Stage 1 vs. Stage 2 Audit for ISO 42001
Quick Insights:
Getting ISO 42001 certified is the gold standard for proving your AI is ethical, safe, and governed. The process is a two-part marathon: Stage 1 is a "Documentation Review" where an auditor checks if your policies look good on paper. Stage 2 is the "Operational Effectiveness Audit," where they verify if you actually do what you say you do. Expect the whole journey to take 4 to 12 months. If you want to build trust in the age of AI, this is your roadmap.
We are witnessing how AI is taking off across industries, but with great power comes great responsibility. Nearly 80% of corporate strategists believe AI is critical to their future success. But there is a massive problem. Only 30% of organizations have actually deployed AI governance in production. That is a huge “trust gap.”

In a world where 91% of companies admit they need to do more to reassure customers about how they use data, ISO 42001 has emerged as the world’s first international standard for AI Management Systems (AIMS). It is not just a “nice-to-have” anymore; it is how you stay in the game.
But when you decide to get certified, you will hear terms like “Stage 1” and “Stage 2.” If you are feeling confused, do not worry. Most businesses stumble here because they do not know the difference. In this blog, we will break down the ISO 42001 Stage 1 vs. Stage 2 audit so you can pass with flying colors and win more deals.
What is an ISO 42001 Stage 1 Audit?
An ISO 42001 Stage 1 audit (often called the documentation review or readiness review) is essentially a check to ensure your AI Management System (AIMS) is properly designed and ready for full certification. According to ISO guidance, Stage 1 focuses on evaluating whether the foundational elements are in place.
Auditors will review all the core documentation: your AIMS scope statement, AI policy, objectives, risk assessment methodology and results, AI impact assessment process, Statement of Applicability (SoA), risk treatment plan, roles & responsibilities, training records, internal audit and management review procedures, and other mandatory docs.
In practice, Stage 1 is quick and mostly remote, typically 1–2 days for most organizations. The Auditor scans your documents and may interview a few stakeholders to ensure you understand the standard’s requirements. For example, they will check that your SoA correctly maps which Annex A controls you apply and why. They will verify your scope (which AI systems and locations are included) and confirm you have defined roles (e.g., who is the AI risk owner) and basic processes.
Why does Stage 1 Audit Exist?
It gives both you and the Auditor confidence that you are ready for Stage 2. If the Auditor finds “Areas of Concern” (AOCs), e.g., missing documents or unclear processes, they document these in a report. You then have time (usually a few weeks) to address these gaps. In short, Stage 1 is about checking the blueprint, not the actual construction. Stage 1 “confirms that design and foundational elements of your AIMS align with the standard requirements”.
Key Focus of Stage 1 Audit
- Documentation Review: Scope, policy, objectives, risk/impact assessments, SoA, and key procedures.
- Design Audit: Check that your AIMS (management system design) is complete and aligned. This is a document-centric audit.
- Readiness Assessment: Identify any gaps before the main audit. The Auditor will report AOCs or potential nonconformities to be addressed before Stage 2.
Typical Stage 1 Audit Activities
- Scope and Policy: Auditor reviews your AI governance scope statement and policy documents (Clauses 4–5).
- Risk and SoA: They check your AI risk assessment methodology, results, AI impact assessment, and SoA (Clause 6) for completeness.
- Core Procedures: They ensure you have procedures for AI lifecycle management (design, deployment, monitoring) and support processes (training, audits, reviews).
- Interviews (brief): Possibly brief chats with AIMS stakeholders (e.g., AIMS owner, compliance lead) to confirm you know your system.
Output: After Stage 1, you receive a report (presented at a close-out meeting) listing any AOCs. Unresolved AOCs could become formal nonconformities in Stage 2. Certification bodies typically allow 4–12 weeks between Stage 1 and Stage 2 to fix issues.
What is an ISO 42001 Stage 2 Audit?
The ISO 42001 Stage 2 audit is the main event. It is a full on-site (or hybrid) assessment of your AI Management System’s operational effectiveness. Where Stage 1 was about design, Stage 2 is about reality: Are you actually following the AI governance plan you documented? The Auditor will drill into how AI risks and controls play out in day-to-day operations.
Concretely, Stage 2 usually lasts 3–9+ days (depending on scope and organization size). The Auditor does deep dives into your AI systems, sampling representative AI projects or models, and reviews evidence of performance. Key focus areas include Clause 8 (operations and controls), as well as performance evaluation and improvement (Clauses 9–10). They will examine monitoring reports, incident/issue logs, audit results, management review records, etc., to confirm controls are working.
Typical Stage 2 Activities
- On-Site Walkthroughs: Visiting relevant teams (AI development, data science, operations). For each sampled AI system, the Auditor traces its lifecycle from design to deployment, confirming that controls such as bias testing, model validation, and oversight are in place.
- Interviews: In-depth Q&A with control owners and staff to check awareness and practices (e.g., “How do you monitor AI drift?”). Sessions with AI owners, operators, and leadership to validate procedures.
- Evidence Sampling: Auditor reviews operational records. Examples include training/competence records, risk treatment decisions, model cards, testing results (accuracy, bias, robustness), change logs, performance dashboards, incident reports, management review minutes, and corrective action records.
- Control Testing: They test whether each applicable Annex A control is implemented. For example, if your SoA says you apply a bias mitigation control, the Auditor will look for proof (e.g., bias test results). They will also check that continual improvement processes (internal audit, corrective actions) are effective.
At the end of Stage 2, the Auditor holds a closing meeting to present findings: conformities, minors (small fixes), majors (blockers), and observations. If there are major nonconformities, certification is withheld until they are fixed. Otherwise, you get a final report and the certification decision (often a committee review).
Stage 1 vs. Stage 2 ISO 42001 Audit

ISO 42001 Stage 1 Audit Checklists and Tips

ISO 42001 Stage 2 Audit Checklists and Tips

Conclusion
ISO 42001 certification is a journey, but a rewarding one. Stage 1 and Stage 2 audits are two separate checkpoints: first, verify your blueprint; then, validate your building. By understanding these stages (and following our checklists), you will turn the audit from a hurdle into a growth opportunity. You will not only “check the boxes” but truly strengthen your AI governance.
Remember: Stage 1 is your readiness review (done right, it is a dress rehearsal); Stage 2 is the full compliance test. Nail both, and you will emerge with a robust AI Management System and an official ISO 42001 certificate.
What’s the Next Step After Understanding Stage 1 vs. Stage 2 Audits?
By now, one thing should be clear:
- Passing an ISO 42001 audit is not about documentation alone.
- It is about proving that AI risks are identified, managed, and continuously governed.
And this is where most organizations struggle.
They understand the theory.
But when it comes to:
- Building a real AI risk register
- Mapping controls to ISO 42001
- Preparing for Stage 2 evidence validation
- Handling auditor expectations
That’s where gaps start showing.
How Can You Actually Prepare for ISO 42001 Audits (Without Guesswork)?
This is exactly where InfosecTrain’s ISO 42001 Training comes in. Instead of just explaining the standard, the training focuses on practical implementation and audit readiness, so professionals can move from understanding → execution.
Why InfosecTrain’s ISO 42001 Training Stands Out
- Learn how to prepare for both Stage 1 (readiness) and Stage 2 (certification) audits
- Build and implement an AI Risk Register aligned with ISO 42001
- Understand real auditor expectations and evidence requirements for ISO 42001 audits
- Work through practical scenarios, not just theory
- Get guidance from industry experts with hands-on audit experience
If the goal is not just to understand audits, but to clear them with confidence, then it is time to take the next step.
Explore InfosecTrain’s ISO 42001 Training and start building real-world AI governance expertise today.
TRAINING CALENDAR of Upcoming Batches For ISO/IEC 42001:2023 Lead Auditor Training
| Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status |
|---|---|---|---|---|---|
| 13-Jun-2026 | 12-Jul-2026 | 09:00 - 13:00 IST | Weekend | Online | Open |
| 08-Aug-2026 | 06-Sep-2026 | 19:00 - 23:00 IST | Weekend | Online | Open |
Frequently Asked Questions
What is a Stage 1 audit in ISO 42001?
Stage 1 is a preliminary documentation review (typically 1–2 days). Auditors check your AIMS design: scope, AI policy, risk assessment, SoA, and core procedures, to confirm readiness for Stage 2. Any gaps (“Areas of Concern”) are reported so you can fix them in advance.
What is a Stage 2 audit in ISO 42001?
Stage 2 is the full certification audit (usually 3–9+ days on-site). It examines operational effectiveness: Auditors interview staff, inspect records (monitoring logs, test results, audits, etc.), and test controls from Clauses 8–10. The goal is to verify your AI management controls work in practice and identify any nonconformities.
How long do Stage 1 and Stage 2 audits take?
For most organizations, Stage 1 lasts about 1–2 days. Stage 2 duration depends on scope and size, often 3 to 9+ days. Very small companies might see shorter audits; large enterprises could see multiple weeks.
What documents are needed for ISO 42001 Stage 1?
Core docs include: AIMS scope statement, AI policy, objectives, risk assessment methodology and results, AI impact assessment, Statement of Applicability, risk treatment plan, roles/matrix, competence requirements, training records, and procedures for internal audit, management review, and corrective action. Basically, anything covering Clauses 4–7 (context, leadership, planning) of the standard.
What happens after Stage 2?
Assuming no major issues, the certifying body issues your ISO 42001 certificate (valid 3 years). You will then have annual surveillance audits (years 2 and 3) to check continued compliance, and a full recertification audit in year 4. Any nonconformities from Stage 2 must be closed (usually within 90 days) before certification is granted.
