ISO 42001 Audit Evidence Pack: What Certifiers Actually Ask UK Organisations to Show

John Airey
iso-42001-audit-evidence iso-42001-stage-2 ai-management-system-evidence uk-certification

UK certifiers conducting ISO 42001 audits request specific documentary artefacts and, in our experience working with UK organisations preparing for first-time certification, most underestimate the depth of evidence required.

The standard reads as a management system specification, but in practice an auditor’s checklist is concrete: dated policies, named owners, sampled records and version-controlled minutes.

In our client work, organisations that treat ISO 42001 audit evidence as a paperwork exercise to be completed in the final weeks before stage 2 frequently fail to certify on first attempt. The AI management system exists in principle. Policies have been drafted. Risk assessments have been completed at a point in time. What is missing is the operational trail that demonstrates the system runs continuously, which is precisely what stage 2 audits test.

This post sets out the seven evidence categories we see UK certifiers request, the difference between stage 1 and stage 2 audits, and realistic timelines for assembling an audit-ready evidence pack.

Audit requirements and certifier expectations may vary between UKAS-accredited certification bodies, so the detail below reflects our interpretation and client experience rather than a universal checklist.

The seven evidence categories we see UK certifiers request

ISO 42001 audits typically request evidence in seven categories: the AI management system policy, AI risk register, AI system impact assessments, supplier and third-party controls, operational monitoring records, incident response logs and management review minutes.

This taxonomy reflects how we group the standard’s requirements: ISO 42001:2023 itself does not prescribe these exact named categories, but each category requires dated entries, named owners and version control.

AI Management System policy. The foundational document defining scope, objectives, roles and the organisation’s approach to AI risk. Auditors check for board-level approval, a review date and alignment with stated AI use cases. A generic policy lifted from a template and never reviewed against actual systems is a frequent non-conformity finding.

AI risk register. A live record of identified risks across AI systems, with assessed likelihood, impact, mitigation owners and review dates.

Certifiers sample entries and ask whether the controls described are operating. A risk register with no updates since the initial assessment signals a stale system.

AI system impact assessments. Documented assessments of each AI system’s effect on individuals, groups and the organisation, including fairness, transparency and accountability considerations.

Auditors expect one assessment per material system, not a single blanket document.

Supplier and third-party controls. Evidence that AI suppliers and model providers have been assessed, contracted with appropriate clauses and monitored.

This includes due diligence records, contract terms covering AI-specific risks, and ongoing assurance activities.

Operational monitoring records. Logs and reports showing AI systems are monitored in production for performance, drift, bias and unintended behaviour. Stage 2 auditors may sample these records to confirm monitoring happens routinely.

Incident response logs. Records of AI-related incidents, near-misses and the response taken. An empty log is acceptable only if accompanied by evidence the detection mechanism works.

Management review minutes. Dated minutes from management reviews of the AI management system, showing senior accountability, decisions taken and actions tracked to closure.

Most organisations underestimate how heavily auditors weigh this category.

Stage 1 versus stage 2: what each audit tests

Stage 1 is a documentation review phase where the certifier confirms your AI management system policies, scope and risk approach exist on paper.

Stage 2 is an operational audit, which verifies whether that documented system is the same one in use, tested through interviews, sampled records and evidence walkthroughs.

Stage 1 finds gaps; stage 2 confirms the system really operates.

The duration of the Stage 1 audit varies by certifier and organisation size, but typically runs one to two days, producing a findings report identifying documentation gaps before stage 2 begins. Organisations often misread stage 1 as the harder of the two. It isn’t.

A clean stage 1 report means the documentation is consistent with the standard, but stage 2 is where certification is won or lost. Auditors interview named control owners, sample records across the audit period and walk through specific AI systems to test whether described controls operate as they have been documented.

The gap most commonly exposed at stage 2 is between a well-written policy and the absence of records showing the policy has been applied and is in use.

How long evidence pack preparation takes

Plan for between two and four months - eight to sixteen weeks of focused work - to assemble a complete ISO 42001 evidence pack from scratch. Timelines depend on AI system inventory size, existing ISO 27001 maturity and whether impact assessments have been previously completed.

Organisations with mature ISO 27001 management systems and live AI governance can compress this to around six weeks; those starting fresh typically need a full quarter.

Organisations already certified to ISO 27001 (and to a certain extent, ISO 9001 too) have an advantage. The management system architecture, document control disciplines and audit response patterns transfer directly.

What doesn’t transfer is the AI-specific content: risk taxonomy, impact assessment methodology and supplier controls reflecting model-specific concerns.

What usually takes longer than planned is operational monitoring records. Auditors typically expect to see records spanning a meaningful audit period, often around three months, though the specific period applied is at the certifier’s discretion.

An organisation that begins logging the week before stage 2 will be found out. Again, this is among the most common reasons first-time certification attempts are deferred.

See also

The ISO 42001 audit evidence FAQ is the deeper Q&A version of this material, covering the next layer of detail on each evidence category. The ISO 42001 certification readiness checklist covers the full programme structure (governance, AI inventory, risk assessment and controls) for teams building the management system before audit evidence collection begins. The ISO 42001 vs ISO 27001 comparison is the upstream piece if you are still deciding which standard your AI programme actually needs.

What an audit-ready evidence pack looks like

A pack ready for stage 2 has each of the seven categories indexed, version controlled and cross-referenced to the standard’s clauses. Each artefact carries a named owner, a date and a review schedule. Sampling is straightforward because records are organised by AI system and by time period rather than by document type.

We assist our customers by assembling audit-ready evidence packs aligned to the certifier’s checklist, working alongside the organisation’s existing governance team.

Certification decisions rest with the independent certifier; our role is to identify gaps between documentation and operation before the certifier does, so the management system being evidenced is the one in use.

Common questions on ISO 42001 audit evidence

The body above answers the headline questions on the seven evidence categories, the Stage 1 vs Stage 2 split and how long pack preparation takes. The questions below are the next layer - the practical follow-ons we get asked most often once those basics are settled. For the full AEO-optimised Q&A set including the headline questions, the ISO 42001 audit evidence FAQ is the deeper companion.

What happens if a gap is discovered during the Stage 2 audit?

Stage 2 findings are categorised as either minor or major non-conformities. Minor findings require a corrective action plan with agreed timescales; certification still proceeds once the plan is accepted. Major findings block certification until evidence of remediation is reviewed and accepted by the certifier - typically a follow-up visit or document review four to eight weeks later.

A clean Stage 1 with a strong, dated evidence trail is the best protection against major findings at Stage 2. In our experience, the findings that escalate to major are almost always pattern failures - absent monitoring across multiple AI systems, not a single missing log.

How long must we retain ISO 42001 audit evidence after certification?

Retention is set by the organisation’s own document control policy, but UK certifiers typically expect at least one full surveillance cycle of evidence to be retrievable - three years as a working minimum.

Sector regulators may require longer for specific records: the ICO and FCA both expect automated-decision logs to be retained for the applicable statutory period under UK GDPR and the relevant financial services rules, which can run materially longer than three years.

Treat retention as a deliberate design decision when the management system is built, not a question to answer the first time a record is asked for.

Can ISO 42001 evidence be assembled centrally or does it have to sit with each AI system owner?

Both, with a clear ownership model.

The AI management system policy, the AI risk register and the management review minutes sit centrally and are owned by the AI management system lead. Operational monitoring records, incident logs and AI system impact assessments live with the AI system owners and are pulled into the central pack at audit time.

Auditors test the join. Central documents must reconcile with what the system owners actually hold - a risk register entry with no monitoring record behind it, or an impact assessment that the AI system owner has never seen, are common Stage 2 findings.
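To make the join testable, here is an added Python example (not the author’s tooling, and not anything a certifier publishes) that runs the reconciliation checks described above over a constructed evidence-pack manifest. The manifest layout, the system names, owners, dates and the 90-day coverage threshold are all assumptions for illustration. It flags a risk register entry with no monitoring records behind it, monitoring that does not span the audit period, a system with no impact assessment, an assessment whose owner is not the system owner, and a risk entry not reviewed within the period.

```python
from datetime import date

# Assumed audit window: the certifier's sampling period for monitoring
# records. "Around three months" is taken here as 90 days.
PERIOD_END = date(2025, 6, 30)
MIN_COVERAGE_DAYS = 90

# Constructed sample manifest (hypothetical systems, owners and dates).
# Central artefacts (risk register) and per-system artefacts (impact
# assessments, monitoring records) are kept side by side so the checks
# can test that they reconcile.
PACK = {
    "systems": {
        "cv-screening": {"owner": "H. Patel"},
        "chat-assistant": {"owner": "M. Okafor"},
        "fraud-scoring": {"owner": "L. Chen"},
    },
    "risk_register": [
        {"id": "R-01", "system": "cv-screening", "owner": "H. Patel", "reviewed": "2025-05-12"},
        {"id": "R-02", "system": "chat-assistant", "owner": "M. Okafor", "reviewed": "2024-11-01"},
        {"id": "R-03", "system": "fraud-scoring", "owner": "L. Chen", "reviewed": "2025-06-02"},
    ],
    "impact_assessments": [
        {"system": "cv-screening", "owner": "H. Patel", "date": "2025-03-02"},
        # Assessment held centrally but owned by someone other than the system owner.
        {"system": "fraud-scoring", "owner": "M. Okafor", "date": "2025-02-20"},
    ],
    "monitoring_records": [
        {"system": "cv-screening", "date": "2025-03-03"},
        {"system": "cv-screening", "date": "2025-04-01"},
        {"system": "cv-screening", "date": "2025-06-28"},
        {"system": "chat-assistant", "date": "2025-06-24"},  # logging started the week before
        {"system": "fraud-scoring", "date": "2025-03-15"},
        {"system": "fraud-scoring", "date": "2025-06-20"},
    ],
}


def _day(text):
    return date.fromisoformat(text)


def _span_days(records):
    """Days between the earliest and latest dated record, or None if there are none."""
    if not records:
        return None
    days = sorted(_day(r["date"]) for r in records)
    return (days[-1] - days[0]).days


def check_pack(pack, period_end=PERIOD_END, min_days=MIN_COVERAGE_DAYS):
    """Return (code, subject, detail) findings; an empty list means the joins reconcile."""
    findings = []
    by_system = {}
    for rec in pack["monitoring_records"]:
        by_system.setdefault(rec["system"], []).append(rec)

    # Central register versus what the system owners actually hold.
    for risk in pack["risk_register"]:
        if not risk.get("owner"):
            findings.append(("NO_OWNER", risk["id"], "risk entry has no named mitigation owner"))
        if risk["system"] not in by_system:
            findings.append(("NO_MONITORING", risk["id"], f"no monitoring records behind {risk['system']}"))
        age = (period_end - _day(risk["reviewed"])).days
        if age > min_days:
            findings.append(("RISK_STALE", risk["id"], f"last reviewed {age} days before period end"))

    # Per-system artefacts: one assessment per material system, monitoring across the period.
    assessments = {a["system"]: a for a in pack["impact_assessments"]}
    for system, meta in pack["systems"].items():
        span = _span_days(by_system.get(system, []))
        if span is None:
            findings.append(("NO_MONITORING", system, "no monitoring records at all"))
        elif span < min_days:
            findings.append(("SHORT_COVERAGE", system, f"records span {span} days, below {min_days}"))
        assessment = assessments.get(system)
        if assessment is None:
            findings.append(("NO_IMPACT_ASSESSMENT", system, "no per-system impact assessment"))
        elif assessment["owner"] != meta["owner"]:
            findings.append(("OWNER_MISMATCH", system,
                             f"assessment owned by {assessment['owner']}, system by {meta['owner']}"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in check_pack(PACK):
        print(f"{code:22} {subject:16} {detail}")
```

Run against the constructed manifest, it reports the stale R-02 entry, the chat-assistant system whose monitoring spans less than the period and has no impact assessment, and the fraud-scoring assessment owned by someone other than the system owner; cv-screening, with records across the period and a matching assessment, produces nothing. The threshold and the manifest schema are the points to adapt to a certifier’s actual sampling period and the organisation’s own document control.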

Find the gaps before the certifier does

If your Stage 2 audit is within the next two quarters, this is the right moment to walk the evidence pack from an auditor’s perspective - not your own.

Book a half-hour audit-readiness walkthrough with a QL Security practitioner. We trace the joins between policy, risk register, monitoring records and management review the way Stage 2 sampling will, and surface the pattern gaps that fail first-time certifications.
