ISO 9001:2026 Readiness · ISO 27001 · ISO 42001

Quality, Security, and AI.
The Trust Stack.

The trust stack for organisations that take AI seriously: ISO 9001 transition readiness, ISO 27001 information security, and ISO 42001 responsible AI governance integrated from the start by UK practitioners.

  • ISO 42001 — the AI management standard
  • ISO 9001:2026 readiness integrated with ISO 27001 and ISO 42001
  • UK practitioners, no outsourcing
  • Fixed-scope, no hidden costs

AI governance is the new compliance frontier — and most organisations aren't ready

  • AI systems deployed without documented governance, risk assessment, or oversight controls
  • ISO 27001 information security frameworks that don't account for AI-specific risks (model bias, data poisoning, explainability)
  • Quality management systems that haven't been updated to address AI-assisted processes
  • No structured approach to demonstrating responsible AI use to clients, regulators, or procurement teams

An integrated framework for trustworthy AI

  • ISO 42001 AI Management System embedded within your existing ISO 27001 and ISO 9001 governance framework
  • AI risk assessment methodology integrated with ISO 27001 information security risk process
  • AI system impact assessment (AIIA) and transparency documentation as mandatory ISO 42001 outputs
  • Single certification cycle covering quality, security, and AI — demonstrable to clients and procurement

Services

What we deliver

Structured, practitioner-led services from initial assessment through to post-certification support.

Integrated AI Trust Gap Analysis

A combined assessment across ISO 9001:2026 readiness themes, ISO 27001:2022, and ISO 42001:2023. We map your governance state, identify AI-specific risks and data flows, and produce a single prioritised action plan covering all three workstreams.

  • ISO 9001 transition themes assessed in parallel
  • AI system inventory and impact classification
  • Data governance and AI bias risk review
  • Integrated action plan across quality, security, and AI governance

Integrated IMS Documentation

A single documentation framework covering all three standards — shared policy structure, unified risk methodology extended to AI risks, ISO 27001 Statement of Applicability with AI-specific controls, and ISO 42001 mandatory documented information.

  • Combined Quality, Security, and AI Policy
  • Unified risk register (security + AI risks)
  • Statement of Applicability (ISO 27001 Annex A)
  • AI system register and impact assessment templates

Integrated Implementation

Embedding quality, information security, and AI governance into your operations simultaneously with one risk methodology, one management review, and one competence programme covering all three standards.

  • Shared management review covering all three standards
  • Integrated QISA (quality, information security, and AI) objectives and KPI framework
  • AI competence and awareness programme
  • ISO 9001 transition-ready governance evidence

Internal Audit Programme

A single audit programme covering ISO 9001, ISO 27001, and ISO 42001. We design the schedule, train your lead auditor on all three standards, and conduct the first full cycle including AI system audits.

  • Combined audit schedule (all three standards)
  • AI management system audit methodology
  • Lead auditor training (2 days)
  • First full audit cycle conducted by us

Triple Certification Preparation

Stage 1 and Stage 2 preparation for ISO 9001, ISO 27001, and ISO 42001 — ideally with a single certification body offering combined scope. Mock audits, document review, and corrective action close-out across all three.

  • Combined mock audit across all three standards
  • AI system audit simulation
  • Stage 1 and Stage 2 attendance
  • Post-audit corrective action support

How it works

From AI risk to integrated governance readiness

01

Integrated Readiness Review

Combined assessment across ISO 9001 transition themes, ISO 27001, and ISO 42001 — including AI system inventory, impact classification, and data governance review.

02

IMS Architecture Design

Design of an integrated management system that extends your quality and security framework to cover AI governance — one policy structure, one risk methodology.

03

AI Management System

Implementation of ISO 42001: AI policy, AI risk assessment, system impact assessments, transparency controls, and oversight mechanisms for your specific AI use cases.

04

Documentation & SoA

Complete documentation package including ISO 27001 Statement of Applicability, ISO 42001 AI system register, impact assessments, and all mandatory documented information.

05

Internal Audit & Close-out

First combined internal audit across all three standards, including AI system audits. Corrective action close-out before certification stage 1.

06

Triple Certification

Stage 1 and Stage 2 with a UKAS-accredited certification body. ISO 42001 certification demonstrates responsible AI governance to clients, regulators, and partners.

Who we are

Built by people who have done this from the inside

Rotix is a professional services practice founded by people who have spent careers implementing standards, managing audits, and building management systems for real organisations — not as consultants parachuted in, but as practitioners embedded in the work.

Our team brings together expertise in Quality Management, Information Security, Computing, Engineering, and Business Leadership. We added ISO 42001 to our practice early because we understand both the governance standard and the technology it is trying to control.

For 2026, that also means helping clients prepare for ISO 9001 transition themes without dressing up draft expectations as final rules. If you want one integrated governance framework for quality, security, and AI, built on evidence rather than hype, let's talk.

Operations & QMS

Lead quality practitioner with hands-on IMS implementation experience across technology, professional services, and infrastructure sectors.

Computing & AI Governance

Computing and information security background; leads ISO 27001 Annex A implementation, AI risk assessment, and ISO 42001 AI system impact assessments.

Business & Compliance

Business leadership and audit background; client engagement, management review facilitation, and AI governance communication to boards and procurement.

Free resources

Useful starting points

Practical resources to help you understand what's involved before you commit to anything.

ISO 42001 Readiness Checklist

A clause-by-clause self-assessment checklist covering the mandatory requirements of ISO 42001:2023. Understand your AI governance position before you start.

ISO 27001 + ISO 42001 Integration Guide

How to extend your ISO 27001 information security risk assessment to cover AI-specific risks without duplicating your risk methodology or documentation framework.

Pricing

Transparent, straightforward pricing

Prices shown are starting points for a defined scope. Your exact investment is confirmed after an initial conversation — no hourly rates, no scope creep.

Starter
Gap analysis and documentation
From £6,995

For organisations beginning their AI governance journey alongside quality and security certification.
  • Integrated gap analysis (all three standards)
  • AI system inventory and impact classification
  • IMS documentation framework
  • AI system impact assessments (AIIA)
  • Statement of Applicability (ISO 27001)
  • Combined risk register (security + AI risks)
  • Full implementation support
  • Internal audit programme
Elite
AI-forward organisations and complex environments
POA (tailored scope)

For organisations with complex AI portfolios, multiple business units, or regulatory obligations requiring bespoke governance architecture.
  • Everything in Growth
  • Multi-system AI governance architecture
  • Post-certification maintenance (year 1)
  • Surveillance audit preparation (all three)
  • AI governance board reporting pack
  • Continual improvement programme
  • Dedicated practitioner contact
  • Priority response SLA
Cost+ Services

Additional services

Available across all packages and priced separately based on scope. Every engagement is different — we scope and quote each service individually.

Digital QMS & Process Automation
  • QMS Software Implementation: configuring digital QMS platforms — Microsoft 365, SharePoint, or Activ — to manage document control, audits, and non-conformities.
  • Business Process Automation: replacing manual, paper-based processes with automated digital workflows, including document approval and review cycles.
  • Document Control System Setup: secure, version-controlled cloud storage on SharePoint or Google Drive, configured to meet ISO document control requirements.

IT Risk & Audit Services
  • IT Risk Assessments: identifying and evaluating threats to information security and operational technology across your environment.
  • Internal IT Audits: conducting internal audits to evaluate compliance with ISO 27001, Cyber Essentials, or your own internal IT policies.
  • Supplier Security Audits: auditing the IT security posture of your key suppliers to understand and manage third-party risk.

Strategic IT Consulting
  • IT Governance & Strategy Planning: aligning your IT infrastructure with business strategy and quality objectives to support long-term growth.
  • Virtual CIO (vCIO) Services: acting as a part-time IT Director to manage your technology roadmap, vendor relationships, and IT investment decisions.
  • AI Readiness & Security Assessments: advising on the adoption of AI technologies, including compliance with emerging AI governance frameworks such as ISO 42001.

Technical Training & Awareness
  • Staff Information Security Training: educating your team on phishing recognition, password management, data protection obligations, and secure working practices.
  • ISO Training Services: in-house training programmes for ISO 9001, ISO 27001, or ISO 22301 — from awareness sessions to lead auditor preparation.

All additional services are scoped and quoted individually.

FAQ

Common questions

What is ISO 42001 and who needs it?
ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems. It provides a framework for organisations that develop, deploy, or use AI systems to govern those systems responsibly — covering risk assessment, transparency, human oversight, and accountability. Any organisation using AI in a material way in its operations or products should be considering ISO 42001, particularly those subject to the EU AI Act, public sector procurement, or financial services regulation.
Can we prepare for ISO 9001:2026 while implementing ISO 27001 and ISO 42001?
Yes. We treat ISO 9001 as a readiness and transition workstream until the final text is published, while continuing to implement the shared governance structure, risk processes, management reviews, audits, and evidence controls needed for ISO 27001 and ISO 42001.
What is an AI System Impact Assessment (AIIA)?
The AIIA is a mandatory ISO 42001 output (Annex B). It documents each AI system's purpose, the data it processes, the decisions it influences, its potential for harm, and the controls in place to mitigate those harms. We produce AIIAs for each of your material AI systems as part of the implementation.
Do we need to be an AI company to pursue ISO 42001?
No. ISO 42001 applies to any organisation that uses AI systems — not just those that build them. If you use AI for customer service, document processing, recruitment screening, credit decisions, predictive maintenance, or any other material function, ISO 42001 is relevant. We work with organisations that deploy third-party AI as well as those that develop their own models.
Is ISO 42001 certification available now?
Yes. ISO 42001:2023 was published in December 2023 and UKAS-accredited certification is available in the UK. Several major certification bodies including BSI and Bureau Veritas are offering ISO 42001 certification, including combined scopes with ISO 27001.
How long does triple certification take?
Typically 5–9 months depending on the number and complexity of AI systems, your existing ISO 27001 maturity, and your organisation's size. If you already hold ISO 27001, adding ISO 42001 can be done in 3–5 months. We'll give you a realistic timeline after the initial gap analysis and AI system inventory.

Ready to build the trust stack for your AI-enabled organisation?

Get a free integrated readiness assessment covering ISO 9001 transition themes, ISO 27001, and ISO 42001 — no obligation.