Frequently asked questions

Everything you need to know about ISO 42001

Reviewed by the ISO42k editorial team — compliance and AI governance professionals
Costs vary by organization size, scope, and complexity. The ISO standard document itself costs approximately $250 from ISO. For a small to mid-size company, expect $40,000–$100,000 total including consulting, internal preparation, and certification audit fees. Audit fees alone (paid to the registrar) are typically $15,000–$50,000. Larger enterprises with complex AI systems may invest $150,000+. Annual surveillance audits cost about 25–40% of initial certification fees.[1]
Most organizations achieve certification in 6 to 12 months starting from scratch. Companies with existing ISO 27001 can move faster (4–6 months) because both standards share the Harmonized Structure (formerly Annex SL), so much of the groundwork carries over. Small, focused organizations have achieved certification in as little as 3–4 months. The audit itself takes 1–2 days (Stage 1) plus 3–9+ days (Stage 2).[1][2]
No. ISO 42001 is a voluntary international standard. However, it's rapidly becoming a de facto requirement in enterprise procurement, government contracts, and regulated industries. US federal agencies and enterprise buyers are increasingly incorporating AI governance standards into procurement requirements, and state-level AI laws (Colorado, Illinois, Texas, California, New York) are raising the compliance bar.[1][3]
ISO 27001 focuses on information security management. SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy. ISO 42001 specifically addresses AI governance — covering AI-unique risks like bias, fairness, transparency, explainability, and the full AI lifecycle. They're complementary: ISO 27001 protects your data, ISO 42001 governs how your AI systems use that data to make decisions.[1][2]
No. ISO 42001 is a standalone standard. However, if you already have ISO 27001, you'll find significant structural overlap (both use the Harmonized Structure, formerly Annex SL). Having ISO 27001 in place can meaningfully accelerate your ISO 42001 implementation and reduce costs by leveraging existing documentation, processes, and audit relationships.[1]
Yes. The standard is designed to be scalable. A 20-person startup with a focused AI product can scope their AIMS to cover specific AI systems without needing enterprise-level bureaucracy. The key is right-sizing your management system. Some startups achieve certification in 3–4 months with a focused scope.
Yes. Organizations can implement ISO 42001 entirely with internal resources. However, experienced consultants can significantly accelerate timelines, reduce the risk of nonconformities at audit, and bring lessons learned from multiple implementations. For first-time implementers, consulting support is often worth the investment.
Annex A contains 38 AI-specific controls organized across 9 categories: AI Policy, Internal Organization, Resources for AI Systems, Assessing AI System Impacts, AI System Life Cycle, Data for AI Systems, Information for Interested Parties, Use of AI Systems, and Third-Party & Customer Relationships. You select which controls apply based on your risk assessment and document this in your Statement of Applicability (SoA).[1]
Key mandatory documents include: AIMS scope statement, AI policy, AI objectives, AI risk assessment methodology, AI risk treatment plan, Statement of Applicability (SoA), AI impact assessment process, internal audit program, and documented operational control procedures. The extent of documentation scales with your organization's size and complexity.
Accredited certification bodies (registrars) perform the audit — not ISO itself. Look for bodies accredited by national accreditation organizations like UKAS (UK), ANAB (US), or JAS-ANZ (Australia/NZ). Major registrars offering ISO 42001 certification include BSI, Bureau Veritas, DNV, SGS, and TÜV.[4]
Organizations rarely fail outright. More commonly: minor nonconformities allow certification to proceed with a corrective action plan; major nonconformities must be resolved (typically within 90 days) before the certificate is issued; in rare cases of significant issues, the certification body may recommend delaying Stage 2. It's a constructive process, not pass/fail.
The certification is valid for 3 years. During this period, your registrar conducts annual surveillance audits (shorter, focused audits) to verify you're maintaining and improving your AIMS. After 3 years, a full recertification audit is required to renew.[1]
AI regulation is accelerating in the US and globally. The EU AI Act is law with penalties up to EUR 35M or 7% of global turnover. In the US, NIST's AI RMF provides voluntary guidance, while states like Colorado, Illinois, Texas, California, and New York have enacted AI-specific laws. Executive Orders 14179 and 14365 shape federal AI policy. ISO 42001 is a voluntary management framework that addresses many common regulatory requirements around risk management, documentation, transparency, human oversight, and governance. It's widely considered one of the best preparation tools for AI regulation.[1][3]
Both aim to increase trust in AI, but they differ in scope. ISO 42001 is an internationally certifiable management system standard. The NIST AI RMF is a voluntary U.S. framework without certification. They can be used together — ISO 42001 as the formal management system and NIST AI RMF as supplemental risk guidance.[1][3]

Quick reference

Full name: ISO/IEC 42001:2023
Published: December 2023
Type: Voluntary, certifiable
Structure: Harmonized Structure (same as ISO 27001)
Controls: AI-specific controls (Annex A)
Certification validity: 3 years
Typical timeline: 6–12 months
Typical cost (mid-size): $40,000–$100,000

Last reviewed: May 10, 2026