Brochures

How to Choose a Certification Body for ISO 42001

Zertia Team · 5 min read
Share

Choosing a certification body is often treated as a procurement exercise: collect three quotes, compare prices, pick one. That approach works for commodities. It fails for certification, because the value of a certificate is entirely determined by who issued it.

This brochure is a short checklist of the seven questions that actually matter when evaluating a certification body for ISO 42001. Most vendors will not volunteer the answers. All of them should be able to answer if asked directly.

## The common belief

The common assumption is that certification bodies are interchangeable because they are all audited against the same standard. Price and scheduling become the deciding factors.

In practice, certification bodies differ substantially in accreditation scope, technical competence, methodology, and the credibility their certificate carries in specific markets. These differences are invisible until they matter, which is usually too late.

## The seven questions to ask

### 1. Are you accredited for ISO 42001, specifically?

Accreditation is granular. A certification body accredited for ISO 27001 is not automatically accredited for ISO 42001. Ask for the accreditation certificate and check the specific scope on the accreditation body’s public registry (ANAB in the US, UKAS in the UK, ENAC in Spain, DAkkS in Germany). If the scope does not list ISO 42001, the certificate they issue is not accredited for 42001 regardless of what the marketing says.

### 2. Under which scheme standard do you operate?

ISO/IEC 42006 is the scheme standard that governs how certification bodies audit AI management systems. It defines auditor competence, audit duration rules, and impartiality requirements specific to AI certification. A certifier who cannot name their scheme, or whose processes do not reflect 42006 requirements, is operating outside the international framework.

### 3. What is the composition of your audit team?

ISO 42001 audits require auditors with specific competence in AI systems, not just management systems in general. Ask how many certified AI auditors the body employs, what their technical background is (data science, ML engineering, AI governance), and what AI-specific training the lead auditor has completed. A 27001 auditor retraining on 42001 is not the same as an auditor with hands-on AI expertise.

### 4. How do you handle impartiality?

An accredited certification body cannot also consult its clients. That separation is not a commercial preference; it is a requirement of ISO/IEC 17021. Ask how the body separates certification work from any advisory or training services it or its affiliates offer. A vendor that both implements and certifies cannot issue an accredited certificate.

### 5. Where is your certificate recognized?

Certification recognition is tied to accreditation body agreements. ANAB certificates are recognized across IAF signatories. UKAS and ENAC certificates carry specific weight in their respective regions. If your customers, investors, or regulators are in the EU, an ENAC, UKAS, or DAkkS-backed certificate carries different weight than a certificate from a body outside the IAF MLA network.

### 6. What is your methodology beyond the standard?

ISO 42001 defines what to audit, not how. Methodology is where certification bodies differentiate: digital evidence collection, remote audit capability, integration with GRC platforms, continuous assurance approaches. Ask for a walkthrough of how audits are actually conducted. A body that relies entirely on document binders and on-site visits is not operating at the current standard of practice.

### 7. What references can you provide in my sector?

ISO 42001 certification looks different in fintech than in healthcare than in HR tech than in industrial AI. Ask for references from organizations in your sector that have completed certification or surveillance. Ask specifically what the audit focused on and where findings were raised. A body with no sector-specific experience will treat your audit as a learning exercise at your expense.

> A certification body is not a vendor selling a document. It is a counterparty whose reputation and accreditation chain become inseparable from your certificate.
>

## Reframing the question

The question procurement usually asks is “Which certification body is cheapest and fastest?” The question the executive sponsor should ask is “Which certification body will issue the certificate that best opens the doors we are trying to open?”

The answers rarely point to the same vendor. Fast and cheap is usually the opposite of strategic, because fast and cheap is what markets eventually discount.

## The structural shift

For most of the history of certification, bodies competed on geography and brand recognition. Clients chose local or global depending on footprint, and chose established names for risk-aversion.

AI certification is changing this. The specialization required (technical AI competence, AI Act fluency, AIMS methodology) has pulled differentiation back toward substance. A large generalist body without dedicated AI auditing capability is no longer a safer choice than a smaller specialist, simply because the question on the table is now “do you actually understand AI governance?” and generalist capability does not automatically answer yes.

## What this means for your organization

Build a short list of three, not one. Ask the seven questions of all three. The answers reveal the quality of each body as much as the questions reveal the quality of your evaluation.

Prioritize accreditation and competence over price. The price gap between the best and the cheapest certification body is usually 20–40%. The value gap in the resulting certificate is much larger and, unlike the price, becomes apparent only in the commercial moments that matter.

Treat the selection decision as a three-year commitment. You are buying the initial audit, two surveillance audits, and a recertification. Switching certification bodies mid-cycle is expensive and signals instability to the market.

> The cheapest certificate is the one that costs the most to replace when your investor, customer, or regulator does not recognize it.
>

Ready to move from documentation to certification?

📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)

Your fast track to compliance starts here

Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.