The 10 questions we get most often from teams preparing for their first ISO/IEC 42001 audit. Answers are grounded in the actual standard text and ISO/IEC TS 42006:2025 (the auditor rulebook).
What is ISO/IEC 42001?
ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS). Published in December 2023 by ISO and IEC, it specifies requirements for establishing, implementing, maintaining and continually improving the way an organization governs its AI systems — covering policy, risk assessment, impact assessment, training, supplier relationships, incident response, and continual improvement. The standard applies to any organization developing, providing or using AI systems, regardless of size or sector.
Who needs ISO 42001 certification?
Any organization providing or using AI systems is in scope, but the practical pressure today comes from three sources: (1) enterprise customers asking AI-using SaaS vendors for a credible governance posture before signing; (2) regulators in the EU (AI Act), UK, Canada, and several US states starting to reference 42001 as one path to demonstrating responsible AI practice; (3) prospective M&A or fundraising diligence where buyers/investors want evidence of AI risk management. If you're a SaaS company shipping features that use AI, expect to be asked about 42001 by mid-2026.
How much does ISO 42001 certification cost?
Two cost lines, often confused: (1) preparation — historically a $150,000 to $400,000 engagement with a Big Four or boutique consultancy over six to nine months; today, in-house teams use SaaS tools like Encor ($999/month with a 14-day trial) to handle the drafting phase, and consultancies increasingly run their engagements on the same platforms to accelerate delivery; (2) audit fees from the Certification Body — typically $15,000 to $50,000 for the initial Stage 1 + Stage 2 audit depending on personnel count and AI system count (TS 42006:2025 Annex A.1 specifies the scaling table). Surveillance audits at month 12 and 24 each run roughly one-third of the initial audit cost. Re-certification at month 36 runs two-thirds.
How long does ISO 42001 certification take?
End-to-end, expect 4 to 12 months depending on how mature your existing management systems are. Documentation preparation (Stage 1 readiness): 4 to 8 weeks with the right tooling. Stage 1 audit: typically 5 to 16 auditor-days depending on personnel and system count, scheduled when documentation is complete. Gap between Stage 1 and Stage 2: 4 to 12 weeks while you remediate findings and accumulate operating evidence. Stage 2 audit: same auditor-day window as Stage 1, scheduled when 3 to 6 months of operating evidence exists. Certificate issuance: typically 2 to 6 weeks after Stage 2 completes. The certificate is valid for 3 years with annual surveillance audits.
What's the difference between ISO 42001 and ISO 27001?
Different scope, different risks, different controls. ISO 27001:2022 covers Information Security Management Systems (ISMS) with 93 reference controls in Annex A organized across 4 themes (organizational, people, physical, technological). ISO/IEC 42001:2023 covers AI Management Systems (AIMS) with 38 reference controls in Annex A organized across 10 categories specific to the AI lifecycle (policies for AI, internal organization, resources, impact assessment, system lifecycle, data for AI, information for interested parties, use of AI, third-party relationships). The standards share a Harmonized Structure (Clauses 4-10 are identical in shape) so an organization with an established ISMS can layer 42001 on top with materially less effort. We wrote a full comparison at /blog/iso-42001-vs-iso-27001.
Do I need ISO 42001 if I'm already SOC 2 or ISO 27001 certified?
Probably yes if you use AI in your product or operations. SOC 2 and ISO 27001 are both information-security frameworks — they don't address the AI-specific risks 42001 targets: bias in model outputs, drift, hallucination, opacity, automation bias, training-data leakage, foreseeable misuse. Auditors and enterprise buyers increasingly distinguish between 'we secured the data going into the AI' (ISO 27001's purview) and 'we govern the AI itself' (ISO 42001's purview). If your sales process is hitting questions like 'how do you assess bias in your model?' or 'what's your AI incident response process?' — SOC 2 and 27001 don't have answers. 42001 does.
What is a Statement of Applicability in ISO 42001?
The Statement of Applicability (SoA) is a documented declaration — required by Clause 6.1.3 of ISO/IEC 42001 — listing every reference control from Annex A, marking each as applicable to or excluded from your AIMS, and providing justification for that decision. It is the single most-sampled document at the Stage 1 audit and is literally quoted on the certificate that ISO/IEC TS 42006:2025 §8.2.2 requires the Certification Body to issue. For each applicable control, the SoA should also point to the evidence operationalising that control (a risk in the register, an artefact in the documentation, a record of training, etc.). Encor versions the SoA with stable identifiers so the version on your certificate matches what the auditor sampled.
What is an AI System Impact Assessment per ISO/IEC 42005?
An AI System Impact Assessment (AIA) is a documented process for assessing the potential consequences an AI system's deployment, intended use, and reasonably foreseeable misuse can have on individuals, groups of individuals, and societies. It is required by Clause 6.1.4 of ISO/IEC 42001 and structurally specified by ISO/IEC 42005:2024. A compliant AIA covers intended use, deployment context, decisions affecting individuals, affected groups (including vulnerable populations), potential harms (bias, privacy, autonomy, safety), severity and reversibility, error rates and uncertainty communication, human oversight mechanisms, mitigation measures, and incident-detection plans. Shallow one-paragraph AIAs are the third-most-common Stage 1 nonconformity.
Can I prepare for ISO 42001 solo, or do I need a consultant?
Both paths work. Historically, organizations hired a Big Four firm to draft the artefacts (Statement of Applicability, impact assessments, management-review packs, internal audit programme), which is why preparation cost $150K to $400K. Today the documentation work is template-driven — Encor pre-drafts every required artefact from your onboarding answers and walks you through the gaps a real auditor will sample, whether your team handles it in-house or a consultant guides you through it. Many consultancies now run their engagements on Encor's consultancy edition (multi-tenant, per-client workspaces) to compress delivery from quarters to weeks. What you cannot skip is the *operating* work: running real internal audits, holding real management reviews, training real personnel, accumulating evidence over time. No SaaS replaces that — the senior judgment a good consultant brings is exactly where their time should go.
What happens at Stage 1 vs Stage 2 ISO 42001 audit?
Stage 1 is the documentation review — the auditor reads your AIMS Manual, Statement of Applicability, AI Policy, AI Impact Assessments, risk register, objectives, communication plan, internal audit programme, and management-review records, and confirms that the documented system meets the standard's requirements. Stage 1 nonconformities are typically resolvable in a few weeks. Stage 2 is the operational audit — the auditor samples real evidence that the system is *operating*: completed internal audits with corrective actions, held management reviews with documented decisions, training records, incident records with root cause and effectiveness verification, and change-management records tied to risk reassessments. Most certifications stumble at Stage 2 because Stage 1 prep doesn't produce six months of operating evidence — Encor surfaces this gap with a per-system audit-ready scorecard.