Governance & guardrails

ISO 42001 certification: how a company actually gets certified

ISO 42001 certification is a defined path, not a purchase: you prepare an AI management system, then an independent accredited body audits it in two stages and issues a certificate that lasts three years. Most pages ranking for this search either sell you a course or argue about whether the standard is worth it. This one walks the actual steps.

What you are getting certified against

ISO/IEC 42001:2023, published in December 2023, is the first certifiable standard for an AI management system, or AIMS: the policies, roles, risk process, and controls that govern how an organization builds or uses AI. Structurally it works like ISO 27001. There is a mandatory management-system half (clauses 4 to 10) that every certified organization must meet, and a selectable half: the 38 Annex A controls across 9 domains, which you choose from through risk treatment and justify in a Statement of Applicability. Our guide to the Annex A controls explains what each domain is for, and the ISO 42001 checklist lays them out as a working list you can tick through.

Certification means an accredited third party has checked that this system exists and operates, and says so on a certificate your customers can verify. That is the whole product. It is worth being clear that it is not a government license, not an EU AI Act clearance, and not something you can grant yourself.

The path, end to end

The route is the same shape for a two-system pilot and a company-wide program; only the effort scales. Here is each stage and what happens in it.

Stage What it is
Stage 0
Readiness and gap assessment
Measure how far your current AI practices sit from the standard. This is where you scope the AI management system (which systems and teams are in), run a first risk and impact assessment, and produce a gap list. Skipping it is the most common reason companies fail stage 1.
Stage 1 (your work)
Remediation: build the AI management system
Close the gaps. Draft the AI policy, set up the risk process, write the Statement of Applicability, stand up the impact assessments and documentation, run an internal audit and a management review. Most of the calendar and most of the cost live here.
Choose a body
Select an accredited certification body
You do not certify yourself, and neither does ISO. An accredited certification body audits you. Get quotes from more than one, and check the body is accredited for ISO/IEC 42001 specifically, not just ISO in general.
Stage 1 (their audit)
Stage 1 audit: documentation review
The certification body reviews your AIMS on paper: scope, policy, risk method, Statement of Applicability, and whether you are ready for the real audit. They flag gaps for you to fix before stage 2. Think of it as a readiness check by the people who will grade you.
Stage 2 (their audit)
Stage 2 audit: implementation in practice
The main event. Auditors check that the AIMS is actually running, not just written: they interview people, sample records, and test that controls operate. Clear the findings and they recommend you for certification. The certificate covers a three-year cycle.
Years 2-3
Surveillance audits
The certificate is not one and done. The body runs a lighter surveillance audit in each of the next two years to confirm the AIMS is still operating. Then a recertification audit at year three starts the next cycle.

Who certifies you, and why the accreditation matters

This is the part most explainers skip. ISO is a standards body: it publishes ISO/IEC 42001 and does not audit or certify anyone. The certificate comes from a certification body, an independent firm that runs the stage 1 and stage 2 audits. What makes that certificate credible is that the certification body is itself accredited by a national accreditation body, which checks the auditors are competent and impartial. In the US that accreditor is the ANSI National Accreditation Board (ANAB); other countries have their own (UKAS in the UK, and so on).

Two practical consequences. First, confirm any body you talk to is accredited for ISO/IEC 42001 specifically, because the standard is young and accreditation for it rolled out only through 2025 and 2026. An unaccredited "certificate" is worth roughly what an unaccredited diploma is worth. Second, the firm that helps you prepare cannot also be the firm that certifies you. Impartiality rules for certification bodies forbid auditing a management system you helped build. That separation is a feature: it is why the certificate carries weight, and it is exactly why readiness work and the accredited audit are two different jobs.

How long it takes

Published guides put the whole path at 3 to 12 months. Where you land depends almost entirely on your starting point. A company already running ISO 27001 or SOC 2 has the risk process, internal audit, and document control in place and is mostly adding AI-specific controls, so it moves toward the short end. A company building its first formal management system is closer to a year, because the machinery has to be created before it can be audited. The audits themselves are quick by comparison: stage 1 and stage 2 are usually a few weeks apart, and surveillance audits are shorter still.

Should you pursue it at all

Certification is worth real money when someone who can hold up a deal is asking for it. The clearest case: you sell AI-touching products into enterprises or regulated sectors, where the certificate is heading the way SOC 2 and ISO 27001 went, onto procurement checklists. Early adopters bear that out: SAP, Microsoft's AI systems, and Cornerstone have certified. There is also a regulatory angle. The EU AI Act's Article 40 gives harmonised standards a presumption of conformity, and published analyses put ISO 42001 at roughly 60 to 70 percent of the Act's management-system requirements, though it does not replace the Act's prescriptive high-risk obligations. Our framework crosswalk maps where ISO 42001, the NIST AI RMF, and the EU AI Act overlap.

It is not worth the audit fee when nobody is asking. If your AI use is low-risk vendor tooling and no customer or regulator has requested proof, you can run the useful parts of the standard (an AI inventory, risk tiering, named ownership, a policy people follow) without paying for certification, and certify later if the asks arrive. The honest cost breakdown, including when to skip the audit, is in our ISO 42001 certification cost guide.

Where Tillerbridge fits

To be plain about it: Tillerbridge is not a certification body, sells no training, and cannot issue the certificate. What we do is the front half of the path, the readiness and remediation work that gets you audit-ready. Our fixed-scope ISO 42001 readiness assessment ($20,000 to $80,000, 3–6 weeks) tells you how far you are from certifiable, produces the gap list and the plan to close it, and says plainly whether the certificate is worth chasing for your situation. After that, an accredited body you choose runs the audits. The two roles stay separate on purpose.

This page is general information, not legal or audit advice; the standard itself and your accredited certification body govern the actual requirements, and dates and figures cited here are current as of July 2026.

Questions people ask

Who issues ISO 42001 certification?
An accredited certification body, not ISO and not a consultant. ISO writes the standard; it certifies nobody. Certification bodies are themselves accredited by a national accreditation body (in the US that's the ANSI National Accreditation Board, ANAB; in the UK, UKAS), which is what makes the certificate mean something to a customer. Always confirm your body is accredited for ISO/IEC 42001 specifically.
How long does ISO 42001 certification take?
Published guides put it at 3 to 12 months from start to certificate. The variable is your starting point: companies that already run ISO 27001 or SOC 2 land at the short end because the management-system machinery already exists, while a company building its first management system from scratch is closer to the long end. The stage 1 and stage 2 audits themselves are usually a few weeks apart.
What is the difference between the stage 1 and stage 2 audits?
Stage 1 is a documentation review: the certification body checks your AIMS on paper (scope, policy, risk method, Statement of Applicability) and tells you whether you're ready for the real thing. Stage 2 is the main audit, where they check the system is actually operating through interviews, record sampling, and control testing. You fix stage 1 findings before stage 2 happens.
Do we need ISO 27001 before ISO 42001?
No, it isn't a prerequisite. But the two share the same management-system backbone (leadership, risk, internal audit, document control), so if you already hold ISO 27001 or SOC 2 you can reuse most of that machinery and certify faster and cheaper. Companies whose AI is the core product sometimes go straight to ISO 42001; companies layering AI governance onto an existing security program usually already have the foundation.
Can the consultant who prepares us also certify us?
No, and that's deliberate. The accreditation rules for certification bodies require impartiality, so the body that audits you cannot have built your AI management system. The readiness and remediation work and the accredited audit are two separate jobs by two separate parties. We do the first and are not a certification body; the accredited body does the second.
Is ISO 42001 certification worth it?
It depends on who is asking you for it. It's worth it when you sell AI-touching products to enterprises or regulated buyers who put it on procurement checklists, the way SOC 2 and ISO 27001 went. It's questionable when nobody in your pipeline has asked. We wrote the honest version, with numbers, in our ISO 42001 certification cost guide.

Tell us about the work.

A few lines is enough. We read every enquiry ourselves and reply within one business day.