Hael
Sign inRequest a demo
ISO/IEC 42001 · Certification

How to prepare for an ISO 42001 audit

Updated 30 June 2026 · 6 min read
Key takeaway
Preparing for an ISO 42001 audit comes down to one principle: the auditor needs to see a management system that genuinely operates, backed by evidence. Good preparation is not about producing documents for the audit; it is about having a real, working system whose documentation and evidence are complete and current. The organisations that pass smoothly are those for whom the audit confirms reality rather than reveals gaps.
  • The core of preparation is a management system that genuinely operates, backed by evidence.
  • Get documentation complete, current, and internally consistent before the audit.
  • Assemble evidence for each control and process so it can be produced quickly.
  • Run an internal audit and management review first, and prepare the people the auditor will interview.
  • Current as of June 2026. This is general information, not legal advice.

Have a genuinely operating system

The most important preparation is that your AI management system is actually running, not just designed. The auditor will look for evidence that risk assessments happen, controls operate, monitoring occurs, and reviews take place. A system that exists only on paper will not survive the Stage 2 implementation audit. So the first preparation step is to ensure the system has been operating, ideally for a period, before the audit.

Get the documentation in order

ISO 42001 requires certain documented information: your scope, AI policy, risk assessment, Statement of Applicability, and records of the system operating. Before the audit, confirm these are complete, current, and consistent with each other. A common failure is documentation that contradicts itself or describes a system different from the one actually running.

Assemble the evidence

For each control and process, gather the evidence that it operates: records, logs, assessment outputs, review minutes. The auditor works from evidence, so being able to produce it quickly and clearly is central to a smooth audit. Scattered or missing evidence is one of the most common causes of audit friction.

Run an internal audit first

Conduct your own internal audit before the external one. This is both a requirement of the standard and the single best way to find and fix gaps in advance. Treat it seriously: an honest internal audit that surfaces problems early is far better than discovering them in front of the certification body.

Hold a management review

Complete a management review so that leadership has formally examined the system's performance and signed off on its direction. This demonstrates the leadership engagement the standard requires and ensures the system has top-level attention going into the audit.

Prepare your people

Auditors interview the people who operate the system. Make sure those involved understand their roles, can explain how the system works in their area, and know where the relevant records are. A system that looks good on paper but that staff cannot explain raises concerns.

The readiness mindset

The reliable way to prepare is to close the gap between what your documentation claims and what actually happens, so the two match when the auditor looks. Knowing where you stand against the standard before the audit lets you remediate gaps in advance rather than discovering them mid-audit. That is the difference between an audit that confirms a working system and one that turns into a remediation exercise.

Key terms

Stage 1 audit
The certification body's documentation review, checking readiness for the implementation audit.
Stage 2 audit
The implementation review where the auditor examines evidence that the system actually operates.
Documented information
The records and documents the standard requires the organisation to keep current.
Management review
A formal review by top management of the management system's performance and direction.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOL
Applicability
Applies to your AI use
What's expected
Risk classification · governance · documentation · oversight
Where you stand
Banded result · pointed to the gaps that matter most
Result
On-screen, free · optional PDF
Pre-scoped to ISO/IEC 42001~ 5 MIN