Key facts
- Format: editable XLSX gap-assessment spreadsheet.
- Scores your AI management system (AIMS) against the Annex A control catalogue.
- Flags each control as in place, partial or missing, with an owner and target date column.
- Written for SMEs preparing for a Stage 1/Stage 2 certification audit.
- Free to download, no sign-up required — pairs with the ISO 42001 complete guide.
What is the ISO 42001 readiness gap checklist?
It is a self-assessment spreadsheet that walks through the Annex A controls in ISO/IEC 42001 and asks, for each one, whether you have it in place, partially in place, or missing. It gives you a realistic view of your certification readiness before you engage a certification body, so audit time is spent closing real gaps rather than discovering them for the first time.
Who is it for?
Any organisation preparing for ISO/IEC 42001 certification, or deciding whether it's worth pursuing. It suits a compliance lead, AI governance owner or founder who needs a clear, evidence-based view of the gap between where they are and where an auditor expects them to be.
What the checklist covers
Scope and context. Whether your AI management system's scope, boundaries and interested parties are documented.
Leadership and policy. Whether there is a board-endorsed AI policy with clear objectives.
Risk and impact assessment. Whether AI risk and impact assessments are performed and recorded per system.
Annex A controls. Line-by-line scoring against the Annex A catalogue — data, third parties, transparency, lifecycle and incident management.
Statement of Applicability. A working draft of which controls apply, why, and their current status — the document auditors ask for first. See what is ISO 42001?
How to use it
Score honestly rather than aspirationally — the gaps you find now are far cheaper to close before a Stage 1 audit than during one. Assign an owner and a target date to every gap, then re-run the checklist quarterly as you close items. Most SMEs find they are further along than they expect on policy and further behind than they expect on evidence and records.
Frequently asked questions
What is ISO 42001?
ISO/IEC 42001 is the international standard for an AI Management System (AIMS) — a certifiable framework for governing AI responsibly.
How does ISO 42001 relate to the EU AI Act?
ISO 42001 is voluntary but provides the management system to operationalise and evidence many EU AI Act obligations.
How long does ISO 42001 certification take?
Typically six to twelve months, depending on AI maturity, scope and existing management systems.
How much does ISO 42001 certification cost?
It varies by size and scope: certification body audit fees plus internal or consulting effort. SMEs are often in the low-to-mid five figures (GBP) all-in.
Is ISO 42001 worth it for an SME?
Often yes, when AI is core to your product or customers demand assurance — it shortens procurement and signals trust.
What documentation does ISO 42001 require?
An AI policy, scope, risk and impact assessments, a Statement of Applicability, defined roles, objectives and operational records.
Can we self-certify ISO 42001?
No — certification requires an accredited third-party audit, but you can and should self-assess readiness first, which is what this checklist is for.
Related pages
Sources
Last updated 19 June 2026.