ISO 42001 recertification

ISO 42001 recertification takes place every three years and involves a full re-audit equivalent to the original Stage 1 and Stage 2 assessments. The audit confirms that the AIMS remains effective and mature as AI risks evolve, new systems are introduced, and the standard is updated. It tests whether your governance has adapted over the cycle, not just maintained the status quo.

Preparation timeline (6–12 months out)

Build on surveillance audits to avoid surprises.
  • Gap analysis (3–6 months prior): A gap analysis is typically performed three to six months prior to the audit and involves a self-assessment against clauses 4–10 and Annex A, sampling all AI systems and updating the Statement of Applicability to reflect new controls or risks.
  • Evidence refresh: Consolidate three years of monitoring logs, incident CAPAs, oversight records, and model cards for the current portfolio.
  • Internal audit: Conduct a mock Stage 2 covering the full scope, addressing any emerging gaps such as new regulations or AI failure modes.

Re-audit process

Mirrors initial certification but with deeper scrutiny on longevity.

Stage 1 Re-Review
  • 1–2 days: Auditors check that the updated AIMS scope, policies, risks, and procedures reflect three years of operation and changes.
  • Focus: The re-audit focuses on whether new AI systems have been integrated, whether risk and impact assessments remain current, and whether findings from prior surveillance audits have been fully closed.

Stage 2 Re-Audit

The Stage 2 re-audit typically spans three to seven days and involves comprehensive sampling and testing across the full AIMS, including rotation of lower-risk systems into scope. Auditors conduct deep dives on approximately 10–20 AI systems, tracing them end to end to verify monitoring effectiveness, human oversight in production, and incident learning and feedback loops. The audit also reviews how the organization has managed system expansions, failures, and technology shifts, such as the introduction of new large language models or responses to drift-related incidents.

Post-re-audit

Nonconformities are handled in the same manner as in the initial certification audit: minor nonconformities must be closed within 90 days, and major nonconformities delay recertification. Successful recertification extends the validity of the certificate for a further three years, with annual surveillance audits continuing during the cycle.
