ISO 42001 - AI Management

Is our AI governed?

When you build with AI, deploy it into products, or embed it into operations, enterprise buyers, regulators, and investors start asking how it's governed, not just how it performs.

ISO 42001 is the world's first AI management system standard. We take small, fast-moving companies through scoping, implementation, and certification, then maintain the AI Management System so you stay certified through surveillance and recertification audits.

In short

  • 01 A credible ISO 42001 certificate, achieved on the timeline your deal or investor needs.
  • 02 Evidence ready for AI governance questionnaires, mapped to the EU AI Act and what buyers ask.
  • 03 An AI Management System that keeps you certified through surveillance and recertification audits, not just the first one.

What problems we solve

Certification is the milestone; staying certified through every surveillance audit is the real work. You're in the right place if any of these sound familiar:

01

Buyers ask how our AI is governed

Enterprise procurement and investors now want AI governance, not just model performance.

02

We've no AI governance lead

Implementation stalls and fragments, and non-conformities surface during the audit.

03

We don't track AI's ethical and legal risks

Bias, harm, and regulatory exposure go unmanaged until they become incidents.

04

Our data science pipelines keep shifting

Evidence gaps open up and nobody owns the controls.

05

The AI rules keep changing

The EU AI Act and UK guidance evolve, and controls drift from how you actually build.

06

Due diligence keeps stalling deals

Buyers and investors want proof you govern AI responsibly, and you can't show it quickly.

How ISO 42001 certification works

01 Implementation
Basis: Fixed fee

We confirm scope and accountability, run the AI risk assessment and Statement of Applicability, write the AIMS policies, and support the controls that close the gaps.

02 Certification
Milestone: Stage 1 and Stage 2

We run the first internal audit and management review, clear the readiness findings, and take you through the Stage 1 and Stage 2 certification audit.

03 Maintenance
Minimum term: 12-month minimum

We keep evidence, AI risks, and policies current and liaise with the certification body, so you pass surveillance and recertification audits without firefighting.

That's the outline. The full service description sets out every activity, assumption, and exclusion.

Read the full service description

Companies we've worked with.

Ampere, Beam, Biographica, Chalfen, General Index, Harbr Data, Judge.me, Lightsonic, Responsible Marketing, Syntasso, The Key Group, Zaptic

What we put in place

Each requirement is mapped to a real business process and justified in the Statement of Applicability. If a clause genuinely doesn't apply, we mark it not applicable rather than inventing work.

01 AIMS scope and accountability
02 AI asset and stakeholder mapping
03 AI risk assessment and Statement of Applicability
04 Responsible AI policy and objectives
05 Data governance and model lifecycle controls
06 Human oversight and explainability
07 Bias and robustness testing
08 Model register and data provenance
09 Incident handling for AI
10 Supplier and model marketplace assurance
11 Staff AI governance awareness and training
12 Internal audit and certification readiness

Who it's for

20 to 200 employees: large enough to face AI governance demands, small enough that enterprise templates would swamp the business

Building or deploying AI: developing models, embedding third-party AI into products, or using AI in regulated decisions

UK or EU: subject to the EU AI Act, UK AI Code of Practice, or sector-specific AI guidance

Under external pressure: AI governance questionnaires, investor due diligence, or contractual AI obligations

Baseline security in place: ISO 42001 assumes the security fundamentals already exist

What's not included

  • Hands-on engineering (your team enables controls)
  • Remediation actions you own and deliver
  • Foundational security hardening (Security Foundations covers this)
  • Travel and on-site costs unless pre-agreed
  • Strategic security leadership (that's the vCISO service)

You work with a named Lead Consultant whose AI governance credentials are recognised (ISO/IEC 42001 Lead Implementer or Auditor, CIPP/E, CISSP). They are your single point of contact, accountable for delivery. Where it helps, we pair them with a compliance automation platform such as Drata, configured with a custom ISO 42001 control library, so evidence like model cards and bias test reports is collected continuously and your status shows on a live dashboard.

Term and pricing

Phase 1: Implementation
One-off; fixed fee

Phase 2: Maintenance
12-month minimum; recurring fee, renewable annually

With ISO 27001, vCISO, or DPO
Optional; can be combined where it makes sense

Exact figures depend on your size, your starting point, and how much needs putting in place. Use the calculator for an indicative estimate.

Estimate the cost

See whether ISO 42001 is the right move.

A short conversation is usually enough to tell whether AI certification is worth pursuing now, or whether a lighter-touch AI policy would do for the time being. If something else suits you better, we'll say so.