ISO 42001 Audit Process: What to Expect at Each Stage
Selecting an accredited certification body
ISO 42001 certificates are only meaningful when issued by a certification body accredited for ISO 42001 by a national accreditation body (UKAS, DAkkS, COFRAC, Accredia, ENAC, ANAB). Accreditation for ISO 42001 is still maturing in 2026 — BSI, DNV, TÜV SÜD, LRQA and Bureau Veritas were among the first internationally accredited bodies. Always verify accreditation on the national accreditation body's public register before signing, because an unaccredited certificate has limited market value and will not be recognised in EU public procurement.
Pre-audit: gap analysis and readiness
Most first-time certifiers run an internal or third-party gap analysis 3-6 months before Stage 1. This is not an audit — it is a structured comparison of current evidence against ISO 42001 clauses and Annex A. A focused gap analysis takes 2-4 days and produces an action plan tied to specific evidence items. Skipping it almost always leads to nonconformities at Stage 2.
Stage 1: documentation review
Stage 1 is typically a one- to two-day audit, usually remote. The auditor reviews documented information to confirm the AIMS exists, is appropriate, and is ready for Stage 2. Evidence requested includes:
- Scope statement and stakeholder register.
- AI policy and supporting policies.
- Risk methodology and risk register.
- AI system inventory and impact assessments.
- Statement of Applicability and Annex A control list.
- Internal audit programme, latest internal audit report.
- Latest management review minutes.
- Competence matrix and training records.
Stage 1 ends with a written report listing any "areas of concern" — items that would be nonconformities at Stage 2 if not closed. There is usually a 4-8 week gap before Stage 2, during which the organisation closes the gaps.
Stage 2: operational audit
Stage 2 assesses whether the AIMS operates as documented. The auditor interviews control owners, samples specific AI systems and walks each through its impact assessment, lifecycle and monitoring evidence. Typical auditor day-counts by headcount, for Stage 1, Stage 2 and each annual surveillance audit:
| Headcount | Stage 1 | Stage 2 | Surveillance / year |
|---|---|---|---|
| ≤ 50 | 1 day | 3-4 days | 1-2 days |
| 51-250 | 1-2 days | 5-8 days | 2-3 days |
| 251-1,000 | 2 days | 10-15 days | 4-6 days |
Stage 2 is conducted on site for larger organisations or sensitive AI deployments and remotely for smaller ones. The closing meeting presents findings classified as major nonconformity, minor nonconformity, opportunity for improvement, or observation.
Major vs minor nonconformities
A major nonconformity is a systemic failure to meet a requirement — certification is withheld until it is closed and verified, typically requiring a follow-up audit within 90 days. A minor nonconformity is an isolated lapse — certification can still be granted, but the auditor verifies the corrective action at the next surveillance audit. Most well-prepared first audits result in a handful of minor nonconformities and no majors.
The most common nonconformities in 2026
- Incomplete AI inventory — production AI systems (often embedded in SaaS tools) missing from the inventory used to scope impact assessments.
- Impact assessments missing dimensions — fairness, environmental impact or foreseeable misuse not analysed.
- Generic AI policy — template wording without organisation-specific commitments, especially around third-party AI use.
- Weak third-party AI evidence — supplier due diligence not covering AI features in vendor SaaS.
- Management review without AI items — AI rolled into security review minutes without distinct agenda items or actions.
- Competence matrix gaps — AI-specific roles in product and data science not mapped to AIMS responsibilities.
Surveillance audits
Surveillance audits in years two and three sample a subset of the management system. The scope is set by the certification body and usually covers: corrective actions for any nonconformities raised at the previous audit, a rotating sample of Annex A controls, changes to the scope or AI portfolio since the last audit, and verification that internal audit and management review continued on schedule.
Recertification
A full recertification audit in year four issues a new three-year certificate. Recertification is typically 60-80% of the duration of the original Stage 1 + Stage 2 and focuses on the continued effectiveness of the AIMS, particularly the impact of any scope or AI portfolio changes since initial certification.
How to prepare for the audit
- Maintain a current AI inventory linked to impact assessments — auditors trace from inventory to evidence.
- Run an internal audit covering every clause and a sample of Annex A controls at least 60 days before Stage 2.
- Hold a dedicated AI management review with documented decisions and actions before Stage 2.
- Brief control owners on what to expect — most nonconformities come from interview gaps, not document gaps.
- Use a compliance automation platform to keep evidence current and timestamped. See our best ISO 42001 software list for current options.
How long the whole process takes
From the start of implementation to a granted certificate, typical timings are: 3-5 months for organisations with an existing ISO 27001 programme, 6-9 months for a first-time ISO certifier. Add 60-90 days for closure of any major nonconformities raised at Stage 2.