ISO 42001 Gap Assessment: Method, Checklist and Report
What a gap assessment is — and is not
A gap assessment compares your current practice against ISO/IEC 42001 requirements and identifies the work needed to certify. It is not a certification audit, a pre-assessment by the certification body, or a recommendation that you adopt every Annex A control. It is a structured stocktake done before you commit budget to implementation.
When to run one
Run a gap assessment in the first month of any serious ISO 42001 project, and run one again 6-8 weeks before Stage 1 as a final readiness check. Some organisations run a third internal gap-style review after major scope changes (new AI system, new entity, new high-risk classification).
Step 1 — Confirm scope
Agree the AI systems, sites and entities that the gap assessment covers. A common mistake is assessing one product line and then certifying a different one — the gap report becomes irrelevant. The scope should match the planned certification scope.
Step 2 — Walk the clauses (4-10)
One short workshop per clause with the relevant function owners. Suggested attendees and question prompts:
- Clause 4 (Context) — Compliance, AI lead. Do we have a documented scope, stakeholder register, and list of relevant requirements?
- Clause 5 (Leadership) — Executive sponsor. Is the AI policy approved, signed and reviewed? Are roles allocated?
- Clause 6 (Planning) — Risk, AI lead. Is there an AI risk methodology and a risk register linked to AI objectives?
- Clause 7 (Support) — HR, IT. Do we have a competence matrix for AI roles, awareness training, and documented information control?
- Clause 8 (Operation) — Product, ML, procurement. AI inventory, impact assessments, lifecycle controls, third-party AI evidence.
- Clause 9 (Performance) — Compliance. Internal audit programme, measurement plan, management review minutes.
- Clause 10 (Improvement) — Compliance. CAPA log with root-cause analysis and verified closure.
Step 3 — Score Annex A
For each of the 39 Annex A controls record: in place, partial, missing, or not applicable. For partial and missing, write a one-line description of the gap and the evidence required. See the full Annex A control reference.
Step 4 — Draft the report
The gap report should contain:
- Scope of the assessment and date.
- Summary heat-map of clause and Annex A status.
- Numbered findings, each tied to a specific evidence item with owner, effort estimate and target date.
- Recommended sequencing across the implementation roadmap.
- Top risks to certification timeline.
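Steps 3 and 4 amount to a small data-processing exercise: a scored control register feeds the heat-map, the numbered findings and the timeline-risk list. The script below is an added example (not part of this article and not a tool from any certification body) that models that flow in Python. The control identifiers, areas, owners and dates are constructed placeholders, not the real Annex A numbering, and the six-week risk buffer is an assumption that mirrors the readiness re-check timing described above.

```python
"""Score Annex A-style controls, build the heat-map and emit numbered findings."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STATUSES = ("in place", "partial", "missing", "not applicable")
OPEN = ("partial", "missing")  # statuses that become findings


@dataclass
class ControlScore:
    """One row of the scoring sheet (ids here are placeholders, not Annex A refs)."""
    control_id: str
    area: str                  # grouping used for the heat-map rows
    status: str
    gap: str = ""              # one-line gap description (partial/missing only)
    evidence: str = ""         # evidence an auditor would need to see
    owner: str = ""
    effort_days: int = 0
    target: Optional[date] = None

    def __post_init__(self) -> None:
        if self.status not in STATUSES:
            raise ValueError(f"{self.control_id}: unknown status {self.status!r}")
        if self.status in OPEN and not (self.gap and self.evidence):
            raise ValueError(f"{self.control_id}: partial/missing needs gap and evidence")


def heat_map(scores):
    """Per-area status counts plus a readiness ratio (in place / applicable)."""
    rows = {}
    for s in scores:
        rows.setdefault(s.area, Counter())[s.status] += 1
    result = {}
    for area, counts in rows.items():
        applicable = sum(counts.values()) - counts["not applicable"]
        ready = counts["in place"] / applicable if applicable else 1.0
        result[area] = {"counts": dict(counts), "readiness": round(ready, 2)}
    return result


def findings(scores):
    """Numbered findings: every open control, earliest target date first.

    Each finding must carry owner, effort and target date, as the report format requires.
    """
    open_items = [s for s in scores if s.status in OPEN]
    for s in open_items:
        if not (s.owner and s.effort_days > 0 and s.target):
            raise ValueError(f"{s.control_id}: finding lacks owner/effort/target")
    open_items.sort(key=lambda s: (s.target, s.control_id))
    return [
        {"no": i, "control": s.control_id, "status": s.status, "gap": s.gap,
         "evidence": s.evidence, "owner": s.owner,
         "effort_days": s.effort_days, "target": s.target.isoformat()}
        for i, s in enumerate(open_items, start=1)
    ]


def timeline_risks(scores, stage1, buffer_weeks=6):
    """Open controls whose target date lands inside the readiness window before Stage 1.

    The six-week buffer is an assumption based on the 6-8 week readiness re-check.
    """
    cutoff = stage1 - timedelta(weeks=buffer_weeks)
    return [s.control_id for s in scores
            if s.status in OPEN and s.target and s.target > cutoff]


# Constructed sample register: placeholder ids, owners and dates.
SAMPLE = [
    ControlScore("CTRL-01", "Governance", "in place"),
    ControlScore("CTRL-02", "Governance", "partial",
                 gap="AI policy drafted but not board-approved",
                 evidence="Signed policy with review date",
                 owner="Exec sponsor", effort_days=2, target=date(2026, 3, 15)),
    ControlScore("CTRL-03", "Impact assessment", "missing",
                 gap="No impact assessment process defined",
                 evidence="Approved procedure plus one completed assessment",
                 owner="AI lead", effort_days=10, target=date(2026, 5, 20)),
    ControlScore("CTRL-04", "Impact assessment", "not applicable"),
    ControlScore("CTRL-05", "Third parties", "partial",
                 gap="Supplier AI clauses missing for two vendors",
                 evidence="Updated contracts or documented risk acceptance",
                 owner="Procurement", effort_days=5, target=date(2026, 4, 1)),
    ControlScore("CTRL-06", "Third parties", "in place"),
]
STAGE1 = date(2026, 6, 1)  # constructed planned Stage 1 date

if __name__ == "__main__":
    for area, row in heat_map(SAMPLE).items():
        print(f"{area:<20} readiness={row['readiness']:.0%} {row['counts']}")
    for f in findings(SAMPLE):
        print(f"#{f['no']} {f['control']} [{f['status']}] {f['owner']} by {f['target']}: {f['gap']}")
    print("timeline risks:", timeline_risks(SAMPLE, STAGE1))
```

The validation in `__post_init__` and `findings` enforces the report format: a partial or missing control cannot be recorded without a gap statement and the evidence needed to close it, and no finding reaches the report without an owner, effort estimate and target date.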
Step 5 — Validate with management
Sign-off by the executive sponsor turns the gap report into the implementation plan against which budget and timeline are agreed. Without sign-off the report quietly slips and the implementation drifts.
Who should run it?
Either an internal ISO-experienced lead, or an external consultant familiar with ISO 42001 specifically (not just ISO 27001). External rates for a 2-4 day engagement in 2026 typically sit at €4,000-€10,000. Internal-only is feasible but takes longer and risks missing AI-specific evidence patterns auditors expect.
What you should have at the end
- A scored gap report covering clauses 4-10 and all 39 Annex A controls.
- An implementation backlog with owners and target dates.
- An indicative budget for software, consulting and audit fees.
- A go/no-go decision from the executive sponsor.