Navigating the timeline and steps to get ISO 42001 certified (2026 roadmap)
ISO 42001 certification is a project, not a weekend policy refresh. Timelines depend on AI maturity, scope size, and whether you already run ISO 27001 or SOC 2.
Key takeaways
- Typical range: 4–12+ months from kickoff to initial certificate (varies widely).
- Stage 1 reviews AIMS design; Stage 2 tests operation.
- Reuse security program evidence to compress early phases.
- Plan surveillance audits after certification.
Certification phases
- Scope AIMS (products, models, regions)
- Gap assessment vs clauses 4–10 and Annex A
- Implement policies, roles, controls
- Operate and collect evidence (monitoring, reviews)
- Internal audit and management review
- Certification body Stage 1 → Stage 2
- Surveillance and recertification planning
Sample timelines
| Maturity | Rough duration |
|---|---|
| Strong ISO 27001 + documented AI | 4–7 months |
| SOC 2 + informal AI practices | 6–9 months |
| Early AI governance | 9–15 months |
Disclaimer (legal note)
Timelines are estimates only. This page is informational and does not guarantee outcomes.
