How to Prepare for an ISO 42001 Stage 1 Audit


Team CertBetter


What the Stage 1 Audit Actually Is (And Is Not)

Before you start pulling documents together, it helps to understand what your auditor is actually trying to do during a Stage 1 audit. A lot of businesses treat it like a full certification audit and either over-prepare in the wrong areas or panic unnecessarily. Neither helps.

The Stage 1 audit for ISO 42001 is a readiness review. Your auditor from the certification body is checking whether your AI Management System is designed well enough to proceed to the Stage 2 assessment, where they will test whether the system is actually working. Think of it as a structural check before the full inspection.

Specifically, the auditor will be looking at your documented system, the scope of your AIMS, your understanding of the standard's requirements, your risk and impact assessments related to AI, and whether your organisation is genuinely ready to be audited at Stage 2. They are not expecting perfection. They are expecting evidence of a coherent, intentional system.

What makes ISO 42001 different from other management system standards is the subject matter. You are not just managing quality or environmental impact. You are managing the development, deployment, or use of artificial intelligence systems, which brings its own set of risks, ethical considerations, and technical complexity. Your Stage 1 auditor will want to see that you understand this.

Get Your Scope Statement Right First

The scope of your AI Management System is the foundation of everything else in your Stage 1 audit. If your scope is vague, too broad, or inconsistent with what your organisation actually does, the auditor will flag it immediately and you will likely receive a major finding before the audit has properly begun.

Your scope needs to clearly define which AI systems, products, or services are covered by the AIMS. It needs to reflect the boundaries of your organisation that are included, and it needs to be consistent with the context and interested party analysis you have done under Clause 4.

Common Scope Mistakes to Avoid

The most common mistake is writing a scope that sounds impressive but does not reflect reality. For example, a company that uses a single AI-powered customer service chatbot should not write a scope that implies it governs all AI development activities across the enterprise. Auditors see through this quickly, and it creates problems in Stage 2 when they try to verify the system against that scope.

Another common issue is excluding significant AI systems from scope without a documented justification. If you use AI tools for recruitment screening and AI tools for fraud detection, but only include the fraud detection system in scope, your auditor will want to understand why. That is fine if you have a documented reason. It is not fine if the exclusion was simply to make the audit easier.

For a practical walkthrough of how to approach scope definition in management systems generally, the article on determining the scope of management systems is worth reading before you finalise your ISO 42001 scope document.

The Documents Your Auditor Will Ask For

Stage 1 audits are heavily document-focused. Your auditor will work through your documented information to assess whether your system has been designed in accordance with the standard. Here is what you need to have ready.

AI Policy

ISO 42001 requires a documented AI policy that is appropriate to the purpose of the organisation and provides a framework for setting AI objectives. Your policy needs to include a commitment to responsible AI, a commitment to continual improvement, and a commitment to satisfying applicable requirements. It must be communicated within the organisation and available to interested parties as appropriate.

A one-page policy statement that reads like a marketing brochure will not pass. The auditor wants to see something that is specific to your AI context, signed off by top management, and actually reflects how your organisation approaches AI governance.

Context and Interested Party Analysis

Clause 4 of ISO 42001 requires you to understand your organisation and its context, and to identify the needs and expectations of interested parties. For AI systems, this is particularly important because the range of affected parties is often broader than in other management systems. Regulators, users of AI outputs, data subjects, employees affected by AI decisions, and the broader public can all be relevant interested parties depending on your AI use case.

Your documented analysis needs to show that you have thought carefully about who is affected by your AI systems and what their legitimate expectations are. This feeds directly into your risk and impact assessment, so it needs to be thorough.

AI Risk and Impact Assessment

This is the document that most organisations struggle with for ISO 42001, and it is the one your auditor will spend the most time reviewing at Stage 1. The standard requires you to assess both the risks to the organisation from AI and the impacts of AI on people and society.

The impact assessment component is unique to ISO 42001 and reflects the fact that AI systems can cause harm to individuals and communities in ways that traditional risk management frameworks do not capture well. You need to have assessed things like algorithmic bias, privacy impacts, transparency issues, and the potential for AI outputs to cause harm if incorrect or misused.

Your assessment does not need to be exhaustive at Stage 1, but it does need to demonstrate a systematic approach. An auditor reviewing a company that uses AI for credit decisioning, for example, will want to see that you have considered the risk of discriminatory outcomes and what controls you have in place.

AI Objectives

You need documented AI objectives that are measurable, consistent with your AI policy, and linked to your risk and impact assessment. These objectives should reflect what responsible AI governance actually looks like in your organisation, not just generic statements about being ethical or transparent.

Roles, Responsibilities, and Competence

ISO 42001 places significant emphasis on having the right people responsible for AI governance. Your auditor will want to see documented roles and responsibilities for AI management, evidence that the people in those roles have the necessary competence, and evidence that top management is genuinely engaged with AI governance rather than treating it as a compliance checkbox.

Understanding the AI-Specific Requirements

If you have experience with other ISO management system standards like ISO 9001 or ISO 27001, you will find the structure of ISO 42001 familiar. It follows the same High Level Structure. But there are several AI-specific requirements that have no direct equivalent in other standards, and these are the areas where organisations most often have gaps at Stage 1.

For a solid grounding in what ISO 42001 covers as a standard, the article on understanding the ISO IEC 42001 standard for AI management systems covers the key concepts well before you get into audit preparation.

Annex A Controls

ISO 42001 includes an Annex A with a set of controls covering areas such as AI system lifecycle, data governance, transparency, human oversight, and AI system safety. You need to have documented which controls are applicable to your organisation and justified any exclusions in a Statement of Applicability.

This is similar to the approach used in ISO 27001, where the Statement of Applicability is a core audit document. Your auditor will use your Statement of Applicability to understand what controls you have implemented and why certain controls may not apply to your situation.

Human Oversight Mechanisms

One of the things that distinguishes ISO 42001 from a purely technical standard is its emphasis on human oversight of AI systems. Your auditor will want to see that you have identified where human oversight is required in your AI processes, how that oversight is implemented, and what happens when an AI system produces an output that requires human review or intervention.

For organisations that have highly automated AI pipelines, this can be a significant gap. If your AI system makes decisions with no human in the loop, you need to have documented why that is appropriate and what safeguards exist.

Supplier and Third-Party AI

Many organisations use AI systems developed and maintained by third parties, whether that is a cloud-based AI platform, an AI-powered SaaS product, or a custom model developed by an external vendor. ISO 42001 requires you to manage the AI-related risks that come from these relationships.

At Stage 1, your auditor will want to see that you have identified which AI systems are provided by third parties, what your contractual and governance arrangements with those providers look like, and how you monitor and manage the AI-related risks they introduce.

Practical Steps to Take in the Weeks Before Your Stage 1 Audit

With the conceptual groundwork covered, here is a practical checklist of what to do in the weeks leading up to your Stage 1 audit.

Conduct an Internal Gap Assessment

Before your auditor arrives, you should know exactly where your gaps are. Work through each clause of ISO 42001 and assess your documented system against the requirements. Be honest. The purpose of this exercise is to find problems before the auditor does, not to convince yourself that everything is fine.

Pay particular attention to Clause 6 (Planning), Clause 8 (Operation), and Annex A. These are the areas where most organisations have the most work to do.

Review Your Internal Audit Program

ISO 42001 requires you to have an internal audit program in place. At Stage 1, your auditor will want to see that you have planned internal audits of your AIMS. You do not necessarily need to have completed a full internal audit before Stage 1, but you need to have a documented program and a plan. If you have completed an internal audit, bring the report. It demonstrates that your system is operational, not just designed.

For guidance on running effective internal audits, the article on how to run ISO internal audits that actually find problems is a practical resource worth working through before your Stage 1.

Brief Your Top Management

Your auditor will almost certainly want to speak with a member of top management during the Stage 1 audit. This does not need to be a lengthy interview, but the person they speak with needs to be able to demonstrate genuine understanding of and commitment to the AIMS.

Brief your CEO, Managing Director, or equivalent on the AI policy, the key AI risks your organisation has identified, the AI objectives, and their personal responsibilities under the management system. An executive who responds to auditor questions with blank looks or defers everything to the quality manager is a red flag that auditors note.

Organise Your Document Control

All of your documented information needs to be controlled, version-managed, and accessible. If your documents are scattered across shared drives, email threads, and individual laptops, fix this before the audit. Your auditor will ask to see specific documents and you need to be able to produce them quickly and confidently.

A simple document register that lists your key AIMS documents, their version numbers, approval status, and location is usually sufficient. It does not need to be elaborate.

Prepare for the Opening Meeting

The opening meeting at the start of your Stage 1 audit is your opportunity to set the scene. Be ready to walk the auditor through your organisation, your AI systems, and the scope of your AIMS in plain terms. Have your key documents ready to present. Know who in your team will be available to the auditor and what areas they cover.

The article "8 things to do before an ISO Stage 1 readiness audit" covers the general preparation steps that apply across all management system standards, and most of them are directly relevant to ISO 42001 as well.

What Happens If You Receive Findings at Stage 1

Receiving findings at Stage 1 is not unusual and it is not the end of the world. The purpose of Stage 1 is partly to identify issues before Stage 2, so that you have time to address them. Minor findings at Stage 1 are common. Major findings that prevent progression to Stage 2 are less common but do occur, particularly for organisations that have rushed their system development.

If you receive a major finding at Stage 1, your certification body will advise you on what needs to be resolved before Stage 2 can proceed. This typically means revising documentation, conducting additional analysis, or implementing controls that are currently absent. Take the findings seriously, address them systematically, and provide objective evidence that the issues have been resolved.

One thing to keep in mind is that findings at Stage 1 are an opportunity, not a failure. An auditor who identifies a gap in your AI impact assessment methodology before Stage 2 is doing you a favour. It is far better to fix it now than to receive a major non-conformance at Stage 2 that delays your certification.

If you are concerned about what constitutes a valid audit finding and how to respond to one, the article on the formal process for disputing an ISO audit finding explains your rights and options clearly.

Choosing the Right Certification Body for ISO 42001

Not all certification bodies have the same level of expertise in ISO 42001. Because the standard is relatively new, the pool of accredited auditors with genuine AI management experience is still developing. When selecting a certification body, ask specifically about the AI expertise of the auditors they will assign to your audit. Ask whether they have conducted ISO 42001 audits before and in what sectors.

ISO 42001 was published in December 2023 and the accreditation landscape is still maturing. This means your choice of certification body matters more for this standard than for well-established standards like ISO 9001 or ISO 14001. An auditor who understands AI governance, algorithmic risk, and the specific controls in Annex A will conduct a more useful audit than one who is applying a generic management system audit approach to an unfamiliar standard.

If you are still in the process of selecting a certification body or an ISO 42001 consultant, the article on how to compare ISO 42001 consultants for AI certification covers the key questions to ask and what to look for in a provider with genuine AI certification experience.

Getting Help With Your ISO 42001 Preparation

ISO 42001 is a genuinely complex standard to implement, particularly for organisations that are new to formal management systems or that have AI systems with significant ethical or societal implications. Getting the right support early makes a material difference to how your Stage 1 audit goes.

If you are looking for a consultant or certification body with verified ISO 42001 experience, CertBetter connects businesses with vetted providers who have been assessed for their credentials and track record. You submit one form, receive up to three competing quotes, and can compare providers based on their actual experience with AI management systems. The service is completely free for businesses seeking certification support.


Frequently Asked Questions

The Stage 1 audit is a readiness review conducted by your certification body before the full Stage 2 certification audit. The auditor is assessing whether your AI Management System has been designed in accordance with ISO 42001, whether your scope is appropriate, and whether your organisation is ready to proceed to Stage 2. It is not a pass or fail assessment in the same way Stage 2 is, but findings at Stage 1 must be addressed before Stage 2 can proceed.

Preparation time varies significantly depending on the size and complexity of your organisation and the AI systems in scope. A small organisation with a single AI system and a well-resourced implementation team might be ready in three to four months. A larger organisation with multiple AI systems across different business units may need six to twelve months to build a system that is genuinely ready for Stage 1 scrutiny. Rushing the process typically results in major findings at Stage 1 or Stage 2.

You are not strictly required to have completed an internal audit before Stage 1, but you must have a documented internal audit program in place. If you have completed an internal audit, bring the report to Stage 1 as it demonstrates that your system is operational. If you have not, be prepared to show your audit schedule and explain when your first internal audit is planned.

The most critical documents are your AI policy, scope statement, context and interested party analysis, AI risk and impact assessment, Statement of Applicability for Annex A controls, AI objectives, and documented roles and responsibilities. Your auditor will work through these systematically to assess whether your system has been designed in accordance with the standard's requirements.

A major finding at Stage 1 means your certification body considers there is a significant gap in your system that must be resolved before Stage 2 can proceed. Your auditor will explain the finding and what evidence of resolution is required. You will need to address the issue, provide objective evidence that it has been resolved, and confirm with your certification body that you are ready to reschedule Stage 2. This may delay your certification timeline but is far preferable to receiving a major non-conformance at Stage 2.

Yes, and for most organisations pursuing ISO 42001 certification, engaging a consultant with genuine AI management system experience is a sensible investment. A good consultant will conduct a gap assessment, help you build the required documentation, coach your team on the standard's requirements, and prepare you for the kinds of questions your auditor will ask. The key is selecting a consultant who has actual ISO 42001 experience rather than one who is applying generic management system consulting to an unfamiliar standard.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
