AI Governance and ISO 42001 Certification for UK Businesses
AI governance your business can stand behind.
Not a template. Not a box-ticking exercise. Governance that reflects how your business actually operates.
Organisations using AI must be able to demonstrate accountability. That means documented policies, risk assessments, clear roles, and evidence of ongoing oversight. Data protection law does not cover this in full. Specific AI governance does.
Not every business needs full ISO 42001 certification. We also deliver standalone AI policies, risk registers, and governance frameworks for organisations that want documented governance without the certification pathway.
This is not optional anymore.
Regulators, clients, and insurers are catching up with AI adoption. The question is not whether your organisation needs a governance framework. It is whether yours is fit for purpose.
Regulators expect it
The ICO has published guidance on AI and data protection that sets out what accountability looks like in practice. Organisations must be able to demonstrate how AI systems are governed, audited, and controlled. UK GDPR covers some of this, but not all of it. Specific AI governance closes the gap.
Clients are beginning to ask
Commercially sophisticated clients, particularly those in financial services, healthcare, and the public sector, are starting to include AI governance in their supplier due diligence. ISO 42001 certification answers those questions before they become a barrier to winning work.
AI mistakes scale differently
A human error affects one task. An ungoverned AI tool used across a business can introduce the same error across hundreds of outputs. Governance frameworks exist to catch systemic risk before it becomes systemic harm.
Documentation is protection
If something goes wrong, the question will be: what did you have in place? A documented governance framework, with clear roles, risk registers, and audit processes, is evidence that you took reasonable steps. The absence of it is not a neutral position.
Governance that is fit for purpose.
The ICO has stated that organisations should appoint a senior individual with overall oversight of AI systems, carry out impact assessments for high-risk AI use, establish documented processes for monitoring AI outputs, and ensure governance is reviewed and updated as AI use evolves. Most businesses have not yet done this in any documented way.
Practical governance. Not paperwork.
Everything we produce is written for your business, not copied from a template. It should be usable by the people who need to follow it, not filed and forgotten.
AI Use Policy
A written policy covering acceptable use, prohibited uses, data handling, supervision requirements, and staff responsibilities. Written in plain English. Specific to your business and the tools your team actually uses.
AI Risk Register
A documented register of the AI systems and tools your business uses, the risks associated with each, the controls in place, and who is responsible. The foundation of any credible governance framework.
Roles and Responsibilities Framework
Clarity on who owns AI governance at organisational level. Who the senior responsible individual is. How oversight is structured. What gets escalated and to whom.
Audit and Review Process
A structured process for regular governance reviews. What to check, how often, who is responsible, and what good looks like. Designed to be sustainable, not a one-off exercise.
ISO 42001 Certification Pathway
For organisations seeking formal certification, we build the complete AI Management System required by the standard and guide you through to independent audit and certification. See below for detail.
The standard that changes things.
The world’s first certifiable AI management standard
Published in December 2023, ISO/IEC 42001 is the international standard for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within an organisation. It is the first AI management system standard against which an organisation can be independently certified.
It is not a technical standard about how AI works. It is a governance standard about how organisations use AI responsibly. The question is never about the algorithm. It is always about the people, the processes, and the accountability.
From first conversation to certified.
Every engagement is fixed price. You know what you are committing to before we start. The process is straightforward, and we do the heavy lifting.
Discovery
We start by understanding your business. What AI tools are in use, how they are being used, what existing policies look like (if any), and what your risk profile is. This takes one or two sessions and gives us everything we need to scope the work accurately.
Gap analysis
We map your current position against the ICO's expectations for AI accountability and, where applicable, the requirements of ISO 42001. You get a clear picture of what is already in place, what is missing, and what needs to be built.
Build
We write the policies, build the risk register, establish the governance structure, and document everything. You review and refine. The output is governance that is genuinely yours, not a template with your logo on it.
Certification (optional)
For businesses pursuing ISO 42001, we prepare you for the independent audit and work with an accredited certification body to complete the formal certification process. We stay alongside you throughout.
Fixed price. No surprises.
All prices quoted are exclusive of VAT. Certification body audit fees are separate and will be confirmed during scoping.
AI Policy and Governance Package
Everything your business needs to demonstrate credible AI governance. Policy, risk register, roles framework, and audit process. No certification pathway included.
ISO 42001 Certification Pathway
The complete AI Management System built to the ISO 42001 standard, plus preparation and support through the independent certification audit. Includes everything in the governance package.
Things people usually ask.
Does my business actually need ISO 42001 certification?
Probably not yet, but that depends on your client base and your ambitions. ISO 42001 makes the most sense for businesses targeting clients who include AI governance in their due diligence, or for organisations that want to position themselves as leaders before it becomes table stakes. What every business using AI should have is a documented governance framework. We can deliver that without the certification pathway if that is the right fit for where you are now.
How is ISO 42001 different from a generic AI policy?
A generic AI policy tells your team what they can and cannot do. ISO 42001 goes further: it requires you to establish a full management system around AI, covering risk assessment, impact assessment, governance structure, monitoring, internal audit, and continual improvement. Certification adds an independent audit by an accredited certification body, and that external verification is what makes the framework credible to people outside your organisation.
How long does the ISO 42001 process take?
For a business with little existing governance in place, typically three to five months from starting with us to completing the certification audit. The timeline depends on the complexity of your AI use, how many tools need to be documented, and the availability of the certification body. We will give you a realistic timeline before you commit to anything.
What does ISO 42001 certification actually cost?
Our fee for building the AI Management System and guiding you through the process is scoped and fixed before we begin. The certification body charges a separate audit fee, which varies depending on the size and complexity of your organisation. We will confirm both figures during the scoping conversation so you know the full cost upfront.
We already have a data protection policy. Does that cover AI governance?
Partially. UK GDPR and data protection obligations are a component of responsible AI use, but they do not cover the full picture. AI governance also requires you to address how AI outputs are supervised, which tools are appropriate for which tasks, how risk is assessed and documented, and how governance is reviewed over time. A data protection policy is a starting point, not a complete governance framework.
Who owns the governance documents you produce?
You do. Everything we produce belongs to your organisation. There are no licensing arrangements, no ongoing dependencies, and no reason to come back to us unless you want to. The governance framework is yours to maintain and evolve.
Not sure what your business needs?
Tell us where you are and we will tell you what makes sense. If a standalone governance framework is the right fit, we will say so. If ISO 42001 certification makes sense for your organisation, we will explain exactly what that involves.
Fixed price always. No obligation. Plain English.
Let’s start a conversation
No commitment. We’ll come back to you within one working day.