ISO 42001 certification is ushering in a new era of artificial intelligence governance. For organizations working with AI, it offers a structured approach to managing risks, ensuring transparency, and building trust in AI systems. But if you’re still treating ISO 42001 like any other management system standard—or applying outdated ISO practices—you’re missing the point.
AI systems present dynamic and novel compliance risks that demand more than a tick-the-box exercise. Continuing down the old ISO path leads to weak documentation, misaligned controls, and auditors asking tough questions you’re not ready to answer. There’s a better way to do this.
The old way: checklist compliance and siloed documentation
Historically, ISO certifications like 27001 or 9001 followed a well-understood path: define your scope, build documented policies, complete an internal audit, hold a management review, and walk into Stage 1 audit with a binder full of evidence. That approach, while effective for static systems, doesn't scale to the variable nature of AI governance.
Manual processes dominate. Preparing for ISO 42001 “the old way” often means writing policies from scratch, maintaining a spreadsheet inventory of AI systems, and tracking Annex A control applicability in Word documents. It’s labor intensive—and error prone.
Scoping is unclear. Teams try to reuse existing ISO documentation without adapting it to cover the lifecycle and risk profile of AI systems. That causes confusion around which AI models, pipelines, or datasets are truly in scope. Misaligned Statements of Applicability (SoAs) become audit red flags.
Evidence gets lost in translation. Without centralized document control, organizations struggle to connect their risk assessments, internal audits, and AI System Impact Assessments (AIsIA). Auditors start to doubt if governance is real or just for show.
ISO 42001 moves fast, but the old method doesn’t.
Common challenges in today’s AIMS audits
Even organizations experienced with ISO standards are encountering surprises with ISO 42001. Oversimplifying the process or ignoring specific AI-related expectations leads to avoidable setbacks.
Incomplete readiness derails timelines. Your AIMS must be operational for at least three months before Stage 2. That includes completing your internal audit and management review. Many organizations show up at Stage 1 without those components in place, triggering deferrals or repeat assessments.
Weak AIsIA documentation undermines risk posture. Clause 6.1.4 requires a risk-based impact assessment of AI systems. But too often, this takes the form of a thin checklist rather than an in-depth evaluation of data quality, model bias, or stakeholder impact.
Auditor mismatch causes misalignment. Not all certification bodies are accredited—or even qualified—to assess ISO 42001. As of 2025, only a few are formally recognized by national accreditation bodies with AI-specific competency (under ISO 42006 requirements). Choosing a CB without AIMS accreditation can jeopardize your certification’s credibility.
Evidence management breaks down. From document versioning to proof of clause coverage, many audit findings stem from messy documentation and unclear control ownership. This delays certification and damages auditor confidence.
ISO 42001 implementation is complex, and compliance won’t scale without the right tooling and strategy.
The future of ISO 42001: what to expect by 2026
As adoption grows, ISO 42001 will evolve beyond early adopters. By 2026, expect serious shifts in three key areas:
AI governance will become a boardroom priority. Organizations won’t just pursue ISO 42001 for compliance. Regulators, customers, and partners will expect evidence of trustworthy AI practices. Certification will shift from optional to essential.
Certification bodies will raise the bar. With ISO/IEC 42006 taking effect, AIMS certification bodies will need competencies in machine learning, data governance, and impact assessment. Auditors will expect a deeper integration between your technical and compliance teams.
Framework overlap will increase. ISO 42001 is designed to align with frameworks like ISO 27001 and ISO 9001. In 2026, more organizations will seek multi-framework compliance models that map each control once, reuse evidence everywhere, and minimize duplication.
If you build your program the old way—manually, in silos, and without accounting for this future—you’ll find yourself starting over in two years. It’s time to move forward, not circle back.
How Thoropass modernizes ISO 42001 readiness
Thoropass is designed for what ISO 42001 really means: real-time system accountability, integrated risk management, and enduring audit readiness. We help modern compliance teams avoid common traps and move with confidence toward certification.
Pre-built templates, tailored for AIMS. Our ISO 42001 policies, control sets, and guided AIsIA workflows eliminate guesswork. You won’t be writing from scratch or retrofitting general policy documents. Every template is mapped to relevant clauses and Annex A controls so your documentation holds up during audits.
Automated evidence pulls and centralized control mapping. With integrations into your infrastructure and workflows, Thoropass collects and updates your evidence automatically. We help you demonstrate clause coverage and maintain traceable, audit-ready records—without last-minute scrambling.
Multi-framework support with reuse built in. ISO 27001, SOC 2, and now ISO 42001 all require overlapping controls. Our platform maps one control to multiple frameworks, slashing duplicate work. Updates to a control apply everywhere it’s relevant.
Expert-led audits with no conflict of interest. Our team includes ISO-qualified auditors who are separate from implementation support. We never grade our own work, giving you clean separation and full independence in the audit process.
Always-on support and continuous monitoring. Compliance shouldn’t be a once-a-year push. With Thoropass, your AIMS stays current—and you stay ahead of emerging AI risks and regulatory shifts.
The bottom line
Stop doing ISO 42001 the old way. Manual policy writing, stale risk assessments, and scattered documentation aren’t just inefficient—they’re incompatible with modern AI governance.
Compliance should scale with your business, not slow it down. Thoropass delivers a smarter path to ISO 42001 certification with automation, clarity, and built-in audit expertise. We’ve already achieved ISO 42001 certification ourselves, and we bring that operational knowledge directly into our platform.
Your AI systems are modern. Your compliance program should be too.
Let’s build audit readiness that lasts. Schedule a discovery session today.