WATCHUR6 // ISO 42001 // AUDIT READINESS

The first AI standard you can certify against.
The credential AI procurement is starting to ask for by name.

ISO/IEC 42001:2023, published December 2023, is the world's first international AI management system standard and the only AI management system standard you can certify against. By 2026 it has become the de facto AI governance credential for enterprises selling AI-enabled products into regulated markets, into the EU, and into enterprise procurement processes that have started asking "show us your AI governance framework."

Microsoft, AWS, and Miro are among the first organizations to certify — establishing the 2026 market floor for serious AI vendors. The standard uses the same Plan-Do-Check-Act structure as ISO 27001, with 38 AI-specific Annex A controls across 9 control areas. Certification follows the same Stage 1 + Stage 2 + 3-year cycle ISO 27001 uses.

It's also the fastest credible path to EU AI Act conformance. ISO 42001 implementation covers approximately 70% of EU AI Act high-risk system documentation requirements. Certification doesn't substitute for legal compliance — but it's the structural foundation regulators, customers, and notified bodies expect to see underneath an AI Act conformity assessment.

Book an ISO 42001 Strategy Call
ISO/IEC 42001:2023 · 38 AI CONTROLS / 9 CONTROL AREAS · ACCREDITED CB-COORDINATED · VETERAN-LED

// THE AI PROCUREMENT REALITY

"AI governance is something we'll formalize when a regulator asks."
Enterprise procurement is asking first, and ISO 42001 is the answer they're expecting.

A pattern that emerged through 2025 and accelerated into 2026: an AI-enabled SaaS company wins the technical review with a Fortune 500 buyer, gets through security review on the strength of its SOC 2 Type II report, and stalls at a new section of the vendor risk questionnaire that didn't exist 18 months earlier — "Describe your AI governance framework. What standard are you certified to?" — and the deal slips a quarter while the company scrambles to assemble an AI governance program that doesn't exist yet.

The same pattern shows up in healthcare AI procurement (where HITRUST AI Security Certification may also be required), in financial services AI vendor selection (where fair-lending and discrimination concerns drive heightened scrutiny), in HR and people-analytics platforms (where bias and explainability are procurement-stopping issues), and in any AI-enabled product sold into the EU where the EU AI Act classifies the system as high-risk. Whoever is gating the contract, the answer is increasingly the same: "show us ISO 42001 or wait."

ISO/IEC 42001 is the world's first international AI management system standard and the only certifiable AI management system standard available. It is written to the ISO harmonized structure, so it uses the same management system skeleton as ISO 27001 (Plan-Do-Check-Act; scope and context, leadership and commitment, planning, support, operation, performance evaluation, improvement) with 38 AI-specific controls across 9 Annex A control areas (A.2 through A.10). Certification is voluntary, performed by independent accredited certification bodies, and follows the same Stage 1 + Stage 2 + 3-year surveillance cycle ISO 27001 follows.

The arithmetic from a cold start: 8 to 12 months to certification. With existing ISO 27001 the timeline compresses to 4 to 6 months because the management system mechanics are already running. With existing NIST AI RMF or HITRUST AI Security Certification work, further acceleration is possible. The 2026 reality is that organizations starting their AI governance work after the procurement question hits the table are already a deal cycle behind — the ones with certification in hand are the default vendor selection.

// THE FOUR ANNEX A CONTROL DOMAINS

38 AI controls. Four operational domains. One AI Impact Assessment at the center.

ISO 42001's Annex A organizes 38 AI-specific controls across 9 control areas (A.2 through A.10), which group into four operational domains. The AI System Lifecycle + Risk domain (A.5 and A.6) is the substantive core: the AI Impact Assessment, the lifecycle management requirements, and the AI-specific risk treatment that justify the standard's existence as separate from ISO 27001. The other three domains (organizational context, resources and data, operations and improvement) provide the management system foundation the AI-specific work sits on.

Every certification audit reads the Statement of Applicability first: the document declaring which Annex A controls apply to your AIMS, justifying any exclusions, and stating how the applicable controls are implemented. The AI Impact Assessment (required by clause 6.1.4 and controlled through Annex A.5) is the artifact the Stage 2 auditor will examine most closely; it's where the standard's responsible AI principles meet the organization's actual AI system inventory.

// DOMAIN 01 // A.2 + A.3

Organizational Context & Leadership

Policies related to AI, internal organization, and AI roles and responsibilities. The governance scaffolding the AIMS sits on — AI policy committed by top management, defined roles for AI development and oversight, and the organizational context for how AI fits into the broader risk landscape.

Failure mode: AI policy that exists on paper but doesn't connect to actual AI development practices. The Stage 2 auditor tests whether leadership commitment is operational, not whether the policy was published.

Annex A: A.2 (Policies related to AI), A.3 (Internal organization)
ISO 27001 carry: ~70% structural

// DOMAIN 02 // A.5 + A.6 // SUBSTANTIVE CORE

AI System Lifecycle & Risk

The substantive core of the standard. AI Impact Assessment (A.5), AI system lifecycle management (A.6, with A.6.2 covering the lifecycle stages from requirements through operation, monitoring, and event logging), AI risk treatment, and the responsible AI principles that justify the standard's existence as separate from ISO 27001: bias, explainability, autonomy, human oversight, model drift, fundamental rights.

Failure mode: running AI risk through the security risk register without a dedicated AI Impact Assessment. The Stage 2 auditor reads the AI Impact Assessment most closely.

Annex A: A.5 (Assessing impacts of AI systems), A.6 (AI system life cycle)
ISO 27001 carry: Net-new
EU AI Act: Direct bridge

// DOMAIN 03 // A.4 + A.7

Resources & Data Governance

Resources for AI systems (A.4) including data, tooling, system and computing, and human resources, and their documentation. Data for AI systems (A.7) including data acquisition, data quality, data provenance, data preparation, and ongoing data management across the AI lifecycle.

Failure mode: data quality for AI training treated identically to data quality for analytics. AI training data requires explicit lineage, representativeness assessment, and bias evaluation that traditional data governance doesn't capture.

Annex A: A.4 (Resources for AI systems), A.7 (Data for AI systems)
ISO 27001 carry: ~40% partial

// DOMAIN 04 // A.8 + A.9 + A.10

Operations & Improvement

Information for interested parties of AI systems (A.8), use of AI systems (A.9), and third-party and customer relationships (A.10). The downstream operational dimensions: transparency to data subjects and decision recipients, incident communication and external reporting, responsible use guidance, and supply chain management for AI components.

Failure mode: assuming the AI system's existence is sufficient disclosure. A.8 requires structured information for stakeholders that enables them to understand, challenge, and respond to AI-driven outcomes, plus a channel for reporting and communicating incidents.

Annex A: A.8 (Information for interested parties), A.9 (Use of AI systems), A.10 (Third-party and customer relationships)
ISO 27001 carry: ~30% partial

// THE ISO 42001 CERTIFICATION LIFECYCLE

Six stages, three years. From AI scoping to renewable certification.

ISO 42001 follows the same certification lifecycle structure as ISO 27001 because both are ISO management system standards in the same family. Certifications are valid for three years contingent on annual surveillance audits in years 1 and 2 and a full recertification audit in year 3. The Stage 1 + Stage 2 audit pair at the start is performed by a certification body that is itself accredited by a national accreditation body (UKAS, ANAB, RvA, DAkkS). That initial audit pair is the point where external accountability establishes the certification.

SCOPE

AI System Scoping & Context

WEEK 1–4

AI systems and AI-enabled features inventoried. AIMS boundary defined. Organizational context, interested parties, and AI lifecycle stages documented. Gap analysis against all 38 Annex A controls.

AIMS BUILDOUT

AIMS + AI Impact Assessment

MONTH 1–3

AIMS policies and procedures authored under PDCA. AI Impact Assessment performed against in-scope systems. Risk treatment plan and Statement of Applicability drafted.

IMPLEMENT

Annex A Controls + Internal Audit

MONTH 3–7

Every Annex A control declared applicable in the Statement of Applicability implemented across the 9 control areas, with any exclusions justified. Internal audit cycle performed against the AIMS. Management review held. Findings remediated before external audit.

STAGE 1

Stage 1 Documentation Audit

MONTH 7–8

Accredited CB auditor reviews AIMS documentation: scope, AI Impact Assessment, SoA, risk treatment, policies. Stage 1 findings addressed before Stage 2.

STAGE 2

Stage 2 Implementation Audit

MONTH 8–10

Auditor verifies the AIMS is operating as documented. Walkthroughs, evidence sampling, control owner interviews, AI Impact Assessment scrutiny. Certificate issued. Valid 3 years.

SURVEILLANCE

Surveillance Y1, Y2, Recert Y3

MONTH 12, 24, 36

Annual surveillance audits (shorter scope) in Y1 and Y2. Full recertification audit at Y3 with new 3-year certificate. Continuous AI Impact Assessment refresh as AI systems evolve.

Scoping, AIMS buildout, implementation, and continuous improvement are WatchUr6-led. Stage 1 reviews documentation; Stage 2 verifies implementation; both are performed by the accredited certification body. Surveillance and recertification audits follow the same three-year ISO management system cycle.

// THE ISO 42001 ENGAGEMENT MODEL

Six services. Three phases. One AI Impact Assessment.

ISO 42001 engagements are structured around the three-phase lifecycle: AI scoping and AIMS authoring first; Annex A controls implementation and internal audit in the middle; Stage 1 + Stage 2 certification and ongoing surveillance at the end. The AI Impact Assessment is the single most consequential artifact — it's where the standard's responsible AI principles meet the organization's actual AI system inventory, and it's what the Stage 2 auditor examines most closely.

// PHASE 01

Scope & AIMS

AI INVENTORY · AIMS AUTHORING · AI IMPACT ASSESSMENT

// 01 // AI SCOPING

AI System Scoping & Inventory

The first strategic step. Every AI system, AI-enabled feature, ML model in production, and AI development activity inventoried against the proposed AIMS boundary. Scope decisions documented: which systems are in scope for initial certification, which are out, and what the staged-expansion plan looks like.

Organizational context analyzed: interested parties identified (customers, data subjects, regulators, employees, partners), external and internal issues affecting AI governance documented, AI lifecycle stages mapped to organizational responsibilities.

Output: a defensible AIMS scope document that the certification body's Stage 1 auditor will accept.

// INCLUDES

AI INVENTORY · AIMS BOUNDARY · CONTEXT ANALYSIS · INTERESTED PARTIES · STAGED EXPANSION

// 02 // AIMS + IMPACT

AIMS Authoring & AI Impact Assessment

AIMS policies and procedures authored under the PDCA structure: AI policy, risk management procedure, AI lifecycle procedures, data governance for AI, supplier management for AI components, internal audit procedure, management review procedure.

The AI Impact Assessment (clause 6.1.4; Annex A.5) authored against in-scope AI systems: who is affected, what kinds of impacts the system can produce, whether protected classes can be disproportionately affected, whether decisions can be explained and challenged, whether human oversight is meaningfully possible, what remediation pathways exist for harm.

// INCLUDES

AIMS POLICIES · PDCA STRUCTURE · AI IMPACT ASSESSMENT · SoA AUTHORING · RISK TREATMENT

// PHASE 02

Implementation

38 ANNEX A CONTROLS · INTERNAL AUDIT

// 03 // ANNEX A CONTROLS

Annex A Controls Implementation

The 38 AI-specific controls sit in 9 control areas: A.2 Policies Related to AI; A.3 Internal Organization; A.4 Resources for AI Systems; A.5 Assessing Impacts of AI Systems; A.6 AI System Life Cycle; A.7 Data for AI Systems; A.8 Information for Interested Parties of AI Systems; A.9 Use of AI Systems; A.10 Third-Party and Customer Relationships. Every control the Statement of Applicability declares applicable is implemented; any control excluded is excluded with a documented justification the auditor will test.

Implementation depth varies by control: some are documentation (policies, procedures, role definitions); others require operational instrumentation (drift detection, output monitoring, transparency disclosures, supplier oversight cycles).

// INCLUDES

38 CONTROLS · 9 CONTROL AREAS · DRIFT MONITORING · DATA GOVERNANCE · SUPPLIER OVERSIGHT

// 04 // INTERNAL AUDIT

Internal Audit Program & Management Review

The management system mechanics ISO 42001 inherits from the broader ISO management system family. Internal audit program established with a documented audit plan covering all AIMS clauses and every Annex A control declared applicable in the SoA. Audit performed by competent internal auditors (or contracted independent auditors) who are independent of the AI systems they audit. Findings logged and tracked through corrective action.

Management review held: the AIMS performance reviewed by top management at planned intervals against documented inputs (audit results, AI impacts, risk treatment effectiveness, opportunities for improvement) with documented outputs (decisions on changes, resource allocation, AIMS improvements).

// INCLUDES

INTERNAL AUDIT PROG · AUDIT PLAN · CORRECTIVE ACTION · MGMT REVIEW · EVIDENCE TRAIL

// PHASE 03

Certification & Sustainment

STAGE 1 + STAGE 2 · SURVEILLANCE · RECERT

// 05 // STAGE 1 + STAGE 2

Accredited CB Coordination & Audit Fieldwork

Accredited certification body selected from UKAS, ANAB, RvA, or DAkkS-accredited firms (BSI was first UKAS-accredited; multiple firms now hold accreditation). Scope negotiation, audit timeline coordination, evidence trail preparation, walkthrough rehearsals.

Stage 1 (documentation review) and Stage 2 (implementation verification) supported with operator-led representation during fieldwork. Findings response coordinated. On successful Stage 2: ISO/IEC 42001 certificate issued, valid 3 years contingent on surveillance.

// INCLUDES

CB SELECTION · STAGE 1 PREP · STAGE 2 PREP · FIELDWORK SUPPORT · FINDINGS RESPONSE

// 06 // SURVEILLANCE

Annual Surveillance + 3-Year Recertification

The ongoing cadence that keeps the certificate valid. Annual surveillance audits in Y1 and Y2 (shorter scope — 30–50% of Stage 2 scope, with sampled controls verified). Corrective actions from prior audit verified. Full recertification audit at Y3 with new 3-year certificate.

Continuous AI Impact Assessment refresh as AI systems evolve — material changes (new models, expanded use cases, new training data sources, new affected populations) trigger Impact Assessment review and potential AIMS scope updates.

// INCLUDES

Y1 SURVEILLANCE · Y2 SURVEILLANCE · Y3 RECERT · IMPACT REFRESH · SCOPE EXPANSION

// CONNECTED INTELLIGENCE

ISO 42001 sits on top of your security infrastructure — not next to it.

ISO 42001 governs AI-specific risks, but it doesn't replicate the security infrastructure work that ISO 27001 and SOC 2 already address. Because both standards are written to the ISO harmonized structure, clauses 4 through 10 line up one-for-one, and the cleanest 2026 deployment pattern is an integrated management system: ISO 27001 for the security foundation, ISO 42001 layered on top for the AI-specific governance, with the AIMS reusing the existing ISMS mechanics (document control, internal audit, management review, corrective action) rather than duplicating them.

// THE NUMBERS

ISO 42001 by the numbers.

8–12 MO

Cold Start to Certification

AI scoping through Stage 2 certificate issuance. With existing ISO 27001: 4–6 months. With existing NIST AI RMF or HITRUST AI Security: further acceleration possible.

Initial certificate valid 3 years contingent on annual surveillance.

38 / 9

Annex A Controls / Control Areas

38 AI-specific controls organized across 9 control areas (A.2 through A.10) covering policies, organization, resources, impact assessment, life cycle, data, transparency, use, suppliers.

Statement of Applicability documents which controls apply to your AIMS scope.

~70%

EU AI Act Bridge

ISO 42001 implementation covers approximately 70% of EU AI Act high-risk system documentation requirements. The fastest credible path to AI Act conformance foundation.

Certification doesn't substitute for legal compliance — but it's the structural foundation regulators expect.

// THE OPERATOR TEAM

Fortune 500 senior CISO leads AIMS scoping strategy, AI Impact Assessment authoring, and accredited certification body relationship management. CISSP-credentialed cloud architect engineers the Annex A controls across the AI development and deployment lifecycle, with specialization in the 2026 procurement-critical areas: AI Impact Assessment (A.5), AI system life cycle (A.6), data for AI systems (A.7), and information for interested parties (A.8).

Army Special Forces communications sergeant (Green Beret, 18B/18C) leads internal audit program operations, management review coordination, and accredited CB Stage 1/Stage 2 fieldwork support. Naval Special Warfare veteran runs the annual surveillance cadence and the three-year recertification cycle, with continuous AI Impact Assessment refresh as AI systems evolve through the AIMS lifecycle.

SDVOSB · DVBE · SBE · CMAS #3-25-06-1018 · CAGE 9CQZ9 · SAM-registered · veteran-led.

// SELF-QUALIFICATION CHECK

Does ISO 42001 actually apply to you?

Three quick questions: whether the AI procurement question is hitting your sales calls, when you'd need certification by, and how much of the work reuses from frameworks you already run.

// 01 // APPLICABILITY

Do you need ISO 42001?

ISO 42001 is the AI procurement credential. It applies if your AI-enabled product faces enterprise procurement scrutiny or EU market exposure.

  • You're an AI platform, foundation model provider, or AI infrastructure company selling to enterprises.
  • You're a SaaS company with AI-enabled features and your enterprise customers' vendor risk teams are asking about AI governance.
  • You're targeting EU markets with AI systems that may fall into EU AI Act high-risk classification.
  • You operate regulated-industry AI — healthtech clinical decision support, fintech credit decisioning, HR bias-sensitive AI, identity/biometrics, autonomous systems.
  • You're a federal contractor building AI for government use — federal AI procurement increasingly references international standards.

// 02 // TIMING

When do you need certification by?

ISO 42001 is a renewable 3-year certification. The deadline is whichever comes first from your market exposure.

  • An enterprise customer's AI governance requirement — typically 6–12 months ahead of contract performance.
  • The EU AI Act enforcement schedule: obligations for Annex III high-risk AI systems are scheduled to apply from 2 August 2026.
  • An existing ISO 27001 surveillance window — aligning Stage 1+Stage 2 for ISO 42001 to your existing audit calendar reduces operator overhead.
  • A competitive procurement where one of Microsoft, AWS, Miro, or your peers has gone certified and the market floor has moved.
  • An investor or partner due-diligence cycle where AI governance maturity is a 2026 scrutiny area.

// 03 // FRAMEWORK LEVERAGE

What if you already run another framework?

ISO 42001 leverages existing management system and AI-specific work meaningfully. The work is the delta, not the whole standard.

  • ISO 27001 : ~50% management system structural reuse. Same PDCA clauses, same internal audit and management review mechanics. Net-new: 38 AI Annex A controls and the AI Impact Assessment.
  • HITRUST AI Security Cert : ~60% AI control overlap. Net-new: AIMS management system structure (HITRUST is control-driven, not management-system-driven).
  • NIST AI Risk Management Framework : ~60% AI risk concept overlap. Net-new: certifiable management system structure and accredited CB process.
  • SOC 2 Type II : ~30% overlap on management mechanics (organizational governance, risk assessment generally). Most ISO 42001 work is net-new.
  • Nothing existing : cold start. 8–12 months to certification.

// FREQUENTLY ASKED

The ISO 42001 questions teams keep asking.

We already have ISO 27001. Why do we need ISO 42001 too?

The two standards address different risk surfaces and answer different procurement questions.

ISO/IEC 27001 governs information security: confidentiality, integrity, and availability of data and systems. It addresses how data is protected and processed, but not what an AI system does with that data once it is consuming it.

ISO/IEC 42001 governs AI-specific risks that ISO 27001 does not address: algorithmic bias and discriminatory outputs, explainability and the ability to justify automated decisions, autonomous decision-making and human oversight requirements, model drift and degradation over time, fundamental rights impacts on individuals subject to AI decisions, ethical considerations in AI deployment, and the unique data quality requirements for training and operating AI systems.

The frameworks are explicitly complementary, not competitive. An AI system processing personal data for automated credit decisions needs three layers at once: ISO 27001 securing the infrastructure, GDPR governing the personal data processing, and ISO 42001 managing the AI-specific risks like discriminatory outputs or unexplainable decisions.

From an implementation standpoint, ISO 27001 provides approximately 50% of the management system foundation that ISO 42001 builds on — both use Plan-Do-Check-Act structure, both require management commitment and internal audit, and both share concepts like risk-based thinking and continual improvement. For organizations already running ISO 27001, the ISO 42001 build is faster and cheaper than a cold start because the management system mechanics are already in place.

Does ISO 42001 certification satisfy EU AI Act compliance?

No — but it's the closest available path. ISO/IEC 42001 is a voluntary international management system standard. The EU AI Act is enforceable EU law. Certification against one is not legal compliance with the other.

However, they overlap substantially. ISO 42001 implementation covers approximately 70% of the documentation, risk management, data governance, technical documentation, human oversight, and accuracy/robustness control requirements the EU AI Act imposes on high-risk AI systems.

The practical implication is that organizations targeting EU markets with AI systems classified as high-risk under the AI Act use ISO 42001 as the management system "operating system" implementing the AI Act's structural requirements. Certification does not substitute for the legal compliance assessment, the conformity assessment procedure, or the CE marking required for certain high-risk AI systems — but it demonstrates to regulators, customers, and notified bodies that AI governance is structured, documented, and continuously improved.

The 30% gap between ISO 42001 and the AI Act is concentrated in AI Act-specific obligations: the conformity assessment procedure itself, the post-market monitoring requirements for AI Act high-risk systems, registration in the EU database, the specific transparency obligations for general-purpose AI models above certain compute thresholds, and the AI Act's enforcement mechanics including the European AI Office coordination.

For US organizations selling AI-enabled products into the EU, the standard 2026 playbook is ISO 42001 certification first as the foundation, then targeted AI Act conformance work for the EU-specific obligations on top.

Who actually needs ISO 42001 certification in 2026?

Five categories of organizations are facing increasing 2026 pressure to certify.

(1) AI platform companies and foundation model providers — Microsoft and AWS are among the first hyperscalers to certify, establishing the market floor for serious AI infrastructure providers.

(2) SaaS companies that have integrated AI-enabled features into products serving enterprise customers — Miro is among the first SaaS companies to certify, and enterprise procurement teams are starting to require evidence of AI governance maturity as a precondition for AI-enabled product purchases.

(3) Organizations targeting EU markets with AI systems that fall into the EU AI Act's high-risk classification (employment and worker management AI, biometric identification, critical infrastructure, education and vocational training, essential services, law enforcement, migration, asylum, border control, administration of justice and democratic processes, certain product safety components).

(4) Regulated-industry AI vendors: healthtech with clinical decision support (where HITRUST AI Security Certification also applies), fintech with credit decisioning and fraud automation subject to fair-lending and discrimination concerns, HR and people-analytics platforms subject to bias and explainability scrutiny, identity and biometric authentication providers, autonomous systems vendors.

(5) Federal contractors building AI for government use — the federal AI procurement guidance increasingly references international standards including ISO 42001 as preferred AI governance frameworks.

The pattern across all five categories is the same: enterprise procurement teams have started asking "show us your AI governance framework" and ISO 42001 is becoming the answer expected to satisfy that question.

What is the AI Impact Assessment and how does it differ from a traditional risk assessment?

The AI Impact Assessment is required by clause 6.1.4 (and operationalized in clause 8.4), with its documentation and scope controlled through Annex A.5 (Assessing Impacts of AI Systems). It is one of the most operationally consequential additions ISO 42001 makes over ISO 27001.

Where a traditional ISO 27001 risk assessment evaluates threats to information confidentiality, integrity, and availability, the AI Impact Assessment evaluates the impacts the AI system has on individuals, groups, and society — including impacts that ISO 27001's framing doesn't naturally surface.

The assessment examines several dimensions: who is affected by the AI system's outputs (the data subjects, the decision recipients, the broader stakeholder groups); what kinds of impacts the system can produce (economic, legal, social, physical safety, fundamental rights, environmental); whether those impacts can affect protected classes disproportionately; whether the system's decisions can be explained and challenged; whether human oversight is meaningfully possible given the system's operational tempo and decision volume; and what remediation pathways exist when the system causes harm.

The AI Impact Assessment is also distinctive in that it is forward-looking and lifecycle-aware: it must be performed before deployment, reviewed when the system changes materially, and re-assessed when new evidence about impacts emerges.

The output is a documented assessment that the certification body's Stage 2 auditor will examine, and that downstream stakeholders (customers, regulators, individuals subject to the AI's decisions) may be entitled to information about under the Annex A.8 controls (Information for Interested Parties of AI Systems).

What does the ISO 42001 certification process actually involve?

ISO 42001 follows the same certification structure as ISO 27001 and other ISO management system standards: a Stage 1 audit followed by a Stage 2 audit for initial certification, surveillance audits in years 1 and 2, and a recertification audit in year 3.

The certification is performed by an accredited certification body — BSI was the first to achieve UKAS accreditation for ISO 42001; multiple certification bodies now hold accreditation through UKAS, ANAB, RvA, DAkkS, or other national accreditation bodies.

Stage 1 is the documentation review audit. The certification body's auditor examines the AIMS documentation: the AIMS scope, the AI Impact Assessment, the Statement of Applicability for the 38 Annex A controls, the risk assessment, the policies and procedures, the internal audit results, and the management review records. Findings from Stage 1 must be addressed before Stage 2 begins.

Stage 2 is the implementation audit. The auditor verifies that the AIMS is actually operating as documented through walkthroughs, evidence sampling, interviews with control owners, and assessment of how the AI Impact Assessment is being used to inform actual AI system development and deployment decisions.

On a successful Stage 2, the certification body issues an ISO/IEC 42001 certificate valid for three years contingent on annual surveillance audits in years 1 and 2 and a full recertification audit in year 3. The certification scope is specific to defined AI systems and the AIMS boundary documented during scoping — organizations frequently start with a narrow scope (one or two AI systems) and expand the AIMS scope over time as additional systems mature into the management system.

How long does ISO 42001 certification take from a cold start?

From a cold start — no existing ISO management system, no formalized AI governance program — a realistic timeline to ISO/IEC 42001 certification is 8 to 12 months.

The phases break down as follows:

AI system scoping and inventory: 3 to 5 weeks to identify which AI systems, AI-enabled features, and AI development activities fall within the AIMS boundary.

AIMS authoring and AI Impact Assessment: 6 to 10 weeks to draft the management system policies and procedures and to perform the AI Impact Assessment against the in-scope systems.

Annex A 38 control implementation: 12 to 20 weeks depending on the maturity of existing technical and operational controls.

Internal audit cycle and management review: 4 to 6 weeks.

Stage 1 audit + remediation: 3 to 6 weeks total.

Stage 2 audit + remediation: 4 to 7 weeks total. Certificate issuance follows.

With an existing ISO 27001 program, the timeline compresses to approximately 4 to 6 months because the management system mechanics (internal audit, management review, document control, corrective action) are already in place and the work concentrates on the 38 AI-specific Annex A controls and the AI Impact Assessment.

With an existing NIST AI Risk Management Framework or HITRUST AI Security Certification program, additional acceleration is possible because much of the AI-specific control content has already been implemented.

// THE NEXT MOVE

The AI procurement question is already on the questionnaire. Have an answer.

Book a 30-minute ISO 42001 strategy call with a WatchUr6 advisor. Bring the enterprise customer's AI governance ask, the EU market exposure, the competitive certification move, or the federal AI procurement trigger driving this — and any existing framework you run (ISO 27001, SOC 2, HITRUST AI Security, NIST AI RMF).

You'll walk away with a tactical read on AIMS scope (which AI systems certify first), realistic timeline (cold start vs ISO 27001 leverage), the AI Impact Assessment work that drives the engagement, and your crosswalk math from existing frameworks — whether you hire us or not.

Book an ISO 42001 Strategy Call