ISO 42001 audits: Your 101 preparation guide (Stage 1, Stage 2, and evidence)
An ISO 42001 audit evaluates whether your AI management system (AIMS) is designed and operating effectively, covering governance, AI risk, lifecycle controls, and continual improvement.
Key takeaways
- Stage 1 = documentation and readiness for the AIMS.
- Stage 2 = controls operating in practice (interviews + evidence).
- Auditors sample AI systems in scope—not every model on day one, but be consistent.
- An internal audit before the certification body (CB) audit reduces surprises.
Stage 1 audit
Expect review of:
- AIMS scope and context
- AI policy and roles
- Risk assessment methodology
- Statement of Applicability (SoA) and control matrix
- Management review plans
Outcome: readiness findings before Stage 2.
Stage 2 audit
Expect:
- Walkthroughs of production AI workflows
- Evidence of monitoring, incidents, change control
- Supplier/third-party AI governance
- Training and competence records
Audit evidence pack
Organize by control ID:
- Policies (versioned)
- Risk register and treatment
- Model inventory and assessments
- Monitoring logs / dashboards
- Internal audit and corrective and preventive action (CAPA) records
Disclaimer (legal note)
Audit practices vary by certification body. Informational only.
