Vendor ISO-42001 Procurement Evidence Scrutiny Kit
A vendor says it is “ISO 42001 certified.” Find out whether that means an accredited certificate covering the AI system you’re buying — or a self-made slide. Six controls, an honest verdict.
ISO does not certify organizations — accredited certification bodies do. This kit grades the evidence on six controls and rejects anything you can confirm on neither axis: not real, or not in scope.
one-time · instant download · .xlsx · yours to keep
The problem
“ISO 42001 certified” is doing a lot of work in that sentence.
A certificate isn’t a certificate
It might be accredited and cover your exact AI system — or a readiness letter, a badge from an unaccredited body, or a certificate for an unrelated product.
Scope is where it hides
A real certificate whose scope excludes the module you’re buying is worthless as evidence for that purchase — and the scope statement is the part nobody reads.
Self-attestation looks the same
An “ISO 42001 aligned” slide and an accredited certificate arrive in the same email, formatted to look equivalent. They are not.
See it work
Mark the evidence. Read the verdict.
This is the live scoring logic from the workbook. Try the presets — Beacon Analytics scores four full controls and is still rejected; Cirrus AI is the same vendor after confirming scope.
Certificate exists, accreditation unconfirmed
Scope broad / ambiguous, coverage unconfirmed
Accredited by UKAS / ANAB / RvA, confirmed
In-term, surveillance documented & on schedule
Audit report or summary + SoA available
AI supply chain documented & governed in scope
Gate fired: certificate accreditation and scope coverage are both unconfirmed — no axis you can rely on. Confirm either one in writing to release the gate.
Fix first: Accredited certificate on file
The verdict is the weakest of the six controls, never the average. The dispositive gate fires only when both gate controls (⚡) are below full at once. Scores the evidence you assemble, never people.
This is the live engine. Score your whole vendor shortlist in one .xlsx Live verdicts, fix-first control, and a portfolio roll-up
Get the kit — $69The standard
How an honest evidence check behaves.
Weakest link, not the average
A chain of proof is only as strong as its weakest control. Strong audit evidence never buys back an unconfirmable certificate, so the verdict is the weakest of the six.
Reject what you can’t confirm
When both gate controls are unconfirmed at once, the vendor is rejected regardless of the rest — and confirming either axis releases it. The gate worsens, never flatters.
Scores evidence, not vendors
It grades the procurement artifact you assemble from the vendor’s answers, never the vendor’s AI quality and never people. It connects to nothing.
How it works
Six controls, marked from what the vendor produced.
- 01
Accredited certificate on file
Self-attestation, unconfirmed certificate, or a full third-party certificate verifiable on the issuer register. A gate control.
- 02
Scope covers the AI system you are buying
Missing, ambiguous, or explicitly covering your system, processing, and data per the Statement of Applicability. A gate control.
- 03
Certification body is accredited
An unaccredited consultancy, an unconfirmed claim, or a body accredited by UKAS / ANAB / RvA under ISO/IEC 42006.
- 04
Certificate current, surveillance up to date
Expired, in-term but surveillance overdue, or in-term with surveillance documented and on schedule.
- 05
Independent audit evidence beyond the badge
A logo only, a certificate image, or an audit report or summary plus the Statement of Applicability for your review.
- 06
AI sub-processor / supply-chain coverage
Sub-processors and model providers unaddressed, named but unverified, or documented and governed within the certified scope.
What it is — and isn’t
A buyer’s evidence check, not an audit.
It is
- A vendor-risk-management aid for your procurement file.
- A deterministic, offline workbook you control.
- A scorer of the evidence artifact you assemble.
It isn’t
- An audit, certification, or conformity assessment.
- A score of the vendor’s AI quality, or of any person.
- Legal or compliance advice.
ISO does not certify organizations — independent, accredited certification bodies do, and they are accredited by national bodies such as UKAS, ANAB, or RvA under ISO/IEC 42006. This kit grades the evidence you assemble and is not an audit, a certification, or legal advice. Confirm any certificate on the issuing body’s public register, and have counsel or your assurance team review anything you intend to rely on.
Who it’s for
Anyone signing off on an AI vendor.
For you if
- You run vendor risk, procurement, or security review.
- An AI vendor just sent you a certificate or an “aligned” claim.
- You need a defensible record of why you accepted or rejected it.
Not for you if
- You want to certify your own AI management system (hire an accredited body).
- You need a security-program review (see the Security Posture kit).
- You want software that reads the vendor’s systems for you.
Pairs well with
Where this fits in your vendor stack.
AI Vendor & Sub-Processor Data-Flow Register
The privacy / DPA lane — govern the data flows once you accept a vendor.
ViewAI Vendor Reliability & Spend-Justification Scorecard
The uptime / renewal lane — is the ongoing spend justified?
ViewNIST AI RMF / US AI Governance Readiness Kit
Stand up your own governance, crosswalked to ISO 42001.
ViewCommon questions
Answers before you buy.
It grades the ISO/IEC 42001 conformity evidence a vendor hands you during procurement — on six controls: whether an accredited certificate is on file, whether its scope covers the AI system you are buying, whether the certification body is itself accredited, whether the certificate is current with surveillance up to date, whether there is independent audit evidence beyond a badge, and whether the AI supply chain is covered. You mark each 0, 1, or 2 from what the vendor produced, and it returns ACCEPTED, VERIFY FIRST, or REJECTED per vendor, rolling your shortlist up to EVIDENCE DEFENSIBLE, GET PROOF FIRST, or DO NOT RELY.
Procurement evidence is a chain of proof, and a chain is only as strong as its weakest link. A vendor can have a beautiful audit report and named sub-processors, but if you cannot confirm the certificate covers your system, the strong controls do not buy that back. So the headline verdict is the single weakest control, never a flattering average. The mean is shown for context only.
Two of the six controls are gate controls: whether the certificate's accreditation is confirmed, and whether its scope coverage is confirmed. If BOTH are below full at the same time, the vendor is REJECTED no matter how strong the other four controls are — because you can confirm neither that the certificate is real nor that it covers your system, and evidence you cannot confirm on either axis is not evidence. Confirm either axis in writing and the gate releases. In the worked example, Beacon Analytics carries four full controls and a 1.67 mean and is still REJECTED for exactly this; Cirrus AI is the same vendor after confirming scope, and it rises to VERIFY FIRST.
Not on its own. ISO does not certify organizations — independent certification bodies do, and those bodies are themselves accredited by national accreditation bodies such as UKAS, ANAB, or RvA under ISO/IEC 42006. “Certified” can mean an accredited certificate that covers your exact AI system, or a self-made “aligned” slide, a certificate for an unrelated product, or a badge from a body no one accredits. This kit is built to tell those apart and to make you confirm accreditation on the issuer's public register rather than taking the claim at face value.
No. It is a vendor-risk-management aid that grades the evidence artifact you assemble from a vendor's answers — it runs no audit, issues no certification, performs no conformity assessment, and is not legal advice. It connects to nothing and contacts no one. It scores the evidence, never people. Confirm accreditation on the national accreditation body's register, and have counsel or your assurance team review anything you intend to rely on.
One .xlsx with three tabs — Start Here, Dashboard, and Evidence Scrutiny — that opens in Excel, Google Sheets, or Numbers. No install, no login, nothing to connect. It ships pre-filled with a six-vendor worked example you overwrite with your own shortlist; every verdict, the control to fix first, and the portfolio roll-up recompute live from your marks. One-time purchase, yours to keep.
Get the kit
Stop taking “certified” at face value.
- Score your whole shortlist in one .xlsx.
- Live verdicts, fix-first control, and a portfolio roll-up.
- Deterministic, offline, yours to keep.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai