Governance & guardrails

ISO 42001 readiness assessment

ISO 42001 readiness assessment is the work you do before an accredited audit: find the gap between where your AI governance is now and what the standard requires, so you walk into stage 1 knowing you will pass. We run it as a fixed-scope engagement with the price stated up front.

What the assessment covers

  • Scope. Which AI systems, teams, and sites are in your AI management system, and which are out. Auditors read this first, and weak scope is a known way to fail stage 1.
  • Risk and impact. A first risk assessment and the AI impact assessment the standard requires, covering effects on the people your systems touch, not just the business.
  • Gap report. Where you stand against the mandatory clauses (4 to 10) and the 38 Annex A controls, with a draft Statement of Applicability.
  • A plan to close it. A prioritized, costed sequence of fixes written so your own people can run it, or we can, without starting over.

Scope, timeline, and price

3–6 weeks. $20,000 to $80,000; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. Most firms selling certification-prep work make you ask for a number. We publish ours, above the fold, because you should be able to compare before you talk to anyone. For the market ranges on the audit and remediation that follow, our certification cost guide lays them out with sources.

Where this fits, and who does it

The readiness assessment is the front half of the certification path: it tells you how far you are from certifiable and whether the certificate is worth chasing at all, and the report says so either way. If it is, the remediation and ongoing program are AI governance consulting; then an accredited body runs the audits. If you are weighing ISO 42001 against other regimes first, the framework crosswalk is free and ungated. A senior person runs the work end to end. Our senior people are an engineer and an operator, and the person who scopes your assessment is the person who does it.

Questions people ask

What is an ISO 42001 readiness assessment?
A structured check of how far your current AI practices sit from ISO/IEC 42001, before you engage an accredited auditor. It scopes the AI management system, runs a first risk and impact assessment, and produces a gap list against the mandatory clauses and the Annex A controls. Same thing people mean by an ISO 42001 gap assessment.
How much does it cost?
$20,000 to $80,000; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. That's our published range for the fixed-scope assessment, not a starting point for a quote negotiation. For the market ranges on the audit and remediation that follow, see our ISO 42001 certification cost guide.
Can you certify us?
No. We are not a certification body and we don't issue the certificate. The accreditation rules require the body that audits you to be independent of the people who prepared you, so a consultant certifying their own work isn't allowed, and that's a good thing. We do the readiness and remediation; an accredited body you choose runs the stage 1 and stage 2 audits.
What do we walk away with?
A scoped AI management system boundary, a risk and impact assessment, a gap report against every relevant clause and control, a draft Statement of Applicability, and a prioritized plan to close the gaps, written so your own team can run it. You keep all of it whether or not you continue with us.
Do we need this if we already have ISO 27001?
Usually a lighter version. ISO 27001 gives you the management-system backbone (risk process, internal audit, document control), so the readiness work concentrates on the AI-specific gaps: impact assessment, the development lifecycle, and data provenance. The assessment says plainly how much is genuinely new for you.

Tell us about the work.

A few lines is enough. We read every enquiry ourselves and reply within one business day.