Hael
ISO/IEC 42001 · Certification

The ISO 42001 certification process: a step-by-step roadmap

Updated 30 June 2026 · 7 min read
Key takeaway
The ISO 42001 certification process follows a clear, recognisable path: you build your AI management system, prepare it, then pass a two-stage audit conducted by an accredited certification body. After certification, annual surveillance audits confirm you are maintaining the system, with recertification every three years. Understanding the steps in advance makes the process far more manageable.
  • Certification follows a path: build the AIMS, operate and evidence it, internal audit, then the external audit.
  • The external audit has two stages: Stage 1 reviews documentation, Stage 2 reviews implementation.
  • Success leads to certification on a three-year cycle with annual surveillance audits.
  • A genuinely operating, well-evidenced system makes the audit confirm reality rather than expose gaps.
  • Current as of June 2026. This is general information, not legal advice.

Step 1: Build your AI management system

Certification assesses a management system, so you need one first. This means establishing your AI policy, defining scope, assessing AI risks, selecting and implementing the relevant Annex A controls, and putting the management-system processes in place. This is the substantial part of the journey, and it is where most of the effort goes.

Step 2: Operate and gather evidence

An auditor needs to see the system working, not just designed. Once the management system is in place, you operate it and generate evidence: records of risk assessments, control operation, monitoring, internal audits, and management review. Many organisations run the system for a period before the audit so there is a track record to examine.

Step 3: Conduct internal audit and management review

Before the external audit, you carry out your own internal audit to find and fix gaps, and hold a management review. This is both a requirement of the standard and a practical way to enter the certification audit with confidence rather than surprises.

Step 4: Stage 1 audit (documentation review)

The certification body's audit has two stages. Stage 1 is largely a documentation review: the auditor checks that your management system is designed correctly and that the necessary documents, scope, and Statement of Applicability are in place. It identifies any gaps to address before Stage 2.

Step 5: Stage 2 audit (implementation review)

Stage 2 assesses whether the management system is actually implemented and effective. The auditor examines evidence that controls and processes are operating in practice, interviews people, and tests that the system does what it claims. Passing Stage 2 leads to certification.

Step 6: Certification and surveillance

On success, the certification body issues your ISO 42001 certificate. Certification then runs on a three-year cycle: annual surveillance audits confirm you are maintaining and improving the system, and a recertification audit at the end of the cycle renews it. This reflects the standard's continual-improvement nature: certification is a commitment to keep the system running, not a one-time pass.

Making the process smoother

The organisations that move through certification most smoothly are those whose management system is genuinely operating and well evidenced, so the audit confirms reality rather than uncovering gaps. Keeping the system's policies, risk assessments, controls, and evidence connected and current is what makes both the initial audit and the annual surveillance straightforward rather than stressful.

Key terms

Accredited certification body
An independent organisation authorised to audit and certify management systems against ISO standards.
Stage 1 / Stage 2 audit
The two-part certification audit: documentation review followed by implementation review.
Surveillance audit
Annual audit between certification cycles to confirm the system is being maintained.
Recertification
The three-year renewal of the ISO 42001 certificate.
