ISO 42001 audits: Your 101 preparation guide (Stage 1, Stage 2, and evidence)
by SecureSlate Team in ISO 42001
An ISO 42001 audit evaluates whether your AI management system (AIMS) is designed and operating effectively, covering governance, AI risk, lifecycle controls, and continual improvement.
Key takeaways
- Stage 1 = documentation and readiness for the AIMS.
- Stage 2 = controls operating in practice (interviews + evidence).
- Auditors sample AI systems in scope—not every model on day one, but be consistent.
- An internal audit before the certification body (CB) audit reduces surprises.
Stage 1 audit
Expect review of:
- AIMS scope and context
- AI policy and roles
- Risk assessment methodology
- Statement of Applicability (SoA) and control matrix
- Management review plans
Outcome: readiness findings before Stage 2.
Stage 2 audit
Expect:
- Walkthroughs of production AI workflows
- Evidence of monitoring, incidents, change control
- Supplier/third-party AI governance
- Training and competence records
Audit evidence pack
Organize by control ID:
- Policies (versioned)
- Risk register and treatment
- Model inventory and assessments
- Monitoring logs / dashboards
- Internal audit and corrective and preventive action (CAPA) records
Disclaimer (legal note)
Audit practices vary by certification body. Informational only.
