ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
Every requirement in ISO/IEC 42001 explained in plain language, organized into a checklist you can use to scope your AI management system before the audit.
June 29, 2026 · 13 min read
ISO 42001
ISO/IEC 42001:2023 is the first international standard for AI management systems, and it reads like most ISO standards: precise, cross-referenced, and not written to be skimmed. This is the plain-language checklist version — every requirement organized so you can scope what your organization actually has to build before an auditor shows up.
TL;DR
- ISO 42001 has two requirement sets: clauses 4–10 (the mandatory AI Management System, or AIMS, structure) and Annex A (38 optional-but-usually-applicable controls across 9 categories).
- Clauses 4–10 follow the standard ISO high-level structure: context, leadership, planning, support, operation, performance evaluation and improvement.
- You don't have to implement every Annex A control — you select applicable ones based on your risk assessment and document your reasoning in a Statement of Applicability.
- Expect two audit stages: Stage 1 (documentation review) and Stage 2 (evidence that the AIMS is actually operating), followed by a 3-year certification cycle with annual surveillance audits.
- The most commonly underestimated requirement is evidence of ongoing operation — policies alone don't pass Stage 2; auditors want to see the AIMS running for a meaningful period first.
The Two Parts of ISO 42001: Clauses and Annex A
Like ISO 27001, ISO 42001 splits its requirements into two parts. Clauses 1–3 are scope and definitions — not audited directly. Clauses 4 through 10 are the mandatory management-system requirements: every certified organization must satisfy all of them. Annex A is a reference set of 38 AI-specific controls across 9 categories that you select from based on your own risk assessment, not a checklist you must fully implement.
Clauses 4–10: The Mandatory AIMS Checklist
| Clause | Requirement | What you need to produce |
|---|---|---|
| 4. Context | Understand internal/external issues and interested parties' needs | Documented AIMS scope statement |
| 5. Leadership | Top management commitment, AI policy, defined roles | AI policy, roles & responsibilities matrix |
| 6. Planning | Risk & opportunity assessment, AI risk treatment, objectives | Risk assessment, Statement of Applicability, AIMS objectives |
| 7. Support | Resources, competence, awareness, communication, documented information | Training records, document control procedure |
| 8. Operation | Operational planning and control of the AI lifecycle | AI system impact assessments, lifecycle records |
| 9. Performance evaluation | Monitoring, internal audit, management review | Internal audit reports, management review minutes |
| 10. Improvement | Nonconformity handling and continual improvement | Corrective action records |
Annex A: The 38 Controls, by Category
Annex A controls are organized into 9 categories (A.2 through A.10). You don’t need to implement all 38 — you select which are applicable based on your risk assessment, and justify exclusions in your Statement of Applicability.
| Category | Focus |
|---|---|
| A.2 Policies for AI | Documented AI policy aligned to organizational objectives |
| A.3 Internal organization | Roles, responsibilities and reporting lines for AI governance |
| A.4 Resources for AI systems | Data, tooling, compute and human resources needed to operate responsibly |
| A.5 AI system life cycle | Controls across design, development, verification, deployment and retirement |
| A.6 Data for AI systems | Data quality, provenance and governance for training and operational data |
| A.7 Information for interested parties | Transparency obligations to users and affected parties |
| A.8 Responsible use of AI systems | Controls over how the organization uses AI, including third-party AI |
| A.9 Information for stakeholders | Reporting and disclosure obligations to internal and external stakeholders |
| A.10 Third-party and customer relationships | Supplier due diligence and customer-facing AI obligations |
The Mandatory Documents Auditors Will Ask For
- AIMS scope statement
- AI policy, signed off by top management
- Risk assessment methodology and results
- Statement of Applicability
- Roles and responsibilities matrix
- Competence and training records
- Internal audit program and reports
- Management review minutes
- Nonconformity and corrective action log
Who Does What: A Simple RACI for the Project
| Activity | Responsible | Accountable | Consulted |
|---|---|---|---|
| AI policy sign-off | Compliance lead | Executive sponsor | Legal |
| Risk assessment | Compliance / risk team | Compliance lead | Engineering, product |
| Annex A control selection | Compliance lead | Executive sponsor | Security, legal |
| Internal audit | Independent internal auditor | Compliance lead | All control owners |
| Stage 1 & 2 audit liaison | Compliance lead | Executive sponsor | Certification body |
The Certification Process, Step by Step
- Gap analysis — assess your current state against clauses 4–10 and Annex A to scope the work.
- Build the AIMS — write the policy, complete the risk assessment, and select Annex A controls into a Statement of Applicability.
- Operate it — run the AIMS for long enough to generate real records: training completions, reviews, incident logs, internal audits.
- Internal audit and management review — required evidence that the organization checks its own system before the external auditor does.
- Stage 1 audit — the certification body reviews your documentation for completeness and readiness.
- Stage 2 audit — the certification body checks for evidence the AIMS is actually operating, not just documented.
- Certification and surveillance — certificates run 3 years, with annual surveillance audits to keep it valid.
How Long It Actually Takes
| Organization size / maturity | Realistic timeline |
|---|---|
| Startup, few AI systems, no existing ISMS | 4–7 months |
| Mid-size, existing ISO 27001 certification to build on | 2–4 months |
| Enterprise, multiple business units and AI systems | 6–12 months |
What Certification Actually Costs
| Cost item | Typical range |
|---|---|
| Certification body audit fees (Stage 1 + 2) | Varies by organization size and certification body — request quotes from multiple accredited bodies |
| Internal effort (compliance lead time) | Often the largest real cost — typically several months of substantial part-time or full-time focus |
| Gap-closing work (policy, training, tooling) | Varies widely based on existing governance maturity |
| Annual surveillance audits | Smaller recurring fee, each year of the 3-year cycle |
Common Nonconformities Auditors Flag
| Nonconformity | Why it happens |
|---|---|
| Statement of Applicability doesn't match actual systems | SoA written once and never updated as AI systems changed |
| No evidence of internal audit independence | Same person designs and audits the same control |
| Risk assessment not linked to specific AI systems | Generic, org-wide risk statements instead of per-system analysis |
| Training records incomplete | Training tracked informally instead of systematically logged |
Choosing a Certification Body
Not every certification body is accredited to issue ISO 42001 certificates yet, since accreditation for a relatively new standard takes time to roll out across national accreditation bodies. Before requesting quotes, confirm the certification body's accreditation for ISO/IEC 42001 specifically, rather than assuming accreditation for other ISO standards carries over automatically.
- Confirm accreditation for ISO 42001 specifically, not just ISO 27001 or ISO 9001
- Ask how many ISO 42001 audits they've actually conducted — the standard is new enough that experience varies widely
- Compare Stage 1 and Stage 2 quotes from at least two accredited bodies
- Ask about auditor familiarity with AI-specific risk, not just generic management-system auditing
Maintaining Certification After You Get It
Certification isn’t the finish line — annual surveillance audits check that the AIMS is still operating, not just that it existed on the day you were certified. Organizations that treat certification as a one-time project rather than an ongoing practice are the ones most likely to lose it at recertification, three years later.
Where Software Actually Speeds This Up
Practical note
Primary Sources
- ISO — ISO/IEC 42001:2023 — the official standard listing from the International Organization for Standardization.
- ISO — ISO/IEC 27001:2022 — the related information security management standard many organizations run alongside ISO 42001.
Frequently asked questions
Do we have to implement all 38 Annex A controls to get certified?
No. You select controls based on your own risk assessment and document your reasoning — including exclusions — in a Statement of Applicability. Auditors check that your selections are justified, not that every control is present.
Can we get ISO 42001 certified without ISO 27001?
Yes, ISO 42001 is a standalone standard. That said, organizations already certified to ISO 27001 typically move faster, since the clause 4–10 structure and much of the governance groundwork overlap.
What's the biggest reason organizations fail Stage 2 audits?
Insufficient operating history. Stage 2 auditors look for evidence the AIMS has actually been running — internal audits performed, reviews held, incidents logged — not just that policies exist. Standing up the AIMS the week before Stage 2 is the most common mistake.
How long is an ISO 42001 certificate valid?
Three years, with required annual surveillance audits to confirm the AIMS is still operating and effective. A recertification audit is required before the three years expire.
What documents does an auditor definitely want to see?
At minimum: the AIMS scope statement, AI policy, risk assessment, Statement of Applicability, roles matrix, training records, internal audit reports and management review minutes. Missing or outdated versions of these are the most common audit friction points.
How much does ISO 42001 certification cost?
Costs vary by organization size and chosen certification body, but the largest real cost for most organizations is internal effort — the compliance lead's time — rather than the audit fees themselves.
Can we lose ISO 42001 certification after we get it?
Yes. Annual surveillance audits check that the AIMS is still operating effectively, and failing one can suspend or withdraw certification. Treating certification as an ongoing practice, not a one-time project, is what keeps it valid.
What's the most common reason for a nonconformity finding?
A Statement of Applicability that no longer matches the organization's actual AI systems — written once during the initial project and never updated as new systems were added or changed.
How do we choose between multiple accredited certification bodies?
Confirm each is specifically accredited for ISO 42001 (not just ISO 27001 or 9001), ask how many ISO 42001 audits they've actually conducted given how new the standard is, and compare Stage 1/2 quotes from at least two before deciding.
Does every certification body have ISO 42001 accreditation yet?
Not necessarily — accreditation for a newer standard rolls out gradually across national accreditation bodies, so it's worth confirming ISO 42001-specific accreditation rather than assuming it carries over from other standards.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
NIST AI RMF
NIST AI RMF
The NIST AI RMF Playbook Explained: Govern, Map, Measure, Manage
Govern, Map, Measure, Manage — the NIST AI RMF's four functions sound simple. Here's what each one actually requires you to do, with the playbook's real structure.