ISO 42001 Certification in the UK: A Lead Auditor's Q&A
The ISO 42001 certification path, cost, timeline and how the standard compares with ISO 27001, plus what auditors expect to see and where efforts stumble. For UK GRC and AI governance teams.
This FAQ answers the questions UK GRC teams, security leads and AI governance owners ask most often about ISO 42001 certification. It covers the certification path, what it costs, how long it takes and how the standard compares with ISO 27001. It also goes deeper into what auditors expect to see, how to integrate ISO 42001 into an existing management system and where certification efforts most commonly stumble. We write from the perspective of a Lead Auditor who runs these audits, so the answers reflect what actually happens in the audit room rather than what a marketing page promises.
How do you get ISO 42001 certified in the UK?
ISO 42001 certification in the UK starts with a gap analysis against the standard, then building an AI management system covering policy, risk assessment and controls. An internal audit and management review follow, before an accredited certification body runs a two-stage external audit covering documentation then implementation.
The practical sequence runs like this. First you scope which AI systems and processes fall inside your management system, because scope drives everything that follows, including the audit fee. Then you carry out a gap analysis to measure your current state against the clauses and Annex A controls, which tells you how far you are from certifiable. From there you build the system itself: an AI policy, a risk assessment process, AI impact assessments and the operational controls that govern how your AI behaves. Once the system has run for a short operating period and produced records, you complete an internal audit and a management review. Only then does the accredited certification body conduct its Stage 1 and Stage 2 audit. The order matters because each step produces the evidence the next one depends on, and skipping ahead usually means going back. We recommend an ISO 42001 readiness assessment before booking the certification audit, so you find the gaps before the auditor does.
How much does ISO 42001 certification cost in the UK?
ISO 42001 certification cost in the UK varies with organisation size, number of AI systems and existing control maturity. Costs split between optional consultancy support to build the management system and the accredited certification body’s audit fees. Smaller UK firms typically budget several thousand pounds; larger or multi-site organisations pay considerably more.
The single biggest cost driver is how much of the management system already exists. An organisation with mature governance, a working ISO 27001 system and documented controls reuses a great deal and pays less, because the build phase is the expensive part and it has already done most of it. An organisation starting from a blank page spends more on the build, since policy, risk methodology and controls all have to be created and tested. The certification body’s fee scales with the number of audit days, which in turn scales with the size of your scope, the number of sites and the complexity of your AI systems. Treat the audit fee and any consultancy support as two separate lines in your budget, because you control one of them and the certification body sets the other. Tightening your scope to the systems that genuinely need governing is one of the few levers that reduces both figures at once. We map both costs during a readiness assessment so the total is clear before you commit.
How long does ISO 42001 certification take?
ISO 42001 certification typically takes three to six months for a UK SME with reasonable governance already in place, and longer for complex or multi-site organisations. The timeline covers gap analysis, building the AI management system, gathering evidence over a short operating period, then the two-stage certification audit.
The part that surprises people is the operating period. A certification body will not certify a management system that has never run. You need records that show the system working: completed risk assessments, an internal audit, a management review and evidence that your controls operate as documented. That evidence takes weeks to accumulate, which is why a realistic readiness phase rarely compresses below three months no matter how much budget you throw at it. Multi-site organisations, those with many AI systems and those with little existing governance should plan for longer, because each added system and site adds scope, controls and audit days. The two-stage certification audit itself runs over a defined number of days set by the certification body, with a gap between Stage 1 and Stage 2 so you can close any findings before implementation is assessed. Building that gap into your plan rather than treating it as a delay keeps the overall timeline honest.
What is the difference between ISO 42001 and ISO 27001?
ISO 27001 governs an information security management system; ISO 42001 governs an AI management system. ISO 27001 protects the confidentiality, integrity and availability of information. ISO 42001 addresses how an organisation governs AI across its lifecycle, including risks that traditional security controls do not cover.
The two standards share the same management-system structure, which is why organisations holding ISO 27001 find ISO 42001 familiar. Both use a policy, a risk-based approach, internal audits and management review, so the governance routines feel recognisable from day one. The substance differs. ISO 27001 focuses on protecting information assets. ISO 42001 asks whether your AI systems behave as intended, whether you have assessed their impact on individuals and society and whether you can demonstrate responsible governance over models, data and decisions. We frame this through the CIA+EFT Framework, which extends the familiar confidentiality, integrity and availability triad with explainability, fairness and traceability to capture the questions AI raises that the information-security triad alone cannot answer. An ISO 27001 certificate does not make you ISO 42001 compliant, but it gives you a strong foundation to build on and shortens the route considerably.
What is the difference between ISO 42001 and SOC 2?
ISO 42001 and SOC 2 answer different questions. ISO 42001 is an accredited, certifiable AI management system standard that governs how you build, deploy and run AI responsibly. SOC 2 is a US attestation report on security and privacy controls, assessed by an auditor against the Trust Services Criteria rather than awarded as a certification, and it does not address AI-specific risks such as model behaviour, bias or impact on people. For governing AI specifically, UK organisations need ISO 42001; where both apply, they are complementary rather than interchangeable.
What does an ISO 42001 Stage 1 audit involve?
A Stage 1 audit is a documentation and readiness review. The Lead Auditor checks that your AI management system exists on paper, that it covers the right scope and that you are ready for the Stage 2 implementation audit. It is not a pass-or-fail certification decision; it is a checkpoint that tells you whether to proceed.
During Stage 1 the auditor reviews your AI policy, your scope statement, your risk assessment process, your Statement of Applicability and your planned controls. The auditor also confirms that you have completed an internal audit and a management review, because a certification body cannot certify a system that has never been checked internally. The output is a set of findings and observations rather than a verdict. If Stage 1 surfaces material gaps, you close them before Stage 2 rather than failing the whole audit, which is exactly why the two-stage structure exists. We treat Stage 1 as the moment where good preparation pays off: organisations that ran a proper readiness assessment arrive with documentation that holds up, the auditor moves on quickly to implementation and Stage 2 becomes a confirmation rather than a scramble.
What evidence does an ISO 42001 auditor expect to see?
An ISO 42001 auditor expects evidence that your AI management system operates in practice, not just that it exists on paper. That means completed AI risk assessments, AI impact assessments, records of your controls working, internal audit results and a management review that engaged with real issues.
In practice the auditor will ask to see specific artefacts. Your AI policy and scope, signed off by management. A risk assessment that names actual AI systems and the risks they carry, not a generic template lifted from elsewhere. Impact assessments for the systems that warrant them. Evidence that your behaviour controls operate, which is where many organisations come up short because they have written a control but cannot show it running. Internal audit reports with findings and corrective actions, demonstrating that you check your own work. A management review with decisions and follow-up, proving leadership engaged with the system rather than rubber-stamping it. The principle is consistent across ISO management systems: if it is not documented and you cannot show it happening, the auditor treats it as not done. We use AI Behaviour Verification to generate the kind of evidence that demonstrates a control actually constrains how a system behaves, which is the type of proof that turns an assertion into an accepted finding.
Can you integrate ISO 42001 into an existing ISO 27001 system?
Yes. ISO 42001 shares the high-level structure common to ISO management standards, so an organisation with a working ISO 27001 system can extend it rather than build a parallel one. Shared elements include the policy framework, risk methodology, internal audit programme, management review and corrective action process.
Integration is the efficient route for most organisations that already hold ISO 27001. You keep one management system with one set of governance routines and add the AI-specific requirements on top, which avoids the duplication and conflicting paperwork that two separate systems create. Your existing risk methodology extends to cover AI risks. Your internal audit programme adds AI scope. Your management review agenda gains AI items. What you cannot reuse wholesale is the substance of the AI controls, because protecting information and governing AI behaviour are different problems with different evidence. The structure transfers; the content does not. We advise integrating where the existing system is genuinely mature, and running a focused gap analysis to identify exactly which AI-specific elements need building from scratch, so you spend effort only where the existing system falls short.
What are the most common ISO 42001 non-conformities?
The most common ISO 42001 non-conformities are a weak AI risk assessment, missing AI impact assessments and undocumented behaviour controls. These three account for a large share of findings because they are the substance of the standard, and they are the parts that cannot be lifted from an existing ISO 27001 system.
A weak risk assessment typically uses a generic template that never names the organisation’s actual AI systems or the specific risks they carry, so it reads as a formality rather than an analysis. Missing impact assessments happen when an organisation treats AI as a standard IT project and never assesses its effect on individuals or wider stakeholders. Undocumented behaviour controls are the most frequent of all: a control exists in policy, but there is no evidence it operates, so the auditor cannot accept it. The pattern across these failures is the same. Organisations document intent without demonstrating practice, and the audit is built to spot exactly that gap. A readiness assessment with a Lead Auditor finds these gaps before the certification audit does, which turns a potential major non-conformity into a corrected item and keeps your timeline and certificate intact.
Does ISO 42001 certification help with EU AI Act compliance?
ISO 42001 certification supports EU AI Act compliance without being a substitute for it. The standard gives you a governance framework, risk assessment process and documentation discipline that map onto many of the Act’s expectations, particularly around risk management, transparency and accountability.
The EU AI Act is law and ISO 42001 is a voluntary standard, so they operate differently and you cannot trade one for the other. The Act imposes legal obligations that scale with the risk classification of your AI systems. ISO 42001 provides a management system that helps you meet those obligations in an organised, auditable way. Many of the Act’s requirements, such as maintaining risk management processes, documenting systems and demonstrating transparency, sit comfortably inside an ISO 42001 management system. Holding the certificate does not exempt you from the Act, and a UK organisation still needs to assess its own exposure to EU rules based on where its AI systems are used and who they affect. What certification does give you is a credible, externally verified foundation that makes demonstrating compliance far easier when a regulator or customer asks. We map the two together during a readiness assessment so you can see where your management system already satisfies the Act and where legal obligations go further.
To map your own certification path, cost and timeline, book an ISO 42001 readiness assessment with our Lead Auditor team. You may also find our guidance on AI Governance and the AI Security Gap Analysis useful background.