Frequently asked questions
Questions & answers
The AI Auditor (Der KI-Auditor) is the personal practice of Lars Zimmermann, a Germany-based auditor who helps organisations worldwide get ready for ISO/IEC 42001 and ISO/IEC 27001 and clarify their obligations under the EU AI Act. The service covers readiness (building your management system to certification-ready), internal (first-party) audits, second-party (supplier) audits on the buyer's behalf, and EU AI Act classification. It is not a certification body and does not issue accredited certificates; the accredited certificate comes from a separate accredited certification body once you are ready. Audits are conducted in German or English, remotely or on-site, so the service works for clients in the US, UK, EU, the Gulf and APAC.
What is The AI Auditor?+
The AI Auditor (Der KI-Auditor) is the personal practice of Lars Zimmermann, an auditor based in Germany. The practice helps organisations prepare for and pass audits against ISO/IEC 42001 (AI management systems) and ISO/IEC 27001 (information security), run internal and supplier audits, and understand where they stand under the EU AI Act. The legal entity behind the brand is a precision-engineering (manufacturing) company that Lars Zimmermann runs, so the work is grounded in real operational practice, not theory alone.
Is this a certification, and do you issue certificates?+
No. The AI Auditor is not a certification body and does not issue accredited certificates. An accredited ISO/IEC 42001 or 27001 certificate can only be issued by an accredited certification body. What we do is get you certification-ready, run internal and second-party audits, and classify your systems under the EU AI Act, so that when the accredited body arrives there are no surprises.
What is the difference between an auditor, a certification body and a consultant?+
A certification body is the accredited organisation that issues the official certificate after its own audit; for independence reasons it cannot also build your system. A consultant helps you implement and may have a commercial interest in a particular outcome. An independent auditor assesses your management system against the standard, tells you honestly where the gaps are, and reports what an accredited body would find. The AI Auditor works in the auditor and readiness role, keeping the assessment separate from the certificate itself.
What is a second-party (supplier) audit and when do I need one?+
A second-party audit is an audit carried out on the buyer's behalf, when you want independent assurance about a supplier, vendor or partner. The supplier does not need to hold any certificate to be audited. This is useful when you rely on an AI or IT provider, when a customer asks you to demonstrate control over your supply chain, or when you are deciding whether to trust a vendor's claims about security or AI governance.
Does the EU AI Act apply to my company if we are not based in the EU?+
It can. The EU AI Act applies extraterritorially: any company that places an AI system on the EU market, or whose AI output is used within the EU, can fall within scope regardless of where the company itself is located. A firm in the US, UK, the Gulf or APAC that serves EU customers or whose AI results are used in the EU may therefore have obligations. We start with a classification to establish whether, and how, the Act applies to your specific systems.
What are the key EU AI Act deadlines for 2026 and beyond?+
The AI literacy obligation under Article 4 has applied since 2 February 2025. The Article 50 transparency obligations apply from 2 August 2026, with a grace period for marking pre-existing systems until 2 December 2026. High-risk obligations under Annex III are deferred to 2 December 2027, and Annex I embedded high-risk obligations follow on 2 August 2028. These timelines reflect the Digital Omnibus as confirmed by the Council on 13 May 2026.
What is ISO/IEC 42001 and who is it for?+
ISO/IEC 42001 is the international management-system standard for artificial intelligence. It gives an organisation a structured, auditable way to govern how it develops, deploys and monitors AI, covering risk, roles, controls and continual improvement. It suits any organisation building or using AI that wants to demonstrate responsible, well-governed practice to customers, regulators and partners. Because it is an international standard, a certificate against it is recognised worldwide.
What is ISO/IEC 27001 and how does it relate to AI work?+
ISO/IEC 27001 is the international standard for information security management. It provides a systematic framework for protecting the confidentiality, integrity and availability of information. AI systems run on data and infrastructure, so a solid 27001 foundation supports responsible AI: much of the security governance an AI programme needs already lives inside a 27001 management system. Like 42001, it is an international standard whose certificate is recognised worldwide.
How does having ISO certification help with the EU AI Act?+
ISO/IEC 42001 and 27001 give you the governance, risk and control structures that AI Act obligations expect: documented roles, risk assessment, data and security controls, monitoring and continual improvement. Building these management systems means much of the evidence and discipline the Act asks for is already in place and maintained. ISO certification is not the same as legal compliance, but a mature management system makes meeting AI Act duties far more straightforward and demonstrable.
In which languages do you work, and can I get reports in English?+
Audits are conducted in German or English, and reports are available in English. This makes the practice practical for international teams and for headquarters or customers who need documentation they can read and act on directly.
Do you work remotely or on-site, and can you serve clients in my country?+
Both. Document and interview audits are handled reliably and fully remotely, which works anywhere in the world. On-site engagements are available across several countries as well as within Germany. In practice the service supports clients across the US, UK, EU, the Gulf and UAE, Singapore and the wider APAC region.
What qualifications and credentials do you hold, and can I verify them?+
Lars Zimmermann holds ISO/IEC 42001 Senior Lead Auditor and Senior Lead Implementer, and ISO/IEC 27001 Lead Auditor and Lead Implementer, and is a PECB Certified Trainer and Partner. The senior level requires more than 1,000 documented audit hours and over seven years of practice. These credentials are issued through PECB and are independently verifiable via Credly.
How much does it cost?+
There are no fixed public prices, because scope varies with the size and maturity of your organisation and systems. We begin with a free intro call of around fifteen minutes to scope the work, after which you receive a clear price. As a separate rough guide, an accredited certification body's own fees in 2026 run roughly EUR 3,000-4,500 for the initial certification audit plus about EUR 1,400-2,000 per annual surveillance audit; those fees are paid to the certification body, not to us.
Where are you based, and does that limit international clients?+
The practice is based in Germany. Being in Germany is an advantage for international work: it places us at the heart of EU regulation, including the EU AI Act, while remote document and interview audits and English-language reporting keep the service accessible to clients anywhere in the world. ISO 42001 and 27001 are international standards, so the readiness and audit work translates directly across markets.