 6 (2–4 weeks)

Internal audit & management review

  • Conduct a full internal audit against ISO 42001 requirements
  • Document nonconformities and create corrective action plans
  • Hold a management review meeting to evaluate AIMS effectiveness (Clause 9)
  • Address all findings before proceeding to the external certification audit

Phase 7 (2–4 weeks)

Certification audit

  • Stage 1 (Document Review): 1–2 days — auditor verifies your AIMS documentation
  • Address any Stage 1 findings before Stage 2
  • Stage 2 (Implementation Review): 3–9+ days — auditor verifies AIMS is working in practice
  • Certificate issued (valid for 3 years with annual surveillance audits)

What does it cost?

Costs vary by organization size, scope, and complexity. Here are typical ranges:

Item | Typical range
Standard document (ISO) | CHF 225 (~$245 USD)
Consulting services | $10,000–$50,000
Training (per person) | $2,000–$5,000
Certification audit fees | $5,000–$20,000
Internal labor (50-person company) | 200–400 hours
Annual surveillance audits | 20–30% of initial fees

Total direct costs for a mid-size organization typically range from $20,000 to $60,000.

Required documentation

ISO 42001 requires specific documented information. Your AIMS must include:

  • AIMS scope statement
  • AI policy
  • AI objectives
  • AI risk assessment methodology
  • AI risk treatment plan
  • Statement of Applicability (SoA)
  • AI impact assessment process
  • Internal audit program
  • Documented operational control procedures

Tips for a smoother implementation

  • Start with a clear scope — you don't need to cover every AI system on day one
  • Leverage existing ISO certifications — ISO 27001's shared Annex SL structure can significantly reduce effort
  • Involve AI practitioners early — engineers and data scientists understand the real risks
  • Choose a registrar experienced with AI standards — not all certification bodies have this expertise yet
  • Treat it as a business improvement program, not a compliance exercise
  • You can implement without a consultant, but experienced help accelerates timelines significantly

Who performs the audit?

ISO itself does not certify organizations. Certification is performed by independent, accredited certification bodies (registrars).

Examples of accredited certification bodies include BSI, Bureau Veritas, DNV, SGS, and TÜV.

After certification: the 3-year cycle

  • Year 1: Full certification audit
  • Year 2: Surveillance audit (shorter, focused)
  • Year 3: Surveillance audit
  • Year 4: Full recertification audit (cycle repeats)

Surveillance audits verify you're maintaining your AIMS, tracking improvements, and adapting to new AI risks.