ISO 42001: Lessons Learned from Auditing and Implementing the Framework
Published: Apr 7, 2025
Last Updated: Apr 8, 2025
As the adoption of artificial intelligence (AI) continues to grow and evolve across industries, so do concerns about security, trust, and responsible use and management. In response, as a joint effort between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO/IEC 42001:2023 framework was officially published in December 2023.
As a global leader in cybersecurity assessments dedicated to meeting the ever-evolving needs of our clients, Schellman expanded our ISO services by becoming the first ANAB accredited Certification Body for ISO 42001. Meanwhile, risk3sixty, a company committed to helping businesses build their compliance roadmaps at scale, also oversees both the implementation and internal audit work for companies pursuing ISO 42001.
Between Schellman and risk3sixty, we bring a unique perspective on the intricacies of ISO 42001, including valuable lessons learned from over a year of auditing and implementing the framework. In this co-authored article, we’ll provide an overview of ISO 42001, insightful certification trends, a helpful comparison to other regulatory standards, and key considerations for pursuing certification.
The ISO 42001 Framework Explained
Standing as the newest addition to the family of ISO management system standards, ISO 42001 serves as the first international standard for promoting responsible AI. The framework introduces requirements pertaining to the establishment, implementation, maintenance, and improvement of AI management systems (AIMS), intending to help organizations perform their practices with respect to AI systems in an ethical manner.
Simply put, ISO 42001 enables the responsible use, development, monitoring, and risk mitigation of products or services that utilize AI. More specifically, the standard addresses concerns and challenges related to transparency, accountability, fairness/bias, security/safety, and privacy.
The core principles of ISO 42001 aim to optimize resource management, enhance decision-making, proactively manage and mitigate risks, and strategically streamline processes. Certification requirements include compliance with 38 distinct controls organized into 9 control objectives covering areas such as mandated risk and impact assessments, comprehensive policies and guidelines, AI system lifecycles, and data management.
ISO 42001 Certification Trends
Current marketplace compliance trends point to 2025 matching, if not exceeding, the rise in popularity and demand of ISO 42001 that we saw as 2024 progressed. This is namely due to influential market factors such as the recent rise in AI regulations as well as supply chain impacts, such as Microsoft SSPA program v10 AI updates.
Additionally, companies are motivated by the many benefits getting ISO 42001 certification comes with, such as: increased trust and confidence by stakeholders, enhanced risk management, a notable competitive advantage, and ethical AI management validation.
Although ISO 42001 is a voluntary standard rather than a legal requirement, a wide variety of organizations have already pursued or are considering pursuing certification, including those that:
- are model providers, cloud service/platform providers, SaaS providers, law firms, advertising technology providers, and others
- produce, provide, or utilize AI systems, or plan to integrate AI into their product offerings
- are implicated by the EU AI Act
- regularly handle AI governance inquiries, or strive to mature their AI governance controls
- have high-risk AI use cases that will be subject to evolving regulation, such as those in the MS SSPA program who are required to complete a 42001 certification
- are looking to standardize their approach to handling AI risk inquiries during vendor risk questionnaires from clients and prospects
ISO 42001 Certification Process
The ISO 42001 certification process follows the same process dictated by ISO 17021, which we are accustomed to seeing with other main ISO management system standards, like ISO 27001 (ISMS). In Stage 1, the auditor assesses your organization’s readiness for the full audit, with particular attention to the design of your AIMS, including policies and documentation. Stage 1 typically takes only 1-2 days to complete.
Stage 2 dives deeper into your operational effectiveness, assessing the implementation of your AIMS functions and supporting Annex A controls. During this stage, auditors typically interview staff and observe and evaluate the processes and performance of your AIMS. As Stage 2 involves comprehensive evidence collection to ensure your AIMS is in compliance with the standard’s requirements, it typically lasts around 1-3 weeks, depending on the size of scope.
Lastly, the ISO 42001 certificate is issued, assuming any identified nonconformities have been properly addressed and corrected. It’s important to note that this certification follows the same 3-year certification cycle as ISO 27001 (which, again, is dictated by the supporting standard ISO 17021). This means your ISO 42001 certification is valid for 3 years; however, at 12-month intervals during years 2 and 3, you are required to undergo surveillance audits, which are abbreviated reviews in which the AIMS is reassessed for operational effectiveness (with a focus on clauses 8-10) along with a sample of Annex A controls. A full recertification audit is then required in year 4 to maintain certification of ISO 42001 compliance.
Accredited vs. Unaccredited Certification
It’s worth noting the undeniable confusion surrounding the difference between accredited and unaccredited certifications, stemming from one organization’s claim to be the first to be certified against ISO 42001 before the final draft was even officially published. This controversial claim misrepresented what it means to have an official accredited certification and sparked a stream of confusion.
To issue an accredited certificate, an audit organization must first become a formally accredited certification body. This requires the audit organization to undergo the accreditation process, including a witness audit by the accreditation body as well as a thorough review of the organization’s internal policies and procedures for performing certification audits of their clients, including methodology, audit team competence, etc. This process results in the audit organization receiving accreditation as a certification body, allowing it to issue an “accredited” certification against the ISO standard. The accreditation process is reperformed on an annual basis to ensure continued compliance of the certification body with the ISO requirements for performing management system certification audits. When you pursue certification, be sure to contract an accredited certification body.
ISO 42001 Compared to Other Common Frameworks
ISO 42001 is most comparable to NIST AI RMF in their shared design to help organizations responsibly develop and implement AI systems; however, the latter lacks an internationally accepted certification. Conversely, some of the most common compliance frameworks, such as ISO 27001 and SOC 2, share a focus on risk management, security, and compliance with ISO 42001, but they differ in scope and applicability.
ISO 42001 vs. ISO 27001
ISO 42001 and ISO 27001 are both standards that emphasize establishing a management system for governance, risk, and compliance. However, ISO 27001 applies to information security management systems (ISMS), while ISO 42001 applies to artificial intelligence management systems (AIMS). As such, ISO 42001 introduces AI-specific controls for data governance, model transparency, bias mitigation, and human oversight; therefore, it covers much more than just security – ensuring a focus on those risks specific to AI. Meanwhile, ISO 27001 focuses on securing information assets through access control, encryption, network security, and operational security.
Despite their difference in scope, there is still implementation overlap. Organizations that have an ISO 27001-certified ISMS can leverage existing controls for ISO 42001 compliance, especially in areas like risk assessment, internal audit, incident response, and performance monitoring. That said, ISO 27001 (just like any other ISO standard) is not a prerequisite for ISO 42001 certification. In fact, in the interest of undergoing a consolidated audit, organizations can strategically align their ISO 42001 audit cycle with that of ISO 27001, considering they follow the same certification cycle. This is one of the many notable benefits of an integrated management system.
ISO 42001 vs. SOC 2
SOC 2 is another compliance framework comparable to ISO 42001 as both are certifiable standards requiring an independent audit. However, SOC 2 is an attestation rather than a certification, meaning a CPA firm assesses compliance with the Trust Services Criteria (TSC).
Additionally, SOC 2 evaluates security, availability, processing integrity, confidentiality, and privacy—but does not have specific AI governance requirements. That said, you can still incorporate AI controls into your SOC 2 examination as some of the categories cover areas relevant to AI. On the contrary, ISO 42001 explicitly addresses AI risk, transparency, accountability, and bias mitigation.
Lastly, SOC 2 is widely used in the U.S. for SaaS and cloud providers to demonstrate security to customers, whereas ISO 42001 is global and industry-agnostic, focusing on responsible AI development and deployment across the board.
The Role of ISO 42001 in the Emergence of Other AI Regulations and Governance Programs
It’s important to note that as other AI regulations like the EU AI Act and South Korea’s AI Basic Act continue to emerge, ISO 42001 certification does not automatically guarantee compliance with any other international or US state-level regulation. That said, ISO 42001 can be a very useful tool, as these regulations should inform the requirements for the establishment and implementation of the AIMS.
Common themes across new AI regulations that ISO 42001 also addresses include:
- Role focused (developers vs. deployers of AI systems)
  - Establishing responsibilities and obligations of developers, deployers, and users of AI systems, ensuring applicable parties adhere to relevant standards
- Risk-tiering of AI systems to determine applicability of regulation
  - Classifying AI systems based on their potential impact or risk, allowing for tailored regulatory requirements that align with the complexity and consequences of the system’s use
- Heavy emphasis on testing and evaluating AI systems
  - Ensuring that AI systems are assessed for safety, fairness, and effectiveness before being deployed, minimizing risks associated with unintended outcomes or errors
- Establishment of AI governance programs
  - Risk management programs/quality management systems (QMS)
  - System impact assessments
  - Red teaming
  - Robust policies and procedures that address the life cycle of AI systems (e.g., design, development, deployment, etc.) which are regularly re-evaluated
- Third-party audit requirements
  - Independent audits provide an objective review of AI systems’ compliance with regulations, ensuring transparency and accountability, and building trust among stakeholders
- Training programs
  - Mandating training for developers, deployers, and users of AI systems to ensure that parties understand ethical, legal, and operational risks, as well as how to mitigate them
- Accountability/responsible individual
  - Designating a point of accountability, ensuring that there is a person or group responsible for AI system outcomes, to address any issues or liabilities that arise
- General notice and labeling/notification
  - Labeling of AI systems to inform users and the public about the presence of AI, ensuring transparency about the nature and capabilities of the technology they are interacting with
- Explanation/incident reporting
  - AI systems must be able to explain their decision-making process in understandable terms, and provide mechanisms for incident reporting, allowing users to flag any malfunctions or harm caused by the system
- Provider documentation
  - Technical and operational documentation that AI providers must offer, ensuring transparency and providing users with the necessary information to understand how the system works and is maintained
- Non-discrimination/bias
  - AI systems must be developed and deployed in a way that actively prevents discrimination and minimizes bias, ensuring fair outcomes for all users regardless of their background or characteristics
Key Considerations for Pursuing ISO 42001 Certification
As your organization steadily increases its use of AI, and before even considering starting your journey towards ISO 42001 certification, you may find yourself wondering where to begin with defining, developing, and implementing your AI strategy. Alternatively, you may have started to implement your AI governance framework but now see the need for refinement with your eyes set on ISO 42001 compliance. Either way, it’s important to strategically build out your AI policies and practices and properly prepare for ISO 42001 certification so that you can ensure a smoother path when it comes time for your audit.
Here are some helpful tips for effectively designing, implementing, and improving your AI strategy:
- Define business objectives and in-scope AI use cases
- Develop an AI governance framework that includes risk management, trustworthy/ethical AI principles, and compliance with regulations (e.g., ISO 42001, NIST AI RMF, EU AI Act)
- Identify AI-specific risks and control requirements
- Implement AI policies, standards, and best practices
- Develop and deploy AI models with oversight
- Monitor and continuously improve AI systems
Once your organization has effectively established and started to execute your AI framework and you’ve begun to prepare for certification, you may be wondering how to know when you’re ready to undertake the external audit against ISO 42001 to become certified.
Here are key indications that your organization is ready to begin your ISO 42001 audit:
- When leadership and stakeholder commitment is established
- When your AIMS and AI governance framework are fully implemented
- When your AI policies and procedures are implemented
- When your AI risk management and compliance measures are operational
- When internal audits have been performed, and nonconformities have been addressed
- When your AI system documentation and evidence is readily available
Finally, once you’ve decided your organization is ready to begin the audit process, it’s important to thoroughly research and strategically select the right certification body to partner with. In the interest of streamlining and optimizing certification processes, organizations that maintain multiple management system certifications should consider the opportunities that come with a partnership with a certification body that can certify against multiple management systems.
Taking the Next Steps Towards ISO 42001 Certification
ISO 42001 certification is growing in popularity and importance as reliance on AI continues to emerge. Becoming certified comes with many benefits, including the ability to demonstrate your organization’s commitment to responsible and trustworthy AI practices.
If you’re ready to pursue ISO 42001 certification or have any additional questions about the framework or process, Schellman and risk3sixty can help. Reach out today and we’ll get back to you shortly.
In the meantime, discover other helpful ISO 42001 insights including answers to the most frequently asked questions, tips to better prepare for certification, and access to an ISO 42001 course in these additional resources:
Still interested in learning more? Check out risk3sixty's ISO 42001 series on YouTube.
About the Authors
Joe Sigman is a Manager with Schellman based in Denver, Colorado. Prior to joining Schellman in 2021, Joe worked as a Senior Associate at a management consulting firm specializing in IT strategy and compliance, solution architecture, and enterprise digital transformation. Joe has led and supported AI Assessments, Cybersecurity Assessments, Information Security Architecture Solutioning, Information Technology Gap Analysis, and Cloud Migration Roadmaps. Joe has over 6 years of experience serving clients in various industries, including Information Technology, Professional Services, Healthcare, and Energy. Joe is now focused primarily on ISO Certifications for organizations across various industries.
Christian Hyatt is the CEO and Co-founder of risk3sixty. He is responsible for setting the vision for the team, ensuring the leadership team is “rowing in the same direction,” creating purpose and alignment across the firm, and nurturing company culture. With experience overseeing over 2000 cybersecurity engagements, Christian is one of the most experienced experts in the nation. Christian is a best-selling author of the critically acclaimed cybersecurity leadership book “Security Team Operating System”. Under Christian’s leadership, risk3sixty has been named a 3-time Consulting Magazine Best Firms to Work For, 7-time Atlanta’s Fastest Growing Companies, 7-time Atlanta’s Best Places to Work, and 3-time HireVets Platinum Honoree, and Christian was named one of the Top 100 CEOs in Atlanta. Christian has an M.B.A. from Georgia Tech and a B.B.A. from the University of Georgia. Christian is a Georgia Tech Technology and Management (T&M) corporate partner and Advisory Board Member for UGA’s Management Information Systems Advisory Board.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.