Tutorial

How to Get ISO 42001 Certification: A Step-by-Step Guide

ISO 42001 certification proves your AI management system is governed and auditable. This step-by-step guide walks through how to get certified.

Step 1: Understand what ISO 42001 certifies

ISO 42001 (formally ISO/IEC 42001:2023) is the international standard for an AI management system. Certification proves that your organisation runs AI under documented governance, with risk controls, oversight, and continual improvement, verified by an accredited certification body. It is a management-system standard, so it certifies how you govern AI across its lifecycle, not the safety or quality of a single model. Before you start, be clear that the auditor will want evidence the system operates, not just that policies exist on paper. That distinction shapes everything below: the certification rewards controls you can show running, not intentions you can only describe.

Step 2: Define scope and secure ownership

Decide which parts of the organisation and which AI systems the management system covers. Name an accountable owner with authority across those systems, and get leadership commitment in writing, because the standard expects top-management involvement. A scope that is too broad makes the first certification slow; one too narrow leaves obvious AI usage outside the boundary and invites findings. Map where AI is actually used, including unsanctioned tools, so the scope reflects reality rather than the approved list.

Step 3: Run a gap assessment

Compare your current state against the standard's requirements: AI policy, roles and responsibilities, AI risk assessment and risk treatment, AI system impact assessment, a Statement of Applicability for the Annex A controls, controls over data and models, monitoring, and incident handling. Document where you already meet each requirement, where you partly meet it, and where there is nothing. The biggest gaps in most enterprises are operational: they have policies but cannot show that AI activity is observed, that sensitive data is intercepted before it reaches a model, or that an audit trail exists. Record each gap with an owner and a target date.

Step 4: Build the controls and the evidence trail

Close the gaps by putting controls on the live AI path, not only in documents. Implement a layer that observes every interaction, enforces policy at runtime, redacts sensitive data before it leaves your boundary, and records what happened with user identity and lineage (which model and version handled the request, which policy version applied, and what decision was taken). This is what produces the evidence an auditor asks for: the demonstration that your AI is governed continuously. Pair the runtime controls with the management artefacts the standard expects (policy, risk register, roles, review cadence) so process and proof line up.
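To make the runtime layer concrete, here is an added illustration of the four behaviours described above (observe, enforce, redact, record) in a small in-process gateway. It is example code written for this guide, not code from the page, the standard, or any product; the redaction patterns, the approved-model list, the policy identifier, the deny rules and the stand-in model are all assumptions, and the sample prompts are constructed. The audit records are hash-chained so that a later edit to any record is detectable, which is the property an auditor is implicitly testing when they ask whether the trail can be trusted.

```python
"""Illustrative runtime control layer for an AI call path (constructed example).

Every call is observed, a policy decision is enforced before the model is
reached, sensitive data is redacted before the prompt leaves the boundary, and
a hash-chained audit record is written carrying user identity and lineage
(model name/version, policy version, decision). Patterns, rules and the fake
model are assumptions for the example, not a real product's behaviour.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

POLICY_VERSION = "ai-policy-2024.1"          # assumed identifier for lineage
APPROVED_MODELS = {"internal-llm": "v3.2"}   # assumed in-scope models -> version

# Constructed patterns: email addresses, 13-19 digit card-like numbers with
# optional space/dash separators, and a hypothetical "sk-..." API-key format.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "API_KEY": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"),
}


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each sensitive match with a typed placeholder; return (text, counts)."""
    counts: Dict[str, int] = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


@dataclass
class AuditRecord:
    seq: int
    user: str
    model: str
    model_version: Optional[str]
    policy_version: str
    decision: str            # "allow" or "deny"
    reason: str
    redactions: Dict[str, int]
    prompt_sha256: str       # hash of the redacted prompt; raw prompt is never logged
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except the hash itself, so any later edit is detectable."""
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_chain(log: List[AuditRecord]) -> bool:
    """True if every record hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for rec in log:
        if rec.prev_hash != prev or rec.compute_hash() != rec.entry_hash:
            return False
        prev = rec.entry_hash
    return True


class AIGateway:
    def __init__(self, model_fn: Callable[[str], str]):
        self.model_fn = model_fn          # the model call; a stub in the demo below
        self.log: List[AuditRecord] = []  # append-only evidence trail

    def _record(self, **fields) -> AuditRecord:
        prev = self.log[-1].entry_hash if self.log else "0" * 64
        rec = AuditRecord(seq=len(self.log), prev_hash=prev, **fields)
        rec.entry_hash = rec.compute_hash()
        self.log.append(rec)
        return rec

    def complete(self, user: str, model: str, prompt: str) -> Optional[str]:
        """Redact, decide, log the decision (always), then call the model only on allow."""
        clean, counts = redact(prompt)
        version = APPROVED_MODELS.get(model)
        if version is None:
            decision, reason = "deny", "model not in management-system scope"
        elif "API_KEY" in counts:
            # Assumed rule: a credential in a prompt is a breach, not just data to mask.
            decision, reason = "deny", "credential in prompt"
        else:
            decision, reason = "allow", "policy satisfied"
        self._record(user=user, model=model, model_version=version,
                     policy_version=POLICY_VERSION, decision=decision, reason=reason,
                     redactions=counts,
                     prompt_sha256=hashlib.sha256(clean.encode()).hexdigest())
        return None if decision == "deny" else self.model_fn(clean)


if __name__ == "__main__":
    gw = AIGateway(lambda p: "echo: " + p)   # stand-in for a real model endpoint
    print(gw.complete("alice", "internal-llm",
                      "Refund card 4111 1111 1111 1111 for bob@example.com"))
    print(gw.complete("alice", "internal-llm", "use key sk-abcdefghijklmnop1234"))
    print(gw.complete("bob", "shadow-tool", "hello"))
    print("chain intact:", verify_chain(gw.log))
```

Note what the log does and does not contain: it records who called which model version under which policy version and what was decided, plus a digest of the redacted prompt, but never the raw prompt, so the evidence trail itself does not become a new store of sensitive data.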

Step 5: Operate, run an internal audit, and review

Let the management system run long enough to generate real records. Then conduct an internal audit against the standard and hold a management review where leadership examines performance and decides on improvements. Fix the nonconformities you find. Certification bodies want to see the cycle of operate, audit, review, and improve actually turning, so do not rush to the external stage with an empty history. The audit trail your runtime controls produce makes this step far less manual than reconstructing evidence by hand.

Step 6: Select a certification body and complete the audit

Choose an accredited certification body and book the assessment. It runs in two stages: Stage 1, a documentation and readiness review, then Stage 2, the certification audit, where the auditor tests whether the system operates as described and gathers evidence. Address any findings, and on success you receive the certificate, typically valid for three years with surveillance audits (usually annual) in between. Treat those surveillance checks as the reason to keep governance running continuously rather than letting it lapse after the badge is earned.

Step 7: Maintain certification

Certification is not the finish line. Surveillance audits and the standard's improvement requirement mean you must keep the management system live: new AI use cases brought into scope, risks reassessed, controls kept current, and evidence kept fresh. Enterprises that automate the evidence trail at runtime carry this maintenance lightly, because the proof is generated as the system operates instead of assembled before each audit.

Frequently asked questions

What is ISO 42001 certification?

It is third-party verification that your organisation runs an AI management system with documented governance, risk controls, oversight, and continual improvement, assessed by an accredited certification body.

How long does ISO 42001 certification take?

It depends on scope and maturity, but expect several months: scoping, a gap assessment, building and operating controls long enough to generate records, an internal audit, then a two-stage external audit.

What is the hardest part of getting ISO 42001 certified?

Producing operational evidence. Most organisations have policies but cannot show AI activity is observed, sensitive data is intercepted, and an audit trail exists. Runtime controls close that gap.

How long is ISO 42001 certification valid?

Typically three years, with surveillance audits in between to confirm the management system is still operating and improving.
