AI Governance and ISO/IEC 42001 Readiness

ISO/IEC 42001 certification demonstrates that your organisation manages artificial intelligence responsibly. It gives customers, regulators, and procurement officers an independent basis for trusting your AI systems.

When does ISO 42001 become relevant?

ISO 42001 is the international standard for AI management systems. It typically becomes a business requirement at one of these inflection points:

  1. A government agency or enterprise customer asks how you govern the AI systems in your products or operations and you cannot provide a structured answer
  2. A procurement tender or supplier questionnaire includes AI governance requirements and you have no documented framework to reference
  3. Your organisation is deploying AI in a regulated context — healthcare, financial services, legal, or government — where accountability for AI decisions is a compliance or liability concern
  4. You are building or selling AI-enabled products and want a credible, auditable basis for claims about safety, fairness, and transparency
  5. Your board or executive team is asking about AI risk and you need a structured program to manage and report on it

What does AI governance and ISO 42001 readiness include?

We take organisations from their current state through to a documented, auditable AI management system. For organisations pursuing certification, we support you through to your external audit.

  1. AI governance gap assessment. A structured review of your current AI governance practices against the requirements of ISO/IEC 42001. We identify what is in place, what is partial, and what is missing — rated by implementation status and certification risk. This includes a review of how AI is used across your organisation, who is accountable for AI decisions, and what controls are in place.
  2. AI system inventory and use case review. Documentation of the AI systems your organisation develops, deploys, or procures, including the intended use case, the data involved, the decision being made or supported, and the risk profile of each system. This is the foundation of a compliant AI management system.
  3. AI risk assessment and treatment. A structured risk assessment across your AI systems using a methodology aligned to ISO 42001 requirements. Identification of risks related to bias, transparency, accountability, security, and unintended outcomes. Development of a risk treatment plan with prioritised controls.
  4. AI policy and procedure development. We design and document the governance framework your organisation needs: AI use policy, acceptable use guidelines, AI procurement policy, model governance procedures, incident management, and human oversight requirements. Written for your organisation’s context.
  5. AI supplier risk review. Assessment of the AI systems and components you procure from third parties. Many organisations are exposed to AI risk through suppliers without realising it. We review your supply chain against ISO 42001 supplier requirements and identify gaps.
  6. ISO 42001 implementation support. Prioritised implementation roadmap with realistic timelines. We work with your team through the implementation phase rather than handing over a list of findings.
  7. AI audit readiness. A formal internal audit of your AI management system before the certification audit. Identifies remaining nonconformities so you can address them before the certifying body arrives. Includes preparation of your audit evidence package.

What you receive

Agreed AI governance artefacts aligned to ISO/IEC 42001, which may include an AI system register, risk assessment and treatment documentation, policies, procedures, Statement of Applicability and internal audit support. Everything required to support external certification or to demonstrate AI governance maturity to customers and regulators without pursuing formal certification.

Do I need to pursue certification?

No. Many organisations complete the readiness and implementation work without pursuing formal certification. The governance framework, documented controls, and risk assessment are valuable independently — they give you a defensible basis for AI governance conversations with customers, regulators, and boards regardless of whether a certifying body has audited them. Certification is an additional step for organisations that need an independent attestation for procurement or regulatory purposes.

Timeline

The gap assessment and AI system inventory phase typically runs 3 to 6 weeks. Full implementation support through to certification audit runs 4 to 9 months depending on the number and complexity of AI systems in scope, existing governance maturity, and how much of the implementation work your team handles internally.

Pricing

Contact us with your organisation size, industry, number of AI systems in scope, and target timeline. We will scope the engagement and respond within one business day.

Based in Australia. Available Globally.

Listed on BuyICT and selected Australian government procurement panels, including NSW SCM0020.

Our practitioners bring senior CISO experience across SMBs, Government, education, healthcare, not-for-profit, financial services, and technology. Every engagement is led by an experienced practitioner from scoping through to delivery.

Talk to Our Experts
