Short answer: 4-9 months, less if you already have ISO 27001
Most organizations reach ISO 42001 certification in 4 to 9 months from kickoff to certified. That range is wide for a reason: the lower end applies to teams that already hold ISO 27001 and have documented AI systems, and the upper end applies to organizations starting from scratch with no existing management system infrastructure.
If you are a CTO or AI product lead facing an enterprise RFP or a regulatory question about AI governance, this is the number to plan around. The rest of this post explains what drives the timeline and what you can do to stay closer to 4 months than 9.
What ISO 42001 actually requires
ISO 42001, published in December 2023, defines requirements for an AI Management System (AIMS). The AIMS is not a checklist of security controls. It is an organizational system for governing how you develop, deploy, and monitor AI systems over time.
The standard covers:
- An AI policy that articulates your organization's approach to responsible AI
- An AI system inventory with documented purpose, context of use, and risk level for each system
- An AI impact assessment process that evaluates effects on individuals and society, not just technical risk
- Controls for transparency, explainability, and human oversight appropriate to each system's risk level
- Bias and fairness considerations built into development and monitoring
- Roles, responsibilities, and competency requirements for people working on AI
- Incident management specific to AI failures, including unexpected model behavior
This is a management system standard in the ISO family (like 27001, 9001, 14001). Auditors look for evidence that your organization has systematic processes, not just that you passed a one-time technical test. Policies must be implemented. Risk assessments must be current. Records must exist.
How ISO 42001 differs from ISO 27001
ISO 27001 governs information security. ISO 42001 governs AI systems specifically. They share a structure (both use the ISO High Level Structure, which makes integration easier) but the content is different enough that 27001 does not substitute for 42001.
| Dimension | ISO 27001 | ISO 42001 |
|---|---|---|
| Management system | ISMS (Information Security Management System) | AIMS (AI Management System) |
| Primary risk focus | Confidentiality, integrity, availability of data | Fairness, transparency, human oversight, societal impact of AI systems |
| Risk assessment scope | Information assets and threats to them | AI systems, their outputs, and effects on people who interact with or are affected by them |
| Key control areas | Access control, cryptography, physical security, supplier management | AI impact assessment, human oversight, bias mitigation, transparency disclosures |
| Incident types | Data breaches, unauthorized access | Unexpected AI behavior, discriminatory outputs, model failures affecting users |
| Stakeholder consideration | Primarily internal and direct data subjects | Broader: individuals affected by AI decisions, potentially including third parties |
| Audit evidence | Logs, access reviews, vulnerability scans | Risk assessments, AI system documentation, bias testing records, oversight mechanisms |
The practical implication: if you already have ISO 27001, you know how to run a management system. That knowledge transfers. But you still need to build out AI-specific processes from scratch.
Where ISO 27001 holders get a head start
ISO 42001 references ISO 27001 Annex B controls directly. There is real and substantial overlap in areas like supplier management, asset management, information security in development, and incident management.
If your organization has ISO 27001, you likely already have:
- A functioning management system with documented policies, internal audits, and management reviews
- An asset inventory that can be extended to include AI systems
- Supplier assessment processes that cover AI vendors
- Incident response procedures you can extend to AI-specific failure modes
- A culture of documentation and evidence-keeping that auditors expect
Typical ISO 27001 holders reach ISO 42001 certification in 4 to 6 months. Organizations without any existing management system should plan for 7 to 9 months.
The gap analysis phase is also faster when you have 27001. You are mapping what you have against a new standard, not building from nothing.
Who is asking for ISO 42001 right now
Demand for ISO 42001 is growing, though it is still early relative to ISO 27001.
The EU AI Act is the primary driver. High-risk AI system providers operating in the EU need to demonstrate conformity with requirements that map closely to ISO 42001 controls. ISO 42001 is not mandatory for EU AI Act compliance, but certification gives you a structured, auditable evidence trail that regulators can review. Several conformity bodies are developing ISO 42001-aligned assessments as a practical path to EU AI Act readiness.
Beyond regulation, enterprise buyers in financial services and healthcare are already including ISO 42001 in vendor security questionnaires and RFPs. A bank deploying an AI-powered underwriting tool from a vendor wants evidence that the vendor has systematic AI governance, not just a policy document on a website. ISO 42001 certification is the clearest way to provide that evidence.
Government procurement in several markets (UK, Singapore, Canada) is moving in the same direction. Procurement guidelines that reference responsible AI standards are starting to cite ISO 42001 specifically.
If your target customers are enterprise or regulated, expect ISO 42001 to appear in sales conversations over the next 12 to 24 months at increasing frequency.
The 4 phases of ISO 42001 certification
Phase 1: Gap analysis (4-8 weeks)
Map your current state against each clause of ISO 42001. This produces a list of what you have, what you partially have, and what you are missing. The output is a remediation plan with owners and timelines.
For ISO 27001 holders, this phase moves faster because the management system infrastructure already exists. For others, this phase also reveals how much work building that infrastructure will require.
Phase 2: AIMS documentation (6-12 weeks)
Write and implement the policies, procedures, and records ISO 42001 requires. This includes your AI policy, AI system register, impact assessment methodology, transparency and disclosure procedures, human oversight procedures, and AI-specific incident response. Each document needs to be reviewed, approved, and operationalized, not just drafted.
This is typically the longest phase. Documentation work that looks straightforward on paper becomes slow when cross-functional input is required: engineering teams to describe how systems work, product teams to clarify intended use, legal to sign off on transparency disclosures.
Phase 3: AI system inventory and risk assessment (4-8 weeks, often parallel with phase 2)
Identify all AI systems your organization develops or deploys. For each one, document purpose, data inputs, affected populations, risk level, and existing controls. Run AI impact assessments for systems that affect individuals.
This phase raises scope questions worth settling early: does a rules-based recommendation engine qualify as an AI system under ISO 42001? (Often yes.) Does using a third-party LLM API count? (It depends on how you use it and what context you deploy it in.) Getting scope right before the audit avoids rework.
Phase 4: Certification audit (4-8 weeks)
The certification audit has two stages. Stage 1 is a documentation review: the auditor checks that your AIMS documentation is complete and meets the standard's requirements. Stage 2 is an implementation audit: the auditor interviews staff, samples records, and verifies that documented processes are actually running.
Between Stage 1 and Stage 2, you typically have 4 to 8 weeks to address any gaps the auditor identifies. Most organizations pass Stage 2 on the first attempt if the gap analysis and documentation phases were thorough.
Practical questions
Can we do ISO 42001 without ISO 27001?
Yes. ISO 42001 does not require ISO 27001 as a prerequisite. Organizations can pursue ISO 42001 independently. The tradeoff is that you will build management system infrastructure from scratch, which takes longer. If your organization handles sensitive data and you are also considering ISO 27001, doing them in sequence (27001 first, then 42001) typically takes less total time than doing them separately, because the management system work overlaps significantly.
How often does ISO 42001 need to be audited?
Like ISO 27001, ISO 42001 certification runs on a 3-year cycle. You receive certification after a successful initial audit, then undergo annual surveillance audits in years 1 and 2 to verify continued compliance, and a full recertification audit in year 3. Surveillance audits are lighter than the initial audit but do require current records and active processes.
Which certification bodies offer ISO 42001?
ISO 42001 certification is available through accredited certification bodies (CBs). BSI, Bureau Veritas, SGS, TUV Rheinland, and LRQA have all published ISO 42001 audit services. Choose a body that is accredited for ISO 42001 specifically (not just ISO 27001) and that has auditors with AI system experience. The accreditation body in your region (UKAS in the UK, DAkkS in Germany, ANAB in the US) maintains lists of accredited CBs.
What makes the difference between 4 months and 9
The clearest predictor of timeline is documentation readiness. Organizations that move quickly tend to have:
- An existing AI system inventory, even if informal
- Engineering and product teams that can respond quickly to documentation requests
- A compliance owner with dedicated time, not a fractional responsibility alongside a full engineering role
- Some prior experience with management system standards
pTrackly reduces the documentation and inventory phases by starting with automated discovery of AI systems across your stack and generating structured starting points for impact assessments and risk documentation. The gap analysis is faster because you begin with a mapped current state rather than a blank intake form.
If you are facing an enterprise deal that requires ISO 42001, the first question to answer is where your AI system inventory stands today. That single data point determines whether you are looking at 4 months or closer to 9.