ISO 42001 Internal Audits

AI Management Systems

What is ISO 42001?

ISO/IEC 42001:2023 is the first international certifiable standard for AI management systems (AIMS). It provides a framework for organizations that develop, provide, or use AI-based products and services to govern AI responsibly — addressing risk, impact, transparency, accountability, and the full AI system lifecycle.

Whether you're building AI products, deploying third-party AI tools, or adding AI governance alongside an existing ISO 27001 programme, our audits assess your AIMS against the full standard and prepare you for certification.

What We Audit

Our ISO 42001 audits cover the full standard — AIMS requirements (Clauses 4–10) plus all 38 Annex A controls across nine objectives.

  • Clauses 4–10: AIMS core requirements including context, leadership, planning, support, operation, performance evaluation, and improvement
  • AI policies and internal organization (A.2–A.3): Governance policy, responsible AI commitments, roles, reporting channels
  • Resources and impact assessment (A.4–A.5): Competence, awareness, stakeholder consultation, AI risk and impact assessments
  • AI system lifecycle (A.6): Design, training, testing, validation, deployment, monitoring, retirement, and documentation, the largest of the nine control objectives
  • Data and transparency (A.7–A.8): Data quality, provenance, preparation, interaction notification, outcome explanation, and human decision support
  • Use and third-party relationships (A.9–A.10): Responsible use objectives, human oversight, supplier assessment, and shared model governance
  • Integration experience: For organizations running ISO 27001 alongside ISO 42001, we audit both standards using a shared management-system backbone, reducing duplication across the overlapping clauses

Our Process

Typical engagement: 3–4 weeks (small org with focused AI scope) to 8–12 weeks (medium org with multiple AI systems)

01 Inquiry & Scoping

We start with a discovery call to understand your organization, AI system landscape, and governance maturity. We discuss which AI systems are in scope — whether you develop, provide, or use them — and agree on engagement scope and objectives.

02 Audit Planning

We define audit objectives, criteria, and a schedule. You receive a document request list covering AIMS documentation, AI policies, risk and impact assessments, your Statement of Applicability against the 38 Annex A controls, and evidence of AI lifecycle governance.

03 Document Review

We review your AIMS documentation, AI governance policy, risk register, AI system impact assessments, Statement of Applicability, and management review outputs against ISO 42001 requirements. If you use a GRC platform, we review control status and evidence directly through the auditor portal. We identify areas to investigate during fieldwork and prepare annotated working papers.

04 Fieldwork

Starting with an opening meeting, we conduct interviews with AI development, data science, compliance, and leadership teams. We review documents and records, observe processes, and gather evidence to assess conformity against all applicable Annex A controls and AIMS clauses — with particular focus on impact assessment, data governance, human oversight, transparency, and AI lifecycle management. We conclude with a closing meeting to share preliminary findings.

05 Reporting

Within 3–5 business days post-fieldwork, you receive a formal audit report with findings classified as Major NC, Minor NC, Observation, or Recommendation, along with Corrective Action Requests for each nonconformity.

06 Corrective Action Support

Using the Corrective Action Requests from the audit report, we support your team through root cause analysis and remediation, including AI-specific guidance on impact assessment methodology, data governance controls, and lifecycle documentation. Once actions are implemented, we verify their effectiveness through evidence review before formally closing each finding.

07 Certification Readiness

Once all major nonconformities are closed and minor findings are addressed, we advise on certification body selection, what to expect from the Stage 1 and Stage 2 external audits, and confirm your readiness to proceed with ISO 42001 certification.

Book Your Audit

Ready to get started? Book a 30-minute scoping call.