Preparation for ISO 42001 certification
If you are aiming for ISO 42001 certification, you will need a variety of documents that represent an Artificial Intelligence Management System (AIMS). These documents must be adapted to the situation and infrastructure of the respective company. As soon as all documents are complete, preparation for the ISO 42001 audit should take place. This also includes training all employees to improve AI risk awareness (e.g., “AI Awareness Training”).
It is not enough to have a tidy document folder while lacking both the technical and the human resources to focus on AI governance. Although auditors largely examine the documents presented, technical aspects may be addressed in the initial certification audit or in subsequent surveillance audits. If the auditor determines that the management system exists only on paper and has not been implemented, he may be forced to declare a certificate that has already been issued invalid.
We have provided a short video for you here on the subject of audit preparation:
What kind of evidence do you need for an ISO 42001 audit?
As you have seen in the video, you definitely need the following for a high-quality ISO 42001 audit:
- Customized management system according to ISO/IEC 42001 (in DOCX or PDF format)
- Proof of security training for all employees (AI Awareness Training)
- Proof of the appointment of a security officer (AI Officer)
The following documents, measures and evidence may also be required:
- IT emergency plan
- AI audit report with the following evidence:
  - Directory of all AI systems
- Data protection folder with the following evidence:
  - Internal and public procedure directory
  - Appointment of an expert data protection officer (DPO)
- Documentation of the security optimizations made

The list above shows that you should be well prepared for the AIMS audit. Not all of the measures recommended above need to be taken, but the more of them you implement, the better you are able to live by the required set of rules.
In the event of a security incident, an insurer can decline liability if systematic negligence is found. A company without economically and technically appropriate AI risk precautions cannot convincingly maintain an AIMS management concept.
We not only help you quickly put together the extensive set of policies, but also help you take any necessary technical measures and receive the required training.
How strictly do auditors check the ISO 42001 AIMS?
First, the auditors check the completeness of the documents and the plausibility of the information provided there. Then they focus specifically on individual critical points and on anything conspicuous. For SMEs, the management system consists of a manageable number of documents, which saves the auditor a lot of time. Nevertheless, he is also required to take samples of aspects that he knows from his “auditing practice” to be mostly neglected or often missing.
It is highly recommended to have at least some documents to hand. This convinces the auditor that the management system is not mere “monkey business”.
Frequently asked questions about preparing for ISO 42001 certification
The ISO/IEC 42001 certification requires that we comply with the main normative part of ISO 42001. The requirements can be summarized as follows:
- Context of the organization
- Leadership and commitment
- Planning
- Support
- Operation
- Evaluation of performance
- Improvement
- Controls (Annex)
The certificate is valid for a maximum of 3 years and must then be extended through a recertification audit. The recertification audit checks whether the requirements for an extension of the certificate still exist.
The costs for certification according to ISO 42001 can be estimated quite well for small companies (SMEs) in low-complexity industry sectors. Here the audit and the issuance of the certificate together cost around £1,500-£3,000.
Things are more difficult for companies with complex processes and increasing company size.
Here, the very complex audit costs significantly more because the risks are significantly higher. Additional technical AI audits often take place here. These are usually necessary because these companies require ISO 42001 due to the regulations of the legislator or the requirements of the company's main insurer.
Therefore, the certification of large corporations can quickly exceed roughly £15,000.
The ISO 42001 standard enables companies to integrate a comprehensive information security system into the organization through certification.
These are the 5 elementary advantages for small and medium-sized companies:
- Optimized information security
- Sustainable strategies
- Supplement to the existing management system
- Reduce costs and increase productivity
- Competitive advantage increases sales
These individual benefits are explained in more detail in the article on the strategic benefits of ISO 42001.