ISO 42001 Certification Readiness: A Step-by-Step Checklist for UK Organisations in 2026

John Airey
iso-42001 iso-42001-checklist ai-management-system uk-grc

ISO 42001 certification is becoming the reference standard for organisations that want to demonstrate credible AI governance to regulators, customers and boards. For UK organisations preparing in 2026, the path to certification is structured but demanding: it spans governance, risk management, AI system documentation, operational controls and continual improvement. A clear ISO 42001 checklist turns an abstract management system standard into a sequence of practical actions your GRC team can plan, resource and evidence.

This guide sets out what an ISO 42001 readiness checklist includes, how long certification typically takes, and what UK organisations should prioritise given the regulatory context of 2026. It is written for GRC Managers, compliance leads and AI governance practitioners who need to move from intent to evidence. It is general guidance, not legal advice; organisations should take their own legal counsel on their specific regulatory position.

What is ISO 42001 and why does it matter in 2026?

ISO 42001 is the international management system standard for artificial intelligence. It specifies requirements for establishing, maintaining and continually improving an AI Management System (AIMS), covering governance accountability, risk assessment, lifecycle controls, supplier management and impact assessment. Certification provides independent assurance that an organisation manages AI responsibly.

For UK organisations, the strategic case in 2026 is stronger than pure compliance. The EU AI Act (Regulation (EU) 2024/1689) has extraterritorial provisions in Articles 2 and 3 that may capture UK providers and deployers whose AI systems affect users inside the EU, and the ICO’s published guidance on automated decision-making, fairness and transparency under UK GDPR continues to develop. ISO 42001 offers a recognised framework that maps cleanly onto both regimes. Treating readiness as a risk-management decision rather than a tick-box exercise positions the organisation to absorb regulatory change without repeated, costly remediation.

What does an ISO 42001 readiness checklist include?

A practical ISO 42001 implementation checklist breaks the standard into work packages that GRC teams can assign, evidence and audit. The structure below mirrors the clauses of ISO 42001 and the order in which most UK organisations sequence the work.

1. Establish governance and accountability

  • Define the scope of the AI Management System: which business units, products and AI systems are in scope.
  • Appoint an accountable owner at executive level and a working group spanning legal, security, data, product and operations.
  • Draft and approve an AI policy that sets out the organisation’s principles, risk appetite and prohibited use cases.
  • Document roles, responsibilities and decision rights for AI development, procurement and deployment.

2. Build the AI system inventory

  • Identify every AI system in use, in development or procured from third parties.
  • Classify each system by purpose, data inputs, decision impact and risk category.
  • Record ownership, supplier dependencies and the regulatory regimes that apply.
  • Maintain the inventory as a living record, not a one-off audit artefact.

3. Conduct AI risk and impact assessments

  • Carry out an AI risk assessment for each in-scope system, covering safety, fairness, security, privacy and societal impact.
  • Complete AI impact assessments where systems affect individuals’ rights or material decisions.
  • Map identified risks to mitigations and assign treatment owners.
  • Integrate AI risk into the wider enterprise risk register so the board has relevant insight.

4. Implement lifecycle controls

  • Define development standards covering data quality, model evaluation, bias testing and documentation.
  • Establish deployment gates that require sign-off on testing, security review and impact assessment.
  • Put monitoring in place for accuracy, drift, fairness and security events once systems are live.
  • Set retirement criteria so models that no longer meet standards are decommissioned.

5. Manage suppliers and third-party AI

  • Update procurement processes to require AI-specific due diligence on vendors.
  • Capture contractual commitments on transparency, security, data use and incident notification.
  • Assess supplier AI systems against the same risk framework as internal systems.

6. Prepare evidence and operate the system

  • Document procedures, records and decisions in a structure auditors can navigate.
  • Train staff on AI policy, risk procedures and incident reporting.
  • Run internal audits to test that controls operate as designed.
  • Conduct a management review before booking the stage 1 audit.

How long does ISO 42001 certification take in the UK?

In our experience supporting mid-sized UK organisations, the path from decision to certificate typically runs between six and twelve months. The variables are the maturity of existing management systems, the number of AI systems in scope and the resource the organisation commits to the programme.

Organisations already certified to ISO 27001 or ISO 9001 typically move faster because governance, document control and audit disciplines are in place. Those starting from a lower baseline should plan for the longer end of the range and resist the temptation to compress the build phase. Auditors look for evidence that the AI Management System has been operating, not just designed.

The certification itself follows the standard two-stage route used across ISO management system standards: a stage 1 documentation review followed by a stage 2 implementation audit, conducted by an accredited certification body. UK organisations can choose a UKAS-accredited certification body where one is available for ISO 42001, or a body accredited by another IAF MLA signatory; the right choice depends on the markets and customers the certificate needs to satisfy.

Any gaps identified at either stage require corrective action before the certificate is issued.

Where UK organisations most often fall short

In our work with GRC teams preparing for ISO 42001, three gaps typically appear. The AI system inventory is incomplete because shadow AI use across business units has not been surfaced. Risk assessments are produced as documents but not integrated into deployment decisions. Supplier due diligence treats AI as a feature of an existing product rather than a distinct risk surface.

Closing these before a formal assessment removes the most common audit findings.

Key questions on ISO 42001 readiness

What are the main requirements of ISO 42001?

The standard requires a documented AI Management System covering governance, risk assessment, AI impact assessment, lifecycle controls, supplier management, competence, internal audit and management review. Organisations must demonstrate that the system is implemented, operating and continually improving, not simply written down.

Do we need ISO 27001 before pursuing ISO 42001?

No, but it helps. See our comparison of ISO 42001 and ISO 27001 for which controls transfer and which require fresh AI-specific work. ISO 42001 shares structural conventions with ISO 27001 and assumes a level of information security maturity. Organisations without an established Information Security Management System (ISMS) should expect to build security controls in parallel with the AIMS.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is not a substitute for EU AI Act compliance, and certification alone cannot address obligations relating to prohibited AI systems under the Act. It does, however, provide a recognised governance framework that addresses many of the Act’s obligations on risk management, documentation, human oversight and post-market monitoring. UK organisations within the Act’s potential extraterritorial scope would benefit from aligning the two programmes and should confirm their specific position with legal counsel.

What evidence do auditors expect to see?

Auditors look for an AI policy approved at executive level, a complete AI system inventory, risk and impact assessments tied to live decisions, evidence of monitoring and incident handling, training records, internal audit reports and a documented management review.

The companion blog on the ISO 42001 audit evidence pack sets out each evidence category in more detail. In our practitioner experience, certification bodies expect to see the system operating in practice for a meaningful period before stage 2, with live records rather than backdated documentation.

Can we self-assess against ISO 42001 before engaging a certification body?

Yes, and we recommend it. A structured readiness review against the clauses of ISO 42001 identifies gaps while there is still time to close them affordably. Discovering a missing inventory or absent impact assessments during a stage 2 audit is significantly more expensive than finding them six months earlier.

Move from checklist to certification

ISO 42001 readiness is achievable for UK organisations that plan the work in stages, resource it properly and treat the AI Management System as a living governance capability. The checklist above gives GRC teams a structure; the harder work is sequencing it against business priorities and existing compliance commitments.

If you would like a practitioner view on where your organisation stands against ISO 42001, schedule a 30-minute ISO 42001 Readiness Review with our GRC team. We will walk through your current governance position, identify the highest-impact gaps and outline a realistic path to certification.

This article is general guidance for UK GRC practitioners and does not constitute legal advice. Organisations should obtain their own legal counsel on the application of UK GDPR, the EU AI Act and related regulatory regimes to their specific circumstances. QL Security is a commercial provider of ISO 42001 readiness services.
