AI-Si.com

ISO 42001: What UK SMEs Need to Know Before Pursuing Certification

Published 29 May 2026 · Last reviewed 29 May 2026 · 6 min read · By Simon Steggles · Fractional AI Director

Who this is for: UK SME leaders and governance professionals evaluating whether ISO 42001 certification or alignment is right for their organisation.

TL;DR

ISO 42001 is the international standard for AI management systems. UK SMEs do not need formal certification but should pursue alignment. Building a compliant management system typically costs £15,000 to £30,000 for initial certification from a standing start.

Key takeaways

  • ISO 42001 certification is not legally required but is becoming a de facto procurement requirement in public sector contracts.
  • For most UK SMEs, alignment over certification is the right position: build a compliant system and certify only if commercially required.
  • Initial certification from a standing start typically costs £15,000 to £30,000 for an SME including specialist support.
  • Annual surveillance audits add £1,500 to £3,000 per year after initial certification.
  • Start with a gap analysis: one day at £1,750 to understand the distance from ISO 42001 compliance.

ISO 42001 was published in December 2023. It is the first international standard specifically for AI management systems. In the two years since publication it has moved from a specialist topic to a mainstream procurement requirement, particularly in public sector and regulated industry contracts.

UK SMEs are asking two questions: do we need it, and what does it actually involve? Here are the honest answers.

What ISO 42001 Covers

ISO 42001 follows the Annex SL high-level structure used by ISO 9001, ISO 14001, and ISO 27001. If your organisation already holds any of those certifications, the management system architecture will be familiar.

The standard covers: organisational context and stakeholder requirements, leadership commitment and AI policy, planning including risk and opportunity assessment, support including resources and competence, operational controls for AI system development and deployment, performance evaluation, and continual improvement.

The distinctive element of ISO 42001 compared to other management system standards is its treatment of AI-specific risks: bias, opacity, safety, and the obligations that arise when AI systems affect people. The standard requires organisations to consider these risks systematically and to document their controls.

Do UK SMEs Need ISO 42001 Certification?

Certification is not legally required for any UK organisation at present. The EU AI Act does not mandate ISO 42001 certification, though it does require documented risk management and governance controls that ISO 42001 alignment satisfies.

Where certification is becoming a de facto requirement is in procurement. Several UK public sector frameworks, including NHS supply chain and some central government frameworks, are beginning to ask for evidence of AI governance capability. ISO 42001 certification is the cleanest way to provide that evidence.

For most UK SMEs, the practical answer is: ISO 42001 alignment over certification. Build a management system that would pass an ISO 42001 audit, document it properly, and be ready to certify if a commercial relationship requires it. That position is defensible, cost-effective, and delivers the governance benefits without the certification timeline and cost.

What ISO 42001 Alignment Involves in Practice

For a UK SME starting from scratch, building an ISO 42001-aligned AI management system typically involves the following.

  • Defining the scope of your AI management system. Which AI systems, which parts of the organisation, which stakeholders.
  • Documenting your organisational context. What internal and external factors affect your AI activities. What your stakeholders expect.
  • Getting board-level commitment. ISO 42001 requires evidence of leadership commitment. This means a named owner at board level and a written AI policy approved by the board.
  • Building your AI register. Every AI system in scope must be documented with purpose, data inputs, decision influence, and risk classification.
  • Conducting a risk assessment. For each AI system, assess the risks across the standard's AI-specific risk categories.
  • Implementing controls. For each identified risk, document the control in place and the evidence that it is operating.
  • Setting up performance monitoring and review. Regular internal audits and a management review process.

For an SME with five to ten AI systems in scope, this process typically takes four to six weeks of work spread across the organisation, with specialist support for the AI governance framework design and documentation.

What Certification Costs

ISO 42001 certification requires an accredited certification body. In the UK, UKAS-accredited bodies including BSI and Bureau Veritas are offering ISO 42001 audits. The audit itself typically costs £3,000 to £8,000 for an SME depending on scope and the certification body. Annual surveillance audits add a further £1,500 to £3,000 per year.

The larger cost is the preparation. Building a compliant management system, closing the gaps identified in a pre-assessment, and producing the documentation required for audit typically costs more than the audit itself. Budget a total of £15,000 to £30,000 for a UK SME to achieve initial certification from a standing start, including specialist support.

Where to Start if You Are Considering ISO 42001

Start with a gap analysis. A structured review of your current AI governance position against the ISO 42001 requirements tells you how far you are from compliance and which gaps are largest. That review typically takes one day and costs £1,750. The output is a prioritised action list and a realistic timeline to certification or alignment.

Book a gap analysis to understand your current position and the most cost-effective path to ISO 42001 alignment or certification.

About the author

Simon Steggles — Fractional AI Director

Simon helps UK SMEs and councils put AI to work safely. Royal Navy 1984–90 (Cat 3 PV at the time, now superseded by DV); current NPPV3 Police vetting for public-sector work; ISACA AI Governance certified. Based in Birmingham. £300K+ recovered for councils, 43% cost reduction in manufacturing, zero data-protection incidents across every engagement.
