Linford & Company LLP is not currently accredited to perform third-party certification audits against ISO/IEC 42001:2023. This page describes the certification policies and processes Linford & Company follows and will continue to follow when accredited certification audits for this standard become available; until then, no certificate issued under this scheme is an accredited certificate.
Linford & Company LLP is an ANAB-accredited certification body for ISO/IEC 27001:2022; that accredited service is delivered separately and is described on our ISO 27001 services page.
The International Organization for Standardization (ISO) is a non-governmental, independent global body. One of ISO’s main objectives is to bring together experts to develop relevant international standards that drive process innovation and address shared challenges across industries worldwide.
ISO/IEC 42001:2023, “Information technology — Artificial intelligence — Management system,” specifies the requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It is the first certifiable international standard for the governance of AI and applies to organizations that provide or use AI-based products or services, regardless of size or sector.
ISO/IEC 42001 follows ISO’s Harmonized Structure and includes a normative Annex A reference set of 38 AI-specific controls covering policies for AI, internal organization, resources, AI system impact assessment, AI system lifecycle, data for AI systems, information for interested parties, use of AI systems, and third-party relationships. Annex B provides implementation guidance, Annex C lists AI-related organizational objectives and risk sources, and Annex D addresses sector and domain integration.
Audit competence for ISO 42001 certification bodies is established by ISO/IEC 42006.
ISO/IEC 42001 has rapidly become the reference framework for organizations that need to demonstrate responsible AI governance to regulators, enterprise customers, and the public.
Under the EU AI Act, organizations providing high-risk AI systems must operate documented risk management, data governance, transparency, human oversight, and post-market monitoring practices. An AIMS conforming to ISO/IEC 42001 provides defensible, audit-ready evidence that these governance practices are in place.
The standard is also conceptually aligned with the U.S. NIST AI Risk Management Framework (Govern, Map, Measure, Manage), meaning organizations already using NIST AI RMF can extend that work into a certifiable management system without starting over.
ISO 42001 AI management certification is an independent attestation that an organization’s AIMS conforms to the requirements of the standard. Certification is granted by an accredited certification body following a structured, two-stage audit and is maintained through annual surveillance over a three-year cycle.
Certification does not endorse any particular AI system, model, or vendor. It evaluates how the organization’s AI governance framework governs the AI systems it builds, buys, deploys, and depends on, including risk treatment, impact assessment, transparency obligations, and oversight throughout the AI lifecycle.
The cost of an ISO 42001 certification audit varies based on the scope of the AIMS, the number and risk profile of AI systems in scope, the organization’s role across the AI value chain (provider, deployer, distributor), the number of physical and virtual locations, and integration with other management systems already in place. Linford & Company provides an accurate, detailed, and dependable quote before any audit engagement begins.
The ISO/IEC 42001 audit and certification process is structured and consistently repeatable. The following steps describe the typical certification activities Linford & Company performs, based on the requirements of ISO/IEC 17021-1 and ISO/IEC 42006.
The application and pre-certification processes at Linford & Company are streamlined and efficient. Interested applicants enter their organization details into the “Request a Certification Assessment” form at the top of this services page. Applicants are then contacted and provided with an application to gather additional scope information used to determine technology expertise, staffing requirements, level of effort, including auditor hours, and other scoping details. The applicant returns the completed application to is***********@*******co.com or to their primary contact at Linford & Company. Client acceptance and impartiality review activities will be performed; based on the results, the applicant will enter into an executed certification agreement with Linford & Company.
Linford & Company will request the necessary artifacts and confirm with the client that the initial audit is ready to commence. The audit plan will be communicated to the client, and audit dates will be agreed upon in advance. The audit program for the initial certification includes a two-stage initial audit.
Stage 1 Audit
An evaluation of the design of the AIMS is performed in Stage 1. Linford & Company will audit the AIMS documentation supporting the design of the system. Inquiries are made, and documents supporting the AIMS scope, including personnel, AI systems in scope, the organization’s roles across the AI value chain, sites within scope, and connected third parties, are reviewed and evaluated. The auditor confirms that the organization has performed an internal audit, completed regular management reviews, and conducted AI risk assessment and AI system impact assessment activities consistent with Annex A. With this information evaluated, Linford & Company will determine whether the client is ready to move to Stage 2.
Stage 2 Audit
The objective of Stage 2 is to assess the implementation and operating effectiveness of the AIMS. Stage 2 is performed at the client’s site(s) or through virtual meetings that provide evidence of the client’s development, deployment, and monitoring environments for the AI systems in scope. Testing covers AI policies, lifecycle controls, data quality, transparency and information for interested parties, oversight of third-party AI components, and incident management. At the conclusion of Stage 2, Linford & Company will determine whether to issue certification.
When all certification steps are completed satisfactorily, Linford & Company will grant certification in the form of a certificate to the client. The initial three-year certification cycle starting date will be on, or reasonably timed after, the date of the certification decision.
If it is determined that the client does not meet the requirements necessary for certification, a certification refusal will be communicated to the client with sufficient detail regarding the rationale for the decision and the available next steps.
Surveillance Audits: In order to maintain certification, continuing certification activity is required. This is carried out through surveillance audits. Linford & Company conducts surveillance audits at least once annually, except during recertification years. The first surveillance audit after initial certification must occur within 12 months of the documented certification cycle starting date.
Process to Maintain Certification: Along with the continuing surveillance audits, the client is expected to operate its controls and processes in the manner understood during the initial examination procedures. Linford & Company will enable the client to retain certification by demonstrating ongoing compliance with the requirements of the management system standard.
Linford & Company makes additional details publicly available, in accordance with ISO/IEC 17021-1 §8.1, in the companion “ISO/IEC 42001:2023 Certification — Detailed Public Information” PDF. The PDF covers:
Download the full ISO/IEC 42001:2023 Certification — Detailed Public Information PDF.
Our seasoned auditors translate the requirements of ISO/IEC 42001:2023 into a defensible, evidence-driven assessment so your AI management system can be certified with confidence.
Our approach maps 42001 to the EU AI Act, NIST AI RMF, and customer due diligence questionnaires so a single AIMS investment produces durable, multi-purpose evidence.
We audit how AI risk and impact assessments actually shape the systems your teams build, buy, and deploy, from data sourcing through post-deployment monitoring.
AI governance demands auditors who understand both management systems and the underlying technology. Our engagements are led by experienced senior auditors who can have substantive conversations with your engineering and ML teams.
Looking to get ISO 42001 certified? Complete the form above, and we will connect you with one of our expert auditors. We keep your contact information private and use it solely to communicate with you regarding your ISO 42001 audit. We do not sell or share your details with third parties.