Big guide to ISO 42001 certification

What is ISO 42001, and why does certification matter?

ISO 42001 (ISO/IEC 42001) is the leading international standard that specifies how to establish, implement, maintain, and continually improve an Artificial Intelligence Management System (AIMS), i.e., how to implement AI governance.

When a company gets ISO 42001 certified, the main benefit is that it can prove to its customers and other stakeholders that it governs its AI systems in a systematic way that conforms to an internationally recognized standard.

When an individual gets an ISO 42001 certificate, it means that this person can prove to their employers that they have the knowledge required to implement or audit AI governance.

To learn more, see this article: What is ISO 42001? An overview of AI governance framework.

Who can get ISO 42001 certified?

As mentioned above, both individuals and companies can get certified. However, the two certification processes are very different; the text below explains the details for each of them.


ISO 42001 certification for individuals

Certification process for individuals

The process is very simple: anyone who wants to get a certificate must complete an ISO 42001 course and pass the exam.

Once the candidate passes the exam, the course provider issues a certificate to that person. Note that such a certificate is issued by the training provider, not by a certification body, and it attests to the individual's knowledge, not to the compliance of any company.

Types of ISO 42001 courses

There are different ISO 42001 courses, and each one is intended for a specific target group.

Here are the four most popular ISO 42001 courses:

  • ISO 42001 Foundations Course — intended for members of the AI governance project team, mid- or senior-level management, and scholars who need an overview of the standard.
  • ISO 42001 Internal Auditor Course — intended for people who are in charge of the ISO 42001 internal audit in their companies.
  • ISO 42001 Lead Auditor Course — intended for auditors who want to perform certification audits, but also for consultants who want to boost their credentials.
  • ISO 42001 Lead Implementer Course — intended for AI officers and other people in charge of implementing AI governance in their companies, but also for consultants who want to offer ISO 42001 implementation as a service.

Here you can sign up for free ISO 42001 courses.

ISO 42001 certification for companies

Is ISO 42001 certification mandatory?

Currently, ISO 42001 certification is not mandatory for companies; it is a voluntary standard.

However, in the future, some countries or regulators might introduce an obligation to comply with ISO 42001 in certain industries, as has happened with some other standards such as ISO 27001 (e.g., for specific sectors or public suppliers) or ISO 13485 (for medical device manufacturers).

Which types of companies should go for ISO 42001?

ISO 42001 is written in such a way that a company of any type or size that develops, provides, or uses AI systems can implement it.

However, the following companies will probably be the most interested in ISO 42001 certification:

  • Developers of AI models
  • Developers of AI applications
  • Companies that provide or sell AI applications to customers
  • Companies that use AI systems for important processes or sensitive data

What is the process to get ISO 42001 certified?

Overall, a company first needs to implement ISO 42001, i.e., fully comply with all of its requirements (clauses 4 to 10) and with the applicable controls from its Annex A; learn about the details here: ISO 42001 checklist of implementation steps.

Typically, the last steps in the implementation will be the following:

  • Internal audit — an independent check that the AIMS is implemented and working as documented
  • Management review — top management evaluates the audit results, risks, and performance of the AIMS
  • Corrective actions — resolving any nonconformities found in the internal audit and management review

After the implementation has been completed, the company needs to engage an accredited certification body to perform the certification audit.

What are the ISO 42001 certification steps?

As mentioned above, the certification is performed by a certification body. It consists of three stages: two before the certificate is issued and one during the certificate's validity period.

  • The Stage 1 audit is called “Document review” — this is where the certification auditor checks whether all AI governance documents (the AI policy, the risk assessment and AI system impact assessment, the Statement of Applicability, procedures, etc.) comply with ISO 42001.
  • The Stage 2 audit is called “Main audit” — this is where the certification auditor checks, through interviews, observation, and sampling of records, whether the company's everyday activities actually comply with its own AI governance documentation.

If the certification auditor does not find any major nonconformity, the company will get the ISO 42001 certificate; if the auditor does find a major nonconformity, the company will typically have 90 days to resolve it and provide evidence of the correction before the certificate is issued.

After the certificate is issued, it is valid for three years; during that time, the certification body performs the last stage:

  • The Stage 3 audit is called “Surveillance audit” — this is where the auditor visits the company at least once a year and checks whether the company maintains and improves its Artificial Intelligence Management System (AIMS). In the terminology of the certification bodies these are simply called surveillance audits, but on this page they are referred to as Stage 3 for simplicity.

How long does the certification process take?

The implementation process for ISO 42001 typically takes between three and 12 months, depending on the size of the company and the number and complexity of its AI systems.

However, the certification audit itself is much quicker:

  • The Stage 1 audit takes a minimum of two days for very small companies, and is longer for larger companies.
  • The Stage 2 audit takes a minimum of four days for very small companies, and could go up to 30 days for larger companies.

Usually, there is at least a two-week period between the Stage 1 and Stage 2 audits; sometimes this in-between period can be up to a couple of months, depending on how many findings from Stage 1 need to be addressed.

How long is the ISO 42001 certificate valid?

The ISO 42001 certificate is valid for three years.

However, a certification body can suspend or withdraw the certificate while it is still valid if a certification auditor finds a major nonconformity during a surveillance audit and the company does not resolve it within the given deadline.

Before the certificate expires, a company can go for ISO 42001 re-certification; the re-certification audit is very similar to the initial Stage 1 and Stage 2 audits, and results in a new certificate valid for another three years.

How much does ISO 42001 certification cost?

Certification body fees vary significantly from one country to another. In general, ISO 42001 certification costs in Western Europe and North America start from around US$6,000 for very small companies, while larger companies pay several times that amount. This figure covers only the certification body's fees; internal implementation effort, consultants, and tools are additional costs.

Is an ISO 42001 gap assessment required?

A gap assessment is not required by the standard, nor by the certification body.

In general, a gap assessment is not recommended for smaller companies (because it will unnecessarily delay the implementation process), whereas for larger companies it might be useful to get a rough estimate of the time and resources required for the implementation.

See also: ISO 42001 Requirements: Clauses and Structure.

Is it possible to certify against ISO 42001, ISO 27001, and ISO 9001 at the same time?

Yes, it is possible to go for a so-called “integrated certification audit” where the certification body checks compliance with several standards at the same time. This works well because all three standards share the same high-level structure (context, leadership, planning, support, operation, performance evaluation, improvement), so many documents and processes can be shared.

Once a company passes such an integrated audit, the certification body will issue separate certificates for each standard.

See also: ISO 42001 vs. ISO 27001: Similarities and differences.

What are the main benefits of ISO 42001 certification?

There are several benefits of ISO 42001 implementation and certification:

  1. A better reputation brings more sales. As mentioned before, when a company shows an ISO 42001 certificate to its customers and other stakeholders, the company will be perceived as one that manages its AI systems in a systematic way. This may bring additional revenue to the company and make it easier to satisfy customers, partners, and regulators who ask how its AI is governed.
  2. A structured framework brings quicker compliance. The EU AI Act has very strict requirements for high-risk AI systems (risk management, data governance, documentation, human oversight, etc.), and these are easier to comply with when a company uses ISO 42001 as guidance, since the standard's controls map to many of those obligations.
  3. Lower risks bring lower costs. Uncontrolled use of AI systems can lead to various incidents; when such incidents are prevented by systematic AI governance according to ISO 42001, the related costs are avoided.
  4. Better organization brings less wasted time. When clear rules are set on how to develop and use AI systems, employees spend less time trying to figure out what to do and more time on productive activities.

To learn about ISO 42001, see these free ISO 42001 courses that will teach you about the details of AI governance.


Dejan Kosutic

CEO & Lead Expert for ISO 27001 and ISO 42001

Leading expert on cybersecurity and AI governance and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and ISO 42001 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
