ISO 42001 certification: what it actually takes
ISO 42001 certification typically takes 3 to 6 months end-to-end, costs €15,000 to €60,000 for the certification body alone, and requires a live AI management system that actually operates day to day. It has been done in four weeks, once, when the management system was already in place before the clock started.
Modulos is Europe's first ISO/IEC 42001-certified AI governance platform, a position no generic GRC vendor and no other AI governance platform has yet matched.
Here is how the timeline really breaks down.
Guides on the market today either underestimate this ("certified in two weeks") or overestimate it ("a 12-month journey"). Both are wrong in opposite directions, and both are structurally incentivised to be. The "two weeks" claim sells platform subscriptions. The "12 months" claim sells billable consulting hours. The honest answer sits between them and depends on one variable: how much of the AI management system was already in place when you started.
There is also a category error buried in the marketing of 42001 itself that matters more than the timeline question. ISO 42001 certifies your AI management system. It does not certify your AI products. Organisations that conflate the two spend months preparing a certification that does not give them what they expected to receive.
This post lays out the real process, the real costs, the real timelines, and the distinction the market keeps getting wrong.

What ISO 42001 certification is
ISO/IEC 42001 is the first international management system standard for AI, published in December 2023 by ISO and IEC. It is modelled on the same architecture as ISO 9001, ISO 27001, and the other ISO management system standards: Clauses 4 through 10 covering context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A lists 39 controls for AI. Annex B provides implementation guidance. Annex C gives generic application guidance. Annex D covers sector-specific notes.
What gets certified is the AI management system (AIMS). Not your AI products, not your specific models, not your conformity against the EU AI Act. The AIMS is the organisational machinery: policies, roles, lifecycle controls, change management, risk treatment, monitoring, continuous improvement, all operating inside your organisation.
This is why the distinction matters. A certified AIMS demonstrates that your organisation has the governance capability to run AI responsibly. It does not demonstrate that any specific AI system conforms to any specific regulatory requirement. Conformity assessments under the EU AI Act are separate exercises with their own scope, their own notified bodies, and their own deliverables.
For a deeper treatment of this category error, see the companion post "Your ISO 42001 certification won't make your AI system AI Act compliant". The short version: the certificate says "this organisation has an AIMS." It does not say "this organisation's AI is compliant with the AI Act." Marketers who conflate the two will cost their clients audits.
Who actually needs ISO 42001 certification
Three buyer patterns account for almost all of the current demand.
EU market access preparation. Organisations anticipating the EU AI Act high-risk obligations are building AIMS capability in advance, and certifying early makes conformity assessments substantially easier later. One caveat, and it is the one the market gets wrong most often: ISO 42001 is not product-level conformity to the AI Act. ISO 42001 certifies the organisation's management system. The AI Act requires product-level conformity for high-risk systems, which is a separate exercise. The companion post "Your ISO 42001 certification won't make your AI system AI Act compliant" treats this distinction in full. When prEN 18286 (the harmonised European standard bridging ISO 42001 and AI Act conformity) is published, a certified AIMS will be the natural starting point for Act-level conformity work, but not the deliverable.
Enterprise sales requirement. Large customers increasingly ask for ISO 42001 certification in AI vendor questionnaires, particularly financial services, healthcare, critical infrastructure, and government buyers. For AI vendors, certification has moved from a differentiator to a gate.
Financial sector supervisory pressure. Supervisors in several jurisdictions are asking for certified AIMS as a baseline expectation without yet mandating it. The pressure is polite but clear. Institutions that do not certify now will certify later under less favourable conditions.
If none of these apply, ISO 42001 certification may be premature. The AIMS capability is still worth building, because it is the organisational spine for any serious AI program, but you do not need a certificate to have a management system.
The six stages of certification
The process decomposes into six stages. The durations below are indicative only. Actual timelines depend heavily on the size of the organisation, the breadth of the AI estate in scope, and the maturity of the existing management system on day one. A ten-person team with one AI product in scope moves through each stage in a fraction of the time a multinational with dozens of AI systems takes.
Stage 1: Gap analysis. 2 to 4 weeks typical. An assessment of the current state of AI governance against the 42001 requirements. Produces a list of the clauses and Annex A controls that are already addressed, those that are partially addressed, and those that do not exist. The output is a roadmap. Organisations with existing ISO 27001 certifications compress this because many controls map. Organisations starting cold take the full four weeks.
Stage 2: AIMS design and documentation. 4 to 8 weeks typical. Writing the policies, procedures, and roles that the management system will run on. An AI policy, an AI risk management procedure, a lifecycle process, an incident response plan, role definitions for AI governance. The documentation is where teams usually overshoot because they produce text without testing whether anyone can actually operate it. The check is: can someone you have never met follow the document and produce the intended outcome?
Stage 3: Controls implementation. Varies wildly. The 39 Annex A controls become operational. This is the longest phase for organisations starting from scratch because implementing a control is different from documenting one. Implementation means the control operates in production, produces evidence on a cadence, and has a named owner who approves changes. Some controls (change management, training, incident response) are already operational in mature organisations and need minor AI-specific extensions. Others (AI-specific risk management, lifecycle reviews, bias and performance monitoring) are new capability.
Stage 4: Internal audit. 1 week typical. An internal audit of the AIMS against the 42001 standard. Produces findings: observations, non-conformities, opportunities for improvement. Findings get addressed before the external audit begins. Some organisations use their internal audit function. Others use an external advisor who is not the future certification body (to preserve independence).
Stage 5: Stage 1 certification audit. 1 to 2 weeks. The certification body reviews the AIMS documentation. This is a desk-based exercise. The auditor checks that the management system is designed correctly, that the scope statement is clear, and that the organisation is ready for the on-site audit. Findings at Stage 1 are typically minor and addressed within days.
Stage 6: Stage 2 certification audit. 1 to 2 weeks. The certification body audits the operational management system. Interviews with roles, reviews of evidence, sampling of controls, testing that the AIMS is operating as designed. This is the substantive audit. Findings here determine the certification outcome: certified, certified with minor non-conformities, or deferred pending corrective action.
The gap between Stage 5 and Stage 6 depends entirely on the certification body's schedule. In well-resourced jurisdictions it can be 4 to 12 weeks. In jurisdictions with tight auditor capacity it can stretch to 6 to 12 months. Book the Stage 2 audit as early as you credibly can. The Stage 2 audit is what closes the overall project timeline.
Cost breakdown
A realistic cost picture has four components. The ranges below span small firms through mid-size enterprises. Costs at the very small end (a single-product startup) sit at the bottom of each range or below. Costs at the very large end (a multinational with dozens of AI systems in scope) sit above the top of each range.
Certification body fees. €15,000 to €60,000, depending on scope. Scope is driven by the size of the organisation, the number of AI systems in the certification boundary, and the complexity of the management system. Fees scale roughly with auditor-days. Several major certification bodies publish rate cards on request. Surveillance audits (annual, required to maintain certification) typically run at 30 to 50% of the initial certification cost.
Internal effort. 2 to 4 FTE for 3 to 6 months in typical cases. The internal effort is the dominant cost. Depending on day rates and geography, this ranges from €60,000 to €300,000 fully loaded. For the Xayn four-week case, the internal effort was closer to 1 FTE, because the management system was already in operation and the project was primarily documentation and audit preparation.
Platform cost. Variable. Running an AIMS without a platform is possible but expensive in internal effort. A governance platform that maintains the control graph, connects to evidence sources, and handles review workflow reduces the internal effort substantially. Platform costs vary with the number of controls, the number of AI systems governed, and the feature set required.
Surveillance audit costs. Annual. Once certified, surveillance audits run annually for the three-year certification cycle. Budget for surveillance is typically 30 to 50% of the initial certification cost. Recertification at year three resembles the initial certification in scope and cost.

Why timelines vary so wildly
The speed-limiting step is almost always evidence production, not audit scheduling or documentation.
Teams with a live, documented, operating management system move fast. Their Stage 2 audit works because the evidence is already being generated, the roles are already defined, and the controls are already running. The audit is a verification of what exists.
Teams starting from scratch spend months on documentation before the audit even begins, and then discover during the Stage 1 certification audit that documentation without operation is not a management system. The Stage 1 audit findings are "you have written it, but you are not yet running it." The organisation returns to build operation, then reschedules the Stage 1 audit.
No shortcut replaces the operational work. A platform that generates documentation for you does not produce evidence. Evidence is generated by systems that actually run. The vendors who promise "ISO 42001 certification in two weeks with AI" are selling the documentation output and assuming the operational work is already done somewhere.
This is the failure mode that has recurred across adjacent compliance markets. Automated artifact generation without underlying control operation produces documents, not management systems. The documents describe a posture the organisation does not actually hold. Eventually a real audit, or a real incident, exposes the gap.
ISO 42001 is designed to be harder to falsify because the Stage 2 audit includes operational sampling. An auditor will ask to see the control in action. No document generation substitutes for that.
The Xayn four-week case
Xayn was the first German organisation to receive ISO 42001 certification. The certification body was SGS. The platform was Modulos. The timeline was four weeks from project start to certificate issuance. The full case is written up in "Fast-tracking ISO 42001 certification for Xayn".
Four weeks is not the typical timeline. It is not even achievable for most organisations on a first attempt. The Xayn result was possible because:
The AIMS was substantially in place before the clock started. Xayn had an operating AI governance program with documented policies, assigned roles, a working risk register, a lifecycle review process, and monitoring infrastructure already in operation. The four-week project was to formalise the AIMS against the 42001 structure, close the residual gaps, and run the audit.
The control graph was shared across frameworks. Modulos maintained the control set against 42001, the EU AI Act requirements Xayn was preparing for, and the ISO 27001 baseline Xayn already held. One control implementation produced evidence that satisfied multiple frameworks. This is the structural efficiency the Modulos platform is built around.
The certification body was engaged early. SGS was briefed on the scope, the timeline, and the AIMS architecture before the audit was scheduled. Surprises during the audit add days. Preparation removes them.
The internal project was 1 FTE, not 3 or 4. Because the AIMS was in operation, the work was audit preparation, not AIMS construction. A single governance lead co-ordinated documentation, scheduled interviews, and managed the certification body relationship.
The implication for buyers is this: the Xayn timeline is a ceiling, not a target. Your timeline depends on how close your AIMS is to operating condition on day one. If you are starting closer to zero, plan for three to six months.
Common mistakes that extend the timeline
Five failure modes recur across certification projects.
- Treating documentation as the deliverable rather than as evidence of an operating system.
- Trying to certify too broad a scope on the first attempt. Certify a defined AIMS scope first. Expand at surveillance.
- Underestimating the Annex A controls that touch engineering (data governance, performance monitoring, incident response). These require real integration with the technical stack.
- Leaving risk quantification as traffic lights. Auditors increasingly probe whether the organisation can express AI risk in monetary terms. 5x5 matrices produce findings.
- Running the certification project without a platform that connects to the engineering stack. The manual evidence-gathering burden extends timelines by weeks.
The trap to avoid
ISO 42001 is not AI Act compliance.
A certified AIMS is the management-system-level capability. The EU AI Act requires product-level conformity for high-risk systems, with different deliverables. prEN 18286 is the harmonised European standard currently in development to bridge 42001 and AI Act conformity assessments. When prEN 18286 is published, organisations that have already built their AIMS around the 42001 structure will be in the best position to take advantage.
Plan for both now, not one at a time. Running two parallel compliance programs is the default failure pattern, and it is expensive. Running one AIMS with a shared control graph that covers 42001, the AI Act articles, and the sector frameworks is the efficient pattern.
Framework versioning matters here as well. Modulos tracks framework versions and flags when regulatory or standard updates affect your projects. Surveillance audits then become verifications of the currently-operating system, not rediscovery exercises that start from scratch each year.
FAQ
How much does ISO 42001 certification cost? Certification body fees: €15,000 to €60,000 depending on scope. Internal effort: €60,000 to €300,000 fully loaded for 3 to 6 months. Platform and advisory costs: variable. Surveillance audits: 30 to 50% of initial cost per year.
How long does ISO 42001 certification take? Typically 3 to 6 months end-to-end. Organisations with existing management systems (ISO 9001, ISO 27001) move faster. Organisations starting from zero can take 6 to 9 months. Xayn, with a fully operational AIMS at project start, certified in four weeks.
What is the difference between ISO 42001 and the EU AI Act? ISO 42001 is a management system standard. It certifies your AI management system. The EU AI Act is a regulation. It requires product-level conformity for high-risk AI systems. A certified AIMS makes Act-level conformity easier. It does not substitute for it.
Do I need to be ISO 27001 certified first? No, but it helps. Many Annex A controls in 42001 overlap with 27001 controls, so existing 27001 certification compresses the 42001 gap analysis and documentation phases.
Who can certify an organisation against ISO 42001? ISO does not designate "notified bodies"; that is EU AI Act terminology. ISO 42001 certification is issued by accredited certification bodies, which are themselves accredited by national accreditation bodies (UKAS in the UK, DAkkS in Germany, ANAB in the US, SAS in Switzerland, and so on, under the ISO/IEC 17021 scheme). Not every certification body is yet accredited specifically for ISO 42001, so check the current accreditation scope with your national accreditation body before committing. EU AI Act notified bodies are a separate list for product-level conformity assessments and are still being designated.
How long is the certification valid? Three years, subject to annual surveillance audits. Recertification at year three is a full audit cycle.
Can the Modulos platform support certification? Yes. Modulos maintains the 42001 control graph, supports evidence collection from the engineering stack (GitHub, GitLab, Jira, Google Drive, SharePoint), runs continuous tests through Runtime Inspection (Prometheus, Datadog, Modulos Client, GitHub, Azure), and accelerates assessment and documentation workflows through Scout, the Evidence agent, and the Control assessment agent with human-in-the-loop approvals. Xayn was the first German organisation to certify using Modulos.
Closing
Either the certification forces you to build a real management system, which was the point, or you gold-plate the audit and regress six months later. The value of certification lies entirely in the operating system behind it.
Ready to see how Modulos handles ISO 42001 certification? Request a demo and we will walk you through how the platform operationalises ISO/IEC 42001 for your organisation, from gap analysis through Stage 2 audit. See also how Xayn achieved ISO 42001 certification in four weeks and the ISO 42001 documentation.