Hael
Sign inRequest a demo
ISO/IEC 42001 · Buyer intent

How long does ISO/IEC 42001 certification take?

Updated 12 July 2026 · 6 min read
Key takeaway
For most organisations, ISO/IEC 42001 certification takes three to six months from serious start to certificate. The variable that decides where you land in that range is not the standard — it is how much of a management system you already operate. Organisations already certified to ISO 27001 typically finish faster because the management-system machinery is in place; organisations building from scratch take longer. Both extreme claims in the market — 'certified in two weeks' and 'a twelve-month journey' — are wrong, and for opposite reasons.
  • Three to six months is the typical certification timeline from serious start to certificate.
  • The single biggest variable is the maturity of any existing management system (especially ISO 27001).
  • Stage 1 and Stage 2 audits must be scheduled with an accredited body; those slots are not instant.
  • 'Certified in two weeks' sells a subscription; 'a twelve-month journey' sells billable hours. Neither is honest.
  • Real acceleration comes from software that generates and maintains records — not from skipping the audit.
  • General information, not legal advice. Current as of July 2026.

The realistic timeline

For a mid-sized organisation with a defined AI footprint and an existing security management system, three to six months is the realistic range. Faster is possible with a very small scope and existing 27001 maturity; longer is common for larger organisations with many AI systems and no prior management-system experience.

What actually happens in those months

  • Scope definition — what is in and out of the AIMS, which systems, which sites.
  • Gap analysis — comparing current governance to Clauses 4–10 and to Annex A controls.
  • Build — the AI policy, AI system register, risk and impact assessments, supplier controls, training records, internal audit programme, management review.
  • Operate — the AIMS must actually run for a period so the audit has evidence to sample. Records that were generated the week of the audit are visible for what they are.
  • Stage 1 audit — documentation review by the certification body, plus readiness verdict.
  • Stage 2 audit — on-site (or hybrid) audit against operation. Any non-conformities must be closed before certificate issue.

The two market lies

'Certified in two weeks': no accredited certification body operates on this timeline. A body that would is not accredited, and a certificate from an unaccredited body is worth what the paper cost. The claim usually sells a subscription that ends before an audit was ever scheduled.

'A twelve-month journey to certification': this is billable-hours framing. Twelve months describes the pace of a consulting engagement, not the pace of an audit. For most organisations, twelve months is more work than the standard requires. Cost, not necessity, drives the number.

What accelerates the timeline honestly

Two things move the timeline: existing ISO 27001 maturity (which supplies most of the management-system machinery for free), and software that generates the AIMS records — SoA, AI system register, risk assessments, training and supplier records, internal audit and management review packs — from the live record rather than as a document-writing exercise. The audit itself still has to happen, and it should.

Booking the audit

Certification-body audit slots are scheduled ahead. Once you are ready, allow lead time to book Stage 1 and Stage 2. That lead time is part of the honest total and should not be forgotten when planning.

Key terms

Gap analysis
A structured comparison of current governance against the requirements of a standard.
Non-conformity
A finding by an auditor that a requirement is not met; must usually be closed before certificate issue.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE