The ISO 42001 certification process: a step-by-step roadmap
- Certification follows a path: build the AI management system (AIMS), operate and evidence it, internal audit, then the external audit.
- The external audit has two stages: Stage 1 reviews documentation, Stage 2 reviews implementation.
- Success leads to certification on a three-year cycle with annual surveillance audits.
- A genuinely operating, well-evidenced system makes the audit confirm reality rather than expose gaps.
- Current as of June 2026. This is general information, not legal advice.
Step 1: Build your AI management system
Certification assesses a management system, so you need one first. This means establishing your AI policy, defining scope, assessing AI risks, selecting and implementing the relevant Annex A controls, and putting the management-system processes in place. This is the substantial part of the journey, and it is where most of the effort goes.
Step 2: Operate and gather evidence
An auditor needs to see the system working, not just designed. Once the management system is in place, you operate it and generate evidence: records of risk assessments, control operation, monitoring, internal audits, and management review. Many organisations run the system for a period before the audit so there is a track record to examine.
Step 3: Conduct internal audit and management review
Before the external audit, you carry out your own internal audit to find and fix gaps, and hold a management review. This is both a requirement of the standard and a practical way to enter the certification audit with confidence rather than surprises.
Step 4: Stage 1 audit (documentation review)
The certification body's audit has two stages. Stage 1 is largely a documentation review: the auditor checks that your management system is designed correctly and that the necessary documents, scope, and Statement of Applicability are in place. It identifies any gaps to address before Stage 2.
Step 5: Stage 2 audit (implementation review)
Stage 2 assesses whether the management system is actually implemented and effective. The auditor examines evidence that controls and processes are operating in practice, interviews people, and tests that the system does what it claims. Passing Stage 2 leads to certification.
Step 6: Certification and surveillance
On success, the certification body issues your ISO 42001 certificate. Certification then runs on a three-year cycle: annual surveillance audits confirm you are maintaining and improving the system, and a recertification audit at the end of the cycle renews it. This reflects the standard's continual-improvement nature: certification is a commitment to keep the system running, not a one-time pass.
Making the process smoother
The organisations that move through certification most smoothly are those whose management system is genuinely operating and well evidenced, so the audit confirms reality rather than uncovering gaps. Keeping the system's policies, risk assessments, controls, and evidence connected and current is what makes both the initial audit and the annual surveillance straightforward rather than stressful.
Key terms
- Accredited certification body: an independent organisation authorised to audit and certify management systems against ISO standards.
- Stage 1 / Stage 2 audit: the two-part certification audit (documentation review followed by implementation review).
- Surveillance audit: annual audit between certification cycles to confirm the system is being maintained.
- Recertification: the three-year renewal of the ISO 42001 certificate.