ISO 42001 Certification: The Step-by-Step Process
ISO/IEC 42001 certification explained: gap analysis to audit, AIMS clauses 4–10, 3-year cycle, and how it supports your EU AI Act Article 17 QMS.
ISO 42001 certification is not a legal requirement. No provision of Regulation (EU) 2024/1689 mandates it. But if you are building or deploying a high-risk AI system and you need to demonstrate a systematic, audited governance structure, certification against ISO/IEC 42001:2023 is currently the most credible way to do that. It gives you a third-party-verified management system, an Annex A control set mapped to real governance obligations, and a certificate that travels well — with enterprise customers, with notified bodies, and eventually with competent authorities running market surveillance.
This guide covers the full certification journey: readiness gap analysis, building the AI management system (AIMS), the audit sequence, what you receive at the end, and how it connects — and does not connect — to the EU AI Act's Article 43 conformity assessment and Article 17 quality management system obligations.
What ISO/IEC 42001:2023 Actually Is
ISO/IEC 42001 is a management system standard for artificial intelligence, published jointly by ISO and IEC in December 2023. It follows the same high-level structure (HLS) used by ISO 9001 (quality) and ISO 27001 (information security): clauses 4–10 define the management system requirements; Annex A provides a catalogue of controls that organisations select and justify through a Statement of Applicability.
The standard covers the full lifecycle of AI systems — from initial design and data governance through deployment, monitoring, and decommissioning. Its four key documents are:
- The AIMS itself — the management system, documented in policies, procedures, and records.
- The AI risk assessment — a structured evaluation of risks arising from the development or use of AI systems.
- The AI impact assessment — an evaluation of how AI systems affect individuals, groups, and society.
- The Statement of Applicability (SoA) — a document that lists each Annex A control, states whether it applies, and, if so, provides the justification and reference to implementation evidence.
ISO does not award certification. Accredited certification bodies — independent organisations whose competence has been verified by a national accreditation body (such as DAkkS in Germany, UKAS in the United Kingdom, or COFRAC in France) — conduct audits and issue certificates. The accreditation chain matters: a certificate from an unaccredited body has little weight with regulators or enterprise procurement teams.
How ISO 42001 Relates to the EU AI Act
This is the question compliance teams get wrong most often, so it is worth stating plainly.
ISO 42001 certification is not the EU AI Act Article 43 conformity assessment. Article 43 is the EU's mandatory pre-market procedure for high-risk AI systems: before a provider places a high-risk system on the market, it must complete a conformity assessment — either internal control under Annex VI (for most Annex III categories) or a notified-body assessment under Annex VII (required for biometric systems where harmonised standards are not applied in full, and triggered by the conditions in Article 43(1)). For high-risk AI embedded in Annex I regulated products — medical devices, machinery, vehicles — the applicable product law's conformity assessment route applies, with the EU AI Act requirements incorporated. ISO 42001 certification does not replace any of this.
What it does do is build the governance backbone that makes Article 43 evidence coherent. Specifically:
- Article 17 QMS. Providers of high-risk AI systems must put a quality management system in place, documented in written policies and procedures, covering at minimum the elements listed in Article 17(1)(a)–(m): regulatory compliance strategy, design and development procedures, test and validation procedures, data management, the Article 9 risk management system, post-market monitoring, incident reporting, and an accountability framework. ISO 42001 clauses 4–10 map closely onto these requirements. A certified AIMS does not automatically satisfy Article 17, and the auditor does not check Article 17 coverage, but it provides third-party evidence that a QMS exists, is documented, and is operated.
- Article 9 risk management system. The Article 9 RMS must be documented, systematic, and iterated throughout the lifecycle. The ISO 42001 AI risk assessment process is a direct operational counterpart.
- Article 11 technical documentation (Annex IV). Annex A controls relating to data documentation, model validation, and performance monitoring generate the records that populate the Annex IV technical file.
If you already hold ISO 27001, you have a head start. The HLS structure means your existing documentation framework, internal audit programme, and management review cycle all transfer. Organisations with mature ISO 27001 or ISO 9001 programmes typically reach ISO 42001 certification readiness faster than those starting from scratch — months rather than a year or more.
Stage 1: Readiness and Gap Analysis
Before engaging a certification body, conduct an internal gap assessment. The purpose is to establish what you have and what you need to build.
Work through ISO 42001 clauses 4–10 systematically. Clause 4 requires you to define the organisational context, interested parties, and the scope of the AIMS. Scope definition is consequential: a certification body will audit exactly what is in scope. A 30-person HR-tech company running one recruitment-screening AI system can scope the certification to that system alone; a larger organisation deploying multiple AI systems may scope it organisationally.
The gap assessment should also produce a preliminary Statement of Applicability draft. Walk through Annex A — which has 38 controls organised across nine areas (A.2–A.10), covering AI governance, data for AI, AI system life cycle, and more — and mark each control as applicable or not applicable. Controls that do not apply still require a documented justification for their exclusion. This document will be scrutinised during the Stage 1 audit.
Common gaps found in this phase: no documented AI risk assessment process, no ownership assigned for individual AI systems, training data undocumented, and no formal mechanism for capturing post-deployment performance signals. None of these are unusual; the gap assessment exists precisely to surface them before an auditor does.
Stage 2: Building the AIMS (Clauses 4–10)
The management system is what you are being certified against. It is not a project deliverable — it is an operational reality. Auditors verify that documented controls are actually followed, through interviews, log reviews, and records inspection. A policy that exists but is not communicated or used is a non-conformity.
Leadership and governance (clause 5). Top management must demonstrate commitment: establishing AI policy, assigning roles and responsibilities, and ensuring that resources are allocated. In practice this means an accountable owner (job title is less important than clarity of authority), a documented AI policy approved at senior level, and a mechanism for AI-related decisions to reach the people who need to make them. For a company under 50 people, this may be the CTO or a designated compliance lead; formal committee structures are not required, but documented decision trails are.
AI risk assessment (clause 6). The standard requires an AI risk assessment process that is repeatable and produces documented outputs. The risk assessment covers risks arising from AI system behaviour — bias, data quality failures, model drift, misuse — and feeds into the selection of Annex A controls. This is distinct from the EU AI Act Article 9 RMS, though the two are complementary: the ISO 42001 risk assessment can serve as evidence that the Article 9 process is systematic.
AI impact assessment (clause 6.1.4 and Annex A). The standard requires a process for assessing the impact of AI systems on individuals, groups, and society, with documented outputs. For high-risk systems in scope of the EU AI Act, this overlaps with the Article 27 Fundamental Rights Impact Assessment (FRIA), which certain deployers must complete: bodies governed by public law and private operators providing public services that deploy Annex III systems, and deployers of the creditworthiness and life/health-insurance systems in Annex III point 5(b) and (c). The ISO 42001 impact assessment is not a substitute for the FRIA, but aligning the two documents saves effort.
Data for AI (Annex A controls on data for AI systems). Data governance is a substantive area in both the standard and the Act. You need documented procedures for training data sourcing, quality assurance, bias assessment, provenance, and retention. Article 10 of the EU AI Act requires providers to use training, validation, and testing data that is relevant, sufficiently representative, and, to the best extent possible, free of errors and complete in view of the intended purpose. The ISO 42001 data controls turn this into auditable procedures and records rather than regulatory assertions.
AI system life cycle (operational controls, clause 8). Implementation, verification, and validation procedures must be documented for each AI system in scope. For a system that is purchased from a third party rather than built in-house, the operational controls shift toward procurement due diligence, monitoring of supplier controls, and configuration management. The standard accommodates both build and buy scenarios.
Internal audit and management review (clause 9). Before the certification audit, you must have completed at least one full internal audit cycle and one management review. The internal audit assesses whether the AIMS conforms to the standard's requirements and to your own policies. Management review assesses performance inputs — audit findings, non-conformities, monitoring results — and produces documented outputs including decisions on resources and improvements. These records will be reviewed during Stage 1.
Stage 3: The Certification Audit
ISO 42001 certification audits follow the same two-stage structure used for other ISO management system standards.
Stage 1: Documentation Review
The Stage 1 audit is typically conducted remotely over one to three days, depending on scope complexity. The auditor reviews:
- Scope definition and Statement of Applicability
- AI policy and governance documentation
- AI risk assessment and impact assessment outputs
- Internal audit records and management review minutes
- Evidence that the AIMS has been implemented and operated (not just written)
The Stage 1 outputs include a readiness determination. If the auditor identifies significant gaps — an incomplete SoA, no evidence of internal audit, core controls not yet implemented — Stage 2 will be deferred until these are addressed. More commonly, the Stage 1 produces a list of observations and clarifications, some of which the organisation must address before Stage 2 proceeds.
Stage 2: Implementation Audit
Stage 2 is conducted on-site (or via secure video for fully remote organisations, though auditors generally prefer at least partial site presence). Duration depends on scope: a small organisation with a narrowly scoped AIMS covering one or two AI systems might complete Stage 2 in two days; a mid-market company with multiple systems and cross-functional processes may take four to five days.
The auditor will:
- Interview the AIMS owner, system owners, data stewards, developers, and operations staff
- Review monitoring records, incident logs, corrective action registers, and training records
- Verify that Annex A controls are operational, not merely documented
- Trace selected risk assessment findings through to implemented controls and monitoring evidence
Non-conformities are classified as Major or Minor. A Major non-conformity — typically a failure to implement a core clause requirement or a systemic breakdown between documented procedure and actual practice — must be closed before a certificate is issued. The organisation submits corrective action evidence; the certification body reviews it, sometimes with a follow-up visit. Minor non-conformities require a corrective action plan accepted by the certification body before the certificate is issued; their closure is then verified at the first surveillance audit.
The Certificate
A successful Stage 2 audit results in a certificate valid for three years. The certificate specifies the scope of certification — the organisation, the standard, and the AI systems or activities covered. It does not assert EU AI Act compliance; a certification body has no mandate to determine regulatory compliance under Regulation (EU) 2024/1689.
Stage 4: Surveillance and Recertification
Certification is not a one-time event. Two annual surveillance audits — typically one to two days each — are required to maintain active status. The surveillance audits assess whether the AIMS continues to operate effectively, whether non-conformities from previous audits have been closed, and whether significant changes to AI systems or organisational context have been reflected in updated risk assessments and controls.
At the end of the three-year cycle, a full recertification audit re-examines the entire management system. Organisations that maintain continuous operation of their AIMS and treat surveillance as a genuine review rather than an administrative exercise find recertification straightforward.
Practical calendar implication for EU AI Act timing: the high-risk obligations for stand-alone Annex III systems apply from 2 December 2027 under the Digital Omnibus agreed in May 2026. An organisation starting gap analysis now, building and implementing the AIMS over six to nine months, and achieving certification in mid-2027 would hold an active certificate by the time competent authorities begin enforcement, with the first surveillance audit falling in mid-2028. That is the sensible sequencing, not a crisis response.
Timing and Cost: What to Expect
Timeline. An organisation with no prior management system framework, starting from a blank gap assessment, typically reaches certification readiness in nine to eighteen months. The range is wide because it depends heavily on scope size, number of AI systems, data governance maturity, and internal resource availability. Organisations that already hold ISO 27001 or ISO 9001 routinely compress this to six to nine months, because the structural elements — internal audit programme, management review, document control, corrective action process — are already in place.
State these timelines honestly to senior stakeholders. A certification project that is under-resourced or treated as a side-of-desk activity will take longer and produce a management system that does not survive surveillance.
Cost. Audit fees depend on organisation size, scope, and certification body. For a small company — say, under 100 employees — with a single AI system in scope, expect audit fees in the range of €6,000–€15,000 for the initial Stage 1 + Stage 2 assessment, and €2,000–€5,000 per annual surveillance audit. Larger scopes, multiple sites, or complex AI portfolios will push these figures higher. Implementation costs — staff time, tooling, external consultancy if used — vary considerably and are not set by the certification body.
Treat these figures as indicative bands, not quotes. Actual fees depend on facts — scope, site count, number of systems, audit-day calculation — that the certification body has not yet assessed.
Selecting a Certification Body
Find accredited certification bodies through your national accreditation body's register. In the EU: DAkkS (Germany), COFRAC (France), RvA (Netherlands), Accredia (Italy), ENAC (Spain). Verify that the certification body holds accreditation specifically for ISO/IEC 42001, not just for ISO 9001 or ISO 27001. As of 2026, the number of accredited bodies with ISO 42001 scope is growing but not yet large — check current registers rather than relying on marketing materials.
When evaluating a certification body, ask for auditor CVs to confirm AI governance and management system experience. An auditor who understands both domains will ask better questions and produce more useful findings. A purely procedural audit that ticks checklist items without engaging with the substance of your AI systems does not serve the purpose of certification.
How Confir Helps
Building ISO 42001 documentation from scratch is the part that consumes most of the time budget. Confir's rule-based compliance engine cross-maps directly to ISO 42001 controls, structuring the evidence you need across governance, risk assessment, and documentation.
Specifically, the AI risk assessment and classification output that Confir generates — covering Articles 9, 11, and 17 obligations — feeds the governance records your AIMS needs. The Article 11 / Annex IV technical documentation pack organises the per-system evidence that Stage 2 auditors will want to examine. This is deterministic, reproducible output: the same system inputs produce the same structured findings, which is exactly what an auditor expects from a documented management system.
Confir does not issue ISO 42001 certificates and is not a substitute for engaging an accredited certification body. What it reduces is the gap between regulatory compliance work and AIMS documentation, so the two programmes reinforce rather than duplicate each other.
Frequently Asked Questions
Is ISO 42001 certification required by the EU AI Act?
No. Certification is entirely voluntary. The EU AI Act does not mandate ISO 42001 or any other management system standard. What the Act does require — for providers of high-risk AI systems — is a quality management system under Article 17, a risk management system under Article 9, and a conformity assessment under Article 43. ISO 42001 certification provides strong evidence that the Article 17 QMS and Article 9 RMS are in place and audited, but it does not satisfy the Article 43 conformity assessment requirement.
Does ISO 42001 certification satisfy the EU AI Act Article 43 conformity assessment?
No. Article 43 is a separate, mandatory pre-market procedure. For most Annex III high-risk systems (categories 2–8), providers self-assess under the internal-control procedure in Annex VI. For biometric systems (Annex III point 1) where harmonised standards are not fully applied, the Annex VII notified-body route is required. ISO 42001 certification is not a notified-body procedure and does not constitute an Article 43 conformity assessment. It does, however, produce the governance and documentation evidence that goes into the conformity assessment file.
How long does certification realistically take for a company starting from scratch?
Nine to eighteen months is the honest range, depending on scope and resources. Organisations that already hold ISO 27001 or ISO 9001 can often compress this to six to nine months. The gap analysis and AIMS build-out are the long phases; the audit itself typically takes two to four weeks from Stage 1 commencement to certificate issuance, assuming no Major non-conformities and no deferral of Stage 2. Starting now means a realistic path to certification before the 2 December 2027 Annex III high-risk deadline.
What is the difference between the ISO 42001 AI risk assessment and the Statement of Applicability?
The AI risk assessment evaluates the risks associated with specific AI systems in scope — data quality failures, model drift, misuse scenarios, impact on individuals. Its outputs drive control selection. The Statement of Applicability (SoA) is a different document: it lists every Annex A control, states whether it is applicable, and, if applicable, shows how it is implemented and references the evidence. Exclusions must be justified. The SoA is one of the first documents a Stage 1 auditor will examine; an incomplete SoA is a common reason Stage 2 is deferred.
What happens if the Stage 2 audit finds non-conformities?
Non-conformities are classified as Major or Minor. A Major non-conformity means a core clause requirement has not been implemented or a systemic breakdown exists between documented procedure and actual practice — for example, an AI risk assessment that was completed once but never updated. Major non-conformities must be closed before the certificate is issued. The certification body reviews your corrective action evidence, sometimes with a targeted follow-up. Minor non-conformities are recorded and tracked to closure in the first annual surveillance audit.
Does ISO 42001 certification help if we already have ISO 27001?
Yes, materially. The two standards share the same high-level structure, so your document control system, internal audit programme, management review, and corrective action process all carry over. ISO 27001's information security risk assessment methodology is a close analogue to ISO 42001's AI risk assessment process — you adapt rather than rebuild. Practically, this reduces both implementation effort and the likelihood of structural gaps that a Stage 1 auditor would flag.
What does the certificate actually cover?
The certificate specifies the certified scope: your organisation (or a defined part of it), the standard (ISO/IEC 42001:2023), and the AI activities or systems included. It is valid for three years, subject to annual surveillance audits. It states that an accredited certification body assessed your management system against the standard's requirements and found it conforming at the time of audit. It does not assert that your AI systems are safe, lawful, or EU AI Act compliant — that determination remains with competent authorities under Regulation (EU) 2024/1689.