How to certify ISO 42001 in an SME: a step-by-step guide for 2026

·

If your company uses, develops or integrates artificial intelligence systems, you have probably already heard of ISO 42001:2023. Published in December 2023 by the International Organization for Standardization (ISO), it is the first international standard that sets out the requirements for an AI management system (AIMS). Its arrival coincides with the gradual entry into force of the European AI Act (EU Regulation 2024/1689) and with growing pressure from clients, public procurement bodies and insurers demanding proof of responsible AI use. The question we get every week at Summum Calidad is always the same: «Can an SME get ISO 42001 certified, or is this only for large corporations?». The answer is yes, and in this article we explain exactly how to do it.

What is ISO 42001 and why does it matter in 2026

ISO/IEC 42001:2023 («Information technology — Artificial intelligence — Management system») defines the requirements that an AI management system must meet in order to develop, provide or use AI products and services responsibly. Its structure follows the ISO Annex SL (the same high-level structure as ISO 9001, ISO 27001 or ISO 14001), which makes integration with existing management systems significantly easier.

In 2026, the standard gains relevance for three concrete reasons:

Structure of the standard: what it actually requires

ISO 42001 has 10 main clauses aligned with Annex SL. Clauses 1 to 3 are introductory; clauses 4 to 10 are normative (mandatory for certification):

Clause Name What it requires in practice
4 Context of the organisation Identify interested parties and the scope of the AIMS; determine whether the organisation is a developer, provider or user of AI.
5 Leadership AI policy approved by top management; defined roles and responsibilities (can be a committee or a designated AI officer).
6 Planning Assessment of AI-specific risks and impacts; measurable AIMS objectives and plans to achieve them.
7 Support Resources, competences, awareness, communication and system documentation.
8 Operation Operational controls over the AI lifecycle: design, data, training, deployment, monitoring and retirement.
9 Performance evaluation Internal AIMS audit; management review with performance metrics.
10 Improvement Management of non-conformities, corrective actions and continual improvement of the system.

The standard also includes Annex A with 38 reference controls grouped into 9 domains (AI policy, internal organisation, resources, impact assessment, AI system lifecycle, data, information for interested parties, responsible use and third-party relationships). Not all controls are mandatory for every organisation; the AIMS must justify which ones apply and which are excluded through a Statement of Applicability, just as in ISO 27001.

ISO 42001 vs the AI Act: two frameworks that complement each other

A common mistake is to think they are interchangeable. They are not. The AI Act (EU Regulation 2024/1689) is binding legislation with a risk-based classification of systems (unacceptable, high, limited, minimal) and specific legal obligations. ISO 42001 is a voluntary management standard that any organisation can adopt regardless of whether its systems fall within the scope of the AI Act.

The practical relationship between the two frameworks is as follows: complying with ISO 42001 does not exempt an organisation from the obligations of the AI Act, but a certified AIMS provides documented evidence that the organisation has AI governance processes in place, which facilitates regulatory compliance auditing. The European Commission has indicated that harmonised standards under the AI Act (still under development by CEN/CENELEC) will incorporate elements of ISO 42001.

For actual AI Act legal compliance management — system classification, registration in the EUDB, mandatory technical documentation — Summum Consultoría's dedicated AI Act adaptation service covers that ground.

Steps to certify ISO 42001 in an SME: the real process

At Summum Calidad we guide organisations of 15 to 250 employees through a structured process that, starting from scratch, typically takes between 4 and 8 months depending on the starting point and the complexity of AI use within the company. Certification is issued by a certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, Applus+ and others); our role is to prepare the organisation until it is ready for that external audit.

Phase 1 — Initial assessment (weeks 1–3)

The first step is a gap analysis between the organisation's current state and the standard's requirements. We identify which AI systems are in use or under development, who manages them, what documentation exists and which Annex A controls are already in place de facto even if not formalised. In many SMEs that already hold ISO 9001 or ISO 27001, the overlap is 30–40 %, which considerably reduces the effort required.

Phase 2 — AIMS design (weeks 4–10)

With the assessment in hand, we design the management system: AI policy, scope, AI systems inventory, risk and impact map, Statement of Applicability and risk treatment plan. This phase involves the most intensive collaboration with the management team: top management must approve the policy and be convinced that the AIMS is not bureaucracy but a real control tool.

Phase 3 — Implementation and training (weeks 11–22)

We implement the operational controls, train the team responsible for the AIMS and establish monitoring and review mechanisms. An SME does not need a full AI department: a designated AI officer (who can be the same CTO or systems manager) together with clear procedures is sufficient to meet the requirements of clauses 5 and 7.

Phase 4 — Internal audit and management review

Before the certification audit, we carry out a complete internal audit of the AIMS and a formal management review. The result is a report identifying minor non-conformities or areas for improvement that are corrected before the external audit, maximising the chances of achieving certification at the first attempt.

Certification audit (accredited body)

The external audit is conducted by the certification body in two stages: document review (Stage I) and on-site audit (Stage II). If there are no major non-conformities, the organisation receives the ISO 42001 certificate, valid for 3 years with annual surveillance audits.

To learn more about our methodology, visit the ISO 42001 implementation and certification service at Summum Calidad.

Indicative costs: factors that determine the budget

The total cost of an ISO 42001 certification project in an SME has three main components: implementation consultancy, the certification audit by the accredited body and the internal personnel time costs.

Component Indicative market range Variables that affect it
Implementation consultancy €8,000 – €25,000 Size of the organisation, number of AI systems in scope, existence of other already certified ISO systems.
Certification audit (accredited body) €3,000 – €8,000 Chosen body (AENOR, BV, SGS…), required audit days, number of sites in scope.
Surveillance audits (years 2 and 3) €1,500 – €3,500 / year Certification body, complexity of AIMS maintenance.

These ranges are indicative market data based on similar projects published by sector bodies and on our experience accompanying ~200 ISO certifications since 2007. Summum does not publish fees: each project receives a personalised quote after the initial assessment. SMEs that already have ISO 9001 or ISO 27001 in place tend to be at the lower end of the consultancy range, as they can leverage shared documentation and controls.

Which sectors are certifying first

In mid-2026, the sectors with the highest ISO 42001 certification activity in Spain are:

Integration with other ISO management systems

One of the most practical advantages of ISO 42001 is its alignment with Annex SL. If your organisation already holds ISO 9001 (quality), ISO 27001 (information security) or ISO 14001 (environment), the incremental effort to certify ISO 42001 is significantly lower. Clauses 4, 5, 6, 7, 9 and 10 are almost identical in structure; what is specific to ISO 42001 is in clause 8 (operation covering the AI lifecycle) and Annex A (AI controls).

This integration allows a single management manual, an integrated policy, a single internal audit programme and a single management review to be maintained, reducing the overall administrative burden of the integrated system.

Frequently asked questions

Is ISO 42001 mandatory or voluntary?

ISO 42001 is a voluntary standard: no Spanish or European law requires certification. However, the European AI Act (EU Regulation 2024/1689) does impose direct legal obligations on operators of high-risk AI systems, and having an AIMS conforming to ISO 42001 makes it easier to demonstrate compliance to the competent authority. Additionally, clients, public procurement bodies and insurers may require it contractually as a condition of access.

How long does it take to certify ISO 42001 from scratch?

The typical timeline for an SME starting from scratch, with no other ISO management system in place, is 6 to 9 months. If ISO 27001 or ISO 9001 already exists, the timeline shortens to 4–6 months, as documentation, controls and audit culture already in place can be leveraged. The most common bottleneck is not technical but organisational: getting top management to dedicate time to approving the AI policy and the AIMS responsibilities.

Does every company that uses AI need to certify ISO 42001?

No. The standard is useful when the organisation develops, deploys or manages AI systems in processes that involve real risk (decisions affecting people, critical processes, systems with continuous machine learning) or when there is a commercial or regulatory expectation to demonstrate governance. An SME that uses ChatGPT or Copilot to draft emails probably does not need a certified AIMS. A company that uses AI to assess credit applications, screen candidates or control quality on a production line does have solid grounds for certification.

Does Summum Calidad issue the ISO 42001 certificate?

No. Summum Calidad is a consultancy, not a certification body. We guide the organisation through the entire design, implementation and audit preparation process, but the certificate is issued by an ENAC-accredited body (such as AENOR, Bureau Veritas, SGS, Applus+ or others). This separation is fundamental: the certificate has value precisely because it is granted by an independent, accredited entity — not by whoever implemented the system.