Hael

How long does ISO 42001 certification take?

Updated 30 June 2026 · 6 min read
Key takeaway
ISO 42001 certification typically takes somewhere between a few months and a year, depending mainly on where you start. An organisation that already has mature governance, perhaps an existing ISO 27001 management system, can move faster, while one starting from scratch needs longer to build and operate the management system before it can be audited. Most of the time is consumed before the audit, not during it.
  • Certification typically takes a few months to a year, depending mostly on your starting point.
  • Most time goes into building the management system and operating it long enough to generate evidence.
  • Existing systems (like ISO 27001), narrow scope, and genuine readiness all shorten the timeline.
  • Plan backwards from any deadline and invest early in a real, operating system to avoid delays.
  • Current as of June 2026. This is general information, not legal advice.

What consumes the time

The timeline is dominated by a few phases:

  • Building the management system: Establishing policy, scope, risk assessment, and controls is the largest time investment, especially if you are starting without existing governance.
  • Operating the system to generate evidence: Auditors need to see the system working, which usually means running it for a period so there is a track record. This waiting time is often underestimated.
  • Internal audit and review: Finding and fixing gaps before the external audit takes time but reduces the risk of failure.
  • Scheduling and conducting the external audit: The two-stage audit itself, plus the lead time to book an accredited certification body, adds to the total.

What makes it faster

Several factors shorten the timeline:

  • Existing management systems: Organisations with an ISO 27001 ISMS or similar can reuse much of the structure, since ISO 42001 shares the same high-level shape and many supporting processes.
  • Narrow scope: Certifying a focused part of the business or set of systems is quicker than a broad scope.
  • Genuine readiness: A management system that is actually operating and evidenced moves through the audit without the delays caused by gap remediation and re-audit.

What makes it slower

Conversely, starting with no governance, choosing a broad scope, having a large and complex AI estate, or relying on a system that exists mainly on paper will each extend the timeline, often because gaps surface during preparation or the audit and then need remediation before certification can proceed.

Planning your timeline

The practical approach is to be realistic about your starting point and to invest early in getting the management system genuinely operating, because that both shortens the path and reduces the risk of a stalled audit. If you have a deadline driven by a customer requirement or a regulatory milestone, work backwards from it and build in time for the system to operate and generate evidence before the audit, rather than assuming the audit can happen the moment the documents are written.

The readiness connection

As with cost, readiness is the variable that most affects how long certification takes. The fastest path is a management system that is real and current when the auditor arrives, so the audit confirms what is already working. Knowing where you stand against the standard before you begin lets you plan a realistic timeline and avoid the delays that come from discovering gaps late.

Key terms

  • Evidence period: The time the management system runs before the audit so there is a track record to examine.
  • Existing ISMS: An information-security management system (ISO 27001) whose structure ISO 42001 can build on.
  • Scope choice: Deciding how broadly or narrowly to define the part of the organisation being certified.
  • Gap remediation: Fixing shortfalls identified in preparation or audit before certification can proceed.
