
ISO 42001 for UK businesses: when to certify and the cost

By The AI Consultancy

Figure: A layered framework illustration showing an AI management system resting on an information security baseline, with an external regulation layer above.

What is ISO 42001?

ISO/IEC 42001 is an international standard for an AI management system, published by the International Organization for Standardization in December 2023 and adopted by the British Standards Institution as BS ISO/IEC 42001. It sets out the requirements for an organisation to establish, implement, maintain, and continually improve a management system specifically for its use and development of AI. In the UK, ISO 42001 is increasingly asked about in procurement processes, due diligence reviews, and investor conversations, and it is the standard most UK businesses should look at first if they are considering a formal AI governance framework.

The standard is structured similarly to ISO 27001: a plan-do-check-act management system, Annex A controls, required roles, documented policies, and a focus on risk-based thinking. It is not a technical certification of a particular AI system. It is a certification that the organisation has the management system in place to deploy AI responsibly. The distinction matters, because ISO 42001 does not tell you whether your model is safe; it tells you that you have the organisational discipline to answer that question yourself.

How ISO 42001 differs from ISO 27001 and the EU AI Act

Three overlapping frameworks commonly get confused. ISO 27001 is the information security management system standard. The EU AI Act is an EU regulation with extraterritorial scope. ISO 42001 is an AI-specific management system standard. They coexist and the differences are practical.

Framework | Type | Primary scope | Status for UK businesses
--- | --- | --- | ---
ISO 27001 | Voluntary international standard | Information security management system | Widely adopted; common procurement baseline
ISO 42001 | Voluntary international standard (BS ISO/IEC 42001) | AI management system | Emerging; some procurement asks, no legal requirement
EU AI Act | EU regulation | Risk-based rules for AI placed on the EU market | Applies to UK businesses with EU exposure

A UK business already certified to ISO 27001 can usually extend its management system to ISO 42001 more cheaply than a first-time certifier, because many of the core controls (documentation, internal audit, management review, corrective action) are shared. Complying with ISO 42001 does not make an organisation compliant with the EU AI Act, and vice versa; the EU AI Act is a legal requirement where it applies, and ISO 42001 is a voluntary management-system framework that addresses some but not all of the Act's obligations. For the broader regulatory picture, see our EU AI Act guide for UK SMEs.

Typical certification costs for UK businesses

Certification cost has two components: the internal cost of building the management system and the external cost of the certification body's audits. Both vary with organisation size and complexity. The figures below are indicative bands based on market conditions in April 2026 for UK businesses and should be treated as a planning guide, not a quote.

Business size | Indicative internal cost | Indicative external audit cost (stage 1 + stage 2) | Ongoing annual (surveillance + maintenance)
--- | --- | --- | ---
Small UK SME (under 50 staff, one site, limited AI footprint) | £10,000 to £30,000 | £5,000 to £12,000 | £3,000 to £8,000
Mid-market UK business (50 to 500 staff, broader AI footprint) | £25,000 to £80,000 | £10,000 to £25,000 | £6,000 to £18,000
Enterprise UK business (500+ staff, multi-site, complex AI estate) | £60,000 to £200,000+ | £20,000 to £50,000+ | £15,000 to £40,000+

Two cost drivers consistently catch UK businesses by surprise. The first is the internal document production effort: policies, risk registers, data inventories, and evidence logs together usually require 15 to 40 person-days over the programme. The second is the cost of the internal audit and management review rounds before the certification body's visits. Both are avoidable only in the sense that skipping them usually means failing the stage 2 audit.

The role of UKAS-accredited certification bodies

ISO 42001 certification in the UK is issued by certification bodies accredited by the United Kingdom Accreditation Service (UKAS). UKAS accreditation is how an organisation can demonstrate that the certificate it holds was issued by a competent assessor against the published standard, not by a commercial certifier with a looser interpretation. UKAS publishes the current list of accredited certification bodies for each standard on its website; that list should be the reference point before engaging any certification body, and it is worth confirming accreditation scope specifically for ISO 42001 rather than assuming a body accredited for ISO 27001 is also accredited for ISO 42001.

We do not name specific bodies in this article because accreditation scope changes over time and the authoritative source is the UKAS register itself. A certificate from a non-UKAS-accredited body will satisfy some procurement requirements and not others; for regulated-sector procurement (financial services, healthcare, public sector), UKAS accreditation is usually expected.

A realistic 12 to 18 month path to certification

For a UK business starting without an existing management system, the typical path to ISO 42001 certification is 12 to 18 months end to end. A faster programme is possible for organisations already certified to ISO 27001 or with mature AI governance, but compressing the timeline below 9 months without that head start tends to produce a certificate that covers the paperwork rather than the practice.

  1. Months 1 to 2: scope and gap analysis. Define what is in scope (the organisation, its AI systems, its development and deployment activities). Conduct a gap analysis against ISO 42001's clauses and Annex A controls. Produce a prioritised remediation plan.
  2. Months 3 to 6: management system build. Draft the required policies, procedures, risk registers, data inventories, and roles. Train staff in the new processes. Integrate with existing management systems where relevant (ISO 27001, ISO 9001).
  3. Months 6 to 10: operate and evidence. Run the management system for a period sufficient to produce real evidence of operation: risk assessments conducted, incidents logged, changes controlled, management reviews held. Certification bodies want to see the system operating, not just documented.
  4. Months 10 to 12: internal audit and management review. Conduct the required internal audit and management review rounds. Address findings before the certification body arrives.
  5. Months 12 to 15: stage 1 and stage 2 audits. The certification body conducts a documentation review (stage 1) followed by an implementation audit (stage 2). Major non-conformities must be closed before certification is issued.
  6. Months 15 to 18: certification issued and first surveillance. The certificate is typically valid for three years with annual surveillance audits and a recertification audit in year three.

What the Annex A controls actually cover

Annex A of ISO 42001 lists the control objectives and controls an organisation considers when building its AI management system. The controls are grouped across policy, organisation, resources, impact assessment, AI lifecycle, third-party relationships, and information for interested parties. They are not prescriptive in the way technical controls in a cybersecurity standard can be; each control is a requirement to think about and document a specific aspect of AI governance, with the organisation deciding how rigorously to apply it given its risk profile.

Four control groups deserve particular attention for UK businesses in 2026. The impact assessment controls require a structured assessment of each AI system's impact on individuals, groups, and society; for UK businesses, this dovetails naturally with the Information Commissioner's Office expectations around Data Protection Impact Assessments where personal data is processed. The AI lifecycle controls cover design, development, deployment, and retirement, including model validation and monitoring. The third-party relationship controls address the reality that most UK businesses buy rather than build AI, and the standard therefore expects documented due diligence on AI vendors and suppliers. The information-for-interested-parties controls sit alongside UK GDPR transparency obligations and procurement documentation requests.

Applying Annex A pragmatically is the main skill in a successful certification programme. Over-applying every control to every AI use is expensive and usually unnecessary; under-applying leaves the organisation exposed to audit findings. A defensible middle path is a risk-based tiering of AI systems, with control depth matched to tier. This tiering is usually the first policy document drafted and the last one updated; treat it as a living artefact, not a one-off.

When ISO 42001 is worth pursuing, and when it is not

ISO 42001 is a material investment. Four circumstances make the investment worthwhile for UK businesses in 2026. First, procurement pull: you are losing deals or points in scoring because enterprise or public-sector buyers are asking about your AI governance and the answer is informal. Second, regulated-sector exposure: financial services, healthcare, or legal practices where AI use is increasingly scrutinised. Third, multi-jurisdiction operations where a single standard reduces the overhead of explaining your governance to each jurisdiction separately. Fourth, investor or acquisition preparation where a recognised certification reduces due diligence friction.

Four circumstances make it premature or disproportionate. Very small organisations with a limited AI footprint where the annual audit cost exceeds the commercial benefit. Organisations whose AI use is transient, experimental, or exploratory; certifying a fast-moving programme produces churn in the management system. Organisations whose primary compliance pressure is the EU AI Act; meeting the Act's specific obligations is a more direct use of budget than an adjacent management system. Organisations without any existing management system discipline; ISO 42001 is harder as a first management system than as an extension of an existing one, and a sensible first move is ISO 27001 or the UK Cyber Essentials family.

For a broader view of AI governance outside the certification lens, see our AI security risks guide and the Knowledge Hub strategy section.

Ongoing maintenance after certification

ISO 42001 certification is not a one-time event. Annual surveillance audits and a recertification audit in year three are mandatory, and the management system must operate continuously between audits: risk assessments refreshed, incidents logged and addressed, changes to the AI estate captured, internal audits and management reviews conducted on schedule. Organisations that treat certification as an exercise completed at the stage 2 audit and then forget about it typically fail surveillance in year one. Budget one to two person-days per month of internal effort for ongoing operation, plus the external surveillance audit fee.

Two practical habits separate certificates that survive from ones that do not. A single named owner for the management system, resourced to spend a meaningful fraction of their time on it rather than as a small addition to another role. And a management review that is held as scheduled, with senior leadership present, even when there is no specific incident to discuss. These two habits alone close the overwhelming majority of surveillance findings before they become findings.

Where to start

If you are considering ISO 42001, a sensible first step is a gap analysis against the standard's clauses and Annex A controls, framed against your actual AI footprint and your existing management systems. That output tells you whether the 12 to 18 month path is realistic, and whether the investment is commensurate with the procurement, regulatory, or investor pressure driving the question. For support with gap analysis, scoping, and management-system design, see our AI strategy service, our Enterprise AI service, and our AI readiness service for earlier-stage reviews. For the wider AI governance context, the Knowledge Hub strategy section collects related articles.

Frequently asked questions

What is ISO 42001 in one sentence?

ISO 42001 is the international standard for an AI management system, setting out the requirements an organisation must meet to establish, operate, and improve a governance framework specifically for its use and development of AI. It is adopted in the UK as BS ISO/IEC 42001 and was first published in December 2023.

How does ISO 42001 differ from ISO 27001?

ISO 27001 is the information security management system standard; ISO 42001 is the AI management system standard. Both follow the same management-system structure (plan-do-check-act, Annex A controls, documented policies), which means organisations already certified to ISO 27001 can extend more cheaply to ISO 42001. Complying with one does not automatically cover the other; they address different risk domains even where their controls overlap.

How much does ISO 42001 certification cost a UK business?

Cost depends on organisation size and existing management-system maturity. For a small UK SME in April 2026, expect £10,000 to £30,000 of internal cost plus £5,000 to £12,000 for stage 1 and stage 2 audits. Mid-market businesses typically see £25,000 to £80,000 internal plus £10,000 to £25,000 external. Annual surveillance audits and ongoing operating costs add a further £3,000 to £18,000 depending on size. Figures are indicative and should be confirmed against quotes from UKAS-accredited bodies.

How long does ISO 42001 certification take?

Typically 12 to 18 months end to end for a UK business starting without an existing management system. Organisations already certified to ISO 27001 with mature AI governance can often reach certification in 9 to 12 months. Compressing below 9 months is possible on paper but usually produces a certificate that covers the documentation rather than the practice, which then fails surveillance in year one.

Who should pursue ISO 42001?

UK businesses facing four common triggers: procurement pressure where buyers are asking about AI governance; regulated-sector exposure in financial services, healthcare, or legal practice; multi-jurisdiction operations where a single standard reduces explanatory overhead; or investor and acquisition preparation where recognised certification reduces due diligence friction. Very small organisations with a minimal AI footprint, experimental AI programmes still finding their shape, and organisations whose primary compliance pressure is the EU AI Act should usually defer or prioritise differently.

What is the ongoing maintenance commitment after certification?

The management system must operate continuously, not just at audit time. Expect one to two person-days per month of internal effort across risk assessments, incident logging, change control, internal audit, and management review. External costs include annual surveillance audits and a recertification audit in year three. Organisations that treat certification as a one-time event typically fail surveillance in year one; a named, resourced owner is the single most reliable predictor of a certificate that survives.
