ISO/IEC 42001 was published in late 2023. Past papers do not exist. The first cohorts of certified Lead Auditors are still being seated. If you are sitting this exam in the next few weeks, you are doing it without the multi-year deck of practice material that 27001 candidates take for granted.
This guide is the prep plan we wish someone had handed us when we were the candidate, not the trainer. It applies whether you are sitting with PECB, CQI/IRCA, Exemplar Global or TRECCERT (the four personnel certifiers offering 42001 schemes), or training via BSI, TUV or DNV whose 42001 courses are typically CQI/IRCA-accredited. The exam format differs slightly between providers but the underlying knowledge - ISO/IEC 42001:2023, ISO 19011:2018 audit guidance, and ISO/IEC 23894:2023 AI risk guidance - is identical.
published
controls
pre-tab
(PECB)
What you are actually being tested on
42001 Lead Auditor exams test three things, in roughly equal measure:
- AIMS structure and clause recall - can you locate and apply a specific 42001 requirement under time pressure, and explain why it sits in the management-system layer (clauses 4-10) versus the AI-specific layer (clauses 6.1.4 and 8.4).
- AI-specific audit judgement - can you tell an AI system impact assessment from an AI risk assessment, an AIMS scope from an AI-system scope, and a 42001 control from a generic management-system requirement.
- ISO 19011 audit-process judgement - the same evidence-vs-finding, competence-vs-independence, shall-vs-should judgement that any Lead Auditor exam tests, applied to AI-system audits.
The first cohort of 42001 candidates almost universally underestimate point 2. Walking in with strong 27001 instincts is helpful for the High-Level Structure but actively misleading on the AI-specific clauses.
The three traps that catch most 42001 candidates
Across the candidates we have coached, the same three trap patterns account for the majority of avoidable losses.
42001-specific
AI risk assessment vs AI system impact assessment
This is the single trap that catches almost every first-time 42001 sitter. The two artefacts sit at different clauses in 42001, serve different purposes, and feed different operational clauses. Candidates routinely swap them in answers, and the exam routinely sets up scenarios where one is correct and the other is not.
Different clauses, different purposes, different operational feeds
The shorthand
Risk = what could go wrong. Impact = consequences on people.
If you cannot answer โwhich one is required when?โ without thinking, drill until you can. The exam will not give you the clause number - it will hand you a scenario and let you choose the wrong one.
42001-specific
AIMS scope vs AI system scope
The AI management system has a scope (clause 4.3). Each individual AI system inside it has its own scope (referenced in the impact assessment and Annex A controls). The exam will hand you a scoping question and the wrong answer will be the OTHER level.
A useful test: if the question mentions stakeholders, the boundary of the certification, or organisational context, the scope in question is the AIMS scope. If it mentions a model, a use case, an input/output pair, or affected persons, the scope is the AI-system scope.
42001-specific
AI-specific roles vs generic management-system roles
42001 introduces roles that did not exist in 27001 - AI ethics function, AI risk owner, AI system impact assessment owner. The exam will mention one in a stem and a wrong answer will be a generic management-system role (top management, internal auditor) that sounds plausible but is not the role the standard names for that responsibility.
Practise reading role-related stems with your finger on Annex A.2 (roles) and clause 5.3.
Open-book strategy
PECB 42001 Lead Auditor (and most other providers) is open-book. The same rules apply as on any open-book exam: open-book means you can verify, not learn. Three hours is not enough to look up everything you do not remember.
Two specifics for 42001
Pre-tab three standards. Annex A is reference, not memory.
ISO/IEC 42001:2023, ISO 19011:2018, and ISO/IEC 23894:2023 (AI risk guidance). Number-tab the main-body clauses (4.3 scope, 6.1.2 + 6.1.4 + 8.2 + 8.4, 7.5 documented information, 9.2 internal audit, 9.3 management review, 10.2 nonconformity) and the relevant Annex A controls.
42001 Annex A controls are listed by reference, not as a memorisation target. The exam tests whether you can navigate to the right one given a scenario, not whether you can recite all of them. Practise looking them up by topic, not by number.
Time management
A 12-question, 3-hour PECB exam gives you 15 minutes per question with no buffer. Real timing for 42001:
outline
cleanly
check
question
The second sanity check is where 42001 candidates win or lose. The standard is new enough that examiners specifically test term precision; sloppy answers that confuse impact and risk lose marks they would otherwise carry.
The 2-to-4-week plan
If you are 2 weeks out:
- Days 1-4: Go through your course material end-to-end - the slides, handouts, exercises from the five-day course. Most candidates need ~4 focused days for this. Focus on clauses 6.1 (all of it - General, AI risk, AI risk treatment, AI system impact), 8 (operations), and Annex A control families.
- Days 5-8: Active retrieval only. Drop the re-reading. Practice questions with rationales in Mindset Prep, especially on the impact-vs-risk trap. (10 free per exam are on this site.)
- Days 9-11: One full mock under timed conditions. Score yourself honestly. Note every term-precision slip.
- Days 12-13: Targeted re-read of the course-material sections + clauses you got wrong AND a fresh pass through 23894 risk-treatment language. Drill the trap patterns Mindset Prep surfaced in the mock.
- Day 14: Light review, light exercise, early sleep. Do not study the night before.
If you are 4 weeks out, double the active-retrieval phase and add a second mock exam. The biggest mistake 42001 candidates make at the 4-week mark is reading 42001 cover-to-cover again instead of drilling the impact-vs-risk and AIMS-vs-AI-system distinctions.
What 27001 experience does and does not buy you
If you already hold an ISO 27001 Lead Auditor credential, you start ~40% prepared. The High-Level Structure (clauses 4-10) is identical across both standards; ISO 19011 audit method is identical; the audit-vocabulary rules (evidence, finding, nonconformity) are identical.
Carries across
~40% prepared
- High-Level Structure (clauses 4-10)
- ISO 19011 audit principles + method
- Audit-vocabulary rules (evidence, finding, nonconformity)
- Modal verb discipline (shall vs should)
Genuinely new
~60% fresh content
- AI-specific clauses (6.1.4, 8.4, AI-tagged Annex A)
- Risk treatment via ISO/IEC 23894 (not 27005)
- New roles (AI ethics function, AI risk owner)
- Impact-vs-risk distinction (no 27001 analogue)
A common failure pattern: senior 27001 auditors over-confidently sit 42001, treat it as 27001-with-different-controls, and lose marks across the AI-specific clauses. Treat 42001 as its own standard.
The single biggest failure pattern
After dozens of 42001 candidates, the most common failure pattern is term confusion under time pressure. Candidates use โrisk assessmentโ when they mean โimpact assessmentโ, โAIMSโ when they mean โAI systemโ, and reference 27001 clauses (6.1.3) when the equivalent 42001 clause (6.1.3 too - similar number, different content) is what the question is actually testing.
Active practice with tagged trap patterns - knowing which trap each wrong answer uses - is what fixes term precision. Re-reading 42001 is not. This is what Mindset Prep is built around.
Where to start
Try the 10 free ISO 42001 Lead Auditor practice questions. Each one is tagged with the trap pattern it tests and the exact 42001 or 23894 clause it draws from. If three or more catch you out, the full adaptive bank (250+ 42001 LA questions, alongside the 27001 LA + LI + 42001 LI banks) is the next logical step. The 3-day free trial gets you in.