You implement ISO 42001 by scoping your AI management system, running a gap analysis against the standard, inventorying your AI and assessing its impact, then building the policy, roles and lifecycle controls. An internal audit tests the system before an accredited body runs Stage 1 and Stage 2 audits to certify it.
How do you scope ISO 42001 and define the context of the organisation?
Implementation starts at Clause 4: context of the organisation. You decide which AI systems, services, teams and locations the management system covers, and you write that scope down. A focused scope built around your most significant AI systems is easier to implement and audit than one that tries to cover every AI tool in the business on day one.
Context also means identifying the interested parties who care about your AI, customers, regulators, employees and the people your AI affects, and understanding what they expect. This is also where you set your role under the standard: whether you develop AI, provide it, or use a third party’s. That role shapes which obligations and controls apply. For the full picture of the standard itself, see our guide to what ISO 42001 is.
What does a gap analysis involve?
A gap analysis measures your current AI governance against the requirements of ISO 42001. You work through Clauses 4 to 10 and the Annex A controls, recording what you already do, what you do informally, and what is missing. The output is a clear list of gaps and the work needed to close them.
Map the analysis directly to the standard’s clauses and controls so nothing is overlooked, and be honest about the difference between a policy that exists on paper and a control that actually operates. The gap analysis becomes the basis for your implementation plan, so the more precise it is, the less rework you face later.
How do you build an AI inventory and run impact assessments?
You cannot govern AI you have not catalogued. Build an inventory of the AI systems in scope: what each one does, the data it uses, who owns it, and whether you built it or sourced it. The inventory is the foundation for every later decision about risk, controls and oversight.
For each system you then run two assessments. A risk assessment looks at the risk to your organisation. The AI system impact assessment, the requirement that sets ISO 42001 apart from other management standards, looks outward at how the AI affects individuals, groups and wider society, covering fairness, safety, transparency and the consequences of an automated decision going wrong. You document the impacts, decide what to do about them, and revisit the assessment as the system changes. For most teams this is the part of implementation that takes the most thought.
How do you build the AIMS: policy, roles, lifecycle controls and the Statement of Applicability?
With the gaps known and the AI assessed, you build the management system itself. Start with an AI policy that states your organisation’s commitments and principles for responsible AI. Keep it concise and aligned with how the business actually works; detailed procedures live in supporting documents, not the policy.
Next, assign roles and responsibilities so there is clear ownership of AI governance, and integrate that oversight into your existing structures rather than building a separate governance layer. Then design controls across the AI lifecycle, from data and development through deployment, monitoring and retirement, plus the controls covering suppliers of third-party AI. Train the people involved so they understand their part in running the system.
Annex A of ISO 42001 contains 38 controls grouped under control objectives such as AI policy, internal roles, the AI lifecycle, data for AI and information for interested parties. You select the controls that apply to your scope, justify each inclusion or exclusion, and record those decisions in a Statement of Applicability, the same mechanism ISO 27001 uses. The Statement of Applicability is the document that ties your risk and impact assessments to the controls you have implemented.
Why do you need an internal audit before certification?
ISO 42001 requires you to run an internal audit and a management review before you seek certification. The internal audit tests whether the management system you have built actually works in practice and meets the requirements of the standard. It is your chance to find and fix problems before a certification body does.
The audit must be independent of the work it examines, which is why many teams bring in an external auditor rather than have the people who built the system audit their own work. A management review then puts the results in front of leadership so they can make the strategic decisions the standard expects of them. Our ISO 42001 internal audit service gives teams an independent audit that certification bodies accept.
How does the certification audit work, Stage 1 and Stage 2?
Certification is carried out by an accredited certification body, independent of the consultancy that helps you implement. It happens in two stages. Stage 1 is a review of your documentation: the auditor checks that your management system, scope, policy, assessments and Statement of Applicability are in place and that you are ready for the next stage.
Stage 2 examines how the system works in practice. The auditor gathers evidence that your controls operate, interviews people and tests whether the AIMS does what your documents say. Pass both stages and you receive your certificate, which is then maintained through annual surveillance audits over a three-year cycle. Keep communication with the certification body open and answer questions directly; it makes for a smoother audit.
How long does ISO 42001 implementation take by company size?
There is no single timeline, and the honest answer is that it depends on where you start. The biggest factor is how much of a management system you already have. A company that already holds ISO 27001 has the clause structure, risk process and audit habits in place and can move faster. A company starting from nothing needs longer to build and embed the controls before an audit is worthwhile.
Size and complexity matter too. A small team with one or two AI systems in scope has far less to assess and document than a larger organisation running several systems across different functions. The amount of internal time the project gets, and how decisively leadership supports it, often makes more difference to the timeline than headcount alone.
What drives the cost of ISO 42001 implementation?
There is no fixed price for ISO 42001, and any single figure quoted online is misleading. The cost is driven by a handful of factors: the size of your organisation, the number and complexity of the AI systems in scope, how mature your existing governance is, whether you already hold a related ISO certification, and the certification body’s own audit fees, which are separate from any implementation support.
The single largest variable is usually internal effort: the hours your own team spends building and documenting the system. Holding ISO 27001 reduces that effort because the management-system foundations are already there, which is why companies adding ISO 42001 onto an existing ISO 27001 system generally reach certification with less work than those starting fresh. A fixed-scope engagement is designed to cut the internal-effort variable, which is the one most likely to overrun.
How Atoro helps
Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered across security and compliance. We run the same AI management system we help clients build, so the guidance comes from having been through the audit ourselves, not from theory. We offer ISO 42001 implementation on a fixed scope, and independent ISO 42001 internal audits for teams who have built the system and need it tested before certification.
ISO 42001 implementation FAQs
What are the steps to implement ISO 42001?
Scope the AI management system and set its context, run a gap analysis against the standard, build an AI inventory and run risk and impact assessments, then build the policy, roles, lifecycle controls and Statement of Applicability. Test the system with an internal audit, then have an accredited body run Stage 1 and Stage 2 certification audits.
How long does ISO 42001 implementation take?
It depends on how much management system you already have. A company holding ISO 27001 can move faster because the clause structure and risk process are already in place; one starting from nothing needs time to build and embed controls before the Stage 1 and Stage 2 audits are worthwhile. Size, the number of AI systems in scope and the internal time available all affect the timeline.
What is the AI system impact assessment?
The AI system impact assessment is the requirement that sets ISO 42001 apart. Beyond assessing risk to the organisation, you assess how your AI affects individuals, groups and wider society, covering fairness, safety, transparency and the consequences of an automated decision going wrong. You document the impacts, decide how to address them, and revisit the assessment as the system changes.
What is the Statement of Applicability in ISO 42001?
The Statement of Applicability records which of the 38 Annex A controls you have selected, justifies each inclusion or exclusion, and links those controls to your risk and impact assessments. It uses the same mechanism as ISO 27001 and is one of the core documents a certification body reviews.
Do you need an internal audit before ISO 42001 certification?
Yes. ISO 42001 requires an internal audit and a management review before certification. The internal audit tests whether your management system works in practice and lets you fix problems before the certification body does. It must be independent of the work it examines, so many teams use an external auditor.
What is the difference between Stage 1 and Stage 2 audits?
Stage 1 is a review of your documentation, where the certification body checks that your management system, scope, policy, assessments and Statement of Applicability are in place and ready. Stage 2 examines how the system works in practice, gathering evidence that the controls operate. Passing both leads to certification, maintained by annual surveillance audits over a three-year cycle.
Does holding ISO 27001 make ISO 42001 implementation easier?
Yes. ISO 42001 shares its clause structure with ISO 27001 and uses the same Statement of Applicability mechanism, so a company that already holds ISO 27001 has the management-system foundations, risk process and audit habits in place. That generally means less internal effort and a faster route to certification than starting from nothing.
What does ISO 42001 implementation cost?
There is no fixed price. Cost is driven by the size of your organisation, the number and complexity of the AI systems in scope, how mature your existing governance is, whether you already hold a related ISO certification, and the certification body’s audit fees. The largest variable is usually internal effort, which a fixed-scope engagement is designed to reduce.