Should You Get an ISO/IEC 42001 Gap Assessment?

ISO Certifications | Audit Readiness | Artificial Intelligence | ISO 42001

Published: Feb 8, 2024

Last Updated: Dec 18, 2025

Following the publication of ISO 42001, many organizations are more seriously considering adherence to this intriguing standard for artificial intelligence (AI). Those familiar with established ISO standards understand that this newer framework for regulating AI will be similarly rigorous and any opportunity to streamline certification, like using a gap assessment, will be enormously advantageous.

ISO 42001 has arrived at an opportune time as AI continues to emerge as a high beacon of innovation and scalability. This technology is no longer just an imagined concept. It has already transformed industries and continues to reshape the way we live and work. But as AI grows exponentially more enmeshed within the business landscape, so too have widespread concerns around its trustworthiness and what constitutes responsible AI management.

With so many companies developing their own AI capabilities, you may be wondering how you can prove to your customers and stakeholders that they can trust your systems.

Enter ISO 42001, which addresses these concerns through comprehensive requirements. Published in December 2023, this new framework provides a roadmap to address and satisfy security and safety concerns about your AI. But how should you get started? One effective way is through a gap assessment, and in this article, we’re going to expound on why having one performed can pave an easier path toward ISO 42001 certification.

What is ISO 42001?

A readiness assessment will begin to make more sense when you understand the holistic nature of ISO 42001. As the world’s first AI management system standard, the framework requires you to take a risk-based approach for the application of its specific requirements regarding the:

  • Establishment;
  • Implementation;
  • Maintenance; and
  • Continuous Improvement of an Artificial Intelligence Management System (AIMS).

As part of these phases and their requirements, you’ll be asked to:

  • Define the context in which your AI system(s) operates,
  • Identify relevant external and internal stakeholders; and
  • Understand their expectations and requirements.

A significant part of developing your comprehensive, ISO 42001-certified AI management system will also require you to standardize the fairness, accessibility, safety, and various impacts of your AI systems. The framework also emphasizes integrating your AI management systems with your established organizational structures, as it’s designed to facilitate further cohesion with any other, existing management systems and their standards, such as:

All in all, ISO 42001—and its requirements regarding responsible AI and data management processes—can help you enhance the quality, security, and reliability of your AI systems while also ensuring that you mature and use said systems ethically.

How to Prepare for ISO 42001 Certification

While there are other AI frameworks and regulations already out there that can also help secure your AI, like the NIST AI RMF and the EU AI Act, ISO 42001 is currently the first and only certifiable standard for an AIMS.

Unsurprisingly, organizations are preparing early to stand up their AIMS and successfully obtain the certification that will reassure their customers. In fact, we’ve had conversations with clients that make it seem like it’s already “a race” to certification and to gaining a market advantage over competitors.

In preparing for ISO 42001, the obvious first step is to simply sit down with the standard itself. And if you’ve already undergone ISO 27001 certification, there’s good news—ISO 42001, with its seven primary clauses and four annexes, is laid out very similarly to ISO 27001. The ISO 42001 clauses define the requirements that you must meet, and its Annex A lists controls that can be implemented to satisfy those requirements.

Just as with ISO 27001, it’s a big lift to implement a fully compliant AIMS. And that’s why there’s one more preparatory step we recommend to organizations we speak with—an ISO 42001 gap assessment, otherwise known as a readiness assessment.

Do You Need an ISO 42001 Readiness Assessment?

While this step is not required for certification, a readiness assessment can be tremendously valuable for any compliance initiative, but particularly so in the case of a new standard like ISO 42001.

Here are two very good reasons why you should invest in a gap assessment as part of your ISO 42001 preparation:

  1. You’ll Be Much Better Prepared for Your Certification Audit: Because this is a newer standard and fewer lessons have been shared regarding problem area trends, going through a gap assessment can help you discern where your organization’s remaining and specific areas of concern are regarding fulfilling ISO 42001’s requirements, as well as where you need to focus your efforts for full compliance as you stand up your AIMS.
  2. You Can Make a Quicker Demonstration of Your Commitment to High Standards for AI: As we mentioned earlier, concerns about AI are on the rise—and while achieving full ISO 42001 certification will take some time, if you opt to have a gap assessment performed, you’ll be able to communicate your proactive efforts and provide at least a preemptive degree of reassurance to your customers while you work toward full certification.

Key Consideration to Keep in Mind: The amount of effort that is required to prepare for an ISO 42001 readiness assessment will greatly depend on the implementation, management processes, and controls that are already in place in your AIMS—so, the more robust the security controls upon implementation, the lighter the lift will be to achieve ISO 42001 certification.

Take a Proactive Approach to ISO 42001

Whether you’re hearing it directly from your customers or from leading economic or regulatory experts, AI seems to be the number one topic of conversation, and that conversation always ends up leading to a discussion around whether these systems are secure, trustworthy, and responsibly managed.

ISO 42001 certification represents a comprehensive initiative to prove that your AI systems are compliant, and now is the time to prepare for the process so that you don’t fall behind as AI continues to expand across the business landscape. One key step that will position you well for successful ISO 42001 certification is a gap assessment, and Schellman is ready to help now.

The ISO 42001 Gap Assessment offered by Schellman is strictly an independent evaluation and verification of your organization's current state relative to ISO 42001 requirements, so we do not provide advisory or implementation support under this service.

Instead, we’ll review your existing documentation, governance structures, AI‑system context, and controls, and produce a diagnostic report identifying where your organization meets the requirements and where there are potential gaps. Your team retains responsibility for addressing any gaps identified, but this diagnostic step gives your team the insight and lead time you need to minimize surprises during the formal audit.

Start your AI compliance journey today—contact us to learn more about an ISO 42001 readiness assessment and whether we’re the right partner for you. In the meantime, discover additional ISO 42001 insights in these helpful resources:

About Danny Manimbo

Danny Manimbo is a Principal at Schellman based in Denver, Colorado, where he leads the firm’s Artificial Intelligence (AI) and ISO services and serves as one of Schellman’s CPA principals. In this role, he oversees the strategy, delivery, and quality of Schellman’s AI, ISO, and broader attestation services. Since joining the firm in 2013, Danny has built more than 15 years of expertise in information security, data privacy, AI governance, and compliance, helping organizations navigate evolving regulatory landscapes and emerging technologies. He is also a recognized thought leader and frequent speaker at industry conferences, where he shares insights on AI governance, security best practices, and the future of compliance. Danny has achieved the following certifications relevant to the fields of accounting, auditing, and information systems security and privacy: Certified Public Accountant (CPA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Certificate of Cloud Security Knowledge (CCSK), and Certified Information Privacy Professional – United States (CIPP/US).