Unorma

ISO 42001

ISO 42001 Certification Software: How It Actually Speeds Up Your Audit

How ISO 42001 certification software maps to clauses 4–10 and Annex A, what it automates versus what still requires human judgment, and how to evaluate vendors.

Zofia Kubiak
Zofia Kubiak

June 24, 2026 · 16 min read

ISO 42001

Software does not certify anyone to ISO 42001 — a human auditor from an accredited certification body does. What software actually changes is how much time it takes your organization to reach the point where that audit succeeds. This is a precise look at what ISO 42001 certification software automates, what it can't, and how to evaluate vendors without buying into overclaimed marketing.

TL;DR

  • ISO 42001 certification software automates gap analysis, evidence collection, document generation and Statement of Applicability tracking — it does not perform the audit itself.
  • The highest-value automation is mapping one piece of evidence to multiple clauses and Annex A controls at once, since manual programs waste enormous time re-documenting the same facts.
  • Software cannot replace the human judgment required to actually operate the AI management system — running real internal audits, holding real management reviews, making real risk decisions.
  • A realistic ISO 42001 timeline with good software: 2–4 months for a mid-size organization with existing governance maturity; without it, 6–12 months is common.
  • Evaluate vendors on clause-and-control mapping depth, not just generic 'AI compliance' marketing claims — ask exactly which of the 38 Annex A controls the platform tracks.

What ISO 42001 Certification Software Actually Automates

Certification software's real job is turning the standard's 7 mandatory clauses and 38 optional Annex A controls into a scored checklist against your actual organization, then keeping the resulting evidence organized well enough that a certification body's auditor can follow it without confusion.

Clause 4 — Context92%Clause 6 — Planning & risk68%Clause 7 — Support81%Clause 8 — Operation54%Clause 9 — Evaluation40%Annex A controls63%
Illustrative gap analysis output — software scores each clause and control so you know exactly where the work is.

Mapping Software to Clauses 4–10

ClauseWhat software should help produce
4. ContextStructured scope statement referencing your actual AI systems and stakeholders
5. LeadershipTracked sign-off on AI policy and defined roles
6. PlanningRisk assessment linked to specific AI systems, and an auto-populated Statement of Applicability
7. SupportTraining completion tracking and document version control
8. OperationPer-system lifecycle records — impact assessments, change logs
9. Performance evaluationInternal audit scheduling and management review documentation
10. ImprovementCorrective action tracking with owners and due dates

Mapping Software to Annex A Controls

Good certification software doesn’t just list the 38 Annex A controls — it links each one to the specific evidence in your account that satisfies it, flags controls you’ve marked not applicable with your stated justification, and keeps that mapping current as you add new AI systems. This is the single biggest time saver over a manual spreadsheet, where the same justification often has to be rewritten by hand for every new system.

Gap Analysis: The First Thing Good Software Should Do

Before touching a single document, certification software should tell you, per clause and per applicable Annex A control, what already exists, what's partial, and what's missing entirely. This scoping step is what turns a vague “we need to get ISO 42001 certified” mandate into a concrete, assignable project plan.

Evidence Collection and the Statement of Applicability

The Statement of Applicability (SoA) is the document an auditor checks first — it's your official record of which Annex A controls apply, which don't, and why. Software earns its keep here by keeping the SoA synchronized with your actual evidence vault, so it never drifts into a document that describes a system you no longer have.

Internal Audit Support

Clause 9 requires a documented internal audit before your external certification audit. Software can schedule this, template the audit checklist against your specific control selections, and store findings — but the audit itself still has to be performed by a person applying real scrutiny, ideally someone independent of the team being audited.

Where Software Cannot Replace Human Judgment

Being honest about limits

No software can hold your management review meeting, decide your actual risk appetite, or make the judgment calls an internal auditor has to make about whether a control is genuinely effective. Certification software removes the administrative burden around these activities — it does not perform them. Any vendor implying otherwise is overselling.

Evaluating ISO 42001 Software: A Vendor Checklist

  • Ask exactly which of the 38 Annex A controls are natively mapped — not just a generic 'AI compliance' claim.
  • Confirm the Statement of Applicability updates automatically as you add or change AI systems.
  • Check whether evidence can satisfy multiple clauses/controls at once, or has to be re-uploaded per requirement.
  • Ask how internal audit scheduling and findings tracking work, since clause 9 is a common audit failure point.
  • Confirm the platform is updated when ISO issues amendments or guidance changes.

If You're Already ISO 27001 Certified: What Carries Over

Organizations with an existing ISO 27001 information security management system have a real head start — good ISO 42001 software should let you reuse that groundwork instead of starting from zero.

ISO 27001 artifactReuse for ISO 42001
Risk assessment methodologyExtend to AI-specific risk categories rather than rebuilding from scratch
Internal audit programAdd AI management system scope to existing audit cadence
Management review processExtend agenda to cover AI-specific objectives and metrics
Document control proceduresReuse directly — ISO management system clauses on this are nearly identical

Managing Certification Across Multiple Business Units

Larger organizations often need one Statement of Applicability to cover multiple business units with different AI systems and different risk profiles. Software should let you scope gap analysis per business unit while still rolling up to a single, coherent certification scope — doing this in a spreadsheet usually means duplicated documents that quietly diverge over time.

What a Document Template Library Should Actually Include

  • AI policy template, structured to clause 5 requirements
  • Risk assessment template with AI-specific risk categories pre-populated
  • Statement of Applicability template mapped to all 38 Annex A controls
  • Internal audit checklist templates per clause
  • Management review agenda template covering clause 9.3 requirements

Red Flags When Evaluating Vendors

  • Vague framework claims.“AI compliance” marketing without a clear answer on exactly which Annex A controls are mapped.
  • Implying software guarantees certification. No software can promise an audit outcome — that's determined by the certification body's auditor.
  • No mention of internal audit support. Clause 9 failures are common enough that any serious platform should address this directly.

Timeline: With Software vs. Without

Organization profileManual / spreadsheet-drivenWith certification software
Startup, first management system7–10 months4–6 months
Mid-size, existing ISO 270014–6 months2–3 months
Enterprise, multiple business units10–14 months6–9 months

A 90-Day Path to Stage 1 Using Software

  1. Days 1–15: Run the gap analysis across clauses 4–10 and all 38 Annex A controls to scope real work remaining.
  2. Days 16–40: Close documentation gaps — policy, risk assessment, Statement of Applicability — using generated drafts as a starting point, not a final answer.
  3. Days 41–65: Operate the AIMS for real — hold the management review, run training, log any incidents — so there's genuine operating history.
  4. Days 66–80: Run the internal audit and remediate findings.
  5. Days 81–90: Export the complete audit package and schedule Stage 1 with your chosen certification body.

How Unorma Maps to ISO 42001

Where Unorma fits

Unorma’s gap analysis scores every clause and Annex A control against your registered AI systems, and the audit simulation module previews the questions a certification auditor is likely to ask. See the full ISO 42001 framework page or the companion piece on ISO 42001 certification requirements for the full checklist this software is built to satisfy.

Primary Sources

Frequently asked questions

Can ISO 42001 certification software guarantee we pass the audit?

No. Certification is granted by an accredited certification body's auditor based on their judgment of your actual operating AI management system. Software organizes your evidence and closes documentation gaps faster — it cannot guarantee an audit outcome.

Do we still need a consultant if we use certification software?

Many organizations still use a consultant for judgment calls — risk appetite decisions, interpreting ambiguous requirements, mock audits — while software handles the administrative and evidence-tracking burden. It's not strictly required, especially for organizations with existing ISO experience.

How is ISO 42001 software different from generic ISO compliance software?

Generic ISO software (built for 27001 or 9001) often lacks native mapping to ISO 42001's AI-specific Annex A controls, like AI system life cycle management and data governance for AI. Purpose-built ISO 42001 software maps directly to those controls.

What's the biggest time cost software actually removes?

Re-documenting the same evidence and justification for multiple overlapping controls. Software that maps one piece of evidence to every clause and control it satisfies removes most of the duplicated manual work.

How much of our ISO 27001 work carries over to ISO 42001?

A meaningful amount — risk assessment methodology, internal audit programs, management review processes and document control procedures can typically be extended rather than rebuilt, since both standards share the same high-level ISO management-system structure.

Can one platform manage ISO 42001 certification across multiple business units?

Good software should let you scope gap analysis per business unit while rolling up to a single Statement of Applicability and certification scope — doing this manually across units in spreadsheets tends to produce documents that quietly diverge over time.

What document templates should ISO 42001 software provide at minimum?

An AI policy template, a risk assessment template with AI-specific categories, a Statement of Applicability mapped to all 38 Annex A controls, internal audit checklists per clause, and a management review agenda template.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile