ISO/IEC 42001:2023, the AI Management System standard, became available for certification in 2024. It’s the first international standard that allows organizations to demonstrate conformity with an AI governance framework through third-party certification. Here’s what the certification process actually looks like.
What ISO 42001 Certifies
ISO 42001 specifies requirements for an AI management system (AIMS) — the policies, processes, and controls an organization uses to manage AI responsibly across its lifecycle.
Certification means an accredited audit body has verified that your organization’s AIMS meets the standard’s requirements. It doesn’t certify specific AI systems — it certifies your management system for AI.
This distinction matters: you can have an ISO 42001 certificate and still deploy problematic AI systems if your management system processes fail. The certificate is about the system, not the outcome.
Who Issues Certificates
Only accredited certification bodies can issue ISO 42001 certificates. Look for certification bodies accredited by:
- ANAB (ANSI National Accreditation Board) in the US
- UKAS (United Kingdom Accreditation Service) in the UK
- DAkkS in Germany
- Similar national accreditation bodies in other countries
Major certification bodies now offering ISO 42001: BSI, SGS, Bureau Veritas, DNV, and others. Prices and audit approaches vary. Get multiple quotes.
The Certification Process
ISO 42001 follows the standard ISO certification structure.
Stage 0: Readiness Assessment (Optional but Recommended)
Before formal certification, many organizations conduct a readiness assessment (sometimes called a pre-audit or gap assessment) with their chosen certification body or an independent consultant. This identifies:
- What mandatory clauses are already satisfied
- What gaps need to be closed before Stage 1
- Rough timeline to certification readiness
Readiness assessments typically cost $5,000–$15,000. They’re not required but save time and money in Stage 1.
Stage 1: Documentation Review
The formal certification process begins with Stage 1, a documentation-only review. The auditor examines:
- Your AIMS scope statement (what AI activities are in scope)
- Your AI policy and high-level objectives
- Risk assessment documentation
- Key procedures and process documents
- Evidence that leadership is engaged
Stage 1 takes 1–2 days of auditor time. The output is a Stage 1 report identifying:
- Areas where documentation is adequate
- Gaps or clarifications needed before Stage 2
- Recommended focus areas for Stage 2
Many organizations have Stage 1 findings that require weeks to address before proceeding to Stage 2. This is normal.
Stage 2: Implementation Audit
Stage 2 is the main audit. The auditor verifies that your documented AIMS is actually implemented in practice.
Duration: Depends on organization size and scope. For a mid-size organization with 200–500 employees and a defined AI scope, expect 3–5 days of on-site (or remote) audit time.
What auditors check:
- Evidence that processes are followed, not just documented (audit trails, records, meeting minutes)
- Competence of personnel with AI governance responsibilities
- Internal audit results and management review records
- Corrective action processes for nonconformities
- Objective evidence for each mandatory clause
Auditor techniques:
- Interviews with staff at multiple levels (executive sponsors, AI developers, risk owners)
- Document and record review
- Process walkthroughs
- Sampling of AI system documentation
Output: Stage 2 report with any nonconformities. Nonconformities come in two levels:
- Major nonconformity: A significant failure to meet a mandatory clause. Must be addressed before certification.
- Minor nonconformity: A gap that doesn’t prevent overall conformity. Must be addressed within a specified timeframe.
Certification Decision
If Stage 2 produces no major nonconformities (and any minor nonconformities have a remediation plan), the certification body issues a certificate. The certificate is valid for three years with annual surveillance audits.
Preparing for the Audit
Most common audit failures:
- Scope is unclear. Organizations can’t clearly articulate what AI activities are in and out of scope for their AIMS. Define scope precisely before Stage 1.
- Leadership isn’t engaged. ISO standards require demonstrable leadership commitment. Auditors will interview executives. If the CEO or CTO can’t speak to the AI governance program, that’s a finding.
- Internal audit hasn’t happened. ISO 42001 requires at least one complete internal audit cycle before certification. Do internal audits before Stage 2.
- Management review hasn’t occurred. Leadership must formally review the AIMS. Document it with minutes and actions.
- Records are thin. ISO requires objective evidence. If you say you do risk assessments, you need records of specific risk assessments, not just a policy saying you do them.
Timeline and Cost
Timeline from decision to certificate: 9–18 months for most organizations starting from scratch.
Cost breakdown:
- Readiness assessment: $5,000–$15,000 (optional)
- Internal implementation work: Staff time (significant, varies widely)
- Stage 1 audit: $3,000–$8,000
- Stage 2 audit: $15,000–$50,000 depending on size
- Annual surveillance audits: $8,000–$20,000
- Three-year recertification: Similar to Stage 2
Is It Worth It?
For organizations that need to demonstrate AI governance externally — to enterprise customers, EU regulators, or M&A due diligence — the certificate provides something that self-assessed NIST RMF alignment cannot: an independently verified, internationally recognized credential.
For organizations building governance purely for internal purposes, the certification overhead may not be necessary. NIST AI RMF gives you the governance without the certification cost.
This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.
