ISO 42001 requirements
What are the main requirements to get ISO 42001-certified?

Organizations face new governance and security risks as AI becomes part of everyday business operations. While the ISO/IEC 42001 standard helps organizations oversee AI systems, implementing its various risk controls and ongoing oversight workflows demands standard-specific expertise.
Vanta’s 2025 State of Trust Report shows that nearly 60% of security teams are concerned about AI security threats advancing faster than their expertise. For companies with 1,000–2,000 employees, this figure rises to 67%, highlighting how AI risk management becomes more complex at scale.
To address such gaps, organizations need to establish a framework to meet ISO 42001 requirements in a way that’s effective and auditable.
ISO 42001 certification requirements explained
ISO 42001 certification requirements are organized across 10 clauses that define how organizations must structure, operate, and maintain their Artificial Intelligence Management System (AIMS).
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
The first three clauses provide the general context and vocabulary that help navigate the requirements, while Clauses 4–10 outline the actual organizational, technical, and operational requirements you must meet to get certified.
In this guide, we’ll group the ISO 42001 requirements into four practical areas:

Area 1: Foundational requirements (clauses 4 and 5)
Foundational ISO 42001 requirements primarily focus on establishing the organizational structure, accountability, and governance oversight needed to effectively manage an AIMS.
A key requirement of Clause 4 is defining and documenting the AIMS scope. You must clearly identify the AI system(s) in use, organizational boundaries, stakeholders, and the intended contexts in which those systems operate.
In practice, most organizations conduct internal assessments to map all relevant systems, supporting data pipelines, and third-party AI models or components relied upon. A reliable AI inventory is critical at this stage. Limited system visibility or the use of shadow AI undermines risk assessments, which in turn impacts the control design and its efficacy.
Next, you must also clarify your role relative to the AI system, that is, whether you develop, deploy, or use AI. This is essential for identifying applicable controls and assigning ownership and accountability.
Leadership involvement, as required under Clause 5, is another non-negotiable part of building an AIMS. Organizations must demonstrate leadership buy-in through resource support, governance policies, and well-planned roles and responsibilities. Additionally, to align with Clause 5.2, top management must establish an AI policy that sets direction, defines AI objectives, and commits to meeting applicable requirements and continual improvement.
Area 2: Planning and operational requirements (clauses 6 and 8)
By following the planning and operational requirements under ISO 42001, you’ll establish AI objectives, processes for risk assessment and treatment, and operational controls that help maintain AIMS integrity.
Under Clause 6, you must identify the intended purpose of your AI system. The goal is to understand what the system is designed to do, what types of decisions it automates, and how it impacts processes, users, and customers.
The next step is to conduct AI-focused risk assessments to identify threats and determine your risk appetite. A common mistake organizations make here is to start with the control mapping right after scoping the AIMS. However, you first need a clear view of AI risks depending on system criticality. High-risk systems typically require deeper assessments, stronger oversight, and tighter monitoring, while lower-risk tools can follow a light, fast-track risk management process.
Once you have your risk findings, create formal AI risk treatment plans that align with the expectations in Clause 6. This includes determining how AI risks will be treated, formally accepting residual risks, and documenting how selected controls are implemented. You can use Annex A as a reference to confirm if you’ve implemented necessary controls, although additional controls may also be needed in some cases.
A frequent roadblock in meeting ISO 42001 requirements, especially for organizations building AI, is failing to embed AI risk controls into existing development and deployment processes. Without AI risk checkpoints in the software development lifecycle (SDLC), risk management often doesn’t connect with regular engineering workflows.
Another operational requirement is conducting risk assessments and other planning-related activities at a set cadence to ensure your AIMS reflects broader changes in your AI systems, use cases, and risk environment.
Area 3: Support and documentation requirements (clause 7)
Clause 7 focuses on the supporting requirements to operate an effective AIMS. This includes ensuring the staff has the relevant AI-related competence, establishing communication mechanisms, and maintaining documentation that supports AI governance activities.
Organizations must maintain documentation specified by the standard, as well as additional records and processes necessary for the AIMS. Common evidence includes:
- Policies and procedures: Define how your organization manages the AIMS and AI risks
- Training records: Demonstrate that stakeholders involved with your AI systems have completed the required training
- Model testing documentation: Track how AI systems are evaluated for risk, performance, and reliability
- Data governance artifacts: Show how you source, use, classify, and secure the data your AI systems use
- Access logs: Demonstrate who has accessed your AI systems and when
- Monitoring outputs: Track your AI system’s ongoing performance to highlight potential drift and bias early
- Internal audit report: Document findings from your periodic assessments and ongoing alignment with ISO 42001
- Incident response plan: Show how you identify, report, and respond to AI-related incidents
- Management review minutes: Demonstrate leadership decision-making and oversight over your AIMS
The breadth of documentation depends on the nature of the AI systems. From a certification standpoint, Clause 7 requirements help auditors independently verify what’s documented and supported by evidence. That’s why these records should be kept up to date.
Area 4: Continuous monitoring requirements (clauses 9 and 10)
Clauses 9 and 10 focus on keeping your AIMS and the mechanisms that govern it functional as technologies, use cases, and risk profiles change.
Organizations must evaluate the performance and effectiveness of their AIMS over time through internal assessments and defined metrics. This generally involves establishing KPIs for AIMS performance, documenting management review outcomes, and implementing remediation measures as needed.
Remember to incorporate stakeholder feedback from across multiple departments and functions, as some performance aspects may not be visible in metrics alone.
Maintaining continuous monitoring might get complicated post-deployment, depending on the scale of your system. Ongoing oversight for issues such as data drift, bias shifts, misuse, and performance degradation is easier said than done for complex systems. Brainstorm with your security teams to plan operational and review processes that are measurable, repeatable, and auditable for compliance with ISO 42001.
When nonconformities are identified, the expected next steps are to address the gaps by determining root causes and implementing corrective actions. You should also retain documented evidence of the reported issues and the progress of corrective actions.
How to get ISO 42001 certification
The ISO 42001 certification process involves a structured audit process to verify that your AIMS meets the standard’s requirements. This process is extensive and can typically take 6–12 months to complete, depending on your AI system’s maturity and complexity. Using automation tools such as Vanta can help organizations streamline many of the time-consuming workflows, potentially cutting down the timeline and effort required.
Broadly, you can obtain and retain ISO 42001 certification by completing three checkpoints:
- Preparation and internal audit
- External audit
- Surveillance and recertification
Step 1: Preparation and internal audit
Before engaging any external auditors, complete your internal preparation by aligning your AIMS with Clauses 4–10 of the standard. As part of this preparation, you’ll also need to select and implement applicable Annex A controls based on your organization's specific risk environment, security objectives, and AI use cases. The controls are one of the key audit components, as they’re reviewed not just for presence but also for effectiveness.
A simple rule of thumb for choosing Annex A controls: start with the use case—not the control list. Consider applying Annex A controls proportionally. For lower-impact, internally facing AI tools, you can often apply a lighter subset of Annex A.
Conduct an internal audit to identify and address any potential gaps before bringing in a third party. This reduces the likelihood of issues arising during the external audit. You can further streamline this phase by using automation platforms to centralize documentation, track progress in real time, and reduce the required manual effort.
Step 2: External audit
After finishing your preparation, you can engage an accredited third-party auditor to conduct the certification audit. This audit is typically split into two stages:
- Stage 1 audit: a readiness assessment that lasts around two days and involves a detailed review of all of your AIMS-related documentation and policies, focusing on Clauses 4–10.
- Stage 2 audit: a comprehensive and often on-site review of your chosen Annex A controls, as well as the overall effectiveness and implementation of your AIMS. During this stage, the auditor might also interview stakeholders to confirm that controls are understood and consistently applied.
Once you successfully complete these assessments, the auditor will issue you an ISO 42001 certificate valid for up to three years.
Step 3: Surveillance and recertification
During the three-year certification cycle, you’ll undergo surveillance audits in years one and two, followed by a recertification audit in year three to renew your ISO 42001 certification. The goal of both assessments is to verify that your AIMS continues to operate in line with the standard’s requirements.
To remain audit-ready and reduce the risk of last-minute remediation efforts, have defined processes to continuously monitor your AIMS, identify and address nonconformities early, and document improvements throughout the certification period.
You can make ongoing oversight efficient by using Vanta, a leading compliance and audit-support platform that helps streamline compliance workflows, enable real-time insights, and centralize evidence collection.
Automate ISO 42001 compliance with Vanta
Vanta is a leading agentic trust platform that helps organizations achieve and maintain compliance with 35+ compliance standards and frameworks. The platform offers built-in workflows for gap assessments, risk management, continuous oversight, and automated control testing.
Vanta’s ISO 42001 compliance product reduces the time and effort needed for certification through features such as:
- Pre-built risk scenarios
- 1,200+ automated, hourly tests
- A unified dashboard for everything ISO 42001
- 70+ controls, policies, and documentation templates with version control
- Automated evidence collection powered by 400+ integrations
Vanta also enables cross-mapping to help you extend existing control evidence to other AI frameworks and regulations, such as the EU AI Act, NIST AI RMF, and CPS 234. You can also use the platform’s partner network to find ISO 42001-accredited auditors.
Book a custom demo to experience how Vanta can streamline your ISO 42001 program.