Ask ten consultants how long ISO 42001 implementation takes and you will get ten answers, ranging from three months to two years. Some of this is honest disagreement. Most of it is a category error: the number depends on what you are actually measuring.
A realistic working assumption for a mid-sized organization, with no prior ISO management system in place, is twelve months from kickoff to certification. Faster is possible when an ISO 27001 foundation exists. Slower is common when the organization underestimates the governance work.
## The common belief
The belief that sells badly-scoped projects is that 42001 is mostly documentation. Write the policies, update the risk register, train the team, book the audit. In that framing, three to six months feels reasonable.
The framing omits the part of the work that actually determines whether certification is defensible: the operational cycles. The standard requires evidence that the system is running, not just designed. Running takes time.
## A realistic 12-month sequence
The roadmap below assumes a company with existing data governance maturity but no formal AIMS. Adjust up or down based on starting point.
### Months 1–2: Scope and gap assessment
Define the scope of the management system. Which legal entities, which AI systems, which geographies. Inventory all AI systems currently developed or deployed. Perform a gap analysis against ISO 42001 clauses 4–10 and the Annex A controls. Output: a gap report and an implementation plan with named owners.
### Months 2–4: Governance and policy layer
Establish the AI governance structure. This typically includes executive sponsorship, an AI steering committee or equivalent, and defined roles for AI risk, AI ethics, and AI operations. Draft and approve the AI policy, supporting sub-policies (data, use of third-party AI, human oversight), and objectives aligned with business strategy.
### Months 3–5: Risk management framework
Build the AI risk management methodology. ISO 42001 references ISO/IEC 23894 as practical guidance. Define how risks are identified, assessed, treated, and monitored across the AI lifecycle. Populate the risk register with real risks from the AI inventory, not hypothetical examples. This is where many implementations stall because the work is substantive, not cosmetic.
### Months 4–7: Process design and rollout
Design and deploy the operational processes: AI use case intake, pre-deployment review, data lifecycle management, model documentation, third-party AI assessment, incident response, change management, monitoring. Processes must be integrated with existing operations, not parallel to them. Train the teams that will execute them.
### Months 6–9: Operate and collect evidence
Run the management system. This phase is often misunderstood as “waiting.” It is not. It is when the system produces the evidence the auditor will eventually examine: risk assessments for real use cases, approval decisions, monitoring records, incident logs, supplier evaluations, internal communications. Three months of real operation is the typical minimum.
### Months 9–10: Internal audit and management review
Conduct a full internal audit against ISO 42001. Identify non-conformities and treat them. Convene a formal management review with executive participation. Document the review minutes, decisions, and resulting actions. Both are explicit requirements of the standard.
### Months 10–11: Stage 1 audit (documentation review)
The certification body conducts a Stage 1 audit, focused on verifying that the management system is documented, designed, and ready for Stage 2. Findings from Stage 1 are typically minor if the internal audit was thorough. Allow 3–6 weeks between stages to address any observations.
### Months 11–12: Stage 2 audit (operational audit)
The certification body audits the management system in operation. Auditors interview staff, review evidence, test control effectiveness, and assess whether the AIMS is genuinely running. Major non-conformities block certification; minor ones require a corrective action plan. On successful closure, the certificate is issued, typically within 4–6 weeks.
> ISO 42001 is not a project you finish. It is a capability you build. The 12-month roadmap ends with a certificate; the management system keeps running.
>
## What drives the timeline up or down
Three factors compress the timeline: an existing ISO 27001 certification (shared governance, risk, and audit structures), a clearly defined AI inventory with established ownership, and executive sponsorship that unblocks cross-functional work.
Three factors extend the timeline: scope ambiguity (“we’ll figure out which systems later”), delegating the project entirely to a technical team without business ownership, and trying to certify AI systems that are still in active development without stable governance wrapped around them.
## What this means for your organization
Budget twelve months, not six. A certificate obtained in six months almost always reflects a system that has not been operated long enough to generate meaningful evidence. The audit may pass; the system may still fail in its first real test.
Plan around the operation phase, not the documentation phase. Policies can be drafted quickly. Real risk assessments, real monitoring records, and real incident handling take calendar time.
Engage the certification body early. A Stage 0 or pre-audit conversation with the certification body clarifies scope, evidence expectations, and common pitfalls before the implementation locks in.
—
Ready to move from documentation to certification?
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
–
