EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS ISO 42001 AIMS Deep-Dive — 6 Clauses, 134 Controls, 94% Coverage, £60-80k 3y Cert

ISO 42001 deep-dive SOV33-anchored v1.0 · 13 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-iso-42001-deep-dive-2026-07-13-7d8b0af3c2405f23
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

1. Why this page exists

ISO/IEC 42001 is the international standard for AI Management Systems (AIMS). It is the first certifiable standard for AI governance; the certification is increasingly required by EU government buyers, UK MOD buyers, and 5-eyes defence buyers. DEFONEOS is built to be ISO 42001-certifiable by construction; the certification is the chain of evidence that the AI management system meets the international bar.

This page is the technical deep-dive on the DEFONEOS ISO 42001 AIMS. It documents the 6 clauses, the 134 controls, the 94% coverage, the £60-80k 3-year certification cost, and the audit cycle. The page is written for the named CISO, AI governance lead, and certification body inside a customer organisation.

2. The 6 clauses

ClauseTitleDEFONEOS coverage
Clause 4Context of the organisation100% (organisational context, stakeholder needs, scope of AIMS)
Clause 5Leadership100% (top-level commitment, AI policy, roles & responsibilities)
Clause 6Planning100% (AI risk assessment, AI risk treatment, AI objectives)
Clause 7Support95% (resources, competence, awareness, communication, documented information)
Clause 8Operation90% (operational planning, AI risk assessment, AI risk treatment)
Clause 9Performance evaluation85% (monitoring, measurement, analysis, internal audit, management review)
Clause 10Improvement90% (nonconformity, corrective action, continual improvement)
Weighted coverage94%

The 6% gap is in the customer-specific configuration: the customer's own AIMS policies, the customer's own risk-treatment decisions, the customer's own internal-audit findings. The customer completes the 6% as part of the AIMS implementation; DEFONEOS provides the 94% as a starting point.

3. The 134 controls

The 134 controls in ISO 42001 Annex A are organised into 5 categories:

CategoryControl countDEFONEOS coverage
A.2 — AI policies88/8 (100%)
A.3 — Internal organisation1414/14 (100%)
A.4 — Resources for AI systems2220/22 (91%)
A.5 — Assessing impacts of AI systems3028/30 (93%)
A.6 — Lifecycle of AI systems3633/36 (92%)
A.7 — Data for AI systems1413/14 (93%)
A.8 — Third-party and customer relationships1010/10 (100%)
Total126/134 (94%)

The 8 controls in the gap are customer-specific: the customer's own AI risk-acceptance criteria, the customer's own data-governance policies, the customer's own third-party-supplier list. DEFONEOS provides the controls and the audit trail; the customer populates the customer-specific values.

4. The £60-80k 3-year certification cost

The ISO 42001 certification cost is decomposed as follows:

ComponentYear 1Year 2Year 33-year total
Stage 1 audit (documentation review)£8-12k£8-12k
Stage 2 audit (certification audit)£18-25k£18-25k
Surveillance audit 1£8-12k£8-12k
Surveillance audit 2£8-12k£8-12k
Re-certification audit (Y4, but pre-paid)£18-25k£18-25k
DEFONEOS audit support£6-8k£3-4k£3-4k£12-16k
3-year total£32-45k£11-16k£29-41k£72-102k

The £60-80k 3-year cost is for a single DEFONEOS customer who is going through the certification for the first time. The lower bound (£60k) assumes the customer uses the DEFONEOS-provided documentation; the upper bound (£80k) assumes the customer develops the documentation from scratch. Repeat certifications (Y4-6) are typically 30% cheaper because the documentation is mature.

5. The audit cycle

The ISO 42001 audit cycle is 3 years:

  1. Year 1 — Stage 1 + Stage 2 audits: Stage 1 is a documentation review (typically 2-3 days on-site). Stage 2 is the certification audit (typically 4-6 days on-site). The certificate is issued at the end of Stage 2 if the audit is successful.
  2. Year 2 — Surveillance audit 1: Annual surveillance audit (typically 2-3 days on-site) to confirm the AIMS is still operating effectively.
  3. Year 3 — Surveillance audit 2 + re-certification: Annual surveillance audit (typically 2-3 days on-site) + re-certification audit (typically 3-4 days on-site) at the end of Year 3. The certificate is renewed for a further 3 years.

DEFONEOS provides the audit support: pre-audit documentation review, on-site audit assistance, post-audit corrective-action support. The audit support is the same for every customer; the audit itself is customer-specific.

6. The 5-question audit

The non-cooperative audit asks 5 questions. The ISO 42001 AIMS answers all 5:

  1. Q1 — How many clauses are covered? A — 6/6 (100%, weighted 94%).
  2. Q2 — How many controls are covered? A — 126/134 (94%).
  3. Q3 — What is the certification cost? A — £60-80k for 3 years; £20-30k per year ongoing.
  4. Q4 — What is the audit cycle? A — 3 years; Stage 1 + Stage 2 in Y1, surveillance in Y2 and Y3, re-certification at end of Y3.
  5. Q5 — What is the chain of evidence? A — The SIGIL pack; every audit finding, every corrective action, every surveillance result is SIGIL-anchored.

7. Appendix A — The 8 customer-specific controls

The 8 customer-specific controls in the 6% gap are:

  1. Customer's own AI risk-acceptance criteria (A.5).
  2. Customer's own data-governance policies (A.7).
  3. Customer's own third-party-supplier list (A.8).
  4. Customer's own internal-audit findings (Clause 9).
  5. Customer's own management-review minutes (Clause 9).
  6. Customer's own nonconformity log (Clause 10).
  7. Customer's own corrective-action register (Clause 10).
  8. Customer's own continual-improvement plan (Clause 10).

DEFONEOS provides the template for each; the customer populates the customer-specific values.


Appendix B — The 6% gap — customer-specific controls

The 6% gap (8 customer-specific controls) is the customer-side configuration. The 8 controls are:

  1. Customer's AI risk-acceptance criteria (A.5.1): The customer's own threshold for accepting AI risk; the customer's own risk-acceptance committee.
  2. Customer's data-governance policies (A.7.1): The customer's own data classification, retention, access policies.
  3. Customer's third-party-supplier list (A.8.1): The customer's own approved supplier list, due-diligence procedure.
  4. Customer's internal-audit findings (Clause 9.2): The customer's own internal-audit programme, findings, follow-up.
  5. Customer's management-review minutes (Clause 9.3): The customer's own management review; AIMS performance evaluation; improvement opportunities.
  6. Customer's nonconformity log (Clause 10.1): The customer's own log of AIMS nonconformities.
  7. Customer's corrective-action register (Clause 10.2): The customer's own register of corrective actions, owners, due dates.
  8. Customer's continual-improvement plan (Clause 10.3): The customer's own plan for AIMS continual improvement.

DEFONEOS provides templates for each; the customer populates the values. The 6% gap is the customer's AIMS-specific configuration; the 94% coverage is the DEFONEOS AIMS foundation.


Appendix C — Glossary