Back to ISO 42001

Navigating the timeline and steps to get ISO 42001 certified (2026 roadmap)

ISO 42001 certification is a project, not a weekend policy refresh. Timelines depend on AI maturity, scope size, and whether you already run ISO 27001 or SOC 2.

Related: Checklist · Cost guide


Key takeaways

  • Typical range: 4–12+ months from kickoff to initial certificate (varies widely).
  • Stage 1 reviews AIMS design; Stage 2 tests operation.
  • Reuse security program evidence to compress early phases.
  • Plan surveillance audits after certification.

Certification phases

  1. Scope AIMS (products, models, regions)
  2. Gap assessment vs clauses 4–10 and Annex A
  3. Implement policies, roles, controls
  4. Operate and collect evidence (monitoring, reviews)
  5. Internal audit and management review
  6. Certification body Stage 1 → Stage 2
  7. Surveillance and recertification planning

Sample timelines

Maturity Rough duration
Strong ISO 27001 + documented AI 4–7 months
SOC 2 + informal AI practices 6–9 months
Early AI governance 9–15 months

Disclaimer (legal note)

Timelines are estimates only. Informational—not guaranteed outcomes.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under:

Author: SecureSlate Team

4.9(409 reviews)

Keep reading

Jul 5, 2026 · ISO 42001

ISO 42001 framework guide: AI management system certification in 2026

Jun 29, 2026 · ISO 42001

ISO 42001 automated compliance testing: 7 risk domains and how to run them in SecureSlate

Jun 25, 2026 · ISO 42001

ISO 42001 Controls

View more posts
Jamie
Virtual Agent

Hi! I'm Jamie. Curious about your current compliance challenges and how automation might help your team?