ISO 42001 AIMS — 10-month implementation
44 weeks · scope → controls → internal audit → certification
Timeline milestones (week 0 to week 44): AIMS scope · Annex A controls · AI lifecycle processes · Internal audit · Stage 1+2 audit · Certification

ISO 42001 is in an interesting commercial position. The standard was published in December 2023. Serious early adopters — Microsoft on the 365 Copilot product line, AWS on its AI services, Miro as the first SaaS to certify, Synthesia, Anthropic — have certified through 2024 and 2025. Certification bodies are issuing certificates. Accredited auditors exist. And yet the content published about ISO 42001 online is still mostly consultant marketing material that treats the standard as mysterious or as a product to be sold through an engagement.

The standard is not mysterious. It’s a management system standard in the ISO High-Level Structure, the same family as ISO 27001, ISO 9001, and ISO 22301 — which means if you’ve implemented any of those, the shape of ISO 42001 is familiar. What’s new is the subject matter: artificial intelligence, its risks, and the specific controls required to manage them.

This article is the implementation plan. Ten months, phased, written for the AI-first or AI-integrated SaaS company deciding whether and how to pursue certification.

ISO 42001 in context

ISO/IEC 42001:2023 is the world’s first international management system standard for Artificial Intelligence Management Systems (AIMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS within an organisation. Structurally it follows the ISO Harmonised Structure — clauses 4 through 10 covering context, leadership, planning, support, operation, performance evaluation, and improvement — exactly like ISO 27001.

What’s distinctive: Annex A of the standard contains AI-specific controls covering policy, organisational roles, resource management, AI system lifecycle, data governance, third-party involvement, customers and users, and system impact assessment. The controls are written at the management system level — not a technical controls catalogue like NIST 800-53. Implementing them means establishing documented processes and governance around AI development and deployment.

Three things ISO 42001 is not. It is not the EU AI Act. The AI Act is law with specific obligations for high-risk systems; ISO 42001 is a voluntary management system standard. Implementing ISO 42001 helps with AI Act compliance but doesn’t substitute for it. It is not the NIST AI Risk Management Framework. NIST AI RMF is a US-developed voluntary framework with different structure and emphasis; the two are complementary, not alternatives. And it is not a technical AI safety evaluation. The standard doesn’t prescribe how to test an AI model for bias or measure its accuracy; it requires that you have a documented process for doing so.

When ISO 42001 certification is worth pursuing

Certification isn’t free. Auditor fees, consultant costs, internal time. The commercial case needs to stack up.

Certification is worth pursuing when one of three conditions holds. First, your customers are asking for it — enterprise buyers increasingly list ISO 42001 in security questionnaires and vendor evaluations, particularly in regulated sectors and in the EU market. Second, you have regulatory exposure where ISO 42001 reduces compliance burden — EU AI Act high-risk system providers can use ISO 42001 work as substantive evidence toward the quality management system and risk management system requirements. Third, you’re building credibility as a trust anchor — AI-adjacent competitive positioning where “we’re certified against the world’s only AI management system standard” carries commercial weight.

Certification is probably not worth pursuing in 2026 if you’re a small AI-using SaaS with no EU exposure whose customers haven’t asked and whose AI use is incidental rather than core. The auditor pool is still maturing, the consultant market is uneven, and you’re likely to pay an early-adopter premium for marginal commercial return.

The editorial position: treat ISO 42001 like you’d treat ISO 27001 a decade ago — worth pursuing when the commercial case is there, worth declining when it isn’t, and worth preparing for quietly in either case because the question of whether to certify tends to come up as a customer ask before it comes up as a strategic initiative.

The 10-month implementation timeline

Ten months is realistic for a first-time ISO 42001 certification at an AI-focused SaaS company of 50–500 people with an existing ISO 27001 or SOC 2 programme. Organisations starting without an ISMS foundation should budget twelve to fifteen. Organisations certifying ISO 42001 and ISO 27001 simultaneously are covered separately in our combined-programme guide.

Phase 1: Scope, leadership, AI system inventory   Months 1–2
Phase 2: AI impact assessment process             Months 2–4
Phase 3: Annex A controls implementation          Months 3–8
Phase 4: Management review and internal audit     Months 8–9
Phase 5: Stage 1 and Stage 2 certification        Months 9–10

Phases overlap. AI impact assessment work in Phase 2 informs the controls priorities in Phase 3. Internal audit in Phase 4 covers the controls implemented in Phase 3, so Phase 3 has to be substantially complete before Phase 4 can run meaningfully.

Phase 1: Scope, leadership, and AI system inventory (months 1–2)

Two months to establish what the AIMS covers and who’s responsible for it.

AI system inventory. List every AI system your organisation develops or uses. For each, document the intended purpose, the data it processes, the users and affected parties, the lifecycle stage, and your organisation’s role (provider, deployer, or both). This inventory is the foundational artefact. Auditors will reference it at Stage 2; your Annex A controls apply to the systems it lists. Getting it wrong — missing systems, misclassifying roles — propagates downstream.

AIMS scope statement. Define what the AIMS covers: which AI systems, which business units, which operational contexts. Narrow scopes are defensible if well-documented; broad scopes are more work but cleaner. For SaaS companies whose product is AI-centric, an AIMS covering the product’s entire AI footprint is usually the right call.

Leadership and roles. Clause 5 requires top management commitment. In practice: a named AIMS owner with appropriate authority, a policy signed by senior management, defined roles and responsibilities for AI-related decisions, and governance mechanisms (often a review committee or steering group) that meet on a documented cadence. The organisations that do this well have an executive who actually owns the AI strategy — not a compliance lead trying to ventriloquise leadership on governance questions they’re not positioned to decide.

Context of the organisation. Document internal and external issues relevant to the AIMS, interested parties (customers, regulators, data subjects, affected parties), and their requirements. This reads like boilerplate until the auditor uses it at Stage 1 as evidence that leadership actually thought about why the AIMS exists. Treat it as real.

Phase 2: AI impact assessment process (months 2–4)

Two months to stand up the AI impact assessment process and run it across the system inventory.

The AI system impact assessment is a distinctive feature of ISO 42001. It evaluates the potential impact of AI systems on individuals, groups, and society, considering intended purpose, operational context, affected parties, and potential consequences. Unlike a risk assessment (which evaluates risks to the organisation), an impact assessment evaluates consequences for others.

Process design. Document how your organisation conducts impact assessments — who triggers them, what criteria apply, what evidence is collected, how findings are acted on, and how often they’re refreshed. The process itself is auditable.

Impact assessment execution. Run the process on each AI system in the inventory. The output per system is an impact assessment record covering the intended and reasonably foreseeable uses, the groups potentially affected, the types of impact (economic, social, psychological, environmental, rights-based), the likelihood and severity of each impact type, and the mitigations in place.

Integration with risk management. Impact assessment outputs feed into the broader AI risk management process (Clause 6.1, plus the controls in Annex A). Build the feedback loop explicitly.

This phase is where organisations with strong engineering cultures and weak governance cultures struggle most. Impact assessment requires documented reasoning about outcomes that are not always directly measurable. The documentation has to be defensible to an auditor who will ask how you arrived at a given conclusion.

Phase 3: Annex A controls implementation (months 3–8)

Six months of controls work running in parallel with Phase 2’s tail. This is the heaviest phase.

The Annex A control structure covers: AI-related policies, internal organisation, resources, impact assessment (feeding from Phase 2), AI system lifecycle (from conception through retirement), data governance, third-party involvement, information for interested parties (customers, users, affected parties), and use of AI systems. The controls are written at the management system level — implementation means having a documented process, evidence the process runs, and evidence it produces the intended outcomes.

AI lifecycle controls. Documented processes covering system objectives, design, development and testing, deployment, operation, monitoring, and retirement. For SaaS companies running continuous deployment, “lifecycle” is a continuous operation — the controls are about having documented decisions at key points, not about waterfall gates.

Data governance controls. Data acquisition, quality, labelling, preparation, privacy. Overlaps substantially with GDPR programme work; if you run one, pull on it.

Third-party AI controls. For AI systems you integrate from third parties (foundation models, pre-trained systems, AI APIs), documented due diligence, contractual terms, and ongoing monitoring of third-party AI use.

User-facing controls. Information provided to users and affected parties about AI capabilities, limitations, and appropriate use. Connects to the EU AI Act Article 13 instructions-for-use requirement for high-risk systems.

Resource management. Competencies required for people involved in AI systems, training programmes, infrastructure and tools. This is often under-resourced in technical organisations — competency matrices for AI roles and documented training programmes are rare outside large enterprises.

The pragmatic approach: map Annex A controls to your existing processes first. Controls you already satisfy through ISO 27001, GDPR, or existing product processes need documentation that links the existing process to the AIMS rather than new process creation. Controls that genuinely require new work get implemented from scratch. Rough rule: for organisations with mature ISMS and privacy programmes, about 40% of Annex A controls are new work, 40% are existing work that needs AIMS documentation, 20% are existing work that lifts cleanly.

Phase 4: Management review and internal audit (months 8–9)

One month of governance artefacts.

Internal audit. Like ISO 27001, ISO 42001 requires internal audit of the AIMS on a planned schedule, by a sufficiently independent auditor, producing documented findings. Organisations pursuing 42001 for the first time typically hire an external firm to perform the internal audit function, particularly where internal AI competency is limited.

Management review. Clause 9.3 requires top management to review the AIMS with specified inputs (audit results, risks and opportunities, impact assessment outcomes, performance measurement results, stakeholder feedback) and specified outputs (decisions about continual improvement, resource allocation, policy changes). Produces a documented record.

Both artefacts will be read carefully at Stage 1. Don’t compress the schedule here.

Phase 5: Stage 1 and Stage 2 certification audits (months 9–10)

Stage 1 is a documentation review assessing AIMS readiness. The auditor examines your scope statement, policy, impact assessment process, risk management approach, Annex A applicability statement, internal audit results, and management review record. Typically one to three days for a mid-sized organisation. Stage 1 findings usually produce minor corrections before Stage 2.

Stage 2 is the implementation audit — interviews, evidence sampling, walkthrough of key processes, testing that the AIMS documented at Stage 1 is the AIMS operating in practice. Three to seven days for a typical scope. Minor nonconformities at Stage 2 are normal; major nonconformities require remediation before certification issues.

Certification body selection: as of April 2026, the ISO 42001 certification body landscape is smaller than ISO 27001’s — fewer accredited bodies, with variable auditor competency given the newness of the standard. Pick a certification body with demonstrated 42001 audit experience and check the specific auditor’s background. An auditor moving from ISO 27001 to ISO 42001 without meaningful AI exposure will produce a superficial audit that won’t help you commercially.

Integrating with existing ISO 27001

Organisations already running ISO 27001 can run ISO 42001 as a combined programme with roughly 30–40% efficiency gain over sequential implementation. Shared elements include the management system structure (clauses 4–10), leadership and governance artefacts, internal audit function, management review, and approximately 60% of controls by content overlap (particularly in organisational, human resources, and access-related areas).

The full control mapping and combined-programme schedule are in the dual-track guide.

Where the ISO 42001 ecosystem is still maturing

Four areas worth flagging honestly, given how often vendor content glosses them.

Auditor competency is variable. The standard is new, the accredited auditor pool is still growing, and auditors’ AI expertise ranges from genuinely expert to minimal-with-a-weekend-training. Interview your certification body’s proposed lead auditor specifically about their AI experience before committing. A credible 42001 audit adds commercial value; a superficial one produces a certificate that sophisticated customers will see through.

Consultant quality is uneven. The consulting market for 42001 is in its early-adopter phase, with a wide quality range. Template libraries from some consultants are thin, impact assessment methodologies are underdeveloped, and “experience” sometimes means “we did the training last quarter.” Check references and ask to see anonymised artefacts before signing engagements.

GRC automation platforms are catching up. Most established GRC automation platforms now offer ISO 42001 control frameworks, but the depth and quality vary significantly. Platforms built for ISO 27001 with 42001 bolted on tend to cover the 27001-overlapping controls well and the AI-specific controls thinly. For organisations where automation is material to the business case, evaluate the specific 42001 feature set rather than assuming parity with the vendor’s 27001 coverage.

Commercial recognition is still forming. Customers asking for 42001 are a growing minority rather than a clear majority in 2026. Expect this to shift substantially over the next 18–24 months, particularly as EU AI Act obligations come into force.

The honest picture: ISO 42001 is a real standard with real value, and the ecosystem around it is approximately where the ISO 27001 ecosystem was in 2007 — the standard works, but the supporting infrastructure (auditors, consultants, tooling, customer recognition) is still building out. Early adopters accept this as the price of early-mover positioning.

FAQ

Is ISO 42001 certification mandatory?

No. It’s a voluntary management system standard. Certification is a commercial decision, driven by customer demand or strategic positioning.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is a voluntary standard; the EU AI Act is law. ISO 42001 implementation produces substantial evidence useful for AI Act compliance (quality management system, risk management system, documentation) but doesn’t substitute for AI Act compliance where the Act applies.

How does ISO 42001 relate to NIST AI RMF?

NIST AI RMF is a voluntary framework with different structure (Govern, Map, Measure, Manage). The two are complementary — organisations running meaningful AI governance typically use both.

What’s in ISO 42001 Annex A?

Controls covering AI-related policies, internal organisation, resources, impact assessment, AI system lifecycle, data governance, third-party involvement, information for interested parties, and use of AI systems. Written at the management system level, not as technical controls.

How long does ISO 42001 certification take?

Ten months is realistic for a first-time certification at a mid-sized AI-focused SaaS with an existing ISMS. Twelve to fifteen months without an existing ISMS foundation.

Can I certify ISO 42001 without ISO 27001?

Yes. ISO 42001 doesn’t require ISO 27001 certification. But the overlap is substantial, and organisations typically benefit from an existing ISMS foundation.

How much does ISO 42001 certification cost?

Early-market pricing varies widely. Certification body fees for a first-time Stage 1 + Stage 2 at a mid-sized SaaS typically run $25,000–$60,000, plus internal effort and any consulting engagement. Surveillance audit fees are roughly half that annually.

How long is an ISO 42001 certificate valid?

Three years, with annual surveillance audits and a full recertification audit at year three. Same cadence as ISO 27001.

Which certification bodies can issue ISO 42001 certificates?

Any accredited certification body whose accreditation scope includes ISO 42001. Accreditation bodies (UKAS, ANAB, DAkkS, and others) list which certification bodies have scope.

Is ISO 42001 right for small companies?

The standard is designed to scale. Small companies can certify, though the cost-to-benefit ratio is usually less favourable than for mid-sized organisations. Small organisations with specific customer or regulatory drivers certify; others often wait for the market to mature further before pursuing certification.