Frequently Asked Questions

Answers to common governance and compliance questions

What is the difference between compliance and governance?

Compliance means meeting regulatory requirements. Governance means having structures, processes, and accountability that ensure your organization runs responsibly. Compliance is about what you must do; governance is about how you organize yourself to do things right. Terranova OCG helps with both — we ensure you meet regulatory requirements while building governance systems that actually work.

Do we need ISO 42001 if we already have ISO 27001?

They serve different purposes. ISO 27001 covers information security — protecting data and systems. ISO 42001 is specifically for AI management — covering governance, risk management, and performance of AI systems. If you're deploying AI, you need both. ISO 27001 protects your AI systems; ISO 42001 ensures your AI systems are governed responsibly. The good news is they're complementary and can be implemented as an integrated system.

How long does a compliance audit take?

A typical comprehensive compliance audit takes 8-12 weeks, depending on your system complexity and existing documentation. The timeline includes scoping, on-site assessment, testing, remediation planning, and reporting. We always build in time for your teams to gather evidence and address gaps. We're transparent about timelines upfront so you know what to expect.

Can we implement governance internally or do we need external help?

Some organizations have internal teams ready to implement governance. Many don't have the specialized expertise or bandwidth. External advisors like Terranova OCG bring frameworks, experience from multiple sectors, and independence that audit processes and regulators value. We typically work as partners with your teams, building internal capability while getting the job done right. Many clients use us for initial implementation, then maintain governance internally.

What's the cost of compliance consulting?

Costs vary based on complexity, scope, and timeline. Compliance audits typically range from £50k-150k depending on system scale. Policy development and regulatory alignment can be £30k-100k depending on breadth. Risk assessment engagements are typically £20k-60k. Board advisory is usually structured as ongoing retainers. We always provide transparent pricing and scoping upfront, and we're flexible on engagement models. Get in touch for a specific quote.

How does the EU AI Act affect our organization?

If you're in the EU or serving EU customers, the EU AI Act applies. It takes effect in phases through 2025-2026. High-risk AI systems must meet strict governance requirements including documentation, testing, monitoring, and human oversight. The Act defines risk categories based on application type (hiring, law enforcement, etc.). We help organizations determine which of their systems are high-risk and what compliance means in practice.

What is CMMC and who needs it?

CMMC is a cybersecurity maturity model required for US defense contractors. It combines security controls with compliance requirements. Levels range from 1 (basic) to 3 (advanced). If you're a defense contractor or work with defense systems, you need CMMC. Even if you're not currently doing defense work, CMMC certification is becoming a competitive advantage and a requirement for government contracts. We specialize in helping contractors integrate AI governance with CMMC requirements.

What is the NIST AI Risk Management Framework and do we need it?

NIST's AI RMF is a comprehensive framework for identifying and managing AI risks. It's not mandatory but is rapidly becoming the standard for responsible AI governance. It covers risks across the AI lifecycle from development through deployment. If you're deploying significant AI systems, NIST AI RMF alignment is expected by regulators, enterprise clients, and increasingly by boards. We help organizations implement NIST principles in practical ways.

How do we handle AI bias and fairness in governance?

Bias and fairness are critical governance concerns, especially for high-impact decisions (hiring, lending, clinical care). Governance requires documenting data sources, testing for bias across demographic groups, establishing fairness metrics, and creating processes for humans to override AI decisions. We help organizations design fairness frameworks, implement testing, and create governance processes that catch bias before deployment.

What is SOC 2 and why do we need it?

SOC 2 is an audit framework for service providers demonstrating controls over security, availability, processing integrity, confidentiality, and privacy. Enterprise clients increasingly require SOC 2 Type II attestation from vendors. If you're a service provider or SaaS company serving enterprises, SOC 2 is expected. SOC 2 builds trust with customers and creates accountability for your controls. We help organizations achieve SOC 2 compliance and annual attestation.

Can you help with regulatory interactions?

Yes. We help organizations prepare for regulatory inquiries, structure responses to compliance questions, and develop governance narratives that demonstrate compliance confidence. We've worked with organizations facing regulatory oversight from various authorities. We help you prepare while ensuring all documentation is honest and complete. We don't attend regulatory meetings on your behalf, but we prepare you thoroughly.

How do we get started with Terranova OCG?

Simple: email contact@terranova-ocg.csoai.group to schedule an initial consultation. We'll discuss your governance challenges, understand your regulatory landscape, and recommend an approach. Initial consultations are free and confidential. We'll help you understand what governance means for your situation and what engagement might look like. There's no obligation — we're here to help you think through your options.

What about ongoing governance after initial implementation?

Governance isn't a one-time project — it's ongoing. Regulations change, your AI systems evolve, new risks emerge. Many clients contract with us for ongoing advisory, annual compliance reviews, or retainer-based relationships. We help with regulatory updates, framework revisions, and new AI system governance. Some clients use us for implementation then maintain internally with annual refresh engagements. We're flexible to match your needs.

Didn't Find Your Answer?

Reach out directly — we're happy to discuss your specific governance questions.