Skip to main contentChat with us
Chat with us

ISO/IEC 42001 · Certification Process

ISO 42001 Certification:
Stage 1, Stage 2 & Surveillance

ISO 42001 certification follows the same two-stage audit path as every ISO management-system standard. Here is the full journey — from gap assessment to certificate — what an accredited auditor checks at each step, and the mistakes that cause findings.

2Audit stages
8–12Weeks to certification
3-yearCertificate cycle

ISO/IEC 42001:2023 · AI Management System · Last reviewed July 2026

The Short Version

How ISO 42001 certification works

An accredited certification body certifies your organization against ISO/IEC 42001 through a Stage 1 documentation audit and a Stage 2 certification audit. Everything before that — gap assessment, building the AI Management System, internal audit, and management review — is preparation you do (with or without a consultant) to be ready.

The certificate lasts three years, with surveillance audits along the way. Consulting and certification are kept separate: the firm that helps you build the AIMS cannot be the body that certifies it.

8–12 weeks

Typical preparation time with expert support and basic governance in place.

2 audit stages

Stage 1 documentation review, then the Stage 2 certification audit.

3-year cycle

Certificate validity, with surveillance audits and recertification at year three.

Want the full, clause-by-clause walkthrough?

This page is the map of the journey. Our complete guide goes deeper — every clause, all 38 Annex A controls, the impact-assessment method, the EU AI Act overlap, and the nonconformities our auditors see most.

Read the complete ISO 42001 guide

Step by Step

The six steps to certification

From first gap assessment to a certificate on the wall, and what an auditor looks for at each step.

01

Gap assessment & readiness

Benchmark your current AI practices against ISO/IEC 42001. The output is a prioritized gap list and a remediation plan — the single most useful artifact for scoping budget and timeline.

Auditor looks at: Existing AI inventory, policies, and governance maturity.

02

AIMS implementation

Build the management system: define scope, write the AI policy, stand up the AI system inventory, run AI risk and impact assessments (A.5), implement applicable Annex A controls, and produce the Statement of Applicability.

Auditor looks at: Scope, AI policy, inventory, risk & impact assessments, SoA, control evidence.

03

Internal audit & management review

Audit your own AIMS against the standard and close findings, then hold a documented management review. Both are mandatory inputs the certification body expects to see at Stage 1.

Auditor looks at: Internal audit report, corrective actions, management-review minutes.

04

Stage 1 — documentation audit

An accredited certification body reviews your AIMS documentation and readiness. It confirms scope, examines the SoA and impact assessments, and flags gaps to resolve before Stage 2. Think of it as a readiness checkpoint, not a pass/fail exam.

Auditor looks at: AIMS documentation, SoA, impact assessments, internal audit, management review.

05

Stage 2 — certification audit

The certification audit. The auditor evaluates whether the AIMS is implemented and effective — sampling evidence, interviewing staff, and testing that controls actually operate. Findings are raised as major or minor nonconformities or opportunities for improvement.

Auditor looks at: Operating effectiveness of controls, evidence sampling, staff interviews, human-oversight records.

06

Certification & surveillance

Once nonconformities are cleared, the body issues an ISO/IEC 42001 certificate, valid for three years. Surveillance audits (typically annual) confirm the AIMS stays effective, and a recertification audit renews the cycle at year three.

Auditor looks at: Closure of nonconformities; continued conformity at each surveillance visit.

A Typical 8–12 Week Path

Certification Timeline

At Tranquility, compliance is fast, flexible, and achievable in under 2 months or sometimes even under 2 weeks!

Weeks 1–2

Gap Assessment & Scoping

Map AI systems, benchmark against ISO 42001, and define the AIMS scope and boundaries.

Weeks 2–5

Risk & Impact Assessment

Run AI risk assessments and Annex A.5 impact assessments for each system in scope.

Weeks 4–8

Controls & Documentation

Implement applicable Annex A controls, write the AI policy, and build the Statement of Applicability.

Weeks 8–10

Internal Audit & Review

Conduct the internal audit, remediate findings, and hold the management review.

Weeks 10–11

Stage 1 Audit

Certification body reviews documentation and readiness; close any gaps raised.

Weeks 11–12

Stage 2 Audit

On-site/remote certification audit of implementation and effectiveness, then the certification decision.

Avoid the Findings

Where Stage 2 audits go wrong

Five recurring nonconformities account for most first-attempt findings. Close these before the auditor arrives.

Incomplete AI system inventory

Shadow AI, embedded foundation models, and third-party AI features left off the register — so the A.5 impact assessment cannot be complete.

Impact assessment treated as a formality

A.5 assessments that list no real affected individuals, harms, or mitigations. Auditors probe this objective hardest.

Human oversight that cannot be evidenced

A policy says a human can intervene, but there is no log, no defined trigger, and no record that intervention ever happened.

SoA that does not trace to risk

Controls marked applicable with no link to an assessed risk or impact — or exclusions with no justification.

Stale data governance

No provenance, quality, or preparation records (A.7) for training and operational data.

Build the underlying artifacts right and the audit takes care of itself. See the Annex A controls catalog for the Statement of Applicability, the risk & impact assessment guide for A.5, and our certification services if you want a team to run it with you.

Frequently Asked Questions

What buyers ask before committing to the certification path.

What are the stages of ISO 42001 certification?

Certification by an accredited body has two formal stages. Stage 1 is a documentation and readiness audit — the auditor reviews your AIMS scope, Statement of Applicability, AI risk and impact assessments, internal audit, and management review, and identifies gaps. Stage 2 is the certification audit, where the auditor tests whether the AIMS is implemented and effective by sampling evidence and interviewing staff. Before either stage, you complete the preparatory work: gap assessment, AIMS implementation, internal audit, and management review.

How long is an ISO 42001 certificate valid?

An ISO/IEC 42001 certificate is valid for three years. During that period the certification body conducts surveillance audits — typically annually — to confirm the AIMS remains effective. At the end of the three-year cycle, a recertification audit renews the certificate. This mirrors the certification lifecycle used for ISO 27001 and other ISO management-system standards under ISO/IEC 17021-1.

How long does it take to get ISO 42001 certified?

For an organization with basic AI governance already in place, 8–12 weeks of preparation is typical before the certification audit: AI system inventory (about two weeks), risk and impact assessment (two to three weeks), controls implementation (about four weeks), and internal audit (one to two weeks). The timeline lengthens with the number and risk level of AI systems and shortens when you already run an ISO 27001 ISMS you can extend.

What do ISO 42001 auditors check most closely?

Three areas consistently draw the most scrutiny: the completeness of the AI system inventory (including foundation models and shadow AI); the AI impact assessment under Annex A.5 (real affected parties, harms, and mitigations — not a box-ticking document); and demonstrable human oversight (a defined trigger, an able human, and a log proving intervention is possible and recorded). Data governance (A.7) and a risk-traceable Statement of Applicability follow close behind.

How much does ISO 42001 certification cost?

At Tranquility, consulting engagements are scoped to the number and risk level of AI systems and your existing maturity. The engagement covers gap analysis, AIMS documentation, AI risk and impact assessments, and internal audit — request a scoped quote via our contact page. Accredited certification-body fees for Stage 1, Stage 2, and surveillance audits are billed separately by the registrar and depend on organization size and audit duration.

Do we need an accredited certification body?

For a certificate that carries weight with customers and regulators, yes — use a certification body accredited for ISO/IEC 42001 by a national accreditation body (ANAB, UKAS, RvA, NABCB, and peers) under ISO/IEC 17021-1 and the AIMS-specific requirements of ISO/IEC 42006:2025. Accreditation for 42001 is recent — the first accreditations landed through 2025–2026 — so some certificates in the market were issued before any accreditation existed. You can verify any certificate and its issuing body on the IAF CertSearch database. A consultant helps you build and prepare the AIMS but must remain independent of the body that audits it; the same firm cannot both consult and certify. Tranquility coordinates with accredited bodies on your behalf and prepares you for their audit.

What is ISO/IEC 42006 — and why does it matter which body certifies you?

ISO/IEC 42006:2025, published in July 2025, sets the requirements a certification body must meet to audit and certify AI management systems — auditor competence in AI, audit-time calculation, and AIMS-specific audit methods — on top of the general ISO/IEC 17021-1 rules. It exists because AI auditing requires competences classic ISMS auditors may not have. Practically: a 42001 certificate from a body accredited against ISO/IEC 42006 is the defensible kind; an unaccredited certificate may not survive scrutiny in enterprise procurement or regulatory contexts. When selecting a certification body, ask which accreditation body granted its ISO 42001 scope and when.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations