In This Guide
- ISO 42001 implementation follows a phased approach: foundation, AI system inventory, risk assessment, control implementation, and internal audit
- The AI system inventory is a unique requirement — you must catalog all AI systems within scope with their risk classification
- AI impact assessments go beyond traditional risk assessments to cover societal, ethical, and individual impacts
- Data management controls are critical: training data quality, bias assessment, and data lineage must be documented
- Organizations should align implementation with EU AI Act risk categories where applicable
Roadmap Overview
This 30-60-90 day roadmap provides a structured approach to ISO 42001 implementation, designed for organizations with existing governance maturity that want to achieve certification efficiently. The timeline assumes dedicated resources and management commitment.
This roadmap assumes: a dedicated implementation team (0.5-1 FTE), existing AI systems to govern, management sponsorship secured, and basic documentation practices in place. Organizations without these foundations should plan for longer: roughly 4-6 months with basic governance in place, and 6-12 months when starting from scratch (see the timeline table at the end of this guide).
Prerequisites & Planning
Before You Start
- Executive Sponsorship: Secure top management commitment and resource allocation
- Implementation Team: Assign project lead and core team members
- AI System Inventory: Preliminary list of AI systems to be governed
- Standard Access: Purchase the ISO/IEC 42001:2023 standard; the clause text and Annex A control list are needed for the gap analysis and the Statement of Applicability
- Training: Team members complete ISO 42001 awareness training
Resource Requirements
- Project Lead: 50-80% time allocation
- AI/Technical SME: 20-40% time allocation
- Executive Sponsor: 5-10% time allocation
- Functional representatives: As needed for workshops
Days 1-30: Foundation Phase
The first 30 days establish the foundation of the AI management system (AIMS): understanding context, defining scope, and creating core governance documents.
Week 1: Project Initiation
- Kick-off meeting with executive sponsor
- Finalize project team and RACI matrix
- Establish project governance and meeting cadence
- Complete detailed AI system inventory
- Identify stakeholders and their requirements
Deliverables: Project charter, AI system inventory, stakeholder register
Week 2: Gap Assessment
- Conduct clause-by-clause gap analysis against ISO 42001
- Assess existing documentation and practices
- Identify quick wins and major gaps
- Prioritize remediation activities
- Estimate effort for each gap
Deliverables: Gap assessment report, prioritized action plan
Week 3: Scope & Policy
- Define AIMS scope: which AI systems, roles, sites, and organizational boundaries are covered (Clause 4.3)
- Draft AI policy with responsible AI commitments
- Obtain executive input on policy direction
- Document organizational context (Clause 4.1)
- Finalize stakeholder needs analysis (Clause 4.2)
Deliverables: Draft scope statement, draft AI policy, context documentation
Week 4: Governance Structure
- Define roles, responsibilities, and authorities
- Establish AI governance committee or forum
- Define AI objectives aligned with policy
- Create document control procedures
- Executive review and approval of policy
Deliverables: Approved AI policy, roles matrix, AI objectives
By Day 30, you should have: approved AI policy, defined scope, documented context, established governance structure, and a clear understanding of gaps to close.
Days 31-60: Development Phase
The second 30 days focus on developing core AIMS processes—risk assessment, impact assessment, and control selection.
Week 5: Risk Assessment Framework
- Design AI risk assessment methodology
- Define AI-specific risk categories (bias, transparency, safety)
- Establish risk criteria and tolerance levels
- Create risk assessment templates
- Train team on risk assessment process
Deliverables: Risk assessment procedure, risk criteria, templates
Week 6: Risk Assessments
- Conduct risk assessments for all in-scope AI systems
- Identify and document AI-specific risks
- Evaluate likelihood and impact
- Determine risk levels against criteria
- Document assessment results
Deliverables: Completed AI risk assessments
Week 7: Impact Assessment & Risk Treatment
- Design AI impact assessment process
- Conduct impact assessments for high-risk systems
- Select risk treatment options for each risk
- Map controls to identified risks
- Develop the Statement of Applicability (SoA): list each Annex A control with its applicability and the justification for including or excluding it
Deliverables: Impact assessment procedure, SoA draft, risk treatment decisions
Week 8: Control Documentation
- Finalize Statement of Applicability
- Document control implementation status
- Develop risk treatment plan with timelines
- Create/update operational procedures
- Define monitoring and measurement approach
Deliverables: Approved SoA, risk treatment plan, operational procedures
By Day 60, you should have: completed risk assessments for all AI systems, impact assessments for high-risk systems, approved SoA, and documented operational procedures.
Days 61-90: Implementation Phase
The final 30 days focus on implementing controls, conducting internal audit, and preparing for certification.
Week 9: Control Implementation
- Implement remaining controls from risk treatment plan
- Deploy monitoring mechanisms
- Establish incident response procedures
- Implement supplier management for third-party AI
- Complete competence assessments and training
Deliverables: Implemented controls, training records, incident procedure
Week 10: Internal Audit
- Plan internal audit program
- Conduct internal audit against ISO 42001
- Document audit findings
- Initiate corrective actions for findings
- Verify effectiveness of critical controls
Deliverables: Internal audit report, corrective action plans
Week 11: Management Review
- Prepare management review inputs
- Conduct management review meeting
- Document decisions and actions
- Update AIMS based on review outputs
- Close remaining corrective actions
Deliverables: Management review minutes, updated AIMS documentation
Week 12: Certification Preparation
- Final documentation review
- Evidence compilation and organization
- Pre-audit readiness assessment
- Select and contract an accredited certification body (CB)
- Schedule the Stage 1 audit (document review and readiness check)
Deliverables: Certification-ready AIMS, CB contract, Stage 1 scheduled
By Day 90, your AIMS should be fully implemented and operating, internal audit completed, management review conducted, and Stage 1 audit scheduled.
Beyond 90 Days: Certification
Days 91-120: Certification Audits
- Complete the Stage 1 audit
- Address any Stage 1 findings before Stage 2
- Complete the Stage 2 audit (on-site assessment of implementation and effectiveness)
- Close nonconformities raised at Stage 2
- Receive the certificate; actual timing depends on CB availability and the severity of any nonconformities
Ongoing: Maintenance
- Continue risk assessments for new AI systems
- Conduct periodic impact assessments
- Annual internal audits
- Annual management reviews
- Annual surveillance audits by the CB, with recertification at the end of the three-year certification cycle
Accelerated Timeline
Timelines vary with your starting point. Organizations with existing ISO 27001 certification or mature governance can compress the schedule; organizations without a management system should expect a longer one:
| Starting Point | Typical Timeline | Key Accelerators |
|---|---|---|
| Greenfield (no existing management system) | 6-12 months | Consultant support, templates, dedicated resources |
| Basic governance in place | 4-6 months | Leverage existing processes, focus on AI-specific |
| ISO 27001 certified | 3-4 months | 50-60% documentation reuse, integrated approach |
| ISO 27001 + AI governance | 2-3 months | Extension of existing system, minimal new documentation |
The fastest implementations we have seen completed certification in 8 weeks. However, these were organizations with mature ISO 27001 systems, a limited AI scope, and full-time dedicated resources. Plan realistically based on your starting point.
Frequently Asked Questions
How long does ISO 42001 implementation take?
It depends on your starting point. With an existing ISO 27001 certification, 3-4 months is typical (2-3 months if AI governance is already in place), which is what the 90-day roadmap above assumes. Organizations with basic governance but no certification should plan for 4-6 months, and those building governance from scratch for 6-12 months.
Do I need ISO 27001 before ISO 42001?
Not required, but helpful. Both standards follow the ISO harmonized structure (Clauses 4-10), so many AI governance requirements build on information security foundations, and ISO 27001 provides reusable documentation, risk management processes, and audit experience that accelerate ISO 42001 implementation.
What is an AI system inventory?
A documented catalog of all AI systems within scope, including purpose, risk level, data inputs, and deployment status. This is a unique ISO 42001 requirement that forms the foundation for risk assessments and control selection.
What is an AI impact assessment?
An evaluation of the potential societal, ethical, individual, and organizational impacts of AI systems, going beyond traditional risk assessment to consider effects on people and communities. ISO 42001 (Clause 6.1.4) requires an AI system impact assessment process; this roadmap applies it to AI systems with significant potential consequences.
Can startups implement ISO 42001?
Yes, the standard is scalable. Startups with fewer AI systems can implement proportionally, focusing on the AI systems that matter most and building governance as they grow. The key is demonstrating a systematic approach appropriate to your scale.