For teams pursuing ISO 42001 certification

Find the one clause-groupblocking your certification.

ISO 42001 is the AI-governance standard you can actually be certified against — and the one enterprise procurement now asks for. Score your AI Management System across the six clause-groups and get an honest verdict: CERTIFIABLE, GAPS TO CLOSE, or NOT READY — plus the exact fixer to buy next.

Get the Diagnostic — $249one-time · instant download · yours to keep

A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.

Five deliverables · runnable
Readiness workbook (.xlsx)
core
Runnable Python engine
runnable
Clause-group config
editable
Assessment Facilitator Playbook
docx
Gap-Closure Runbook
docx
Works alongside
EU AI Act Kit · NIST RMF Kit · 90-Day Audit Triage
01The Problem

A high average hides the one gap that blocks certification.

1 of 3

frameworks you can be certified against — ISO 42001 is it. NIST and the EU Act are not certifiable.

6

clause-groups an auditor checks. Your weakest mandatory one decides whether you can certify.

80 → NOT READY

the worked sample: a healthy mean, still blocked, because one mandatory control sits at the floor.

Certification bodies do not average your readiness. They look for the load-bearing mandatory controls — an AI policy, a risk-assessment process, a management review — and if one is missing, the rest does not rescue it. This diagnostic scores the way an auditor reads: the weakest clause-group is the verdict, and a mandatory group at the floor is a hard stop.

02See It Work

Score your AIMS. Watch the weakest mandatory control decide the verdict.

AIMS readiness — score 0–5 on evidence
Context & Leadership
Clauses 4-5
100MATURE
AI Policymandatory
Clause 5.2
100MATURE
Risk & Impact Assessmentmandatory
Clauses 6 & 8, Annex A
40PARTIAL
Operational Controls
Clause 8, Annex A
80MATURE
Performance & Internal Audit
Clause 9
80MATURE
Management Review & Improvementmandatory
Clauses 9.3 & 10
80MATURE
NOT READY
weakest 40/100 · mean 80/100 (context only)
Gated by a mandatory clause-group at/below the 40 floor — a mandatory control this weak blocks certification on its own, regardless of the mean.
Fix first: Risk & Impact Assessment (Clauses 6 & 8, Annex A) at 40/100
AI Risk Register & Treatment-Tracking System · /systems/ai-risk-register-treatment-tracking-system

The verdict is the weakest clause-group, never the average. A readiness diagnostic, not an ISO 42001 certification or audit. Evaluation date 2026-06-29 is planning context only. It grades the system you describe, not people. Not legal advice.

03The Runnable Engine

The same verdict, reproducible from the command line.

A zero-dependency Python engine reproduces every number in the workbook and the demo. Point it at a CSV of your entities and it returns the verdict, the weakest clause-group, and the fixer to buy next.

$ python3 engine.py your-aims.csv

======================================================================
ISO 42001 AIMS READINESS & GAP DIAGNOSTIC
Evaluation date: 2026-06-29
======================================================================

AIMS / ENTITY: Meridian Health AI Program
  Verdict: NOT READY  [GATED by a mandatory clause-group]
  Weakest clause-group: Risk & Impact Assessment (40/100)   |   Mean (context only): 80/100
  ----------------------------------------------------------------
  #  Clause-group                     ISO                Score  Verdict
  1   Context & Leadership            Clauses 4-5          100  MATURE
  2  *AI Policy                       Clause 5.2           100  MATURE
  3  *Risk & Impact Assessment        Clauses 6 & 8, Annex A    40  PARTIAL
  4   Operational Controls            Clause 8, Annex A     80  MATURE
  5   Performance & Internal Audit    Clause 9              80  MATURE
  6  *Management Review & Improvement Clauses 9.3 & 10      80  MATURE
  (* = mandatory clause-group; one at/below the floor hard-stalls the AIMS)
  GATE: Mandatory clause-group 'Risk & Impact Assessment' (Clauses 6 & 8, Annex A) scores 40 (at/below the 40 floor) — a mandatory control this weak blocks certification on its own, regardless of the mean.
  FIX FIRST: Risk & Impact Assessment (Clauses 6 & 8, Annex A) at 40/100
  -> Buy next: AI Risk Register & Treatment-Tracking System  (/systems/ai-risk-register-treatment-tracking-system)

======================================================================
PORTFOLIO: NOT READY TO CERTIFY
======================================================================
A readiness self-assessment and gap diagnostic, not an ISO 42001
certification or audit. ISO does not certify organizations. Effective
dates are planning context only. Scores the system you describe, not
people. Not legal advice.
04The Six Clause-Groups

Scored the way ISO 42001 is structured.

Cl. 4–5
Context & Leadership

Scope, interested parties, top-management accountability, and named AI roles.

Cl. 5.2
mandatory
AI Policy

A documented, approved AI policy that frames objectives and commits to responsible AI.

Cl. 6 & 8
mandatory
Risk & Impact Assessment

A risk-assessment process, a maintained risk register, and impact assessments.

Cl. 8 / Annex A
Operational Controls

Data governance, system/model cards, human oversight, supplier assurance, logging.

Cl. 9
Performance & Internal Audit

Performance monitoring and a conducted internal audit of the AIMS.

Cl. 9.3 & 10
mandatory
Management Review & Improvement

Documented top-management review and continual improvement.

Each clause-group is crosswalked to a NIST AI RMF function and the relevant EU AI Act articles, so if you already run those frameworks, the evidence carries over. Build the AIMS once; satisfy all three.

05What This Is — And Isn't

An honest readiness read, not a certificate.

What it is
  • A deterministic gap diagnostic that scores your AIMS the way an auditor reads it.
  • A router that names your fix-first clause-group and the exact drop that closes it.
  • A reproducible workbook + engine + demo, all giving the same verdict.
  • A crosswalk to NIST AI RMF and the EU AI Act for work you have already done.
What it isn't
  • Not an ISO 42001 certification, a certification audit, or an audit opinion.
  • Not a guarantee of any certification outcome — ISO does not certify organizations.
  • Not a tool that scores or ranks any person.
  • Not legal advice, and effective dates are planning context only.

A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.

06Who It's For

Anyone who has to prove AI governance — fast.

Founders and operators whose enterprise prospects ask for ISO 42001 in procurement.
Compliance and security leads standing up an AIMS for the first time.
Consultants running AI-governance readiness engagements who need a defensible scoring spine.
Teams already on NIST or the EU Act who want the certifiable framework next.
08Common Questions

Straight answers before you buy.

No. It is a readiness self-assessment and gap diagnostic. It tells you which clause-group is holding you back from certification and which fixer to buy next. ISO does not certify organizations — certification is performed by independent accredited certification bodies after a formal audit. This kit gets you ready for that audit; it is not the audit and not an audit opinion.

Know exactly where you stand
before the auditor does.

One purchase, lifetime access, 12 months of updates. $249, once.

A readiness diagnostic, not legal advice. This is a self-assessment and gap diagnostic — not an ISO 42001 certification, a certification audit, or an accredited audit opinion. ISO does not certify organizations; certification is performed by independent accredited bodies. Effective dates are planning context only. It grades the management system you describe and scores no person. Confirm certification scope and obligations with a qualified auditor or counsel.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai