ISO/IEC 42001:2023 only landed two years ago. Most candidates approaching the Lead Auditor exam have done the course but cannot find a clear answer to a simple question: what does the exam actually look like? This guide is that answer, verified against the current PECB Candidate Handbook v1.4 and noting where other providers differ.
The exam at a glance
For PECB ISO/IEC 42001 Lead Auditor:
questions
limit
mark
proctored
- 80 multiple-choice questions with three options each (one correct, two distractors). A mix of stand-alone questions and scenario-based sets - each scenario is a short company case, followed by five linked questions.
- 3 hours (180 minutes) - ~2.25 minutes per question on average, with scenario sets adding reading time on top.
- Open-book. PECB allows three reference items: a hard copy of ISO/IEC 42001, your training course materials, and any personal notes from the training course (via the PECB Exams app or printed).
- 70% to pass. Below that is a fail; you can re-sit (some PECB-accredited courses bundle a re-sit attempt - check with your training partner).
- Remote-proctored by default. You sit at your own desk on your own machine, with a live proctor watching via webcam. Paper-based sittings are available through your PECB-accredited training partner.
Other providers (BSI, Exemplar Global) run slightly different format mixes. The knowledge tested is the same; the timing and answer style differ.
The seven competency domains, weighted
PECB distributes the 80 questions across seven competency domains, with explicit weights published in the candidate handbook. The domains are not equally weighted. Calibrating prep against the actual weights leaves marks on the table.
PECB 42001 LA verified domain weighting (Candidate Handbook v1.4)
- Fundamental AIMS principles and concepts (12 questions / 15%) - what an AIMS is, why ISO 42001 exists, ethical considerations baked into the standard.
- AI management system requirements (8 questions / 10%) - 42001 clauses 4-10: context, leadership, planning, support, operation, performance evaluation, improvement.
- Fundamental audit concepts and principles (16 questions / 20%) - ISO 19011 vocabulary, the seven audit principles, evidence types.
- Preparing an ISO/IEC 42001 audit (9 questions / 11.25%) - scope, criteria, audit programme, audit plan, document review.
- Conducting an ISO/IEC 42001 audit (19 questions / 23.75%) - opening meeting, evidence gathering, interview technique, findings. Biggest single chunk of marks.
- Closing an ISO/IEC 42001 audit (7 questions / 8.75%) - report, distribution, follow-up, corrective action verification.
- Managing an ISO/IEC 42001 audit programme (9 questions / 11.25%) - the programme manager view, multi-audit coordination, competence management.
Domain 5 (Conducting) alone is worth nearly 1 in every 4 questions. Front-load it.
Roughly 45% of the exam tests comprehension/application/analysis; 55% tests evaluation. The evaluation half is where scenario-based questions cluster.
What makes 42001 different from 27001 LA
If you already hold ISO 27001 Lead Auditor, four things are genuinely new:
New content
Two new operational artefacts
The AI risk assessment (clause 6.1.2) and the AI system impact assessment (clause 6.1.4) sit side by side. They are not the same thing - and the exam tests whether you know which is required when. The impact assessment in particular has no 27001 analogue.
New content
38 Annex A controls
Smaller and more focused than 27001โs 93, but organised around AI-specific concerns: data quality, model lifecycle, AI ethics function, human oversight, redress mechanisms.
New content
New roles
AI risk owner, AI system impact assessment owner, AI ethics function. The exam will name these specifically. Generic โtop managementโ or โinternal auditorโ distractor options will be wrong on roles questions.
New content
ISO/IEC 23894 reference
42001 leans on ISO/IEC 23894:2023 for AI risk-treatment guidance. 27001 LA candidates are used to ISO/IEC 27005 in that role. You need to know 23894 by name and broad shape, not deep clause.
What carries across cleanly:
- Clauses 4-10 (High-Level Structure - identical structure to every modern ISO management-system standard).
- ISO 19011 audit principles and method.
- Audit-vocabulary precision (evidence vs finding vs nonconformity).
- Modal verb discipline (shall vs should).
Open-book mechanics
Open-book sounds generous. It is not. Three hours for 80 questions is not enough time to look up everything you do not remember.
The rule
Open-book means you can verify, not learn.
PECB allows three reference items: ISO/IEC 42001, your course materials, and personal notes from the training (via PECB Exams app or printed). Pre-tab ISO/IEC 42001:2023, ISO 19011:2018, and ISO/IEC 23894:2023. Tab the boundary between clause 6.1.2 (AI risk assessment) and clause 6.1.4 (AI system impact assessment). When a question lands on either, your finger should be on the right page in seconds.
Common mistakes that lose marks
Mark loss
Confusing AI risk assessment with AI system impact assessment
Covered in detail in our how to pass ISO 42001 Lead Auditor exam guide. This single confusion accounts for more lost marks than any other single error on first-time 42001 sittings.
Mark loss
Modal-verb misreads under MCQ pressure
ISO 42001:2023 is full of โshallโ clauses. ISO 19011:2018 is full of โshouldโ clauses. Under three-hour MCQ pressure, a distractor that softens โshallโ to โshouldโ reads as correct. Train your eye to flag the modal verb on every requirement question.
Mark loss
AIMS scope vs AI system scope
The management system has one scope (clause 4.3). Each AI system inside it has its own (referenced in the impact assessment and Annex A controls). The exam will hand you a scoping question and the wrong answer will be the OTHER level. Read every scoping stem twice before answering.
Mark loss
Misreading the scenario in a scenario set
Each scenario set is one short company case followed by five linked questions. If you misread the scenario, you can lose all five marks. Read the scenario twice before touching the questions, and mark the details that look like findings or nonconformities as you go.
What to expect on exam day
Per the PECB remote-proctored format:
- Government-issued photo ID required. Bring it to the desk.
- Camera on the entire time. The proctor monitors continuously.
- Clear workspace. Allowed materials are your pre-tabbed printed standard, course materials, and personal notes (or those uploaded via the PECB Exams app). Check your booking confirmation.
- Bathroom breaks are typically permitted but the clock keeps running. Plan around that.
- Submission is electronic into the PECB Exams application. Online MCQ candidates receive instant results.
Online MCQ results arrive immediately. Paper-based sittings take two to four weeks. You receive a pass/fail and, if you fail, a domain-level breakdown for the re-sit.
The most under-prepared part of the syllabus
In our experience coaching 42001 candidates, the most under-prepared area is clauses 6.1.4 and 8.4 - the AI system impact assessment lifecycle. Almost every candidate can talk about the AIMS-level risk assessment because it looks like 27001. Very few can confidently explain when an impact assessment is triggered, what it must include, how often it gets refreshed, and how it feeds the operational controls.
If you read only one section of 42001 a second time before sitting, make it clauses 6.1.4 and 8.4.
Where to start
Try the 10 free ISO 42001 Lead Auditor practice questions. Each is a PECB-style multiple-choice item tagged with the trap pattern it tests and the exact 42001 or 23894 clause it draws from. If three or more catch you out, the full Mindset Prep bank for 42001 LA gives you 350+ SME-verified questions across all seven competency domains. The 3-day free trial gets you in.