What to Expect in the ISO 42001 Certification Process
Published: Jun 16, 2025
As artificial intelligence (AI) technologies become more deeply embedded in business operations, the need for responsible, transparent, and auditable AI management practices has never been more critical. ISO 42001 provides a structured framework to help organizations govern their AI systems responsibly and ethically.
Whether you're just beginning to explore AI governance or are preparing to formalize your practices, achieving ISO 42001 certification can signal to stakeholders, regulators, and customers that your organization prioritizes ethical, trustworthy, and accountable AI governance. But what exactly does the certification process involve, and how can you prepare for it? In this article, we detail what ISO 42001 is and why it matters, what to expect from the certification process, and practical insights to help you lay a strong foundation for compliance.
What Is ISO 42001 and Why Is It Important?
Published in December 2023, ISO 42001 is the first international standard focused on managing AI responsibly. It enables companies to demonstrate governance and responsible practices for managing the use and development of AI systems. The standard is applicable to any organization providing, developing, or using AI products or services. As AI technologies become increasingly embedded in business operations, ISO 42001 offers a way to build trust, demonstrate accountability, and ensure AI is used in a transparent, safe, and human-centric manner.
What Is the ISO 42001 Certification Process?
The ISO 42001 certification process is similar to obtaining other ISO certifications (e.g., 27001, 9001, etc.). It involves a two-stage audit conducted by an accredited certification body, such as Schellman. Stage 1 focuses on reviewing documentation and the design of the artificial intelligence management system (AIMS), while Stage 2 evaluates the operational effectiveness and management of AI risks, governance, and controls. Once both stages are successfully completed, an ISO 42001 certificate is issued, which is valid for three years and maintained through annual surveillance audits.
Key steps in the ISO 42001 certification process include:
1. Pre-Work
To prepare for ISO 42001 certification, organizations must first understand the ISO 42001 standard requirements and how those requirements apply to their use of AI. This begins with determining the organization's role with respect to the in-scope AI systems – AI provider, AI producer, or AI user – as well as defining the scope of the AI management system (AIMS). Policies, objectives, and procedures must then be developed to guide responsible AI development and use.
A risk assessment must be performed to identify AI-specific risks (e.g., lack of transparency, fairness considerations, potential system bias, etc.), along with an AI impact assessment, which is intended to be performed as a precursor to the risk management program – see ISO 42005:2025 for guidance on AI impact assessments.
The results of the risk assessment and AI impact assessment are fundamental to the design and ongoing effectiveness of the AIMS. These assessments identify potential harms, societal and ethical concerns, and risks associated with the development and use of AI, which help organizations determine which controls (from Annex A) to implement. They also feed into the operations, performance evaluation, and improvement processes.
2. Optional Readiness Assessment
A readiness assessment is a pre-certification review designed to evaluate how prepared an organization is to undergo the formal audit. Readiness reviews help identify gaps between what is currently designed and/or implemented and the requirements of the standard, so that they can be addressed prior to the beginning of the official certification process. Although not required for certification, a readiness assessment can be a valuable step in any compliance initiative—helping you identify and address areas of concern ahead of an audit, quickly demonstrate your commitment to high security standards, and proactively reassure customers as you work toward full certification.
3. Stage 1 Audit
The Stage 1 audit focuses on evaluating an organization’s preparedness for the full certification assessment, which will take place in the Stage 2 audit. During the Stage 1 audit, documented information is reviewed, including the scope, required policies, risk management and impact assessment methodologies, and statement of applicability.
The objective of the Stage 1 audit is to confirm that the design and foundational elements of the AIMS are established and aligned with the requirements of the standard. This includes confirming roles and governance structures, as well as understanding the organization's identified risks, obligations, and objectives. Areas of concern (AOCs) or potential nonconformities may be identified and communicated as part of the Stage 1 review, allowing the organization to address them before the start of the Stage 2 audit, which evaluates the effectiveness of the AIMS implementation. If these AOCs go unaddressed, they may materialize into formal nonconformities during the Stage 2 audit.
The Stage 1 audit typically lasts 1-2 days and consists of documentation review and meetings with AIMS owners and relevant personnel. Once the audit is complete, a formal closing meeting is conducted to communicate any AOCs and next steps for the certification process. A formal report is then issued after the closing meeting.
The time between the Stage 1 and Stage 2 reviews can vary but is typically 4-12 weeks and should not exceed six months. The Stage 1 process may need to be performed again if the gap exceeds six months. If significant AOCs are identified during Stage 1, the organization may need more time to make corrections prior to moving to Stage 2.
4. Stage 2 Audit
The Stage 2 audit evaluates the operating effectiveness of the AIMS. This involves testing whether AI-related risks and obligations are being effectively managed across the organization, supporting responsible AI governance and enabling continual improvement.
During the Stage 2 audit, the implementation of policies, controls, and processes is reviewed, with a focus on operational performance (Clause 8), risk and impact management, and conformity with in-scope Annex A controls. Performance evaluation and improvement processes are also assessed, which includes monitoring and measurement, internal audit, management review, and corrective action.
The Stage 2 audit can last anywhere between 3-9+ days and consists of documentation review and meetings with AIMS owners, control owners, and other relevant personnel. Once the audit is complete, a formal closing meeting is conducted to communicate any findings (i.e., nonconformities or opportunities for improvement (OFIs)), next steps for the certification process (e.g., corrective action, etc.), and the audit team’s recommendation for certification. A formal report is issued after the closing meeting, and a formal certification decision is made.
Schellman has a no-surprises policy – where any identified or potential nonconformities are communicated as soon as possible. Audit results are presented in real-time; this aligns with one of our core values – openness builds trust.
5. Certification
Upon successful completion of the certification process (Stage 1 and Stage 2), an ISO 42001 certificate of conformity is issued. The certificate is valid for a three-year period, with annual surveillance audits conducted to ensure continued compliance with the standard and the effectiveness of the AIMS. Surveillance audits require 1/3 of the time of the initial certification review. Surveillance audits can last anywhere between 2-5+ days (depending on the number of personnel in scope) and consist of documentation review and meetings with AIMS owners, control owners, and other relevant personnel. Often, a sampling approach is taken during surveillance audits, as opposed to the initial certification audit, which includes a full assessment of the AIMS framework and all in-scope Annex A controls.
Key Considerations for Starting Your ISO 42001 Compliance Journey
A good starting point for organizations beginning their ISO 42001 compliance journey is to gain a clear understanding of how the standard applies to their specific use of AI technologies, in other words – determining their role (e.g., AI developer, AI user, etc.). This includes defining the scope of the AIMS, identifying internal and external stakeholders, and determining any legal, regulatory, ethical, or contractual obligations.
Organizations must think beyond the traditional information security risks and consider ethical, legal, social, and operational impacts of AI. This includes bias, transparency, accountability, and unintended consequences. Conducting a readiness assessment helps assess the current state of the AIMS and can pinpoint the areas that do not meet the requirements of the standard.
For organizations that are already ISO 27001 certified, starting the ISO 42001 compliance journey offers advantages, but also new considerations. Many foundational elements – such as risk management frameworks, internal audit processes, and continual improvement mechanisms – can be leveraged from the existing information security management system (ISMS). However, ISO 42001 introduces some new and unique requirements specific to AI, including the AI impact assessment, ethical considerations, and transparency obligations. Ultimately, organizations will need to expand their risk assessment approach to include broader societal, legal, and operational impacts of AI.
Contact us if you are looking to start your ISO 42001 certification journey, or if you have any further questions about the certification process or requirements. In the meantime, discover additional ISO 42001 insights in these helpful resources:
About Jenelle Tamura
Jenelle Tamura is a Manager with Schellman Compliance and has 9+ years of professional experience in IT assurance and compliance, including auditing, information security, and cloud compliance. Jenelle is focused primarily on leading ISO 27001, ISO 42001, ISO 9001, SOC 2, and CSA STAR projects to help organizations meet security and compliance standards.