Implementing ISO 42001: A Realistic Roadmap from Zero to Certified

Standarity Editorial Team · ISO 42001 Lead Implementers & ISMS Specialists

Most organisations starting ISO 42001 are not starting from zero. They have an AI policy that someone wrote a year ago, a few risk assessments done in different formats by different teams, and a growing list of AI features that have shipped without a clear governance layer. The implementation question is rarely "where do we begin from scratch?" It is "how do we turn what we already have into a coherent management system?"

Days 1–30: Establish the Boundary

Define the scope of the AIMS first. Not what your organisation does — what your AIMS covers. Which legal entity, which business units, which AI systems. Auditors will ask, so write it down. Then identify the AI systems currently in scope — not just the new ones, but anything decision-supporting or customer-facing. You will probably find more than expected. Inventories tend to undercount embedded AI inside SaaS products and analytics tools.

Get explicit leadership commitment. Not a memo. A signed AI policy and a named accountable executive (some organisations call this the AI sponsor; the standard just requires top management to be involved). Without this, every later decision becomes contested.

Days 30–90: Risk and Impact

Build two artefacts in parallel: a risk register that captures organisational risks from AI (operational, financial, regulatory, reputational), and an impact assessment process that captures harms to people. They are different things. ISO 42001 wants both. Use a structured template for the impact assessment so the answers are consistent across systems — categories like affected groups, types of harm, severity, likelihood, mitigations.

Apply the impact assessment process retroactively to your highest-risk in-scope systems. Do not try to assess everything at once. Work down the list in priority order, with the riskiest systems first.

Pace yourself. Organisations that try to ISO 42001 their entire AI portfolio in three months end up with shallow, mechanical artefacts that auditors see through immediately. Better to have five thoroughly assessed systems and an honest plan to extend coverage than fifty boxes ticked.

Days 90–180: Operationalise the Controls

Now you implement Annex A controls. Some are policy and process — write them, get them approved, train the people who execute them. Others are technical — logging, monitoring, model documentation, access control on training data, controls over data input quality. The hardest part is integrating with the way the organisation already works. New checkboxes in existing project intake, new fields in your CMDB, new sections in your supplier due diligence questionnaires.

Run at least one full AI lifecycle through the new controls before you call them implemented. A control that exists in a document but has never been exercised in production is not yet an implemented control.

Days 180–270: Internal Audit and Management Review

Before you call a certification body, you need an internal audit and at least one management review. The internal audit must be independent — not by the same people who built the AIMS. The management review needs to be a real meeting that produces decisions, not a status update. Both audit findings and management review decisions are evidence the certification auditor will look for.

  • Internal audit report covering the full scope of the AIMS, including findings and corrective actions
  • Management review minutes showing leadership engagement with audit results, KPIs, and improvement opportunities
  • Evidence that nonconformities raised during internal audit have been addressed or have an active corrective action plan

Days 270–365: Stage 1 and Stage 2 Audits

Stage 1 is documentation review by your chosen certification body. They check that your AIMS is structurally sound — policies exist, scope is defined, key processes are documented. Stage 2 is the substantive audit: do the things you say you do actually happen? Auditors will sample AI systems, request impact assessments, talk to the people running the controls.

Most organisations get minor nonconformities at Stage 2 and address them within the agreed window. Major nonconformities — usually a missing fundamental like impact assessments not being conducted at all — require remediation before the certificate is issued. The point is not to be perfect. The point is to demonstrate that the management system is functioning and improvable.
