From Advisory to Audit: A Step-by-Step Guide to ISO 42001 Certification

Published: Dec 3, 2025

As artificial intelligence becomes increasingly embedded in core business operations and customer-facing product offerings, organizations are under growing pressure to ensure their AI systems are safe, ethical, transparent, and well-governed. ISO 42001, the world’s first international standard for AI management systems, provides the structure needed to build trustworthy AI and demonstrate responsible governance to customers, regulators, and partners. 

To become ISO 42001 certified, organizations must navigate a defined, multi-stage process from early advisory work and scoping through design, implementation, and formal audit. Without a clear roadmap in place, teams often face implementation rework, stakeholder misalignment, and certification delays. 

In this co-authored article, Joe Sigman, Manager of AI Assessments and ISO Certification Services at Schellman, and Sawyer Miller, Director of Advisory and Assurance at risk3sixty, provide step-by-step guidance through the ISO 42001 certification process, outlining what to expect at each phase, what auditors will look for, and how to prepare your organization for a smooth, successful certification.

Your Roadmap to ISO 42001 Certification 

1. Advisory Phase  

When pursuing ISO 42001 certification, it’s important to first understand the framework requirements, align scope, and lay a strong foundation before any implementation or audit preparation takes place.  

During the advisory phase, organizations work to clearly define the scope of their AIMS, deciding which AI systems, business units, and processes are included. Advisory also involves bringing the right stakeholders on board, from executives and compliance officers to data scientists and legal teams, so that all governance roles and responsibilities are well understood. 

By the end of the advisory phase, organizations should have a documented program scope, a stakeholder governance structure, and a high-level roadmap that balances quick wins with longer-term initiatives. The AIMS scope definition should list all in-scope and out-of-scope business functions or products, as well as a defined set of AI roles relevant to the program. When done well, this phase reduces surprises, avoids wasted effort, and creates alignment before the more resource-intensive work of implementation begins.

2. Gap Analysis  

The gap analysis step, or current-state assessment, enables you to identify what is missing or deficient in your current practices as compared to the ISO 42001 requirements. During this step, you’ll assess policies, procedures, and controls against each ISO 42001 clause and Annex A requirement, classify gaps by severity and impact, and determine what must be addressed, improved, or remediated prior to the audit.

This is where you’ll evaluate your AI lifecycle management, governance, accountability, transparency, and ethics to document where existing frameworks already align or identify where AI-specific elements are lacking.  

3. Designing Your AI Management System (AIMS)  

The next step is to design your AIMS in a way that addresses the gaps you identified and meets all applicable ISO 42001 requirements. This includes developing policies and processes, identifying roles and responsibilities, and mapping ISO 42001 requirements to internal controls and procedures.  

Typically, your organization will create a core set of documentation to outline this AIMS design in collaboration with an implementation partner, such as risk3sixty. Such documentation should address the mandatory requirements of ISO 42001 and include policies covering your organization’s selected Annex A controls.

4. Implementation & Change Management  

After your AIMS is designed, it’s time to put the policies and controls into practice and ensure your organization adopts them effectively. This step requires effective training, awareness, and communication to emphasize why controls exist and how to use monitoring tools. It’s important to facilitate and encourage a culture of accountability, transparency, and ethical AI practices.  

Monitor adoption and adjust processes as needed to improve usability and compliance. Implementation deliverables include a fully operational AIMS applied to scoped AI systems, training materials, and pilot program results, including lessons learned. 

5. Internal Audits & Readiness Reviews  

Once your AIMS is implemented, it’s essential that you ensure everything runs as intended prior to pursuing ISO 42001 certification. Internal audits and readiness reviews give you the chance to assess whether the system is effectively operating, compliant with ISO 42001 requirements, and ready for an external audit. 

ISO 42001 requires that you perform an internal audit of the AIMS each year, including prior to the first Stage 1 audit with your certifying body, like Schellman. For this reason, internal audits are often conducted by partners as part of an implementation or other advisory engagement. During the internal audit, the internal auditor will evaluate the performance of your AIMS against ISO 42001 clauses and your internal controls.  

This involves reviewing documentation, processes, and records to confirm that governance, risk management, and technical safeguards are in place and functioning properly. Key stakeholders will also be interviewed to confirm awareness and consistent application of the AIMS policies and procedures. At the end of the internal audit process, you’ll be able to identify and remedy any nonconformities or areas for improvement.

A readiness assessment can also help you evaluate how prepared your organization is to undergo the formal audit by simulating a mock review. This optional review provides a mechanism for you to assess whether your organization can provide the necessary documentation and demonstrate effective control operation. During the optional readiness assessment, you can validate that key processes like AI risk assessment, model lifecycle management, and incident handling are mature and repeatable.

6. Stage 1 Audit: Readiness & Design Review 

The Stage 1 audit is designed to confirm that your AIMS is properly defined and ready for a full assessment. During this review, auditors will evaluate key documentation, including your scope, governance framework, policies, and risk assessment approach to verify that the foundation of your AIMS is in place. You’ll receive clear feedback about any areas of concern (AOCs) and will have the opportunity to make any necessary adjustments before moving into Stage 2. 

This stage usually spans several days and focuses on document reviews and discussions with key AIMS stakeholders. Thoroughly addressing feedback from Stage 1 sets the stage for a smoother certification audit. 

7. Stage 2 Audit: Operational Effectiveness Review  

Stage 2 tests how well your AIMS actually works in practice, focusing on effectiveness. Auditors will assess operational performance (Clause 8), review evidence of monitoring, internal audits, and management reviews, and ensure that all identified risks and obligations are actively managed.  

Stage 2 is more in-depth than Stage 1, typically lasting several days depending on the size and complexity of the AIMS scope and the selected AI roles. At the end of this stage, findings such as nonconformities or opportunities for improvement (OFIs) are presented, along with recommendations for next steps toward certification.

8. Post-Audit, Certification, & Continuous Improvement 

After successfully completing both audit stages, an ISO 42001 certificate of conformity is issued and valid for three years. Each year, a surveillance audit is performed to confirm your AIMS continues to operate effectively and remains compliant with the standard. These reviews are shorter than the initial certification audit and focus on key updates, AI risk management, and evidence of continual improvement rather than a full assessment.  

ISO 42001 Implementation Considerations and Best Practices 

Successfully implementing ISO 42001 requires careful planning, a forward-looking strategy, and attention to the unique challenges of AI governance. Below are key considerations and best practices for ISO 42001 implementation:  

1. Plan Ahead
Early planning helps align resources, define roles, and ensure a smooth certification journey. 

2. Choose the Right Advisory/Implementation Partner
Select an experienced and recognized partner to ensure an accurate scope and gap analysis. This ensures your implementation plan is focused on what matters.

3. Define Your Scope, Context, and AI Role
Clearly identify which AI systems and organizational functions fall within your AI Management System (AIMS).

4. Consider an Integrated Management System
Organizations already certified to established standards like ISO 27001 or ISO 27701 may benefit from integrating ISO 42001 into existing management systems, reducing duplication, simplifying controls, and supporting a holistic approach to risk and compliance. 

5. Address Supply Chain & Regulatory Impacts
AI regulation is evolving rapidly, and external obligations are increasingly visible. Certain industries, like financial services, are beginning to incorporate ISO 42001 requirements into vendor security questionnaires, underscoring the importance of supply chain compliance. 

6. Choose the Right Certification Body
Only a few bodies are currently accredited to certify ISO 42001. Selecting an experienced, recognized certification body helps ensure an efficient and credible audit process. 

7. Emphasize Unique AI Considerations
Unlike other management system standards, ISO 42001 focuses on AI-specific risks, including bias, explainability, model drift, and ethical considerations. Tailoring your AIMS to these unique risks ensures both compliance and responsible AI governance. 

Moving Towards ISO 42001 Certification 

Achieving ISO 42001 certification is a significant milestone, demonstrating not only compliance, but a mature, responsible approach to the development and operation of AI systems. By moving strategically through each phase of the journey, you build the foundation for both certification and long-term AI governance success.  

As AI regulation accelerates and organizations face increased scrutiny over how AI systems are built and used, ISO 42001 offers a clear, globally recognized framework to operate safely, ethically, and transparently. With the right preparation, the certification process becomes less about checking boxes and more about strengthening your AI governance, boosting stakeholder trust, and enabling innovation with confidence. 

To continue learning about ISO 42001 and AI governance best practices, contact risk3sixty for advisory services or contact Schellman for support on your certification audit journey. In the meantime, explore our related resources below:

About the Authors

Joe Sigman is a Manager of AI Assessments and ISO Certification Services with Schellman based in Denver, Colorado. Prior to joining Schellman in 2021, Joe worked as a Senior Associate at a management consulting firm specializing in IT strategy and compliance, solution architecture, and enterprise digital transformation. Joe has led and supported AI Assessments, Cybersecurity Assessments, Information Security Architecture Solutioning, Information Technology Gap Analysis, and Cloud Migration Roadmaps. Joe has over 6 years of experience comprised of serving clients in various industries, including Information Technology, Professional Services, Healthcare, and Energy. Joe is now focused primarily on ISO Certifications for organizations across various industries.


Sawyer Miller is the Director of Audit & Implementation Practice for risk3sixty. He is a graduate of the Georgia Institute of Technology. He has been a major part of the growth of risk3sixty, leading the ISO 27001 service line and becoming the company’s go-to thought leader for ISO.
Sawyer is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor® (CISA).

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.