4 lessons learned during our ISO 42001 audit
BlogISO 42001
April 28, 2025

4 lessons learned during our ISO 42001 audit

Written by
Adam Duman
Information Security & Compliance Manager
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

Vanta is proud to be one of the first companies to achieve ISO 42001 compliance with our audit partner Schellman, an ANSI-accredited ISO 42001 auditor. 

To prepare for and pass our audit, our team worked diligently to assess our specific business needs, communicate clearly with stakeholders and AI leadership, and complete formal training to learn how to develop, integrate, and deploy trustworthy AI systems in line with emerging laws and policies. 

Equipped with this real-world experience—and our powerful trust management platform to streamline ISO 42001 compliance—Vanta has the knowledge and tools to make ISO 42001 attainable for any organization. 

Here are some of the biggest lessons we learned during our audit process and tips for you to consider as you begin your journey to ISO 42001. 

1. Educate and inform your team and key stakeholders

Prior to our audit, we spent a lot of time educating our team and key stakeholders about the “why” and “how” of ISO 42001. This helped create a shared sense of responsibility when cross-functional support was needed and inspired more collaboration to guide how we plan for new changes. 

Collaboration allowed us to ask questions about how certain processes were completed (before the audit), explain potential changes we would need to make, and brainstorm recommendations for how to move forward. Importantly, this brought our engineering or product teams in as partners in the control design process.

During the prep and audit process, key stakeholders received updates via bi-weekly status calls and ad hoc Slack messages. Dedicated communication channels helped streamline the process and keep everything on track. 

2. Consider additional AI training 

Although it wasn’t required for ISO 42001 certification, one of our team members completed AIGP training from IAPP prior to our audit. The training helped our team lead understand AI risk at a deeper level and contextualize those risks against the requirements of ISO 42001. AIGP training went beyond just the history of AI and ML systems—it provided a formal structure to make decisions about managing AI systems and how to make their impacts predictable and repeatable. It stripped away much of the FUD surrounding the technology and framed managing it as an opportunity when rooted in good governance.

As an added benefit, the certification proved to be useful during our audit—specifically when asked about “training and expertise of stakeholders.” Auditors felt at ease knowing that a member of our team was certified by IAPP. 

3. Focus on integrating ISO 42001 into existing processes

Where able, our team integrated ISO 42001 into existing processes versus creating net new processes. For example, we have an existing process for developing new functions that uses product resource documents (PRDs), requests for comments, and engineering specifications as part of the planning process. These documents cover customer asks, implementation plans, cost-benefit analysis work, feature analysis, and more. Rather than create a new bespoke document or process, we simply adjusted our PRD template so that it satisfied any ISO 42001 requirements. That way, teams could continue using that familiar document and process, with limited disruption to their existing workflows.

Throughout our audit prep, we also focused on the intent of requirements to ensure our solutions were relevant to the root of the requirement instead of just something that checked a box. 

4. Do a stress test prior to the official audit

Our team conducted an internal audit with a secondary audit firm as a stress test before the official audit with Schellman. This was particularly useful as ISO 42001 was still new at the time of our assessment—there was a lot to be learned from collaborating with our internal audit firm. 

Our internal audit helped us find gaps and areas for improvement, like tightening up our roles and responsibilities within our org chart and providing more specificity about the methodology used within our AI Impact Assessment, which explains the use cases for the Vanta AI product and specifically evaluates its expected positive or negative impact to individuals, groups of individuals, and even society.

These changes made a huge difference before our official audit.

Raising the bar for AI security

As an early adopter, we learned a lot during our ISO 42001 audit experience. As others in the industry look to achieve ISO 42001 certification and raise the bar for AI security, we’re happy to provide additional insights and consultation.

And for anyone who is curious to learn more—you can find our official ISO 42001 certification on our Trust Center

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Secure from the Start: How Founders Build Compliance Into Early-Stage Growth
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One
Compliance
Live Demo: Accelerate security and compliance workflows with AI
GRC
AI and Trust: Navigating Maturity, Influence, and Risk
Compliance
Secure from the Start: How Founders Build Compliance Into Early-Stage Growth
Compliance
Building Trust in the AI Boom: Security, Capital, and Credibility from Day One
Compliance
Live Demo: Accelerate security and compliance workflows with AI

Table of contents

No titles!

Share this article

Share this article

Related Resources

Compliance
Events

Convos with Customers: Explo

Learn how the co-founder of Explo, Gary Lin, uses Vanta to manage security and compliance at a quickly growing startup.

Audit Ready Checklist cover image
Compliance
Guide / Report

Audit Ready Checklist

Get ready for your next audit with tips from Vanta’s team of GRC experts.

Product updates
Blog

Introducing Cyber Essentials and Essential Eight: Putting customers first globally

Today, we’re excited to announce two new frameworks, Cyber Essentials and Essential Eight, to further support the complex security and compliance needs of our international customers.

A blue and purple logo with the words trustpage and vanta.
Company news
Blog

Reimagining the future of trust with Trustpage by Vanta

Vanta announced today its acquisition of Trustpage to transform trust into a marketable advantage for companies around the world.

Related Resources

ISO 42001
Blog
EU AI Act and ISO 42001: Compatibility and implementation guidelines

Learn about the compatibility of the EU AI Act and ISO 42001.

ISO 42001
Events
Compliance for AI in Europe: Preparing for Emerging AI Laws and Regulation

Explore how ISO 42001 and the EU AI Act help your company stay compliant, secure, and ahead of evolving AI regulations with expert insights and practical strategies.

ISO 42001
Blog
5 key differences between the NIST AI RMF and ISO 42001

Use our NIST AI RMF vs. ISO 42001 guide to capture the main differences between the two frameworks in the AI space.

ISO 42001
Events
How to demonstrate secure AI practices with ISO 42001

Watch Vanta and A-LIGN's Coffee and Compliance session on ISO 42001 —what it is, what types of organizations need it, and how it works.

ISO 42001 cover image
ISO 42001
Guide / Report
ISO 42001 Compliance Checklist

The ISO 42001 compliance checklist helps to lay the foundation for what your organization should expect when working towards certification.

ISO 42001 cover image
ISO 42001
Blog
The ISO 42001 Compliance Checklist

The ISO 42001 compliance checklist helps to lay the foundation for what your organization should expect when working towards certification.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products