6-step AIMS certification journey
ISO 42001 Certification Process
A structured, transparent, ISO 17021-1 compliant journey for obtaining independent third-party assurance for your Artificial Intelligence Management System. TNV Global delivers the process from application to certificate issuance, then maintains certification through surveillance and recertification.
At A Glance
The 6 steps of ISO 42001 certification
Initial Meeting and Application
1 to 3 working days
A no-obligation discovery call defines your AI use cases, sites, governance maturity, certification objectives, audit mode, and authorised signatory.
Outcome: Scope agreed, quotation issued, contract signed
Gap Analysis
2 to 5 working days
Optional but recommended for first-time AIMS organisations. TNV Global performs assessment only and does not provide consulting or implementation support.
Outcome: Gap report and closure plan delivered
Stage 1 Audit
1 to 3 audit days
An IRCA-qualified Lead Auditor reviews the AI Policy, AIMS Manual, risk register, Statement of Applicability, use-case inventory, and supporting procedures.
Outcome: Readiness for Stage 2 confirmed
Stage 2 Audit
2 to 10+ audit days
The main certification audit verifies implementation, effectiveness, governance, and AI risk controls through interviews, evidence, and selected AI use-case walkthroughs.
Outcome: Implementation verified and findings reported
Technical Review and Certificate Issuance
3 to 7 working days
A qualified reviewer independent of the audit reviews the audit file and decision before the UAF-accredited certificate is issued.
Outcome: Certificate issued and listed on global-aci.org
Surveillance and Recertification
Annual plus 3-year cycle
Annual surveillance audits maintain the certificate. A full recertification audit at the end of year three starts a new certificate cycle.
Outcome: Continued conformity confirmed
Stage 1
Documentation review
Stage 2
Implementation audit
Stage 2 verifies that the AIMS described in your documentation is actually implemented, effective, and consistently applied across the certified scope.
Leadership and governance
AI risk management
AI use-case lifecycle
Data governance
Human oversight
Ethics and bias controls
Incident management
Third-party AI and LLM governance
Continual improvement
Audit Mode
On-site, remote, or hybrid audit options
TNV Global recommends the audit mode that best balances rigour, cost, and timeline for your scope.
Your Team
Roles typically engaged during the audit
Senior Management Representative
Participates in opening and closing meetings; demonstrates leadership commitment.
AIMS Manager / Sponsor
Coordinates audit logistics, document provision, and access to interviewees.
AI System Owners
Demonstrate risk management, lifecycle controls, and operational evidence.
Data and Privacy Lead
Demonstrates data governance, lawful basis, and privacy integration.
Information Security Lead
Demonstrates security of AI assets, training data, and model artefacts.
AI Ethics / Governance Lead
Demonstrates ethics review, bias testing, fairness, and human oversight.
Internal Auditor
Presents the internal audit programme, findings, and corrective actions.
Non-Conformities
What happens if issues are found
Non-conformities are not failures. They show that the audit was rigorous and provide a structured path to closure.
Major Non-Conformity Closure
Identify root cause using 5 Whys, fishbone analysis, or equivalent
Submit corrective action plan within 30 days
Implement corrective action and provide objective evidence
Closure verified by auditor, sometimes through follow-up audit
Certificate issued after verified closure
Minor Non-Conformity Closure
Root cause identified and corrective action planned
Closure typically completed within 60 to 90 days
Documentary evidence may be verified at the next surveillance audit
Certificate is not delayed if the action plan is accepted
Opportunities for Improvement
Documented as advisory observations
No formal closure required
Organisation chooses whether and how to act
Certificate Cycle
Surveillance and recertification after issuance
ISO 42001 certification is valid for three years, subject to annual Surveillance Audits.
Year 2
Surveillance Audit 1
Focuses on changes since the initial audit, management review, internal audit, corrective actions, and the evolving AI portfolio.
Year 3
Surveillance Audit 2
Confirms continued conformity, AI lifecycle effectiveness, and incident management performance.
End of Year 3
Recertification Audit
A full AIMS re-audit followed by a new three-year certificate on successful completion.
FAQ
Frequently asked questions about the ISO 42001 process
What are the steps to get ISO 42001 Certification?
ISO 42001 Certification follows six steps: Initial Meeting and Application, Optional Gap Analysis, Stage 1 Audit, Stage 2 Audit, Independent Technical Review and Certificate Issuance, and Surveillance Audits with Recertification.
What is the difference between Stage 1 and Stage 2 audit?
Stage 1 is a documentation review confirming readiness. Stage 2 is the implementation audit that verifies the AIMS is operating effectively through evidence, interviews, and sampling.
Is Gap Analysis mandatory for ISO 42001 Certification?
No. Gap Analysis is optional, but strongly recommended for first-time AIMS organisations because it identifies gaps before the formal audit.
What documents are required for ISO 42001 Certification?
Typical documents include AI Policy, AIMS Manual, Scope Statement, Risk Register, Statement of Applicability, AI Use Case Inventory, procedures, internal audit records, and management review records.
Can the ISO 42001 audit be done remotely?
Yes. TNV Global supports on-site, remote, and hybrid audit modes in accordance with IAF MD 4.
What happens if non-conformities are found?
Major non-conformities must be closed before certificate issuance. Minor non-conformities can be closed within the agreed timeframe. Opportunities for Improvement are advisory.
Who conducts the ISO 42001 audit?
Audits are conducted by IRCA-qualified Lead Auditors with competence in AI, ML, information security, and management system auditing.
How long does the certification process take?
Total elapsed time ranges from 7 working days for small, ready organisations to 30 working days for larger or multi-site organisations.
Do we need ISO 27001 first?
No. ISO 42001 can be obtained independently, though an integrated audit may reduce time and cost if you already hold ISO 27001, ISO 9001, or ISO 27701.
What happens after the certificate is issued?
The certificate is valid for three years subject to annual Surveillance Audits, followed by a Recertification Audit at the end of the cycle.
