ISO 42001 Implementation
& Certification.
From gap assessment to certification-audit readiness: one AI Management System, built, operated and evidenced, so an accredited certification body can certify it. Delivered by a practitioner-led team with hardcore cybersecurity backgrounds, offensive and defensive, and a proven track record implementing ISO/IEC 42001, not consultants working from a template.
ISO 42001 implementation is the work of building an AI Management System (AIMS) that an accredited certification body can certify. It covers gap assessment, AI risk methodology, the Statement of Applicability, required policies and documented information, internal audit and management review, ending in certification-audit readiness.
We implement. We don't certify directly ourselves, a deliberate separation that preserves impartiality: the organization that builds your AIMS cannot also be the one that certifies it. But certification is included in the package. We've partnered with multiple reputable, accredited certification bodies, so we coordinate that relationship for you end to end rather than leaving you to source an auditor on your own.
What's Included
The Scope of an
Implementation Engagement.
Every engagement is scoped individually, but the deliverables below are what an ISO/IEC 42001 implementation covers end to end.
- Gap assessment. Every AI system in scope reviewed against Clauses 4–10 and Annex A, mapped against what already exists.
- AIMS scope and AI system inventory. A defined boundary for the management system and a living record of which AI systems it covers.
- AI risk assessment and treatment methodology. A repeatable way to identify, assess and treat AI-specific risk, not a one-time exercise.
- AI system impact assessments. Documented per system, covering effects on individuals, groups and society where relevant.
- Statement of Applicability (SoA). Every Annex A control addressed, with justification for inclusion or exclusion.
- Policies, procedures and documented information. The AI policy, roles and responsibilities, and the records an auditor will ask to see.
- Internal audit program and management review. Run before the external audit, so nonconformities are found and closed while it costs nothing to do so.
- Certification-audit readiness. Mock interviews, evidence review, and advisory support through the accredited body's Stage 1 and Stage 2 audits.
How the Engagement Runs
Five Phases,
One AIMS.
Timing runs three to twelve-plus months, depending on how many AI systems are in scope, the maturity of your existing management systems, and overall complexity. The phases below show the typical shape of the work for a mid-size engagement.
| Phase | Timing | What we deliver | What we need from you |
|---|---|---|---|
| Gap assessment & scoping | Month 1 | AI system inventory review, scope statement, roadmap, and an honest go/no-go recommendation. | Access to AI system owners and existing documentation. |
| Build the AIMS | Months 2–4 | AI policy, risk methodology, risk assessment & treatment, impact assessments, Statement of Applicability, roles and responsibilities. | Review and sign-off from AI system owners and leadership. |
| Operate & evidence | Months 4–6 | Controls run in practice; the system starts generating the evidence trail an auditor needs. | Day-to-day operation of the AIMS by your own team. |
| Internal audit & management review | Months 6–8 | Internal audit against ISO/IEC 42001, findings raised and closed, management review conducted. | Availability of relevant staff for interviews and evidence review. |
| Certification audit: Stage 1 & Stage 2 | Months 7–9 | Audit-readiness preparation, plus coordination with one of our partnered, accredited certification bodies through Stage 1 and Stage 2. | Direct engagement with the certification body's auditors. |
Organizations with ISO 27001 already in place typically compress the "Build the AIMS" phase, since context, leadership, risk process and internal audit program can extend rather than start from zero. Multiple AI systems, multiple jurisdictions, or higher-risk deployments extend the timeline accordingly, up to twelve months and beyond.
Who This Is For
Four Reasons Organizations
Start Here.
Building AI governance from scratch
No management system in place yet for the AI you're deploying, and a board, customer or regulator has started asking how it's governed.
Already ISO 27001 certified
You want to extend an existing, mature ISMS to cover AI systems rather than run a second, disconnected management system.
Answering a due-diligence request
A customer, procurement team or regulator has asked how your AI is governed, and "we're careful" isn't going to be an acceptable answer for much longer.
Working toward a specific audit date
Certification has been committed to, internally or externally, and the AIMS needs to be built and evidenced against a real deadline.
Integration With ISO 27001
One Management System,
Not Two.
ISO/IEC 42001 and ISO/IEC 27001 both follow the Annex SL high-level structure: context, leadership, planning, support, operation, performance evaluation and improvement map onto each other clause for clause. If you already run a certified ISMS, the AIMS is built as an extension of it, with a shared risk process, a shared internal audit program and a shared management review, rather than as a parallel system your team has to maintain twice.
In practice, this is the single biggest factor in how fast an implementation moves. Organizations without ISO 27001 build the underlying management-system muscle and the AIMS at the same time; organizations with it in place are usually just extending scope.
Who Delivers This
reconn, Led by
Shenoy Sandeep.
reconn is an AI-first cybersecurity firm based in Business Bay, Dubai, led by founder Shenoy Sandeep. Every AIMS we build is implemented by a team with hardcore cybersecurity backgrounds, both offensive and defensive, and a proven track record delivering ISO/IEC 42001 in practice, not a certificate earned once and never applied.
The same team also delivers PECB-accredited ISO/IEC 42001 Lead Implementer and Lead Auditor training across the UAE, so the people teaching the standard are the same people implementing it.
- Hands-on offensive and defensive AI security experience, not GRC theory alone
- Proven ISO/IEC 42001 implementation track record across live AI systems
- PECB-accredited Lead Implementer and Lead Auditor training, delivered in-house
- Led by Shenoy Sandeep, PECB Certified Trainer and founder of reconn
Frequently Asked Questions
Questions,
Answered.
What exactly happens during a gap assessment?
We review every AI system in scope against ISO/IEC 42001's Clauses 4–10 and Annex A controls, look at what governance already exists (especially if you hold ISO 27001), and produce a scope statement and roadmap. It ends with an honest recommendation on whether certification is worth pursuing yet.
Do you certify our AI Management System?
Not directly ourselves. Impartiality rules mean whoever builds your AIMS cannot also certify it. But certification is included in the package: we've partnered with multiple reputable, accredited certification bodies, so we coordinate the certification audit on your behalf rather than leaving you to find and manage that relationship yourself.
Can this be delivered remotely, or does it have to be on-site?
Most workshops, documentation reviews and risk assessment sessions run effectively over video call. We deliver on-site in Dubai, Abu Dhabi and across the Emirates for kickoff, internal audit and audit-readiness sessions where being in the room speeds things up.
What if we already have ISO 27001 in place?
You move faster. ISO 27001 and ISO 42001 share the Annex SL high-level structure, so context, leadership, risk process, internal audit program and management review can be extended rather than built twice. Organizations with a mature ISMS typically compress the AIMS build phase considerably.
How much does an ISO 42001 implementation engagement cost?
It depends on the number of AI systems in scope and the maturity of your existing management systems, so we don't publish a fixed price. The gap assessment call establishes scope first; you get a specific quote after that, not before.
What do you need from us during the engagement?
Access to the people who own and operate your AI systems, existing documentation (even if incomplete), and time from leadership at key sign-off points: policy approval, risk acceptance, and the management review. The AIMS has to be genuinely run by your organization, not handed to you as a binder.
What happens if we don't pass the certification audit?
It's rare when the internal audit and management review beforehand are done properly, since they're designed to surface the same nonconformities an external auditor would find. If a nonconformity is raised, you get a defined period to correct it and provide evidence, rather than restarting the process.
How is this different from hiring a general GRC consultant?
reconn is a hardcore cybersecurity firm first, an AI management-system consultancy second. The team implementing your AIMS has hands-on offensive and defensive security experience and a proven ISO/IEC 42001 implementation track record, not just a certificate. You work directly with the practitioners doing the work, led by Shenoy Sandeep, not an account manager relaying instructions from someone else.
Do you also deliver ISO 42001 training?
Yes. The same team that implements AIMS for clients also delivers PECB-accredited ISO/IEC 42001 Lead Implementer and Lead Auditor training in Dubai, Abu Dhabi and across the UAE, for organizations that want to build or audit their own AIMS in-house.