Hael

ISO 42001 compliance checklist

Updated 30 June 2026
Key takeaway
An ISO 42001 compliance checklist turns the standard into a sequence of practical moves: define your scope, set your AI policy, assess your AI risks, apply the relevant controls, evidence the system, audit yourself, and then certify. The detail varies by organisation, but this order works as a reliable path from a standing start to a certifiable AI management system.
  • Eight steps: scope, policy, risk assessment, controls, processes, evidence, internal audit, certify.
  • Scope is an early lever that shapes the effort and cost; a focused scope is easier and can be widened.
  • Apply the Annex A controls to real systems and document choices in a Statement of Applicability.
  • Keep the elements connected and current; a system that drifts fails its next surveillance audit.
  • Current as of June 2026. This is general information, not legal advice.

1. Define the scope

Decide what your AI management system covers: which parts of the organisation, which AI systems, which sites. Scope is a key early decision because it shapes the size of the effort and the cost of certification. A focused scope is easier to achieve and can be widened later.

2. Set leadership commitment and AI policy

Secure top-management commitment and establish an AI policy with clear objectives for responsible AI. Assign roles and responsibilities. Without genuine leadership backing, the management system lacks the authority to function.

3. Assess your AI risks

Identify and assess the risks associated with your AI, and where relevant carry out AI system impact assessments. This risk assessment drives which controls you need and is a core requirement the auditor will examine.

4. Select and apply the Annex A controls

Choose the AI-specific controls relevant to your context, implement them, and document your selection (including any exclusions and why) in a Statement of Applicability. Apply the controls to your real AI systems, not just on paper.

5. Build the supporting processes

Put in place the management-system processes: competence and awareness, documented information, operational controls across the AI lifecycle, and the mechanisms for monitoring and communication. This is what makes the system operate rather than merely exist.

6. Operate the system and gather evidence

Run the management system and generate evidence that it works: records of risk assessments, control operation, monitoring, and reviews. Auditors need to see the system functioning, so this operating period matters.

7. Conduct an internal audit and management review

Audit your own system to find and fix gaps, and hold a management review. This is both a requirement and the best way to enter certification without surprises.

8. Certify

Engage an accredited certification body for the two-stage external audit. Pass Stage 1 (documentation) and Stage 2 (implementation), then maintain the system through annual surveillance and three-year recertification.

Turning the checklist into a working system

The checklist is straightforward to list and harder to sustain, because each item must stay connected to the others as your AI changes. Scope, policy, risk assessments, controls, and evidence that drift apart turn a once-compliant system into a paper exercise that fails its next surveillance audit. The organisations that stay certified keep these elements connected and current, treating the checklist as the start of an ongoing system rather than a one-time project.

Key terms

Scope
The defined boundary of the AI management system: which parts of the organisation and which AI systems it covers.
AI policy
The top-level statement of intent and objectives for responsible AI, backed by leadership.
Statement of Applicability
The document recording which Annex A controls apply, with justifications and exclusions.
Internal audit
An organisation's own audit of its management system, required by the standard and best done before certification.
