ISO 42001 Certification: Process and Effort
ISO 42001 certification confirms, through an accredited body, that an organisation's AI management system (AIMS) meets the requirements of ISO/IEC 42001:2023. The process comprises a gap analysis, AIMS implementation, internal audit, management review and a two-stage external audit (Stage 1 and Stage 2). The certificate is valid for three years.
Key Takeaways
- ISO 42001 certification runs in two external stages: Stage 1 (documentation review, 1-3 days) and Stage 2 (operational main audit, 3-10 days) conducted by an accredited body in accordance with ISO/IEC 17021-1 and ISO/IEC 42006:2025.
- The certificate is valid for three years, with annual surveillance audits and a re-certification audit at the end of the cycle - the same cadence as ISO 27001.
- The overall duration from project start to certificate is typically 6-12 months with an existing ISMS/QMS and 9-18 months when starting from scratch.
- What is certified is the management system (AIMS), not an individual AI system - the phrasing 'our AI is ISO 42001 certified' is misleading.
- For DACH mid-market deployers (500-2,000 employees), total costs typically range from EUR 50k-150k (as of 2026), with consulting and implementation forming the largest item, not the audit fees.
- Before the Stage 2 audit, 3-6 months of operational evidence as well as at least one full internal audit cycle are expected.
ISO 42001 certification is the evidence that an organisation operates an effective AI management system (Artificial Intelligence Management System, AIMS; in German KI-Managementsystem, KIMS) in accordance with ISO/IEC 42001:2023. An accredited certification body assesses, in a two-stage audit, whether the policies, processes, roles, and risk and impact assessments meet the standard's requirements. The certificate is valid for three years.
Important upfront: what is certified is the management system, not an individual AI system or model. The widespread statement "our AI is ISO 42001 certified" is oversimplified to the point of being misleading. The correct phrasing is: "Organisation X's AIMS is certified to ISO/IEC 42001:2023, with scope Y (per Statement of Applicability version Z)."
Three quick answers:
- Process: gap analysis → AIMS implementation (policy, risk and impact assessment, Annex A controls) → operation with evidence → internal audit + management review → external Stage 1 and Stage 2 audit → certificate (3 years).
- Duration: 6-12 months with an existing ISO 27001/9001, 9-18 months when starting from scratch. External Stage 1: 1-3 days, Stage 2: 3-10 days.
- Effort: EUR 50k-150k for a DACH mid-market deployer (500-2,000 employees, as of 2026); consulting and implementation are the largest item, not the audit fees.
The certification process in detail
ISO/IEC 42001:2023 follows the Annex SL high-level structure like ISO 9001, ISO 14001 and ISO/IEC 27001. Certification is carried out by an accredited certification body (CB), which works in accordance with ISO/IEC 17021-1 and, since 2025, the AI-specific supplement ISO/IEC 42006:2025. The process is divided into an organisation-side preparation phase and the external audit.
1. Gap analysis (readiness assessment)
The starting point is a target/actual comparison of the current state against the normative clauses 4 to 10 and Annex A. In doing so, the AI inventory (agent/AI register) is built or updated, all in-scope AI systems are risk-classified, and a gap report with severity levels and accountable owners is produced. This step typically takes 4-8 weeks.
2. AIMS implementation
This is where the substance is created. At the core is the AI policy approved by top management (Clause 5.2 / Annex A.2.3), supplemented by five to seven supporting procedures: AI risk management, AI impact assessment, AI lifecycle, data governance for AI, supplier procedures, and AI incident response. In parallel, the applicable Annex A controls (9 control areas, 38 controls) are implemented operationally - with particular focus for agent operators on A.4 (AI register), A.5 (impact assessment), A.6.2.8 (event logging), A.7 (data provenance) and A.10 (suppliers). The conclusion is the Statement of Applicability (SoA), which designates each Annex A control as "applicable" or "not applicable" with a risk-based justification. The SoA is the most-reviewed document in the audit; its version and date are referenced on the certificate (for example, SAP SE: SoA v1.4 of 28 July 2025).
3. Operation
The AIMS must be running, not merely documented. Before the external Stage 2 audit, 3-6 months of operational evidence are expected: monitoring analyses, incident logs, change and training records, supplier assessments. The most common Stage 1 finding is "documentation without operation" - nice documents, but no operational evidence.
4. Internal audit and management review
Clause 9.2 requires a risk-based internal audit covering all clauses and applicable Annex A controls. At least one full internal audit cycle is expected before the external Stage 2 audit; the internal auditors must be independent of the activities being audited. Subsequently, top management conducts the management review under Clause 9.3 - with mandatory inputs (audit results, nonconformities, achievement of objectives, customer feedback) and mandatory outputs (decisions on improvement, change, resources). The minutes are themselves audit evidence.
5. External Stage 1 audit
The certification body assesses, predominantly document-based, whether the AIMS documentation (scope, policy, objectives, SoA, risk methodology, impact assessment process, internal audit, management review) is in place and whether the organisation is mature enough for Stage 2. Duration in the mid-market: 1-3 days. Findings are usually addressed within a few days; larger gaps postpone Stage 2.
6. External Stage 2 audit (main audit)
The operational audit takes place on-site or hybrid. The auditor takes samples per SoA line, interviews control owners (top management, AI officer, system owners, data stewards, MLOps lead, data protection officer, CISO) and assesses whether the AIMS is working effectively. Duration: 3-10 days, scaling with size, scope complexity and the number of AI systems. Findings are classified as major nonconformities (to be closed before certification, typically within 90 days), minor nonconformities (corrective action plan after the audit) and opportunities for improvement (OFIs).
7. Certification decision
A reviewer at the certification body, independent of the lead auditors, decides on certification. Validity is three years.
8. Surveillance audits and re-certification
Annual surveillance audits assess, with a narrower scope, key controls, changes since the last audit, achievement of objectives and corrective action progress (typically 1-4 days). At the end of the three-year cycle comes the re-certification audit, comparable to the original Stage 2, but with credit given for the AIMS history.
Table: phases, content, duration
| Phase | Content | Duration |
|---|---|---|
| Sponsor & scope | Budget, project team, scope statement, steering committee | 2-4 weeks |
| Gap analysis | Target/actual comparison of clauses 4-10 + Annex A, AI inventory, risk classification | 4-8 weeks |
| Policy stack | AI policy + 5-7 procedures, integration into ISMS/QMS | 4-8 weeks |
| Risk & impact assessment | Methodology, templates (ISO 42005 / DPIA / FRIA), initial assessments | 4-8 weeks |
| Annex A controls | Building the documents and practices per applicable control | 8-24 weeks |
| SoA finalisation | Each control applicable/n/a with justification, top management approval | 2-4 weeks |
| Operation | Generate operational evidence (monitoring, incidents, training) | min. 3-6 months |
| Internal audit | Full audit cycle, corrective actions | 2-4 weeks |
| Management review | Review under Cl. 9.3, documented decisions | approx. 1 week |
| Stage 1 audit (external) | Documentation review by CB | 1-3 days |
| Stage 2 audit (external) | Operational main audit, certification decision | 3-10 days |
Observed distribution of effort across the clauses: Clause 6 + Clause 8 + Annex A (risk, impact and operational core) account for around 60 per cent, clauses 4 + 5 about 15 per cent, Clause 7 around 10 per cent, clauses 9 + 10 about 15 per cent.
Effort, costs and roles
The cost range depends heavily on the starting position and scope. The following figures (as of 2026, consolidated from Schellman, BSI Group, A-LIGN, DNV, Vanta, reconn.io and the Modulos case study, in EUR for the DACH region) are indicative values:
| Segment | Total costs (consulting + audit + internal) | Typical duration |
|---|---|---|
| Small AI provider / startup, narrow scope | EUR 30k-80k | 4-9 months |
| DACH mid-market deployer (500-2,000 employees) | EUR 50k-150k | 9-12 months |
| DACH large enterprise with mature ISMS (≥2,000 employees) | EUR 200k-500k | 12-18 months |
| DACH AI provider (certificate as differentiation) | EUR 150k-400k | 9-15 months |
| Largest enterprise programmes, broad scope | up to EUR 1m+ | 12-24 months |
Pure external audit fees (Stage 1 + Stage 2) are around EUR 20k-60k in the mid-market and EUR 50k-150k+ at large enterprises; each annual surveillance audit adds roughly 25-40 per cent of that initial audit fee. The largest single item is usually consulting (gap analysis, AIMS implementation, internal audit).
Roles: the central function is the AIMS manager or AI officer as project lead. ISO 42001 does not prescribe a single "AI officer" title; in mid-market DACH organisations, the role is frequently combined with the CISO or data protection officer. Also involved are top management (accountability, approval of policy and SoA), MLOps lead, product owners of the AI systems, procurement (suppliers, A.10.3) and HR/training (competence under Cl. 7.2).
A concrete example: a mid-market deployer
A DACH mid-market company with 800 employees, an existing ISO 9001 but no ISMS, operates five AI applications (customer service agent, knowledge assistant, sales copilot, internal search, HR document agent). With a total budget of around EUR 100k, the effort typically breaks down as follows:
- Gap analysis: 10 % (EUR 10k)
- Policy and process implementation: 25 % (EUR 25k)
- Annex A implementation (operational): 35 % (EUR 35k)
- Internal audit + remediation: 10 % (EUR 10k)
- External audit fees: 15 % (EUR 15k)
- Buffer: 5 % (EUR 5k)
Recommendation for the first certification: choose a narrow scope ("operation of AI agents for [defined feature set]") and expand at re-certification. An upward outlier in terms of speed is the case of Xayn (Germany), which was reportedly certified by SGS in around four weeks - although only because the AIMS substance (policies, risk register, lifecycle review, monitoring) was already largely in place before project start.
Accredited bodies in the DACH region
In the DACH region, active bodies include TÜV SÜD (first European ISO 42001 certificate, Unique AG, April 2025), TÜV Rheinland, TÜV Austria with its TRUSTIFAI division, TÜV Nord, DEKRA, DQS, BSI Group and SGS (first German certificate, Xayn). Accreditation bodies are DAkkS (Germany), Akkreditierung Austria (Austria) and SAS (Switzerland), cross-recognised via the IAF MLA. A note on due diligence: a body advertising "ISO 42001 certification" should be able to demonstrate the specific accreditation scope and alignment with ISO/IEC 42006:2025 - as of 2026, accreditation is not yet uniform, and some CBs are operating under transitional schemes.
A discreet note: this article is professional orientation and not legal advice. Legal terms, article numbers and deadlines (for example, relating to the EU AI Act, the GDPR data protection impact assessment, or the fundamental rights impact assessment) should be reviewed with qualified legal advice in the specific case.
For agencies and B2B decision-makers
For marketing agencies and B2B service providers that operate AI agents for clients, ISO 42001 certification is increasingly becoming a sales argument: the certificate replaces parts of the supplier questionnaires of large enterprise clients and shortens sales cycles. Those who certify a narrow, well-documented scope early on create an auditable governance foundation that can be expanded later. Blck Alpaca supports DACH companies with gap analysis, AIMS implementation and audit preparation - factual, evidence-oriented and focused on the real effort rather than mere document polishing.