How long does ISO/IEC 42001 certification take?
- Three to six months is the typical certification timeline from serious start to certificate.
- The single biggest variable is the maturity of any existing management system (especially ISO 27001).
- Stage 1 and Stage 2 audits must be scheduled with an accredited body; those slots are not instant.
- 'Certified in two weeks' sells a subscription; 'a twelve-month journey' sells billable hours. Neither is honest.
- Real acceleration comes from software that generates and maintains records — not from skipping the audit.
- General information, not legal advice. Current as of July 2026.
The realistic timeline
For a mid-sized organisation with a defined AI footprint and an existing security management system, three to six months is the realistic range. Faster is possible with a very small scope and existing 27001 maturity; longer is common for larger organisations with many AI systems and no prior management-system experience.
What actually happens in those months
- Scope definition — what is in and out of the AIMS, which systems, which sites.
- Gap analysis — comparing current governance to Clauses 4–10 and to Annex A controls.
- Build — the AI policy, AI system register, risk and impact assessments, supplier controls, training records, internal audit programme, management review.
- Operate — the AIMS must actually run for a period so the audit has evidence to sample. Records that were generated the week of the audit are visible for what they are.
- Stage 1 audit — documentation review by the certification body, plus readiness verdict.
- Stage 2 audit — on-site (or hybrid) audit against operation. Any non-conformities must be closed before certificate issue.
The two market lies
'Certified in two weeks': no accredited certification body operates on this timeline. A body that would is not accredited, and a certificate from an unaccredited body is worth what the paper cost. The claim usually sells a subscription that ends before an audit was ever scheduled.
'A twelve-month journey to certification': this is billable-hours framing. Twelve months describes the pace of a consulting engagement, not the pace of an audit. For most organisations, twelve months is more work than the standard requires. Cost, not necessity, drives the number.
What accelerates the timeline honestly
Two things move the timeline: existing ISO 27001 maturity (which supplies most of the management-system machinery for free), and software that generates the AIMS records — SoA, AI system register, risk assessments, training and supplier records, internal audit and management review packs — from the live record rather than as a document-writing exercise. The audit itself still has to happen, and it should.
Booking the audit
Certification-body audit slots are scheduled ahead. Once you are ready, allow lead time to book Stage 1 and Stage 2. That lead time is part of the honest total and should not be forgotten when planning.
Key terms
- Gap analysis
- A structured comparison of current governance against the requirements of a standard.
- Non-conformity
- A finding by an auditor that a requirement is not met; must usually be closed before certificate issue.