Certification Preparation & Audit Readiness Guide (EU/UK aligned)

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 08 Nov 2025 • www.zenaigovernance.com

Certification Preparation & Audit Readiness Guide (ISO/IEC 42001:2023)

Key takeaways
  • Certification validates that your AIMS is not just documented but implemented and effective.
  • Auditors look for evidence of practice — policies + records + interviews + improvement actions.
  • Prepare a Readiness Matrix mapping ISO 42001 clauses to documents & evidence links.

Overview & purpose

ISO/IEC 42001 certification confirms that your AI Management System meets international requirements for governance, risk management, oversight, transparency, and continual improvement. The goal is to demonstrate competence, accountability, and operational control across the AI lifecycle — from data acquisition to decommissioning.

Certification stages (Stage 1 & 2)

  • Stage 1 (Document Review): Auditor examines policies, manuals, procedures, and records to confirm readiness for Stage 2.
  • Stage 2 (Implementation Audit): Auditor verifies the AIMS is implemented effectively through interviews, observations, and sampling of evidence.
  • Outcome: Nonconformities (NCs) graded as major/minor; corrective actions must be verified before certification issuance.

Readiness assessment process

  1. Perform a gap assessment against ISO 42001 clause requirements.
  2. Develop an action plan to address missing controls or evidence.
  3. Assign owners and timelines for each clause gap.
  4. Validate that key records (risk register, incident logs, training records, corrective and preventive action (CAPA) register, audits) exist and are complete.
  5. Run a mock audit to simulate Stage 1 and Stage 2 questioning.

Documentation & evidence pack

Prepare an evidence pack covering each ISO 42001 clause and sub-clause. It should include:

  • Policies & manuals: AIMS manual, AI Policy Suite, Risk Policy, Supplier Policy, Oversight Policy.
  • Procedures & records: incident logs, training records, audit reports, CAPA register.
  • Evidence samples: screenshots, metrics, meeting minutes, KPI dashboards.
  • Mapping Matrix: Clause → Document → Evidence → Owner → Date.

Interviews & auditor engagement

  • Prepare staff: brief them on their roles and how they demonstrate control in practice.
  • Answer factually: avoid “we plan to…” — show “we do this and here’s the record”.
  • Be transparent: acknowledge gaps and show CAPA progress plans.
  • Maintain tone: collaborative and professional — auditors verify evidence; they do not judge intent.

Handling findings & NCs

  • Major NC: Systemic failure or absence of control — requires corrective action and verification before certification.
  • Minor NC: Isolated issue — document CAPA within 30 days.
  • Observation: potential improvement — track to completion via CAPA log.
  • Evidence: retain auditor notes and updated records as proof of closure.

Timeline & responsibilities

  • – 3 months: Gap assessment and CAPA execution.
  • – 1 month: Mock audit & evidence validation.
  • Stage 1: Document review (2–3 days).
  • Stage 2: Implementation audit (3–5 days).
  • + 2 weeks: NC closure & certificate issuance.

Tools & templates

Template — Readiness Matrix
Clause | Requirement | Evidence | Owner | Status | Remarks
4.1 | Context of the organisation | AIMS Manual v3 | AIMS Mgr | ✓ | Updated Oct 2025
6.1 | Risk management | Risk Register | Risk Lead | ✓ | Aligned to EU AI Act Annex III
8.2 | Operational controls | Oversight Policy | Ops Lead | ⚠ | Minor update due Dec 2025
9.1 | Monitoring & measurement | KPI Dashboard | AIMS Mgr | ✓ | Live data feeds
  

Audit evidence mapping matrix

  • Link each clause to document and record evidence.
  • Include live links to storage locations (e.g., Zoho WorkDrive, SharePoint).
  • Keep snapshot PDFs for auditor reference.
  • Version control evidence — avoid last-minute updates without sign-off.

KPIs for readiness

  • Gap closure rate (% completed vs planned).
  • Evidence availability (% of clauses with validated evidence).
  • Mock audit score (% compliant findings).
  • NC closure time (days from finding to verification).

Common pitfalls & mitigation

  • Evidence not traceable: use Readiness Matrix with live links and version control.
  • People unprepared: run mock interviews with role owners and auditors.
  • Unclosed CAPA: maintain CAPA tracker with verifiable closure proof.
  • Scope creep: freeze audit scope 30 days before Stage 1.

Implementation checklist

  • Gap assessment and CAPA completed.
  • Evidence pack and Readiness Matrix finalised.
  • Mock audit passed and staff briefed.
  • Audit plan and agenda agreed with certification body.
  • Records stored and backed up in immutable format.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 08 Nov 2025 • This page is general guidance, not legal advice.
