If your organisation builds, deploys, or uses AI, you have probably heard of ISO 42001. Published in December 2023, it is the first international standard dedicated to AI management systems (AIMS). But hearing about it and actually getting certified are two very different things. This guide walks you through every stage of the certification journey — scope, timeline, costs, and how to avoid the most common pitfalls.
Key takeaways
- ISO 42001 certification typically takes 6–12 months and costs between €15,000 and €80,000 depending on organisation size
- The standard aligns closely with the EU AI Act, making certification a practical path to regulatory compliance
- Organisations already ISO 27001 certified can leverage overlapping controls to accelerate the process
- Brain's AI training platform directly supports Clause 7.2 (Competence) and Clause 7.3 (Awareness) requirements
What is ISO 42001?
ISO/IEC 42001:2023 is a management system standard — not a technical specification. It tells your organisation what governance to put in place around AI, not which models or algorithms to use. The structure follows the Annex SL framework shared by ISO 27001 (information security) and ISO 9001 (quality management), which means it integrates smoothly with existing management systems.
At its core, ISO 42001 requires you to:
- Define an AI policy with clear objectives
- Conduct AI-specific risk assessments covering bias, hallucination, transparency, and data quality
- Perform AI impact assessments for systems that affect individuals or society
- Establish roles, responsibilities, and accountability for AI decisions
- Implement human oversight mechanisms
- Monitor, measure, and continually improve the system
If your teams already follow a structured AI governance framework, you are closer than you think.
ISO 42001 and the EU AI Act
The connection between ISO 42001 and the EU AI Act is direct and practical. The AI Act mandates risk management systems for high-risk AI (Article 9), requires AI literacy across the organisation (Article 4), and demands ongoing monitoring and documentation. ISO 42001 provides a ready-made structure for meeting these obligations.
The European Commission is exploring harmonised standards as a mechanism for demonstrating AI Act compliance, and ISO 42001 is the leading candidate. Certification does not guarantee compliance, but it creates a strong presumption of conformity.
This matters beyond Europe too. Organisations subject to the UK’s AI regulatory framework or the NIST AI Risk Management Framework will find that ISO 42001 covers significant common ground. A single management system can serve multiple jurisdictions.
78% of enterprise buyers say they will require evidence of AI governance from vendors by 2027 (Source: Gartner, 2025).
Who should pursue certification
Not every organisation needs to certify immediately. But three groups should move now:
AI vendors and SaaS providers. Enterprise clients increasingly require proof of AI compliance. ISO 42001 certification is becoming the AI equivalent of SOC 2 — a baseline expectation in procurement.
Regulated industries. If you operate in banking and finance, healthcare, or insurance, regulators already expect robust AI governance. Certification formalises what you should be doing anyway.
Large enterprises deploying AI at scale. When hundreds of employees use AI tools daily, the risk of shadow AI grows. ISO 42001 gives you a framework to manage that risk systematically rather than reactively.
The certification process, step by step
Phase 1 — Scoping and gap analysis (4–8 weeks)
Before anything else, define the scope. Which AI systems, business units, and processes will the management system cover? Then conduct a gap analysis: compare your current governance against every clause and control in ISO 42001.
Common gaps at this stage include missing AI impact assessments, undocumented risk assessment processes, and no formal AI policy.
Phase 2 — Building the management system (8–16 weeks)
This is the heavy lifting. You will need to:
- Write or update your AI policy and supporting procedures
- Conduct formal risk and impact assessments for all in-scope AI systems
- Define roles and responsibilities (typically through an AI governance committee)
- Implement training programmes to satisfy Clause 7.2 (Competence) and Clause 7.3 (Awareness)
- Set up monitoring, measurement, and reporting mechanisms
- Document everything — ISO auditors verify through evidence
Do not underestimate the training requirement. ISO 42001 Clause 7.2 requires that all personnel whose work affects AI system performance have demonstrable competence. A one-off webinar will not satisfy an auditor — you need structured, role-based AI training with completion tracking.
Phase 3 — Internal audit and management review (2–4 weeks)
Run a full internal audit against ISO 42001 requirements. Identify non-conformities and fix them before the external auditor arrives. Then hold a formal management review where senior leadership assesses the system’s effectiveness.
Phase 4 — Certification audit (2–4 weeks)
An accredited certification body (BSI, Bureau Veritas, TUV, DNV, or similar) conducts a two-stage external audit:
- Stage 1 — Document review. The auditor examines your policies, risk assessments, and procedures.
- Stage 2 — On-site (or remote) assessment. The auditor verifies implementation through interviews, observation, and evidence sampling.
If non-conformities are found, you have a defined period to address them before the certificate is issued.
Phase 5 — Surveillance and re-certification
Once certified, you face surveillance audits annually and a full re-certification audit every three years. This is not a “set and forget” exercise.
€15K–€80K is the typical total cost of ISO 42001 certification, including consultancy and audit fees (Source: industry estimates, 2025–2026).
What certification costs
Costs vary significantly by organisation size and complexity. Here is a rough breakdown:
| Component | Small org (< 50 staff) | Mid-size (50–500) | Enterprise (500+) |
|---|---|---|---|
| Gap analysis & consultancy | €5,000–€15,000 | €15,000–€30,000 | €30,000–€60,000 |
| Certification audit fees | €5,000–€10,000 | €10,000–€20,000 | €20,000–€40,000 |
| Internal effort (staff time) | Significant | Significant | Very significant |
| Annual surveillance | €3,000–€6,000 | €6,000–€12,000 | €12,000–€20,000 |
Organisations that are already ISO 27001 certified can often reduce these costs by 20–30% through integrated audits.
Common mistakes to avoid
Treating it as a checkbox exercise. Auditors can tell the difference between a management system that lives in practice and one that only lives in documents.
Ignoring the training requirement. Clause 7.2 is one of the most scrutinised areas. If your teams cannot demonstrate AI competency, you will not pass.
Scoping too broadly too early. Start with a defined set of AI systems. You can expand the scope later.
Neglecting data governance. AI systems depend on data quality. If you cannot demonstrate controls over training data, validation data, and operational data, expect non-conformities.
How Brain supports ISO 42001 certification
Brain’s AI training platform is purpose-built for the competence and awareness requirements that ISO 42001 demands. Rather than generic e-learning, Brain delivers:
- Role-based AI training mapped to Clause 7.2 — from executives to frontline staff, everyone gets training relevant to their interaction with AI systems
- Awareness modules aligned with Clause 7.3 — covering your AI policy, data privacy obligations, bias recognition, and hallucination detection
- Completion tracking and reporting — auditors need evidence of training delivery, and Brain provides it
- Ongoing updates — as AI regulations evolve, training content evolves with them
Whether you are at the start of your ISO 42001 journey or preparing for your certification audit, Brain gives you one less thing to worry about.