Last reviewed: May 2026 · 12 min read

ISO 42001 Implementation Guide: A 9-Step Roadmap

Step 1 — Define the scope (week 1-2)

Scope determines audit cost, complexity and risk. A narrow first scope — one product line, one legal entity — usually beats a broad scope you cannot evidence well. Deliverable: a scope statement listing the AI systems, sites, entities and processes included; a stakeholder register; and a list of out-of-scope items.

Step 2 — Run a gap analysis (week 2-4)

Map current practice against clauses 4-10 and Annex A. Most first-time gap analyses surface gaps in impact assessment, AI inventory, third-party AI evidence, and management review cadence. Deliverable: a gap report tied to specific evidence items with owner and due date. See our gap assessment guide.

Step 3 — Build the AI inventory (week 3-6)

The AI inventory is the spine of the AIMS — every other control points back to it. Include in-house AI systems, embedded AI in commercial SaaS, and AI components used by integrators on your behalf. For each: purpose, owner, risk classification, training data overview, human oversight model, and the impact assessment status.

[Image: Vanta homepage with ISO 42001 framework and control mapping]
Vanta and similar platforms turn the AI inventory into a structured record with control mappings — useful glue between Step 3 and Step 5. Source: vanta.com (captured May 2026)

Step 4 — Run impact assessments (week 5-12)

Complete an AI system impact assessment for every system in scope. This is the most time-consuming step and the one auditors scrutinise most closely. Use a documented methodology; cover intended use, foreseeable misuse, affected groups, harms across fairness, safety, privacy, security and environment, residual risk, and ownership. Deliverable: an impact assessment per system with named approver and review date.

Step 5 — Implement Annex A controls (week 6-16)

Apply the Annex A controls selected through the risk assessment. Build a Statement of Applicability (SoA) that records every control as applied or excluded, with a justification and an evidence pointer for each.

Step 6 — Run internal audit (week 16-20)

Internal audit must cover every clause and a sample of Annex A controls, and must be conducted by a competent and impartial auditor (internal or external). Deliverable: internal audit programme, audit reports, and a CAPA (corrective and preventive action) log of nonconformities with their corrective actions.

Step 7 — Hold a management review (week 20-22)

Hold a dated management review with documented inputs (audit results, performance, changes, opportunities) and outputs (decisions and actions). Auditors look for a distinct AI agenda item — not AI rolled into a generic security review.

Step 8 — Stage 1 audit (week 22-26)

External documentation review by the certification body, usually remote, 1-2 days. The auditor reviews the SoA, policy, risk methodology, inventory, internal audit and management review evidence. Areas of concern are closed in a 4-8 week gap before Stage 2.

Step 9 — Stage 2 audit (week 26-32)

External operational audit: interviews with control owners, walkthroughs of sampled AI systems, and verification of evidence. The certificate is issued once corrective action plans for any minor nonconformities have been accepted. See the full audit process guide.

Common pitfalls

  • Skipping the gap analysis. It always surfaces expensive surprises late.
  • Treating AI inventory as a one-off list. It must be maintained continuously.
  • Generic impact assessments. Each AI system needs substantive, system-specific analysis.
  • Internal audit by the same team that built the AIMS. Impartiality is required.
  • Holding management review the week before Stage 1. Auditors want to see an established cadence.
