ISO 42001
From Gap Analysis to Certificate: Using Software to Run Your ISO 42001 Project
A practical walkthrough of running an entire ISO 42001 certification project inside software, from the first gap analysis through the final certificate.
April 26, 2026 · 7 min read
ISO 42001
Most ISO 42001 guides describe the standard's requirements. This one describes the project — how gap analysis, document generation and evidence tracking chain together inside software into a single continuous path to certification, instead of five disconnected spreadsheets that quietly drift out of sync.
TL;DR
- Running certification as one connected project — not five separate efforts — is what software actually changes about the process.
- Gap analysis output should directly become your project backlog, not a report that sits separately from the work.
- Generated documents need a human reviewer at every stage — software drafts, people approve.
- Evidence gathered during the operating period should map automatically to the clauses and controls it satisfies.
- The final export package should assemble automatically from everything already tracked, not require last-minute compilation.
One Connected Project, Not Five Disconnected Efforts
Step 1: Gap Analysis Becomes the Backlog
The gap analysis shouldn't be a static report you read once — its output should become the actual project backlog, with each gap assigned an owner and a deadline directly, rather than requiring someone to manually transcribe findings into a separate task tracker.
Step 2: Closing Gaps With Reviewed Drafts
| What software does | What a human still does |
|---|---|
| Drafts the AI policy structured to clause 5 | Reviews and edits for organizational accuracy |
| Pre-populates the Statement of Applicability | Confirms control selections and exclusion reasoning |
| Suggests risk assessment structure | Makes the actual risk judgment calls |
Step 3: Operating With Evidence Mapped as You Go
During the operating period, each piece of evidence — a completed training session, an internal audit finding, a management review — should be tagged to the specific clauses and controls it satisfies at the moment it's created, not reconstructed later when someone tries to remember what happened months ago.
Step 4: Internal Audit Using the Same Structure
The internal audit should check against the same clause and control structure used throughout the project, with findings recorded directly against the relevant control — creating a closed loop instead of a separate audit report disconnected from the rest of the record.
Step 5: The Certificate Export
- Confirm every clause has current, complete evidence
- Confirm the Statement of Applicability matches your actual registered AI systems
- Generate the full audit package for the certification body
- Schedule Stage 1 once the package is internally reviewed
Primary Sources
- ISO — ISO/IEC 42001:2023
- NIST — AI Risk Management Framework
When the Scope Changes Mid-Project
New AI systems get built during a certification project — that's normal, not a sign of poor planning. When one is added, it should flow through the same gap-analysis-to-evidence pipeline as everything registered before it, rather than being handled as an exception. Projects that treat scope changes as one-off additions tend to end up with an inconsistent Statement of Applicability by the time Stage 1 arrives.
Keeping Momentum During the Operating Period
- Put the internal audit and management review dates on the calendar at the start of the project, not once documentation is 'done'
- Review the backlog from the gap analysis monthly, not just at kickoff
- Treat any newly discovered gap the same way as an original one — assign an owner and a deadline immediately
Who Should Actually Run This Project
A single accountable owner — usually a compliance lead — should run the project end to end, even if specific tasks are delegated across engineering, legal and HR. Splitting ownership across multiple people without one clearly accountable lead is one of the most common reasons a certification project stalls partway through the operating period, once the initial kickoff energy fades and nobody is left explicitly responsible for keeping it moving.
Where Unorma Fits
One project, start to finish
Frequently asked questions
Does the gap analysis need to be a separate document from the project plan?
No — ideally the gap analysis output becomes the actual project backlog directly, with owners and deadlines assigned to each finding, rather than living as a separate static report.
Do generated documents need human review before use?
Yes, always — software drafts documents pre-filled with your data, but a qualified person needs to review and approve them before they're used as real evidence.
When should evidence be mapped to clauses and controls?
As it's created, during the operating period — mapping it later requires reconstructing context that's easy to lose, especially months after the fact.
What does the final certificate export actually include?
A complete package covering all clauses and applicable Annex A controls with their supporting evidence, assembled from what's already been tracked throughout the project rather than compiled from scratch at the end.
What happens if we add a new AI system mid-project?
It should flow through the same gap-analysis-to-evidence pipeline as every other system, rather than being handled as a one-off exception — otherwise the Statement of Applicability tends to drift out of sync by Stage 1.
How do we keep momentum during the operating period?
Schedule internal audit and management review dates at the start of the project rather than waiting for documentation to feel 'done,' and review the gap-analysis backlog monthly rather than only at kickoff.
Who should have final say when the project stalls?
The single accountable project owner — usually the compliance lead — should have clear authority to escalate blockers, rather than the project depending on informal coordination across multiple stakeholders.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.