Unorma

ISO 42001

ISO 42001 Certification Requirements: The Complete Checklist

Every requirement in ISO/IEC 42001 explained in plain language, organized into a checklist you can use to scope your AI management system before the audit.

Zofia Kubiak
Zofia Kubiak

June 29, 2026 · 13 min read

ISO 42001

ISO/IEC 42001:2023 is the first international standard for AI management systems, and it reads like most ISO standards: precise, cross-referenced, and not written to be skimmed. This is the plain-language checklist version — every requirement organized so you can scope what your organization actually has to build before an auditor shows up.

TL;DR

  • ISO 42001 has two requirement sets: clauses 4–10 (the mandatory AI Management System, or AIMS, structure) and Annex A (38 optional-but-usually-applicable controls across 9 categories).
  • Clauses 4–10 follow the standard ISO high-level structure: context, leadership, planning, support, operation, performance evaluation and improvement.
  • You don't have to implement every Annex A control — you select applicable ones based on your risk assessment and document your reasoning in a Statement of Applicability.
  • Expect two audit stages: Stage 1 (documentation review) and Stage 2 (evidence that the AIMS is actually operating), followed by a 3-year certification cycle with annual surveillance audits.
  • The most commonly underestimated requirement is evidence of ongoing operation — policies alone don't pass Stage 2; auditors want to see the AIMS running for a meaningful period first.

The Two Parts of ISO 42001: Clauses and Annex A

Like ISO 27001, ISO 42001 splits its requirements into two parts. Clauses 1–3 are scope and definitions — not audited directly. Clauses 4 through 10 are the mandatory management-system requirements: every certified organization must satisfy all of them. Annex A is a reference set of 38 AI-specific controls across 9 categories that you select from based on your own risk assessment, not a checklist you must fully implement.

PlanClauses 4–6Context, leadership, risk treatmentDoClause 8Operate the AIMSCheckClause 9Monitor & internal auditActClause 10Nonconformity & improvement
ISO 42001's AI management system runs on the same Plan-Do-Check-Act cycle as ISO 27001 and ISO 9001.

Clauses 4–10: The Mandatory AIMS Checklist

ClauseRequirementWhat you need to produce
4. ContextUnderstand internal/external issues and interested parties' needsDocumented AIMS scope statement
5. LeadershipTop management commitment, AI policy, defined rolesAI policy, roles & responsibilities matrix
6. PlanningRisk & opportunity assessment, AI risk treatment, objectivesRisk assessment, Statement of Applicability, AIMS objectives
7. SupportResources, competence, awareness, communication, documented informationTraining records, document control procedure
8. OperationOperational planning and control of the AI lifecycleAI system impact assessments, lifecycle records
9. Performance evaluationMonitoring, internal audit, management reviewInternal audit reports, management review minutes
10. ImprovementNonconformity handling and continual improvementCorrective action records

Annex A: The 38 Controls, by Category

Annex A controls are organized into 9 categories (A.2 through A.10). You don’t need to implement all 38 — you select which are applicable based on your risk assessment, and justify exclusions in your Statement of Applicability.

CategoryFocus
A.2 Policies for AIDocumented AI policy aligned to organizational objectives
A.3 Internal organizationRoles, responsibilities and reporting lines for AI governance
A.4 Resources for AI systemsData, tooling, compute and human resources needed to operate responsibly
A.5 AI system life cycleControls across design, development, verification, deployment and retirement
A.6 Data for AI systemsData quality, provenance and governance for training and operational data
A.7 Information for interested partiesTransparency obligations to users and affected parties
A.8 Responsible use of AI systemsControls over how the organization uses AI, including third-party AI
A.9 Information for stakeholdersReporting and disclosure obligations to internal and external stakeholders
A.10 Third-party and customer relationshipsSupplier due diligence and customer-facing AI obligations

The Mandatory Documents Auditors Will Ask For

  • AIMS scope statement
  • AI policy, signed off by top management
  • Risk assessment methodology and results
  • Statement of Applicability
  • Roles and responsibilities matrix
  • Competence and training records
  • Internal audit program and reports
  • Management review minutes
  • Nonconformity and corrective action log

Who Does What: A Simple RACI for the Project

ActivityResponsibleAccountableConsulted
AI policy sign-offCompliance leadExecutive sponsorLegal
Risk assessmentCompliance / risk teamCompliance leadEngineering, product
Annex A control selectionCompliance leadExecutive sponsorSecurity, legal
Internal auditIndependent internal auditorCompliance leadAll control owners
Stage 1 & 2 audit liaisonCompliance leadExecutive sponsorCertification body

The Certification Process, Step by Step

  1. Gap analysis — assess your current state against clauses 4–10 and Annex A to scope the work.
  2. Build the AIMS — write the policy, complete the risk assessment, and select Annex A controls into a Statement of Applicability.
  3. Operate it — run the AIMS for long enough to generate real records: training completions, reviews, incident logs, internal audits.
  4. Internal audit and management review — required evidence that the organization checks its own system before the external auditor does.
  5. Stage 1 audit — the certification body reviews your documentation for completeness and readiness.
  6. Stage 2 audit — the certification body checks for evidence the AIMS is actually operating, not just documented.
  7. Certification and surveillance — certificates run 3 years, with annual surveillance audits to keep it valid.

How Long It Actually Takes

Organization size / maturityRealistic timeline
Startup, few AI systems, no existing ISMS4–7 months
Mid-size, existing ISO 27001 certification to build on2–4 months
Enterprise, multiple business units and AI systems6–12 months

What Certification Actually Costs

Cost itemTypical range
Certification body audit fees (Stage 1 + 2)Varies by organization size and certification body — request quotes from multiple accredited bodies
Internal effort (compliance lead time)Often the largest real cost — typically several months of substantial part-time or full-time focus
Gap-closing work (policy, training, tooling)Varies widely based on existing governance maturity
Annual surveillance auditsSmaller recurring fee, each year of the 3-year cycle

Common Nonconformities Auditors Flag

NonconformityWhy it happens
Statement of Applicability doesn't match actual systemsSoA written once and never updated as AI systems changed
No evidence of internal audit independenceSame person designs and audits the same control
Risk assessment not linked to specific AI systemsGeneric, org-wide risk statements instead of per-system analysis
Training records incompleteTraining tracked informally instead of systematically logged

Choosing a Certification Body

Not every certification body is accredited to issue ISO 42001 certificates yet, since accreditation for a relatively new standard takes time to roll out across national accreditation bodies. Before requesting quotes, confirm the certification body's accreditation for ISO/IEC 42001 specifically, rather than assuming accreditation for other ISO standards carries over automatically.

  • Confirm accreditation for ISO 42001 specifically, not just ISO 27001 or ISO 9001
  • Ask how many ISO 42001 audits they've actually conducted — the standard is new enough that experience varies widely
  • Compare Stage 1 and Stage 2 quotes from at least two accredited bodies
  • Ask about auditor familiarity with AI-specific risk, not just generic management-system auditing

Maintaining Certification After You Get It

Certification isn’t the finish line — annual surveillance audits check that the AIMS is still operating, not just that it existed on the day you were certified. Organizations that treat certification as a one-time project rather than an ongoing practice are the ones most likely to lose it at recertification, three years later.

Where Software Actually Speeds This Up

Practical note

The slowest part of ISO 42001 certification is usually not deciding what to do — it’s producing consistent evidence across every clause and control without losing track of what’s done. Unorma’s gap analysis scores you against every ISO 42001 clause and Annex A control, and the evidence vault keeps the audit trail an assessor needs in Stage 2. See the full ISO 42001 framework page for how the mapping works, or read our companion piece on what AI compliance software does.

Primary Sources

  • ISO — ISO/IEC 42001:2023 — the official standard listing from the International Organization for Standardization.
  • ISO — ISO/IEC 27001:2022 — the related information security management standard many organizations run alongside ISO 42001.

Frequently asked questions

Do we have to implement all 38 Annex A controls to get certified?

No. You select controls based on your own risk assessment and document your reasoning — including exclusions — in a Statement of Applicability. Auditors check that your selections are justified, not that every control is present.

Can we get ISO 42001 certified without ISO 27001?

Yes, ISO 42001 is a standalone standard. That said, organizations already certified to ISO 27001 typically move faster, since the clause 4–10 structure and much of the governance groundwork overlap.

What's the biggest reason organizations fail Stage 2 audits?

Insufficient operating history. Stage 2 auditors look for evidence the AIMS has actually been running — internal audits performed, reviews held, incidents logged — not just that policies exist. Standing up the AIMS the week before Stage 2 is the most common mistake.

How long is an ISO 42001 certificate valid?

Three years, with required annual surveillance audits to confirm the AIMS is still operating and effective. A recertification audit is required before the three years expire.

What documents does an auditor definitely want to see?

At minimum: the AIMS scope statement, AI policy, risk assessment, Statement of Applicability, roles matrix, training records, internal audit reports and management review minutes. Missing or outdated versions of these are the most common audit friction points.

How much does ISO 42001 certification cost?

Costs vary by organization size and chosen certification body, but the largest real cost for most organizations is internal effort — the compliance lead's time — rather than the audit fees themselves.

Can we lose ISO 42001 certification after we get it?

Yes. Annual surveillance audits check that the AIMS is still operating effectively, and failing one can suspend or withdraw certification. Treating certification as an ongoing practice, not a one-time project, is what keeps it valid.

What's the most common reason for a nonconformity finding?

A Statement of Applicability that no longer matches the organization's actual AI systems — written once during the initial project and never updated as new systems were added or changed.

How do we choose between multiple accredited certification bodies?

Confirm each is specifically accredited for ISO 42001 (not just ISO 27001 or 9001), ask how many ISO 42001 audits they've actually conducted given how new the standard is, and compare Stage 1/2 quotes from at least two before deciding.

Does every certification body have ISO 42001 accreditation yet?

Not necessarily — accreditation for a newer standard rolls out gradually across national accreditation bodies, so it's worth confirming ISO 42001-specific accreditation rather than assuming it carries over from other standards.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile