How long does ISO 42001 take? A realistic timeline
From gap analysis to certification readiness: a realistic week-by-week timeline for an ISO 42001 implementation in a mid-sized company, and the factors that really drive the duration.
In short
An ISO/IEC 42001 implementation realistically takes three to nine months for a mid-sized company, a well-run, typical case lands at around five months (about 22 weeks) from gap analysis to certification readiness. How long it actually takes depends mainly on whether an ISO 27001 is already in place, how clearly the scope is drawn, and how much internal time is allocated.
Auf Deutsch lesen: deutsche Fassung
After cost, "how long does it take?" is the next question everyone asks, and the honest answer is a range, not a date. For a mid-sized company, three to nine months is realistic. A well-run project with a clear scope typically lands at around five months, roughly 22 weeks from the first assessment to certification readiness.
One clarification up front: this is the time to readiness for the external certification audit. The audit itself (Stage 1 and Stage 2) is scheduled separately by the accredited certification body, with its own lead time.
The timeline in six phases
This sequence follows a real implementation project, tailored to ISO 42001, the AI-specific steps (AI inventory, risk and impact assessment) are added:
| Phase | Week | What happens | Output |
|---|---|---|---|
| 1 · Initiation | 1–2 | Build standard knowledge, set up the project, gap analysis / pre-audit | Gap report, project plan |
| 2 · Planning | 3–4 | Context, interested parties, scope, inventory of AI systems | Scope, AI inventory, stakeholder list |
| 3 · Development | 5–9 | AI policy, objectives, AI risk and impact assessment, control selection (SoA), documented information | Policy, risk register, SoA, procedures |
| 4 · Implementation | 10–14 | Training, roll out processes, establish human oversight and monitoring, collect evidence | Processes in use, first evidence |
| 5 · Review | 15–18 | Internal audit, management review, corrective actions | Audit report, management review, action plan |
| 6 · Certification | 19–22 | Select certification body, Stage 1 and Stage 2 audit | Certification readiness, audit date |
What really drives the duration
- Existing foundation: a live ISO 27001 (or ISO 9001) already provides structure, roles and management review, a clear shortcut, because ISO 42001 shares the same base structure (Annex SL).
- A clear scope: a few clearly bounded AI systems go faster than "everything that is somehow AI".
- Internal effort: whether your people have weekly time decides the pace more than any method. The most common cause of delay is not complexity but missing internal capacity.
- AI maturity: if you already document and monitor your AI, you are faster than starting from zero.
The external audit: what drives the number of audit days
How many audit days the certification body allocates depends, per ISO/IEC 42006:2025 (Table A.1), explicitly not on your total headcount but on the number of people involved in the AI life cycle and your role (AI provider, AI deployer, or both). A company with 500 employees but only 15 people working with the AI is audited like a small organisation, the single most misunderstood lever.
For orientation, rounded guide values for the initial audit per ISO/IEC 42006:2025: up to around 10 people involved with the AI, roughly 3.5 to 5 audit days; up to ~25 people, roughly 4.5 to 7 days; up to ~85 people, roughly 7.5 to 11 days. An AI provider sits higher than a pure AI deployer. Adjustments apply for the number of AI systems, the regulatory frameworks involved and high-risk applications. Annual surveillance audits are considerably shorter.
What makes it faster
Three levers shorten the timeline without cutting quality: a tightly drawn scope for the initial certification (you can extend it later), building on an existing management system rather than reinventing it, and AI-assisted templates for policy, risk register and evidence. The last mainly shortens the documentation phase, but not the external audit, whose scope follows fixed accreditation rules.
I estimate the realistic timeframe for your case after a short assessment, more reliable than any flat figure, because it depends on your foundation and scope.
Frequently asked questions
How long does an ISO 42001 implementation take?+
Realistically three to nine months. A well-run project with a clear scope lands at around five months (about 22 weeks) to certification readiness; the external certification audit is scheduled separately by the accredited body.
Is it faster if I already have ISO 27001?+
Yes, considerably. ISO 42001 shares the base structure (Annex SL) with ISO 27001 and ISO 9001, context, roles, risk management and management review are already in place. The planning and development phases shorten most.
What takes the longest?+
Rarely the method, almost always internal capacity: interviews, document review, control implementation and evidence collection need reliable weekly time from your people. Plan for it and you hold the schedule.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 14 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.