ISO 42001 Gap Analysis: Process, Duration and Outcome
What an ISO 42001 gap analysis is, how it works, how long it takes and what you end up with, the first and lowest-risk step towards certification readiness.
In short
An ISO 42001 gap analysis is the structured baseline assessment at the very start: it compares your current state against the requirements of the standard and shows, in black and white, what is already in place and what is missing. Depending on your size it takes roughly one to three weeks and ends with a prioritised gap report plus an effort estimate, the foundation for any credible project and budget planning.
Auf Deutsch lesen: deutsche Fassung
Every serious ISO 42001 project begins not by writing documents, but with an honest baseline assessment: the gap analysis. It is the first, lowest-risk and least expensive step, and often the most valuable, because it turns "we really should" into a clear, quantified plan.
What a gap analysis is
The gap analysis compares your current state against the requirements of ISO/IEC 42001 (clauses 4 to 10 and Annex A) and against your use of AI in the light of the EU AI Act. The result is a clear list: what you already meet (often more than you think, especially where you have ISO 27001 or 9001 in place), what is missing, and where the greatest risk lies.
The process in three steps
- Step 1 · AI inventory: we capture your AI applications, their purpose and your role (provider/deployer). Outcome: a clear view of what actually needs to be governed.
- Step 2 · Target-versus-actual comparison: comparison against the standard's clauses and Annex A, review of existing documentation, short interviews. Outcome: a gap list with a level of fulfilment for each requirement.
- Step 3 · Prioritisation: prioritise gaps by risk and effort, derive a roadmap and effort estimate. Outcome: a prioritised gap report plus project plan.
The lowest-risk way in: afterwards you know exactly where you stand, without committing to the full project.
Duration and outcome
Depending on size and complexity, a gap analysis takes roughly one to three weeks. At the end you hold a prioritised gap report: met / partially met / open for each requirement, the biggest risks first, together with a realistic estimate of the effort and time needed to close them. This is the foundation for credible budget and project planning, and for deciding whether and how you proceed.
The gap analysis is precisely the first building block of my ISO 42001 readiness support. Afterwards you can carry on building yourself or with me, with no obligation beyond the analysis itself.
Frequently asked questions
How long does an ISO 42001 gap analysis take?+
Depending on size and complexity, roughly one to three weeks, from capturing your AI applications through the target-versus-actual comparison to the prioritised gap report.
What is the outcome of a gap analysis?+
A prioritised gap report: met / partially met / open for each requirement, the biggest risks first, plus a realistic estimate of effort and time. This lets you plan and budget the full project on a credible basis.
Do I have to book the whole project after the gap analysis?+
No. The gap analysis is a self-contained, standalone step. Afterwards you can carry on building yourself or continue the support, there is no obligation beyond the analysis itself.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)
Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.