ISO/IEC 42001 certification: how to prepare

ISO/IEC 42001 is certifiable, which makes it a concrete way to demonstrate responsible AI governance to customers and regulators. But certification is the end of a journey, not the start: the certificate attests that a management system has been operating, with evidence, not that one has been designed. Here's how to prepare.

1. Understand the management-system model

ISO/IEC 42001 specifies an AI Management System (AIMS). It uses the same harmonised clause structure as ISO/IEC 27001 (context, leadership, planning, support, operation, performance evaluation, improvement), with reference controls in Annex A, so like ISO 27001 it expects a documented, repeatable system — policy, objectives, roles, risk treatment and continual improvement — not a one-off project. An auditor will look for records showing the system has run through at least one cycle, not just for the documents that describe it.

2. Establish the foundations

Before an audit you'll want:

  • An AI policy and defined governance objectives, approved by top management
  • Clear roles and accountability for each AI system in scope
  • An AI risk assessment and treatment process, plus the AI system impact assessment the standard also requires
  • Controls mapped across the AI lifecycle, with a Statement of Applicability recording which Annex A controls apply and why
  • A cadence for monitoring, internal audit, management review and improvement

3. Run an internal gap analysis

Assess your current governance against each clause of the standard and each Annex A control to find what's missing, and record every gap with an owner and a priority. Done at the organisation level first, this gives you the overall picture quickly; system-level detail can follow during remediation.

4. Close gaps, then audit

Remediate the priority gaps, gather evidence (records, not just policies), run an internal audit and a management review, and only then engage a certification body. Expect the certification audit to be staged: a documentation review first, then an on-site or remote audit of how the system actually operates.

How it connects

The foundations you build for ISO 42001 are not wasted elsewhere. The risk assessment, impact assessment, lifecycle controls and monitoring records overlap substantially with the risk-management and documentation obligations the EU AI Act places on providers of high-risk AI systems, and they map naturally onto the four functions of the NIST AI RMF (Govern, Map, Measure, Manage).