Key facts
- Typically 6–12 months from start to certificate, depending on AI maturity.
- Two audit stages: Stage 1 (documentation review) and Stage 2 (implementation audit).
- Requires an accredited third-party certification body — you cannot self-certify.
- Annual surveillance audits, with full recertification typically every three years.
- Use the free readiness gap checklist before you book an audit.
Outcome summary
A fully certified AI Management System (AIMS), evidenced by an accredited certificate, that you can present to customers, regulators and your own board as proof of structured AI governance.
Prerequisites
An AI inventory, a documented AI policy with board sign-off, defined roles and a basic risk-assessment process. Most of the certification effort goes into producing evidence for what you already do, or building the missing pieces.
The steps
Step 1: Gap assessment. Score your current state against ISO 42001 Annex A controls.
Step 2: Close gaps. Build missing policies, roles, risk processes and documentation.
Step 3: Select a certification body. Confirm it is accredited by a recognised national accreditation body.
Step 4: Stage 1 audit. Documentation review — the auditor checks your AIMS is designed correctly.
Step 5: Stage 2 audit. Implementation audit — the auditor checks the AIMS is actually operating as documented.
Step 6: Certification. Certificate issued, valid three years subject to annual surveillance audits.
Common mistakes
Booking an audit before the gap assessment is done, treating certification as a one-off project rather than an ongoing management system, and under-resourcing the evidence-gathering stage. Use the readiness gap checklist to avoid the first mistake.
Frequently asked questions
How long does ISO 42001 certification take?
Typically six to twelve months, depending on AI maturity, scope and existing management systems.
How many stages is ISO 42001 certification?
Usually a Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance audits.
Who certifies ISO 42001?
Accredited certification bodies; check the certifier is accredited by a recognised national accreditation body.
Can we self-certify ISO 42001?
No — certification requires an accredited third-party audit, but you can and should self-assess readiness first.
How often is ISO 42001 re-audited?
Annual surveillance audits with a full recertification typically every three years.
Related pages
Sources
Last updated 19 June 2026.