Skip to content

Govern AI responsibly · ISO/IEC 42001

ISO 42001 readiness

I build your AI management system (AIMS) to ISO/IEC 42001, from the gap analysis through risks, roles, controls and policies to the internal audit and certification readiness. That lets you govern AI demonstrably and responsibly, meet customer requirements and be ready for the EU AI Act. The official certificate is issued at the end by an accredited certification body, I make you independently fit for it.

ISO/IEC 42001 is an international standard, its certificate is recognised worldwide and increasingly requested in global supply chains, wherever you are based.

When it makes sense

AI is long since in use in mid-sized companies, in production, in sales, in administration. What is often missing is the proof that you have it under control. Customers ask for it, supply chains demand it, and the EU AI Act turns it into obligations. An AI management system to ISO/IEC 42001 makes sense if you:

  • want to govern AI demonstrably and responsibly, not just 'use it somehow'
  • are asked about AI governance by customers or clients
  • want to stand out from competitors with responsible AI
  • need to be ready for the EU AI Act and want a solid framework

Want to go deeper? ISO 42001 explained and ISO 42001 vs. ISO 27001.

What I build

  • Gap analysis against ISO/IEC 42001
  • AI risk assessment & treatment
  • Roles, responsibilities & governance
  • Policies, procedures & controls
  • Internal audit & management review
  • Preparation for the certification audit

For clarity: I build your AI management system and make it audit-ready. The official ISO/IEC 42001 certificate is issued exclusively by an accredited certification body, and that is exactly where my groundwork is meant to hold up.

Why me?

As an ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer and ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB) who runs a manufacturing company himself, I know both sides of the audit table. I own the build as a certified Senior Lead Implementer and the examination as a Senior Lead Auditor, both publicly verifiable via Credly. PECB awards the Senior level only from 1,000+ documented audit hours and at least seven years of professional practice. I do not build a paper management system that gathers dust on a shelf, but one that holds up in real operation and passes an external audit.

Three entry points

BaselineBuild & readinessCertification readiness

How it works

Three stages to certification readiness

01

Baseline

Gap analysis against ISO/IEC 42001 and classification of your AI applications. You get a finding and a prioritised action plan.

02

Build & readiness

We build the AIMS that holds up in operation: policies, roles, AI risk assessment and controls, plus training for the people who own it.

03

Certification readiness

An internal audit run like the certification body would, corrective actions and preparation for stage 1 / stage 2 of the external audit.

The fast track

Already have ISO 27001 or ISO 9001? Then you have most of it.

ISO/IEC 42001 shares the same core structure (Annex SL) with ISO/IEC 27001 and ISO 9001. If you already live one of them, context, leadership, roles, risk management, internal audit and management review are already in place, we don't rebuild those, we only add the AI-specific parts.

Already in place (transferable)

  • Context & interested parties
  • Policy, roles & responsibilities
  • Risk management process
  • Internal audit & management review
  • Document control & improvement (CAPA)

Added for AI

  • AI policy
  • AI inventory & roles (provider/deployer)
  • AI risk and impact assessment
  • AI-specific controls (Annex A)
  • Human oversight & transparency

How big your head start really is becomes clear from the gap analysis in a few days, usually far shorter than building from scratch.

Build vs. certification

I prepare: I build the AI management system with you, run the internal audit and make you audit-ready. The accredited certification is then issued by an independent certification body, which I deliberately am not tied to. That keeps my advice neutral and the external audit a genuine examination rather than a formality. What the build realistically costs I set out in the insight ISO 42001 cost in 2026.

Frequently asked questions

What is ISO/IEC 42001?+

ISO/IEC 42001 is the world's first standard for an AI management system (AIMS, a management system for artificial intelligence). It describes how an organisation plans, controls, monitors and demonstrably improves its use of AI in a responsible way, analogous to ISO/IEC 27001 for information security, just for AI. With an AIMS you show customers, supply chains and regulators that you have your AI under control.

What does 'readiness' mean, and how do you build it?+

Readiness means: your AI management system is built and lived to the point where it would pass an external certification audit. I work in three stages. First, a baseline (gap analysis against ISO/IEC 42001 plus classification of your AI applications). Second, the build: policies, roles, AI risk assessment and controls that hold up in day-to-day operation. Third, certification readiness: an internal audit run like the certification body would, corrective actions, and preparation for the external audit.

How long does implementation take?+

In a mid-sized organisation, realistically three to nine months; a well-run project with a clear scope lands at around five months (about 22 weeks) to certification readiness, from the gap analysis through policy, AI risk and impact assessment and internal audit to preparing for the external audit. An existing ISO 27001 shortens this noticeably. The certification body sets the date of the external audit separately.

Do I need ISO/IEC 27001 first?+

No, but it helps. A solid ISMS (information security management system to ISO/IEC 27001) is a good foundation, because ISO/IEC 42001 shares many structures, risk assessment, roles, management review. If you already have an ISMS, the AIMS builds on top of it. If not, we build the shared parts as we go.

What does ISO/IEC 42001 have to do with the EU AI Act?+

The EU AI Act requires you to classify your AI systems and, at higher risk, meet obligations such as risk management, documentation and oversight. ISO/IEC 42001 provides exactly the organisational framework for this and makes meeting those obligations demonstrable. A well-run AIMS is a strong argument towards customers and regulators, even though it does not formally replace the AI Act.

Is ISO/IEC 42001 relevant outside the EU?+

Yes. ISO/IEC 42001 is an international standard and its certificate is recognised worldwide, so it is valuable to companies in the US, UK, the Gulf and Asia-Pacific just as much as in Europe. It is increasingly requested in global supply chains and procurement as independent evidence of responsible AI, regardless of where you are based.

What does building an AI management system cost?+

It depends on the size, number and risk of your AI applications and on your existing maturity. In a free intro call we settle the frame and the right entry point, whether baseline, build or certification readiness. You then get a clear price, no inflated figures.

Who selects and coordinates the certification body?+

I support you in choosing an accredited certification body and coordinate the process, stage 1 and stage 2 audits, dates and documents. The body invoices its fee separately; as a rough guide, for a small operation this is roughly EUR 3,000 to 4,500 for the initial certification plus about EUR 1,400 to 2,000 per annual surveillance audit (comparable accredited audits, 2026). Because I am not tied to any certification body, the choice stays neutral and in your interest.

Do you issue the certificate?+

No. Official certification to ISO/IEC 42001 is issued exclusively by an accredited certification body. I prepare you independently for that audit and am not tied to any certification body. That keeps my advice neutral and the external audit a genuine, independent examination.

Imprint and privacy policy are available in German (the German version is legally binding): Imprint, Privacy (English summary).