An ISO 42001 readiness assessment is a board-level evidence review: it tests whether your AI management system has a defined scope, named owners, risk and impact assessments, operating controls, management review and improvement records before certification preparation is realistic.
The useful output is not a generic maturity score. It is a decision paper: what is in scope, what evidence exists, which gaps block external assurance, and what has to be built before the board spends time and money on an independent audit.
Key takeaways
- Readiness means evidence, not intent: a board needs a current AI inventory, named accountability, risk records, operating controls and review minutes.
- The review applies to organisations that develop, provide or use AI, especially where customers, regulators, funders or public-sector buyers are asking for assurance.
- The board decision is whether to align first, prepare for certification, narrow the scope or pause because the evidence base is still too thin.
- ISO/IEC 42001 gives the management-system spine, NIST AI RMF gives the risk-management method, and UK GDPR defines the data-protection duties where personal data is involved.
- Cost and timetable are driven by scope, number and risk of systems, supplier reliance, existing management-system discipline and the quality of records already available.
- If the board cannot yet name the systems in scope, start with the Board AI Scorecard. If it needs a gap map and evidence pack, use the AI governance diagnostic.
Who the assessment is for
ISO says ISO/IEC 42001 is for organisations of any size that develop, provide or use AI-based products or services, including public bodies, companies and non-profits. That wide scope matters for boards: the question is not whether the organisation is an AI company, but whether AI is now part of its decisions, services, products or internal operations.
The review is most useful in four situations. First, a customer or procurement framework has started asking whether you are aligned to, or certified against, ISO/IEC 42001. Second, the audit committee wants a defensible view of AI risk before approving new systems. Third, a public-sector buyer, funder or regulator expects evidence of responsible use. The GOV.UK AI Playbook, for example, gives public-sector organisations guidance on using AI safely, responsibly and effectively. Fourth, personal data or automated decisions are involved, which brings the ICO and UK GDPR into the board's assurance frame.
This is not a replacement for a certification audit. It is the step before that. A readiness review tells the board whether the management system is mature enough to put in front of an auditor, or whether the sensible route is to align, operate and gather records first. For a clause-by-clause explanation, read what ISO/IEC 42001 asks of a board. For the choice between standards, read ISO 42001 vs NIST AI RMF.
ISO 42001 readiness assessment: the board decision
A board should not start by asking for a certification price. It should start with five decisions it can record in the minutes.
- Scope: which business units, services, AI systems, suppliers and data flows are in scope for the first management-system boundary?
- Assurance destination: is the immediate aim internal assurance, customer evidence, regulatory confidence or preparation for independent certification?
- Risk order: which systems affect people, money, safety, public services or legal rights, and therefore need deeper evidence first?
- Accountability: who owns the AI management system, who owns each gap, and who can require operating teams and suppliers to produce records?
- Timing: what must be true before the board authorises certification preparation, and what can wait until the system has operated for a full review cycle?
The same answers drive cost and timetable. Scope determines the number of systems, teams, sites and suppliers to review. Risk determines how much evidence is needed for impact assessment, testing, monitoring and human review. Existing management-system discipline changes the effort: a board already running ISO 27001 or ISO 9001-style document control, internal audit and management review starts ahead of a board with policies in shared drives and no dated evidence trail. The quality of the AI inventory also matters. If the organisation cannot list its AI systems, the first cost is discovery, not certification.
The board minute should therefore be a readiness decision, not a procurement note. A defensible conclusion might be: align to the standard this quarter; run the first management review in six months; revisit independent audit once scope, evidence and owners are stable.
Evidence table for readiness
The evidence pack should be small enough to inspect and strong enough to test. A useful rule is that every control should have an owner and a dated artefact. A policy without a record of operation is not readiness; it is a claim waiting to be tested.
| Readiness area | Evidence the board should ask for | Owner |
|---|---|---|
| Scope and inventory | A current AI system register covering internal tools, vendor features, pilots and retired systems | AI management-system owner |
| AI policy | A board-approved policy with allowed, restricted and prohibited uses, plus a review date | Executive owner |
| Roles and accountability | Named accountable owner for the management system and named owners for high-risk systems | CEO or delegated executive |
| Risk and impact assessment | Dated assessments for material systems, with changes recorded after incidents or new uses | Risk lead |
| Data protection | DPIA screening, lawful basis, transparency wording and Article 22 analysis where personal data or automated decisions are involved | DPO or privacy lead |
| Supplier governance | AI due-diligence questions, contract clauses, model-change notification routes and exit controls | Procurement and legal |
| Operating controls | Approval gates, human review routes, test records, monitoring logs and incident records | Product or service owner |
| Assurance | Internal-audit findings, management-review minutes and a record of what changed after review | Board or audit committee |
The AI register is the spine of the pack. It should not be a one-off spreadsheet. It should show which systems are live, who owns them, what risk decision was made, which controls apply and when the last review changed anything. We have set out the case for treating the AI risk register as living evidence, because this is where readiness becomes visible.
Framework mapping: ISO, NIST and UK GDPR
The mapping should prevent duplicate work. The same artefact can often satisfy several frameworks if it is designed properly.
| Framework | What readiness means | Evidence to test |
|---|---|---|
| ISO/IEC 42001 | ISO describes an AI management system as policies, objectives and processes for responsible development, provision or use of AI systems. Readiness means those elements exist and operate. | Scope, AI policy, objectives, risk and impact records, selected controls, review minutes and improvement log |
| NIST AI RMF | NIST's AI RMF is voluntary and designed to help organisations manage AI risks across design, development, deployment and use. Readiness means risks are governed, mapped, measured and managed in practice. | Risk methodology, system context maps, test and monitoring evidence, treatment decisions and residual-risk acceptance |
| UK AI regulation | The UK government response confirms five principles for regulators to apply within their remits: safety, transparency, fairness, accountability and contestability. | A principle-to-control map, board accountability record, disclosure evidence, fairness testing and redress routes |
| UK GDPR and ICO guidance | The ICO's AI guidance applies where AI involves personal data, and the ICO notes that guidance is under review following the Data (Use and Access) Act 2025. Readiness means the data-protection analysis is current. | Lawful basis, DPIA, data-minimisation record, transparency wording, accuracy checks and individual-rights process |
| DPIA and automated decisions | ICO DPIA guidance says a DPIA is required where processing is likely to result in high risk. Its automated decision-making guidance requires attention to information, human intervention, challenge routes and regular checks where Article 22 is engaged. | DPIA screening, meaningful human review design, challenge process, bias checks and records of regular system review |
This mapping is also the best way to control the work. If one approval record can show the ISO owner, the NIST risk treatment, the UK principle addressed and the ICO data-protection safeguards, the board has one evidence trail rather than four disconnected compliance exercises. That is the practical shape of an AI governance framework UK boards can defend.
Common mistakes and next steps
The first mistake is treating readiness as a certification quotation exercise. A price without scope, inventory, risk profile and evidence quality is not useful. The board should understand the drivers before it asks a certification body for an audit plan.
The second mistake is counting documents instead of operating records. A policy, register and risk template may be necessary, but readiness turns on dated evidence: who approved the system, which risk was accepted, what test failed, what changed after review.
The third mistake is ignoring personal data because ISO/IEC 42001 is voluntary. If the system profiles people, informs legal or similarly significant decisions, uses special-category data or affects access to services, UK GDPR analysis belongs in the readiness pack from the start.
The fourth mistake is starting too wide. A whole-organisation boundary can be attractive on paper and impossible to evidence in practice. A narrower first scope, with the highest-risk systems properly assessed, is often the more defensible route. The board can expand the boundary once the review cycle works.
The final mistake is leaving controls in prose. A statement that humans remain accountable means little unless the workflow actually routes decisions to a competent reviewer, records the review and gives affected people a route to challenge. The same applies to source citation, access control and audit trails. The control has to operate in process or code, and the evidence should be generated as the control runs. That is the standard we apply to our own systems.
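The point above, that a control must operate in process or code and generate its own evidence as it runs, is easier to see in a concrete gate. The following is an added illustration, not code from the page's authors or from any ISO, NIST or ICO material: a Python approval gate in which a recommendation flagged as having a legal or similarly significant effect cannot be released until a reviewer with recorded competence for that system logs a decision, an override must carry a written rationale, the affected person has a challenge route that reopens the case, and every action (including refusals) is written to a hash-chained evidence log that fails verification if a record is later edited. System identifiers, reviewer names and case values are constructed for the example; the competence map, event names and record layout are assumptions, not a specification the page gives.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


class GateError(Exception):
    """Raised when the gate refuses to act. The refusal is logged before it is raised."""


@dataclass
class Recommendation:
    system_id: str     # identifier from the AI register (constructed values used below)
    subject_ref: str   # pseudonymous reference to the person affected
    outcome: str       # the system's proposed outcome
    significant: bool  # legal or similarly significant effect (Article 22-style trigger)


@dataclass
class EvidenceLog:
    """Append-only, hash-chained record: each entry commits to the previous hash,
    so an edited or deleted review record breaks verify()."""
    records: list = field(default_factory=list)

    def append(self, event: str, **fields) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {"event": event, "ts": datetime.now(timezone.utc).isoformat(),
               "prev": prev, **fields}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ApprovalGate:
    def __init__(self, competence: dict, log: EvidenceLog):
        self.competence = competence  # system_id -> set of reviewers with current competence
        self.log = log
        self.cases: dict = {}

    def submit(self, rec: Recommendation) -> str:
        case_id = f"{rec.system_id}/{rec.subject_ref}"
        self.cases[case_id] = {"rec": rec, "review": None, "released": False}
        self.log.append("recommendation", case=case_id, system=rec.system_id,
                        outcome=rec.outcome, requires_review=rec.significant)
        return case_id

    def review(self, case_id: str, reviewer: str, decision: str, rationale: str) -> None:
        case = self.cases[case_id]
        if reviewer not in self.competence.get(case["rec"].system_id, set()):
            self.log.append("review_refused", case=case_id, reviewer=reviewer,
                            reason="reviewer not competent for this system")
            raise GateError("reviewer lacks recorded competence for this system")
        if decision not in ("accept", "override"):
            raise GateError("decision must be accept or override")
        if decision == "override" and not rationale.strip():
            raise GateError("override requires a written rationale")
        case["review"] = {"reviewer": reviewer, "decision": decision}
        self.log.append("human_review", case=case_id, reviewer=reviewer,
                        decision=decision, rationale=rationale)

    def release(self, case_id: str) -> dict:
        case = self.cases[case_id]
        if case["rec"].significant and case["review"] is None:
            self.log.append("release_blocked", case=case_id, reason="no human review on file")
            raise GateError("significant decision cannot be released without human review")
        case["released"] = True
        basis = "human_review" if case["review"] else "automated"
        self.log.append("release", case=case_id, basis=basis)
        return {"case": case_id, "basis": basis, "outcome": case["rec"].outcome}

    def challenge(self, case_id: str, grounds: str) -> None:
        """Route for the affected person: reopens the case so it cannot be
        re-released without a fresh human review, whatever its original flag."""
        case = self.cases[case_id]
        case["review"], case["released"] = None, False
        case["rec"].significant = True
        self.log.append("challenge", case=case_id, grounds=grounds)


def run_example() -> list:
    """Walk one constructed case through the gate and return the logged event names."""
    log = EvidenceLog()
    gate = ApprovalGate({"credit-scoring-v2": {"reviewer-a"}}, log)
    case = gate.submit(Recommendation("credit-scoring-v2", "subj-001", "decline", True))
    for attempt in (lambda: gate.release(case),                         # blocked: no review
                    lambda: gate.review(case, "reviewer-z", "accept", "")):  # refused: not competent
        try:
            attempt()
        except GateError:
            pass
    gate.review(case, "reviewer-a", "override", "income evidence not considered by model")
    gate.release(case)
    assert log.verify()
    return [r["event"] for r in log.records]
```

The design choice worth noting is that the evidence is a by-product of the control, not a separate reporting task: the blocked release and the refused reviewer are on the same chained record as the successful review, which is exactly the dated operating evidence the readiness table asks for. In a real deployment the log would be written to storage the operating team cannot rewrite, and the competence map would come from the training and role records the standard expects, rather than a dictionary in code.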
Use the Board AI Scorecard if the board needs a quick baseline across accountability, risk, policy, data and assurance. Use the AI governance diagnostic when the decision needs a formal gap map, evidence table, board paper and sequence of work against ISO/IEC 42001, NIST and UK data-protection duties. If the gaps are already understood and the board wants implementation support, the next conversation sits under our services.
Sources: ISO/IEC 42001 official page · GOV.UK AI Playbook · NIST AI Risk Management Framework · UK government AI regulation response · ICO guidance on AI and data protection · ICO DPIA guidance · ICO automated decision-making and profiling guidance