ISO/IEC 42001:2023 scope and certification

ISO/IEC 42001 is a management system standard, which means auditors focus on how you govern AI over time, not only whether a specific document exists on audit day.

This page is a practical guide to defining scope and preparing for certification-style audits without turning ISO/IEC 42001 into a documentation sprint.

Define scope you can defend

In ISO work, scoping is not a formality. Your scope determines what auditors will sample, which systems matter, and what evidence you must be able to produce.

Good scopes are:

  • specific (what is included/excluded)
  • operational (who is accountable and what processes apply)
  • reviewable (how scope changes are approved and recorded)

Practical scoping questions:

  • Which AI systems (and lifecycle stages) are in scope?
  • Which organizational functions are in scope (product teams, platform teams, vendor management, etc.)?
  • Which third parties materially affect the AI system (model provider, data providers, critical infrastructure)?
  • Which markets and stakeholders drive obligations and risk tolerance?

In practice, most teams structure scope as:

  • an organization-level AIMS layer (policy, roles, audits, shared controls)
  • plus AI system-level execution (controls, evidence, monitoring per system)

What auditors typically test (high level)

Audits usually test whether you can demonstrate that:

  • your AI governance scope, policy, and objectives are defined and current
  • responsibilities and oversight are assigned and operating (not just defined)
  • AI risks are assessed, treated, and re-assessed as systems change
  • AI system impact assessments exist where appropriate and influence decisions
  • controls are implemented and executed consistently
  • evidence exists for what you claim in policies and reports
  • findings are tracked and used for continual improvement

The most important pattern: auditors sample operational reality (records, decisions, evidence), not just “nice documents”.

A practical certification flow (what it feels like)

Most teams experience certification as a cycle:

  1. Gap analysis: identify what’s missing.
  2. Implementation: establish processes and execute controls.
  3. Internal audit: test whether the system works in practice.
  4. Management review: ensure leadership oversight and resourcing.
  5. Certification audit: external assessment and findings.
  6. Surveillance audits: periodic follow-ups.

How Modulos supports audit readiness

Modulos helps by giving you an execution and evidence system:

  • requirements and controls define what “done” means
  • reviews create traceable approvals and separation of duties
  • evidence linking creates a stable narrative across objects
  • exports create point-in-time packages for audits

Scope stability matters

Exports are snapshots. Freeze scope (and major framework updates) before generating audit packs, so findings stay comparable and reviewable.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.