The route from a first gap assessment to certification — implementing the AIMS, auditing internally, then passing a stage 1 and stage 2 audit and maintaining it through surveillance.
Certification to ISO/IEC 42001:2023 is awarded by an accredited third-party certification body after an independent audit of your AI management system. The standard defines the requirements; the certification body checks that your AIMS meets them in practice. The path is the same family of stages used across ISO management system certifications, applied to AI.
The starting point is a gap assessment that measures your current state against the requirements in clauses 4 to 10 and the controls you select from Annex A. The output is a clear list of what is in place, what is partial and what is missing — the basis for everything that follows.
Next you build out the management system: define the AIMS scope, set the AI policy, assign roles, run risk and impact assessments, select and apply the relevant Annex A controls, and put the supporting documentation and records in place. This is where gaps identified in the assessment are closed and the system begins to operate.
Before inviting an external body, the standard expects the organisation to test its own system. An internal audit checks that the AIMS is working as intended, and a management review confirms that leadership has assessed its performance. Both generate records the certification body will expect to see, and both surface issues while there is still time to correct them.
The certification audit is typically carried out in two stages:
Where the audit identifies nonconformities, these are addressed before certification is granted.
Certification is not a one-off event. The certification body carries out periodic surveillance audits to confirm the AIMS remains in place and effective over time, with recertification at the end of the certification cycle. Maintaining the evidence and continuing to operate the management system between audits is what keeps certification valid.
The TrustedAIGov Readiness tooling is designed to support a certification journey aligned to these stages — keeping the gap assessment, control evidence, internal-audit records and review minutes in one place so your team can move from assessment to audit with the evidence ready. It supports your preparation; the certification decision rests with an accredited certification body.
Move from gap assessment to audit with the evidence ready and an owner on every requirement.
Related reading: ISO 42001 controls →