ISO 42001 Implementation: Why UK Consultants Are Missing the Mark
UK organisations are starting to ask the same question: who actually knows how to implement ISO 42001? The honest answer is that very few consultants do. The standard is new, the practical body of knowledge is thin, and the gap between selling an ISO 42001 implementation engagement to a UK client and delivering one is wider than most buyers realise. In our experience, programmes stall, certification audits expose the gaps and budgets burn because the people leading the work have treated ISO 42001 as a paperwork exercise grafted onto ISO 27001 templates.
This post sets out what good looks like, why so many UK implementations are running into trouble and what to ask before you sign a statement of work.
What ISO 42001 actually requires
ISO 42001 is the international standard for AI management systems. It asks an organisation to govern the full lifecycle of AI systems it develops, deploys or procures, including risk assessment, data governance, transparency, human oversight, supplier controls and continuous improvement. The structure looks familiar to anyone who has worked with ISO 27001, but the content is materially different. Risk treatments must address model behaviour, data lineage, fairness, explainability and downstream impact on individuals. None of that maps cleanly onto information security controls.
To certify against ISO 42001, an organisation needs a working AI management system, evidence that controls operate as designed, and an accredited certification body to audit it. The UK market for AI management system certification is still maturing, with a small number of accredited bodies and an even smaller pool of consultants who have taken a client through the full cycle.
Why ISO 42001 implementations are failing in the UK
We are observing several patterns repeat across the market. In our view, each one traces back to a shortage of genuine AI governance experience among the consultants delivering the work.
Treating ISO 42001 as ISO 27001 with new labels
This is the most common failure we see. A consultant copies an ISO 27001 statement of applicability, renames a few controls, and presents it as an AI management system. (We cover the structural differences between ISO 42001 and ISO 27001 separately: which controls transfer and which need fresh AI-specific work.)
The audit then asks how the organisation has assessed bias in a specific model, what evidence supports the fairness claim, and how human oversight is exercised in production. The documentation has no answer because the underlying work was never done.
Skipping the AI inventory
A credible implementation begins with a structured discovery exercise — covered in detail in our shadow AI discovery guide — that goes well beyond the one-page survey most teams default to. In our experience, this step is the single biggest determinant of audit outcome. Skip it, and you end up with a management system that governs three known AI projects while ignoring forty undiscovered ones.
Misreading the risk methodology
ISO 42001 risk assessment is not a tabletop exercise scored on likelihood and impact. It requires structured analysis of harm to individuals, groups and society, alongside operational and reputational risk. Consultants without an AI governance background tend to default to the security risk register format they know. Auditors see through this immediately.
Underestimating the evidence burden
Certification bodies want to see operational evidence: model cards, data sheets, bias testing results, incident logs, change records and human oversight artefacts. The ISO 42001 audit evidence pack walks through the seven evidence categories certifiers actually request. A documentation pack written three weeks before audit will not pass. The organisations succeeding are those who built evidence collection into operational workflows from the start, which requires a consultant who understands how AI development and deployment actually run.
What separates a competent ISO 42001 consultant from a generic one
In our view, a good ISO 42001 implementation engagement in the UK should look like this from day one:
- The consultant has personally led AI governance work, not adjacent compliance work
- They can describe the control objectives in plain English and explain why each one matters
- They have a defensible methodology for AI system discovery across the organisation
- They understand model risk, data governance and the specific harms ISO 42001 is designed to surface
- They can talk credibly to your data science, engineering and procurement teams as well as your compliance function
- They have direct experience with at least one UKAS-accredited certification body and know what auditors test
Generic ISO consultants will rarely meet more than two of these criteria in our experience. Generic AI consultants will rarely meet the compliance and audit ones. The work sits at the intersection, and the intersection is where most engagements break.
Questions to ask before you sign
We recommend buyers put the following questions to any prospective consultant:
- How many ISO 42001 implementations have you personally led from gap analysis through to certification readiness?
- Show me a redacted AI system inventory you have produced. How did you find systems your client did not know they had?
- Walk me through your AI risk assessment methodology. How does it differ from an information security risk assessment?
- Which UKAS-accredited certification bodies have you worked with, and what did their auditors focus on?
- What evidence artefacts do you require teams to produce on an ongoing basis, and how do you embed that into operational workflows?
- How do you handle third-party AI systems where you have limited visibility into the supplier’s controls?
If the answers are vague, recycled from ISO 27001 experience or rely on theoretical frameworks rather than delivery evidence, walk away. The cost of choosing the wrong consultant is not the fee. It is the better part of a year of work that may need to be redone.
Why first-mover certification matters
ISO 42001 certification is, in our view, becoming a procurement consideration in regulated sectors. We are seeing early signals from NHS trusts, local authorities and financial services firms asking suppliers about AI governance maturity, and certification is, in our opinion, among the clearest signals available. We expect organisations that achieve certification early to be better positioned commercially than those that wait until the standard is mandated by regulators or required by major customers, though specific outcomes will depend on individual market conditions. That positioning compounds, because certified organisations also build the internal discipline to deploy AI safely and at scale, which is the real business outcome the standard is designed to produce.
The gap between intent and delivery is where we see the most damage. Boards approve ISO 42001 programmes, consultants are appointed and the work begins, but six months in the project owner realises the AI management system being built may not stand up to audit scrutiny. By that point, budget is largely spent and timelines have slipped.
Key questions on ISO 42001 implementation
What makes a good ISO 42001 implementation consultant?
A good consultant has direct AI governance delivery experience, understands the technical and operational reality of AI systems, and has worked with UKAS-accredited certification bodies through full audit cycles. They treat ISO 42001 as a distinct discipline rather than an extension of ISO 27001, and they can engage credibly with data science and engineering teams as well as compliance functions.
How long does an ISO 42001 implementation take?
For a typical mid-sized UK organisation without prior ISO 27001 certification, plan for nine to fifteen months from kickoff to certification readiness, depending on the size of the AI estate and the maturity of existing governance. The shortcut, where ISO 27001 is already in place and the AI inventory is small, is six to nine months.
Can our existing ISO 27001 consultant handle ISO 42001?
The scope is materially different. ISO 27001 expertise is useful for the management system structure, but ISO 42001 covers a distinct domain: AI risk, model governance and the technical evidence auditors expect to see. We typically see the best outcomes when ISO 27001 consultants partner with AI governance specialists rather than attempt the work alone.
What does ISO 42001 certification cost in the UK?
Costs vary significantly by organisation size and AI estate complexity, and we recommend obtaining quotes directly from consultants and certification bodies for your specific circumstances. The larger cost is often internal time, which is, in our experience, underestimated by consultants who have not delivered the work before.
Is ISO 42001 mandatory?
Not at present. ISO 42001 is currently voluntary. In our view, it is increasingly appearing in procurement processes in regulated sectors, and we expect future UK and EU regulation may reference it, though the regulatory trajectory is not yet settled.
Get an honest assessment before you commit
If you are considering ISO 42001 certification, the most valuable thing you can do before signing any consulting contract is understand where you actually stand. Most organisations are further from certification readiness than they think, and the gaps are rarely the ones they expect.
A half-hour conversation with one of our practitioners will give you a clear view of where your AI inventory is, where the real governance gaps sit and what a realistic scope of work looks like — including, candidly, when you don’t need us. The discussion is informal, does not constitute legal or regulatory advice, and certification outcomes depend on your specific organisational circumstances. Schedule your readiness conversation.
Before you sign the SoW — get an honest second view
Half an hour with a QL Security practitioner who has taken organisations through full ISO 42001 audit cycles. Where you are, where the real gaps are, what good delivery actually looks like for your context.