How to Comply with ISO 42001

This guide turns ISO/IEC 42001:2023 into an ordered path from scoping to certification. It is written for the team that will actually run the AI Management System (AIMS), not for a steering committee.

Typical timeline: 6–9 months if you already operate a mature ISO 27001 / ISO 9001 program; 9–15 months starting from scratch.

Before you start

  • Confirm the AIMS sponsor at executive level (ISO 42001 Clause 5).
  • Decide whether ISO 42001 will stand alone or integrate with existing ISO 27001 / 27701 management systems (Annex D).
  • Agree on a target certification body early — accreditation status matters.

Step 1 — Define AIMS scope and governance charter

Output: documented AIMS scope, role of the organization (provider, developer, deployer), list of AI systems in scope, governance charter.

Decide which AI systems, business units, and geographies the AIMS covers. ISO 42001 explicitly allows you to exclude AI systems you neither develop, provide, nor use — document the justification.

In Modulos: create an organization project and attach the ISO/IEC 42001 framework.

Step 2 — Run a gap analysis against clauses 4–10 and Annex A

Output: prioritized backlog, Statement of Applicability (SoA) draft.

Compare current practice to:

  • Clauses 4–10 — context, leadership, planning, support, operation, performance evaluation, improvement.
  • Annex A — 38 reference controls, grouped under the control objectives A.2–A.10.

Not every Annex A control applies to every organization — justify inclusion or exclusion in the SoA against your AI risk assessment.

Step 3 — Build the AIMS documentation set

Output: AI policy, AI objectives, risk and impact assessment procedures, Statement of Applicability, core procedures.

Minimum documentation set:

  • AI policy (Clause 5.2) and AI objectives (Clause 6.2)
  • AI risk assessment procedure (Clause 6.1.2) and AI impact assessment procedure (Clause 6.1.4)
  • Statement of Applicability (Clause 6.1.3)
  • Document control, internal audit, management review, corrective action procedures
  • System-level artifacts for each AI system in scope (scope, intended use, data lineage, lifecycle records)

In Modulos: use Policy Center for the policy lifecycle and Controls for the SoA.

Step 4 — Operate the AIMS for an evidence window

Output: real records produced by the AIMS during a defined operating period (usually 2–3 months minimum).

Certification audits are against operating evidence, not a documentation sprint. Run the AIMS:

  • execute Annex A controls on the AI systems in scope
  • run AI risk and AI impact assessments on real systems
  • produce review minutes, evidence, and corrective actions

In Modulos: link evidence to controls and run reviews on the operating cadence.

Step 5 — Conduct an internal audit and management review

Output: internal audit report, management review minutes, closed nonconformities.

  • Run the internal audit against clauses 4–10 and selected Annex A controls (Clause 9.2).
  • Feed the internal audit into a management review at executive level (Clause 9.3).
  • Open corrective actions for findings and close them before Stage 1 (Clause 10.1).

Step 6 — Engage an accredited certification body (Stage 1)

Output: Stage 1 audit report and readiness confirmation.

  • Select a certification body with ISO 42001 accreditation from an IAF-signatory accreditation body.
  • Stage 1 is a documentation and readiness audit. Common Stage 1 findings are missing SoA justifications, weak AI impact assessments, and incomplete management review records.
  • Close Stage 1 findings and schedule Stage 2.

Step 7 — Pass the Stage 2 audit and maintain the certificate

Output: ISO 42001 certificate; annual surveillance; 3-year recertification.

Stage 2 is an on-site audit of AIMS effectiveness — interviews, sampling evidence, and testing controls.

After certification:

  • Annual surveillance audits cover a subset of the AIMS each year.
  • Recertification is a full audit every 3 years.
  • Continual improvement (Clause 10.2) is the ongoing habit — every management review should produce input for the next cycle.

Disclaimer

This page is for general informational purposes and does not constitute legal or audit advice. Engage qualified auditors and legal counsel before ISO 42001 certification decisions.