
ISO 42001 in Six Months: A Realistic Rollout Plan
A pragmatic, phase-by-phase plan for standing up an AI Management System against ISO/IEC 42001 — without freezing the rest of the org.
ISO/IEC 42001 is the first management-system standard for AI, and the clock to certifiable readiness is shorter than most teams expect.
Months 1–2 — Scope and inventory
Define the AIMS scope narrowly: only the AI systems you actually ship. Inventory each one with intended purpose, data classes, risk class, and human-oversight model. Don't try to boil the ocean.
Months 3–4 — Controls and evidence
Map your inventory to Annex A controls. The high-leverage ones are A.6 (AI system lifecycle), A.7 (data for AI systems), and A.10 (third-party relationships). For each control, capture the evidence you'll show an auditor — not just the policy.
Months 5–6 — Internal audit and gap close
Run an internal audit, fix the top five findings, and schedule the stage-1 review. Most failures at this point are documentation drift, not control gaps — a healthy register and one named owner per control fix 80% of it.