Vendor risk · AI governance

Vendor ISO-42001 Procurement Evidence Scrutiny Kit

A vendor says it is “ISO 42001 certified.” Find out whether that means an accredited certificate covering the AI system you’re buying — or a self-made slide. Six controls, an honest verdict.

ISO does not certify organizations — accredited certification bodies do. This kit grades the evidence on six controls and rejects anything you can confirm on neither axis: not real, or not in scope.

one-time · instant download · .xlsx · yours to keep

The problem

“ISO 42001 certified” is doing a lot of work in that sentence.

A certificate isn’t a certificate

It might be accredited and cover your exact AI system — or a readiness letter, a badge from an unaccredited body, or a certificate for an unrelated product.

Scope is where it hides

A real certificate whose scope excludes the module you’re buying is worthless as evidence for that purchase — and the scope statement is the part nobody reads.

Self-attestation looks the same

An “ISO 42001 aligned” slide and an accredited certificate arrive in the same email, formatted to look equivalent. They are not.

See it work

Mark the evidence. Read the verdict.

This is the live scoring logic from the workbook. Try the presets — Beacon Analytics scores four full controls and is still rejected; Cirrus AI is the same vendor after confirming scope.

Try a vendor:
Accredited certificate on file

Certificate exists, accreditation unconfirmed

Scope covers the AI system you are buying

Scope broad / ambiguous, coverage unconfirmed

Certification body is accredited

Accredited by UKAS / ANAB / RvA, confirmed

Certificate current, surveillance up to date

In-term, surveillance documented & on schedule

Independent audit evidence beyond the badge

Audit report or summary + SoA available

AI sub-processor / supply-chain coverage

AI supply chain documented & governed in scope

REJECTEDweakest control 1/2 · mean 1.67/2

Gate fired: certificate accreditation and scope coverage are both unconfirmed — no axis you can rely on. Confirm either one in writing to release the gate.

Fix first: Accredited certificate on file

The verdict is the weakest of the six controls, never the average. The dispositive gate fires only when both gate controls (⚡) are below full at once. Scores the evidence you assemble, never people.

This is the live engine. Score your whole vendor shortlist in one .xlsx Live verdicts, fix-first control, and a portfolio roll-up

Get the kit — $69

The standard

How an honest evidence check behaves.

Weakest link, not the average

A chain of proof is only as strong as its weakest control. Strong audit evidence never buys back an unconfirmable certificate, so the verdict is the weakest of the six.

Reject what you can’t confirm

When both gate controls are unconfirmed at once, the vendor is rejected regardless of the rest — and confirming either axis releases it. The gate worsens, never flatters.

Scores evidence, not vendors

It grades the procurement artifact you assemble from the vendor’s answers, never the vendor’s AI quality and never people. It connects to nothing.

How it works

Six controls, marked from what the vendor produced.

  1. 01

    Accredited certificate on file

    Self-attestation, unconfirmed certificate, or a full third-party certificate verifiable on the issuer register. A gate control.

  2. 02

    Scope covers the AI system you are buying

    Missing, ambiguous, or explicitly covering your system, processing, and data per the Statement of Applicability. A gate control.

  3. 03

    Certification body is accredited

    An unaccredited consultancy, an unconfirmed claim, or a body accredited by UKAS / ANAB / RvA under ISO/IEC 42006.

  4. 04

    Certificate current, surveillance up to date

    Expired, in-term but surveillance overdue, or in-term with surveillance documented and on schedule.

  5. 05

    Independent audit evidence beyond the badge

    A logo only, a certificate image, or an audit report or summary plus the Statement of Applicability for your review.

  6. 06

    AI sub-processor / supply-chain coverage

    Sub-processors and model providers unaddressed, named but unverified, or documented and governed within the certified scope.

What it is — and isn’t

A buyer’s evidence check, not an audit.

It is

  • A vendor-risk-management aid for your procurement file.
  • A deterministic, offline workbook you control.
  • A scorer of the evidence artifact you assemble.

It isn’t

  • An audit, certification, or conformity assessment.
  • A score of the vendor’s AI quality, or of any person.
  • Legal or compliance advice.

ISO does not certify organizations — independent, accredited certification bodies do, and they are accredited by national bodies such as UKAS, ANAB, or RvA under ISO/IEC 42006. This kit grades the evidence you assemble and is not an audit, a certification, or legal advice. Confirm any certificate on the issuing body’s public register, and have counsel or your assurance team review anything you intend to rely on.

Who it’s for

Anyone signing off on an AI vendor.

For you if

  • You run vendor risk, procurement, or security review.
  • An AI vendor just sent you a certificate or an “aligned” claim.
  • You need a defensible record of why you accepted or rejected it.

Not for you if

  • You want to certify your own AI management system (hire an accredited body).
  • You need a security-program review (see the Security Posture kit).
  • You want software that reads the vendor’s systems for you.

Pairs well with

Where this fits in your vendor stack.

Common questions

Answers before you buy.

It grades the ISO/IEC 42001 conformity evidence a vendor hands you during procurement — on six controls: whether an accredited certificate is on file, whether its scope covers the AI system you are buying, whether the certification body is itself accredited, whether the certificate is current with surveillance up to date, whether there is independent audit evidence beyond a badge, and whether the AI supply chain is covered. You mark each 0, 1, or 2 from what the vendor produced, and it returns ACCEPTED, VERIFY FIRST, or REJECTED per vendor, rolling your shortlist up to EVIDENCE DEFENSIBLE, GET PROOF FIRST, or DO NOT RELY.

Get the kit

Stop taking “certified” at face value.

  • Score your whole shortlist in one .xlsx.
  • Live verdicts, fix-first control, and a portfolio roll-up.
  • Deterministic, offline, yours to keep.
$69

one-time

Buy the Kit

← Browse all Quick Kits

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai