Hael

The ISO 42001 audit: internal and external audits explained

Updated 30 June 2026 · 6 min read
Key takeaway
ISO 42001 involves two kinds of audit: internal audits that you conduct yourself as part of running the management system, and the external certification audit conducted by an accredited certification body. Both matter, and they serve different purposes. Internal audits keep your system honest; external audits provide the independent certificate.
  • ISO 42001 involves internal audits you run and an external certification audit by an accredited body.
  • Internal audits find and fix problems before they become failures and are required by the standard.
  • The external audit has Stage 1 (documentation) and Stage 2 (implementation), followed by surveillance and recertification.
  • Use an accredited certification body, and let strong internal auditing make the external audits routine.
  • Current as of June 2026. This is general information, not legal advice.

Internal audits

The standard requires you to audit your own AI management system at planned intervals. An internal audit checks whether the system conforms to the standard and to your own requirements, and whether it is effectively implemented and maintained. It is your mechanism for finding and fixing problems before they become failures. Internal audits are run by your own people (or someone you appoint), and, crucially, the auditor should be objective and not auditing their own work. A genuine internal audit that surfaces real issues is one of the most valuable parts of the management system.

The external certification audit

The external audit is conducted by an accredited certification body and is what leads to your ISO 42001 certificate. It has two stages:

  • Stage 1: A documentation review. The auditor checks that your management system is designed correctly, that the required documents and Statement of Applicability are in place, and that you are ready for Stage 2. It identifies gaps to close first.
  • Stage 2: An implementation review. The auditor examines evidence that the system actually operates: that controls and processes work in practice, interviewing staff and testing records. Passing Stage 2 leads to certification.

Surveillance and recertification audits

Certification is not a one-time event. After you are certified, the certification body conducts annual surveillance audits to confirm you are maintaining and improving the system, and a fuller recertification audit at the end of the three-year cycle. These ongoing audits reflect the standard's continual-improvement nature: you are certified against a living system, so it is checked periodically that the system is still alive.

Why accreditation matters

For an external certificate to carry weight, the certification body should be accredited by a recognised national accreditation authority. Accreditation provides assurance that the body is competent, independent, and consistent. When choosing a certification body, confirming its accreditation is an important step, because an unaccredited certificate may not be recognised by the buyers and regulators you are trying to satisfy.

How the audits fit together

The internal and external audits reinforce each other. Strong internal auditing means the external audit confirms a system that is already sound, which makes certification smoother and surveillance audits routine. Weak internal auditing means problems surface in front of the certification body, which is slower and more stressful. Treating internal audit as a genuine discipline, rather than a formality, is what makes the external audits straightforward.

Key terms

Internal audit
An organisation's own audit of its management system, required by the standard.
Certification body
An independent body, accredited to audit and certify against ISO standards.
Surveillance audit
An annual check by the certification body that the system is being maintained.
Accreditation
Formal recognition that a certification body is competent, independent, and consistent.
