How to prepare for an ISO 42001 audit
- The core of preparation is a management system that genuinely operates, backed by evidence.
- Get documentation complete, current, and internally consistent before the audit.
- Assemble evidence for each control and process so it can be produced quickly.
- Run an internal audit and management review first, and prepare the people the auditor will interview.
- Current as of June 2026. This is general information, not legal advice.
Have a genuinely operating system
The most important preparation is that your AI management system is actually running, not just designed. The auditor will look for evidence that risk assessments happen, controls operate, monitoring occurs, and reviews take place. A system that exists only on paper will not survive the Stage 2 implementation audit. So the first preparation step is to ensure the system has been operating, ideally for a period, before the audit.
Get the documentation in order
ISO 42001 requires certain documented information: your scope, AI policy, risk assessment, Statement of Applicability, and records of the system operating. Before the audit, confirm these are complete, current, and consistent with each other. A common failure is documentation that contradicts itself or describes a system different from the one actually running.
Assemble the evidence
For each control and process, gather the evidence that it operates: records, logs, assessment outputs, review minutes. The auditor works from evidence, so being able to produce it quickly and clearly is central to a smooth audit. Scattered or missing evidence is one of the most common causes of audit friction.
Run an internal audit first
Conduct your own internal audit before the external one. This is both a requirement of the standard and the single best way to find and fix gaps in advance. Treat it seriously: an honest internal audit that surfaces problems early is far better than discovering them in front of the certification body.
Hold a management review
Complete a management review so that leadership has formally examined the system's performance and signed off on its direction. This demonstrates the leadership engagement the standard requires and ensures the system has top-level attention going into the audit.
Prepare your people
Auditors interview the people who operate the system. Make sure those involved understand their roles, can explain how the system works in their area, and know where the relevant records are. A system that looks good on paper but that staff cannot explain raises concerns.
The readiness mindset
The reliable way to prepare is to close the gap between what your documentation claims and what actually happens, so the two match when the auditor looks. Knowing where you stand against the standard before the audit lets you remediate gaps in advance rather than discovering them mid-audit. That is the difference between an audit that confirms a working system and one that turns into a remediation exercise.
Key terms
- Stage 1 audit: The certification body's documentation review, checking readiness for the implementation audit.
- Stage 2 audit: The implementation review where the auditor examines evidence that the system actually operates.
- Documented information: The records and documents the standard requires the organisation to keep current.
- Management review: A formal review by top management of the management system's performance and direction.