How long does ISO 42001 certification take?
- Certification typically takes a few months to a year, depending mostly on your starting point.
- Most time goes into building the management system and operating it long enough to generate evidence.
- Existing systems (like ISO 27001), narrow scope, and genuine readiness all shorten the timeline.
- Plan backwards from any deadline and invest early in a real, operating system to avoid delays.
- Current as of June 2026. This is general information, not legal advice.
What consumes the time
The timeline is dominated by a few phases:
- Building the management system: Establishing policy, scope, risk assessment, and controls is the largest time investment, especially if you are starting without existing governance.
- Operating the system to generate evidence: Auditors need to see the system working, which usually means running it for a period so there is a track record. This waiting time is often underestimated.
- Internal audit and review: Finding and fixing gaps before the external audit takes time but reduces the risk of failure.
- Scheduling and conducting the external audit: The two-stage audit itself, plus the lead time to book an accredited certification body, adds to the total.
What makes it faster
Several factors shorten the timeline:
- Existing management systems: Organisations with an ISO 27001 ISMS or similar can reuse much of the structure, since ISO 42001 shares the same high-level shape and many supporting processes.
- Narrow scope: Certifying a focused part of the business or set of systems is quicker than a broad scope.
- Genuine readiness: A management system that is actually operating and evidenced moves through the audit without the delays caused by gap remediation and re-audit.
What makes it slower
Conversely, starting with no governance, a broad scope, a large and complex AI estate, or a system that exists mainly on paper will each extend the timeline. This is often because gaps surface during preparation or the audit and need remediation before certification can proceed.
Planning your timeline
The practical approach is to be realistic about your starting point and to invest early in getting the management system genuinely operating, because that both shortens the path and reduces the risk of a stalled audit. If you have a deadline driven by a customer requirement or a regulatory milestone, work backwards from it and build in time for the system to operate and generate evidence before the audit, rather than assuming the audit can happen the moment the documents are written.
The readiness connection
As with cost, readiness is the variable that most affects how long certification takes. The fastest path is a management system that is real and current when the auditor arrives, so the audit confirms what is already working. Knowing where you stand against the standard before you begin lets you plan a realistic timeline and avoid the delays that come from discovering gaps late.
Key terms
- Evidence period: The time the management system runs before the audit so there is a track record to examine.
- Existing ISMS: An information-security management system (ISO 27001) whose structure ISO 42001 can build on.
- Scope choice: Deciding how broadly or narrowly to define the part of the organisation being certified.
- Gap remediation: Fixing shortfalls identified in preparation or audit before certification can proceed.