Roadmap Overview

This 30-60-90 day roadmap provides a structured approach to ISO 42001 implementation, designed for organizations with existing governance maturity who want to achieve certification efficiently. The timeline assumes dedicated resources and management commitment.

Timeline Assumptions

This roadmap assumes: dedicated implementation team (0.5-1 FTE), existing AI systems to govern, management sponsorship secured, and basic documentation practices in place. Organizations starting from scratch may need 4-6 months.

Prerequisites & Planning

Before You Start

  • Executive Sponsorship: Secure top management commitment and resource allocation
  • Implementation Team: Assign project lead and core team members
  • AI System Inventory: Preliminary list of AI systems to be governed
  • Standard Access: Purchase ISO 42001 standard document
  • Training: Team members complete ISO 42001 awareness training

Resource Requirements

  • Project Lead: 50-80% time allocation
  • AI/Technical SME: 20-40% time allocation
  • Executive Sponsor: 5-10% time allocation
  • Functional representatives: As needed for workshops

Days 1-30: Foundation Phase

The first 30 days establish the AIMS foundation—understanding context, defining scope, and creating core governance documents.

Week 1: Project Initiation

  • Kick-off meeting with executive sponsor
  • Finalize project team and RACI matrix
  • Establish project governance and meeting cadence
  • Complete detailed AI system inventory
  • Identify stakeholders and their requirements

Deliverables: Project charter, AI system inventory, stakeholder register

Week 2: Gap Assessment

  • Conduct clause-by-clause gap analysis against ISO 42001
  • Assess existing documentation and practices
  • Identify quick wins and major gaps
  • Prioritize remediation activities
  • Estimate effort for each gap

Deliverables: Gap assessment report, prioritized action plan

Week 3: Scope & Policy

  • Define AIMS scope (AI systems, roles, boundaries)
  • Draft AI policy with responsible AI commitments
  • Obtain executive input on policy direction
  • Document organizational context (Clause 4.1)
  • Finalize stakeholder needs analysis (Clause 4.2)

Deliverables: Draft scope statement, draft AI policy, context documentation

Week 4: Governance Structure

  • Define roles, responsibilities, and authorities
  • Establish AI governance committee or forum
  • Define AI objectives aligned with policy
  • Create document control procedures
  • Executive review and approval of policy

Deliverables: Approved AI policy, roles matrix, AI objectives

Day 30 Milestone

By Day 30, you should have: approved AI policy, defined scope, documented context, established governance structure, and a clear understanding of gaps to close.

Days 31-60: Development Phase

The second 30 days focus on developing core AIMS processes—risk assessment, impact assessment, and control selection.

Week 5: Risk Assessment Framework

  • Design AI risk assessment methodology
  • Define AI-specific risk categories (bias, transparency, safety)
  • Establish risk criteria and tolerance levels
  • Create risk assessment templates
  • Train team on risk assessment process

Deliverables: Risk assessment procedure, risk criteria, templates

Week 6: Risk Assessments

  • Conduct risk assessments for all in-scope AI systems
  • Identify and document AI-specific risks
  • Evaluate likelihood and impact
  • Determine risk levels against criteria
  • Document assessment results

Deliverables: Completed AI risk assessments

Week 7: Impact Assessment & Risk Treatment

  • Design AI impact assessment process
  • Conduct impact assessments for high-risk systems
  • Select risk treatment options for each risk
  • Map controls to identified risks
  • Develop Statement of Applicability (SoA)

Deliverables: Impact assessment procedure, SoA draft, risk treatment decisions

Week 8: Control Documentation

  • Finalize Statement of Applicability
  • Document control implementation status
  • Develop risk treatment plan with timelines
  • Create/update operational procedures
  • Define monitoring and measurement approach

Deliverables: Approved SoA, risk treatment plan, operational procedures

Day 60 Milestone

By Day 60, you should have: completed risk assessments for all AI systems, impact assessments for high-risk systems, approved SoA, and documented operational procedures.

Days 61-90: Implementation Phase

The final 30 days focus on implementing controls, conducting internal audit, and preparing for certification.

Week 9: Control Implementation

  • Implement remaining controls from risk treatment plan
  • Deploy monitoring mechanisms
  • Establish incident response procedures
  • Implement supplier management for third-party AI
  • Complete competence assessments and training

Deliverables: Implemented controls, training records, incident procedure

Week 10: Internal Audit

  • Plan internal audit program
  • Conduct internal audit against ISO 42001
  • Document audit findings
  • Initiate corrective actions for findings
  • Verify effectiveness of critical controls

Deliverables: Internal audit report, corrective action plans

Week 11: Management Review

  • Prepare management review inputs
  • Conduct management review meeting
  • Document decisions and actions
  • Update AIMS based on review outputs
  • Close remaining corrective actions

Deliverables: Management review minutes, updated AIMS documentation

Week 12: Certification Preparation

  • Final documentation review
  • Evidence compilation and organization
  • Pre-audit readiness assessment
  • Certification body selection and contracting
  • Schedule Stage 1 audit

Deliverables: Certification-ready AIMS, CB contract, Stage 1 scheduled

Day 90 Milestone

By Day 90, your AIMS should be fully implemented and operating, internal audit completed, management review conducted, and Stage 1 audit scheduled.

Beyond 90 Days: Certification

Days 91-120: Certification Audits

  • Complete Stage 1 audit
  • Address any Stage 1 findings
  • Conduct Stage 2 audit
  • Close nonconformities
  • Receive certification

Ongoing: Maintenance

  • Continue risk assessments for new AI systems
  • Conduct periodic impact assessments
  • Annual internal audits
  • Annual management reviews
  • Surveillance audits with CB

Accelerated Timeline

Organizations with existing ISO 27001 certification or mature governance can accelerate this timeline:

| Starting Point                  | Typical Timeline | Key Accelerators                                        |
|---------------------------------|------------------|---------------------------------------------------------|
| Greenfield (no existing systems) | 6-12 months     | Consultant support, templates, dedicated resources      |
| Basic governance in place       | 4-6 months       | Leverage existing processes, focus on AI-specific       |
| ISO 27001 certified             | 3-4 months       | 50-60% documentation reuse, integrated approach         |
| ISO 27001 + AI governance       | 2-3 months       | Extension of existing system, minimal new documentation |

The fastest implementations we have seen completed certification in 8 weeks. However, these were organizations with mature ISO 27001 systems, limited AI scope, and full-time dedicated resources. Plan realistically based on your starting point.