ISO 42001
Get Your Organization ISO 42001-Ready: A 2026 Readiness Guide
June 27, 2026 · 9 min read
What it takes to become ISO/IEC 42001-ready — the first international standard for AI management systems — as a checklist you can work through.
ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS) — the responsible-AI counterpart to what ISO 27001 is for information security. Getting "ISO 42001-ready" means standing up that management system, governing every AI system you build or use, and having the evidence to prove it. This guide walks the readiness path step by step.
What ISO 42001 readiness actually means
ISO 42001 is a management-system standard, so its core (Clauses 4–10) mirrors ISO 27001: context, leadership, planning, support, operation, evaluation, and improvement. On top of that sit Annex A controls specific to AI governance. Being "ready" means the AIMS is established and operating, AI risks and impacts are assessed, the applicable Annex A controls are implemented and evidenced, and your Statement of Applicability is written — so a certification body’s Stage 1 and Stage 2 audit finds a working system, not a binder of intentions.
The ISO 42001 readiness checklist
1. Secure leadership commitment and set an AI policy
Clause 5 requires top-management ownership. Name an AIMS owner, agree objectives and a target certification date, define roles and responsibilities, and publish an AI policy that leadership signs — covering your organization’s stance on responsible, transparent, and accountable AI.
2. Define the AIMS scope and your AI roles
Decide which AI systems, products, and use cases the AIMS covers, and which role(s) you play for each — AI provider, developer, or deployer — since obligations differ. Document the context, interested parties, and scope boundaries with justification.
3. Inventory your AI estate
You cannot govern AI you cannot see. Build a register of every AI system, model, training dataset, and embedded or third-party AI in scope. This inventory is the backbone of the whole AIMS — AI estate governance in CATAAM discovers and tracks it for you so the register stays current.
4. Run AI risk and AI impact assessments
Clause 6 requires a repeatable risk assessment, and ISO 42001 uniquely requires an AI system impact assessment — the effect of each AI system on individuals, groups, and society. Document the methodology, score likelihood and impact, and decide treatments.
5. Select Annex A controls and write the Statement of Applicability
Annex A groups its controls under nine objectives (A.2–A.10): AI policies, internal organization, resources, AI system impact assessment, AI lifecycle, data for AI systems, information for interested parties, AI system use, and third-party relationships. Mark each control applicable or excluded, justify the decision, and record status in the Statement of Applicability — the cornerstone audit document.
6. Implement the AI governance controls
Stand up the controls behind the policies: data governance and quality, transparency and system documentation, human oversight, lifecycle management from design to retirement, and supplier and third-party AI due diligence.
7. Operate the system and collect evidence
Auditors want proof controls operate over time, not just on paper — the most time-consuming step manually. Continuous AI control validation tests each Annex A control natively and harvests evidence as your AI estate changes, so there is no audit-season scramble.
8. Run an internal audit and management review
Clause 9.2 requires an internal audit before certification, and Clause 9.3 a management review of AIMS performance, risks, and impacts. Find and close nonconformities now, while they are cheap to fix.
9. Stage 1 and Stage 2 certification audits
A certification body reviews your documentation (Stage 1), then tests that controls operate in practice (Stage 2). Close any findings and you are certified for three years, with annual surveillance audits.
How long does it take to get ISO 42001-ready?
Manually, standing up an AIMS takes many months. With ISO 42001 automation — pre-built AIMS scaffolding, automatic AI-estate discovery, native Annex A control tests, and a generated Statement of Applicability — teams reach audit-ready in weeks. CATAAM is also the first platform to both govern and attack-test your AI, so you can prove controls hold, not just document them.
ISO 42001 and ISO 27001 together
Because ISO 42001 shares the management-system clauses of ISO 27001, an existing ISMS gives you a running start — much of leadership, risk, internal audit, and supplier management carries over. If you are running both, implement once and cross-map evidence. See ISO 27001 compliance automation and, if you are choosing where to start, the ISO 27001 vs SOC 2 comparison.
Get your organization ISO 42001-ready inside CATAAM
See ISO 42001 automation →Frequently asked questions
- What does it mean to be ISO 42001-ready?
- It means your AI Management System (AIMS) is established and operating per ISO/IEC 42001 — scope defined, AI estate inventoried, AI risk and impact assessments done, applicable Annex A controls implemented and evidenced, and a Statement of Applicability written — so a certification body’s Stage 1 and Stage 2 audit finds a working system.
- How many controls are in ISO 42001 Annex A?
- ISO/IEC 42001:2023 Annex A contains 38 controls grouped under nine objectives (A.2–A.10), covering AI policies, internal organization, resources, AI system impact assessment, the AI lifecycle, data for AI systems, information for interested parties, AI system use, and third-party relationships.
- Do I need ISO 27001 before ISO 42001?
- No. ISO 42001 is a standalone management-system standard. But because it shares the same clause structure as ISO 27001, an existing ISMS gives you a head start — leadership, risk management, internal audit, and supplier controls largely carry over, and evidence can be cross-mapped.
- How long does ISO 42001 certification take?
- Manually, standing up an AIMS typically takes many months. With automation that pre-builds the AIMS, discovers your AI estate, validates Annex A controls, and generates the Statement of Applicability, organizations can reach audit-ready in weeks.