Find the one clause-groupblocking your certification.
ISO 42001 is the AI-governance standard you can actually be certified against — and the one enterprise procurement now asks for. Score your AI Management System across the six clause-groups and get an honest verdict: CERTIFIABLE, GAPS TO CLOSE, or NOT READY — plus the exact fixer to buy next.
A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.
A high average hides the one gap that blocks certification.
frameworks you can be certified against — ISO 42001 is it. NIST and the EU Act are not certifiable.
clause-groups an auditor checks. Your weakest mandatory one decides whether you can certify.
the worked sample: a healthy mean, still blocked, because one mandatory control sits at the floor.
Certification bodies do not average your readiness. They look for the load-bearing mandatory controls — an AI policy, a risk-assessment process, a management review — and if one is missing, the rest does not rescue it. This diagnostic scores the way an auditor reads: the weakest clause-group is the verdict, and a mandatory group at the floor is a hard stop.
Score your AIMS. Watch the weakest mandatory control decide the verdict.
The verdict is the weakest clause-group, never the average. A readiness diagnostic, not an ISO 42001 certification or audit. Evaluation date 2026-06-29 is planning context only. It grades the system you describe, not people. Not legal advice.
The same verdict, reproducible from the command line.
A zero-dependency Python engine reproduces every number in the workbook and the demo. Point it at a CSV of your entities and it returns the verdict, the weakest clause-group, and the fixer to buy next.
$ python3 engine.py your-aims.csv ====================================================================== ISO 42001 AIMS READINESS & GAP DIAGNOSTIC Evaluation date: 2026-06-29 ====================================================================== AIMS / ENTITY: Meridian Health AI Program Verdict: NOT READY [GATED by a mandatory clause-group] Weakest clause-group: Risk & Impact Assessment (40/100) | Mean (context only): 80/100 ---------------------------------------------------------------- # Clause-group ISO Score Verdict 1 Context & Leadership Clauses 4-5 100 MATURE 2 *AI Policy Clause 5.2 100 MATURE 3 *Risk & Impact Assessment Clauses 6 & 8, Annex A 40 PARTIAL 4 Operational Controls Clause 8, Annex A 80 MATURE 5 Performance & Internal Audit Clause 9 80 MATURE 6 *Management Review & Improvement Clauses 9.3 & 10 80 MATURE (* = mandatory clause-group; one at/below the floor hard-stalls the AIMS) GATE: Mandatory clause-group 'Risk & Impact Assessment' (Clauses 6 & 8, Annex A) scores 40 (at/below the 40 floor) — a mandatory control this weak blocks certification on its own, regardless of the mean. FIX FIRST: Risk & Impact Assessment (Clauses 6 & 8, Annex A) at 40/100 -> Buy next: AI Risk Register & Treatment-Tracking System (/systems/ai-risk-register-treatment-tracking-system) ====================================================================== PORTFOLIO: NOT READY TO CERTIFY ====================================================================== A readiness self-assessment and gap diagnostic, not an ISO 42001 certification or audit. ISO does not certify organizations. Effective dates are planning context only. Scores the system you describe, not people. Not legal advice.
Scored the way ISO 42001 is structured.
Scope, interested parties, top-management accountability, and named AI roles.
A documented, approved AI policy that frames objectives and commits to responsible AI.
A risk-assessment process, a maintained risk register, and impact assessments.
Data governance, system/model cards, human oversight, supplier assurance, logging.
Performance monitoring and a conducted internal audit of the AIMS.
Documented top-management review and continual improvement.
Each clause-group is crosswalked to a NIST AI RMF function and the relevant EU AI Act articles, so if you already run those frameworks, the evidence carries over. Build the AIMS once; satisfy all three.
An honest readiness read, not a certificate.
- A deterministic gap diagnostic that scores your AIMS the way an auditor reads it.
- A router that names your fix-first clause-group and the exact drop that closes it.
- A reproducible workbook + engine + demo, all giving the same verdict.
- A crosswalk to NIST AI RMF and the EU AI Act for work you have already done.
- Not an ISO 42001 certification, a certification audit, or an audit opinion.
- Not a guarantee of any certification outcome — ISO does not certify organizations.
- Not a tool that scores or ranks any person.
- Not legal advice, and effective dates are planning context only.
A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.
Anyone who has to prove AI governance — fast.
Where the gaps route next.
Classify your AI systems by EU risk tier and produce FRIA / system cards. The legal-exposure sibling to this certification-readiness kit.
Stand up governance on Govern / Map / Measure / Manage. Where a Management Review gap routes.
The living register a Risk & Impact Assessment gap routes to. Build the artifact here; prove the clause-group there.
Straight answers before you buy.
No. It is a readiness self-assessment and gap diagnostic. It tells you which clause-group is holding you back from certification and which fixer to buy next. ISO does not certify organizations — certification is performed by independent accredited certification bodies after a formal audit. This kit gets you ready for that audit; it is not the audit and not an audit opinion.
You score your AI Management System 0–5 on each of the six ISO 42001 clause-groups, on the evidence you could put in front of an auditor today. The verdict is the weakest clause-group, never the average — an AIMS is only as certifiable as its weakest mandatory control. CERTIFIABLE means the weakest group is 75+ with no mandatory hard-stall; GAPS TO CLOSE means closeable gaps remain; NOT READY means the weakest group is below 40 or a mandatory group sits at the floor.
Because three clause-groups are mandatory — AI Policy, Risk & Impact Assessment, and Management Review & Improvement — and a certification body will not certify a system that is missing one of them, however strong the rest looks. If any mandatory group scores at or below the floor, the verdict is NOT READY regardless of the mean. In the worked sample, a program with a mean of 80 still reads NOT READY because its mandatory Risk & Impact group sits at the floor. The average hides it; the gate catches it.
Yes. Each clause-group is crosswalked to a NIST AI RMF function and the relevant EU AI Act articles, so if you already run those frameworks you can reuse the work. ISO 42001 is the one of the three you can actually be certified against, which is what enterprise procurement increasingly asks for. The EU AI Act Readiness Kit covers your EU legal-exposure classification; this kit covers your certification readiness — they are siblings, not substitutes.
It names your weakest clause-group as the one to fix first and points to the exact RedHub drop that closes it — for example, a Risk & Impact gap routes to the impact-assessment tooling, a Management Review gap routes to the NIST AI RMF kit, and a policy gap routes to the AI Governance & Acceptable Use Starter Kit. Close that gap, re-score, and the verdict moves when the weakest mandatory control moves.
No. It is deterministic and offline. You enter your own marks in the workbook or run the Python engine locally; nothing uploads, nothing connects, and no AI scores you. The same logic runs in the workbook, the engine, and the on-page demo, so every number is reproducible. It grades the management system you describe — it scores no person.
Know exactly where you stand
before the auditor does.
One purchase, lifetime access, 12 months of updates. $249, once.
A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai