How to Use This ISO 42001 Checklist
ISO 42001 (formally ISO/IEC 42001:2023) is the international standard for AI management systems (AIMS). It provides a structured framework for organisations that develop, provide, or use AI systems to do so responsibly and in line with regulatory expectations.
This checklist is split into two parts. The first covers the management system requirements in Clauses 4–10, which define how your organisation plans, supports, operates, and improves its AIMS. The second covers the 38 Annex A controls, grouped under nine control objectives, which address specific risks and responsibilities across the AI system life cycle.
Work through each item in order. Use the Status column to track progress—mark items as Not Started, In Progress, or Complete. Where you identify gaps, cross-reference with our gap analysis guide and implementation guide for practical next steps.

Management System Requirements (Clauses 4—10)
These clauses follow the Annex SL high-level structure shared by ISO 27001, ISO 9001, and other management system standards. If your organisation already holds one of these certifications, you will recognise the pattern. Pay close attention, though, to the AI-specific requirements: the planning clauses for AI risk assessment (6.1.2), AI risk treatment (6.1.3) and AI system impact assessment (6.1.4), and the operational clauses (8.2–8.4) that require those assessments and treatments to actually be carried out and their results retained as documented information.
| Clause | Requirement | Key Actions | Status |
|---|---|---|---|
| 4.1 | Understanding the organisation and its context | Identify external and internal issues relevant to your AI activities and AIMS purpose | ☐ |
| 4.2 | Understanding the needs and expectations of interested parties | List stakeholders (regulators, customers, affected individuals) and their requirements for AI governance | ☐ |
| 4.3 | Determining the scope of the AIMS | Define boundaries—which AI systems, business units, and locations are in scope | ☐ |
| 4.4 | AI management system | Establish, implement, maintain, and continually improve the AIMS in line with the standard | ☐ |
| 5.1 | Leadership and commitment | Top management demonstrates commitment by setting AI policy, assigning resources, and integrating AIMS into business processes | ☐ |
| 5.2 | AI policy | Draft and approve an AI policy that includes commitments to responsible AI use, legal compliance, and continual improvement | ☐ |
| 5.3 | Organisational roles, responsibilities, and authorities | Assign AIMS roles (AI governance lead, risk owner, system owner) and communicate responsibilities | ☐ |
| 6.1.1 | Actions to address risks and opportunities (General) | Determine risks and opportunities that could affect AIMS outcomes | ☐ |
| 6.1.2 | AI risk assessment | Define and apply a repeatable AI risk assessment process: set risk acceptance and impact assessment criteria, identify risks, analyse their consequences and likelihood, then evaluate and prioritise them for treatment | ☐ |
| 6.1.3 | AI risk treatment | Select risk treatment options, determine the controls needed to implement them, compare those controls against Annex A to confirm nothing necessary has been omitted, and produce a Statement of Applicability and a risk treatment plan | ☐ |
| 6.1.4 | AI system impact assessment | Define a process to assess the potential consequences of AI systems for individuals, groups of individuals, and societies, applied before deployment and when significant changes occur; feed the results into the risk assessment | ☐ |
| 6.2 | AI objectives and planning to achieve them | Set measurable AI objectives at relevant functions and levels; plan resources, responsibilities, and timelines | ☐ |
| 6.3 | Planning of changes | Ensure AIMS changes are planned, with consequences assessed and resources allocated | ☐ |
| 7.1 | Resources | Determine and provide the resources needed for the AIMS | ☐ |
| 7.2 | Competence | Ensure personnel have the necessary AI governance and technical competence; provide training where needed | ☐ |
| 7.3 | Awareness | Make sure all relevant staff understand the AI policy, their AIMS responsibilities, and the implications of non-conformance | ☐ |
| 7.4 | Communication | Determine internal and external communication requirements for the AIMS | ☐ |
| 7.5 | Documented information | Create, update, and control the documented information the standard requires, plus any the organisation determines necessary for the AIMS to be effective | ☐ |
| 8.1 | Operational planning and control | Plan, implement, and control the processes needed to meet AIMS requirements and deliver on AI objectives | ☐ |
| 8.2 | AI risk assessment | Perform AI risk assessments at planned intervals or when significant changes occur; retain documented results | ☐ |
| 8.3 | AI risk treatment | Implement the AI risk treatment plan and retain evidence of outcomes | ☐ |
| 8.4 | AI system impact assessment | Conduct impact assessments for AI systems in scope and document findings | ☐ |
| 9.1 | Monitoring, measurement, analysis, and evaluation | Define what to monitor, methods of measurement, and how often; evaluate AIMS performance | ☐ |
| 9.2 | Internal audit | Conduct planned internal audits to confirm the AIMS conforms to the standard and is effectively implemented. See our ISO 42001 audit guide | ☐ |
| 9.3 | Management review | Top management reviews AIMS performance, audit results, risk status, and improvement opportunities at planned intervals | ☐ |
| 10.1 | Continual improvement | Continually improve the suitability, adequacy, and effectiveness of the AIMS | ☐ |
| 10.2 | Nonconformity and corrective action | React to nonconformities, evaluate root causes, implement corrective actions, and review their effectiveness | ☐ |
Once you have worked through every clause, you should have a clear picture of where your AI Management System stands. The next step is to assess your position against the Annex A controls.
Annex A Control Objectives Checklist
Annex A of ISO 42001 contains 38 controls organised under nine control objectives (A.2 to A.10). Not every control will be necessary for every organisation: your Statement of Applicability records which controls your risk treatment requires, whether drawn from Annex A or from other sources such as your ISO 27001 control set, and you must justify every Annex A control you exclude. Annex B of the standard gives implementation guidance for each control; use this checklist alongside our detailed Annex A controls guide for practical implementation detail.
| Control Ref | Control Name | Key Evidence Required | Status |
|---|---|---|---|
| A.2 — Policies Related to AI | |||
| A.2.2 | AI policy | Approved AI policy document, communication records | ☐ |
| A.2.3 | Alignment with other policies | Policy cross-reference matrix showing alignment with information security, data privacy, and ethics policies | ☐ |
| A.2.4 | Review of AI policy | Scheduled review records, version history, management sign-off | ☐ |
| A.3 — Internal Organisation | |||
| A.3.2 | AI roles and responsibilities | RACI matrix or role descriptions covering AI governance, development, and operations | ☐ |
| A.3.3 | Reporting of concerns | Documented reporting channel, escalation procedures, records of concerns raised | ☐ |
| A.4 — Resources for AI Systems | |||
| A.4.2 | Resource documentation | Inventory of AI system resources (data, compute, tools, personnel) | ☐ |
| A.4.3 | Data resources | Data inventories, data flow diagrams, access controls | ☐ |
| A.4.4 | Tooling resources | Register of AI development and deployment tools, version controls | ☐ |
| A.4.5 | System and computing resources | Infrastructure documentation, capacity plans, access controls | ☐ |
| A.4.6 | Human resources | Competency records, training plans, qualification evidence | ☐ |
| A.5 — Assessing Impacts of AI Systems | |||
| A.5.2 | AI system impact assessment process | Documented impact assessment methodology, assessment templates | ☐ |
| A.5.3 | Documentation of assessments | Completed impact assessment records for each in-scope AI system | ☐ |
| A.5.4 | Impact on individuals | Analysis of effects on individual rights, safety, and wellbeing; mitigation measures | ☐ |
| A.5.5 | Societal impacts | Assessment of broader societal effects including bias, fairness, and environmental impact | ☐ |
| A.6 — AI System Life Cycle | |||
| A.6.1.2 | Objectives for responsible development | Documented objectives covering fairness, transparency, accountability, and safety | ☐ |
| A.6.1.3 | Processes for responsible design | Design process documentation embedding responsible AI principles at each stage | ☐ |
| A.6.2.2 | Requirements specification | Functional and non-functional requirements including ethical and legal constraints | ☐ |
| A.6.2.3 | Documentation of design | System architecture documents, design decisions, trade-off records | ☐ |
| A.6.2.4 | Verification and validation | Test plans, test results, acceptance criteria, bias and performance testing records | ☐ |
| A.6.2.5 | Deployment | Deployment procedures, go-live checklists, rollback plans | ☐ |
| A.6.2.6 | Operation and monitoring | Monitoring dashboards, performance metrics, drift detection logs | ☐ |
| A.6.2.7 | Technical documentation | Model cards, system descriptions, algorithm documentation | ☐ |
| A.6.2.8 | Event logs | Evidence that the AI system itself records events (for example inputs, outputs, decisions and human overrides), plus logging procedures, log retention policies, and audit trail evidence | ☐ |
| A.7 — Data for AI Systems | |||
| A.7.2 | Data for development | Data selection criteria, representativeness analysis, bias assessments | ☐ |
| A.7.3 | Acquisition of data | Data sourcing records, consent/licence documentation, legal basis | ☐ |
| A.7.4 | Quality of data | Data quality metrics, validation procedures, error handling records | ☐ |
| A.7.5 | Data provenance | Data lineage documentation, chain of custody records | ☐ |
| A.7.6 | Data preparation | Pre-processing pipelines, transformation logs, labelling procedures | ☐ |
| A.8 — Information for Interested Parties | |||
| A.8.2 | System documentation for users | User guides, capability statements, known limitations | ☐ |
| A.8.3 | External reporting | Published transparency reports, regulatory submissions | ☐ |
| A.8.4 | Communication of incidents | Incident notification procedures, communication templates, notification records | ☐ |
| A.8.5 | Information for interested parties | Stakeholder communication records, disclosure policies | ☐ |
| A.9 — Use of AI Systems | |||
| A.9.2 | Processes for responsible use | Acceptable use procedures, human oversight mechanisms, escalation paths | ☐ |
| A.9.3 | Objectives for responsible use | Measurable objectives for responsible AI use, monitoring criteria | ☐ |
| A.9.4 | Intended use | Documented intended use statements, boundary conditions, prohibited uses | ☐ |
| A.10 — Third-Party and Customer Relationships | |||
| A.10.2 | Allocating responsibilities | Responsibility assignment documents, contractual clauses for AI obligations | ☐ |
| A.10.3 | Suppliers | Supplier assessment records, due diligence reports, contractual AI requirements | ☐ |
| A.10.4 | Customers | Customer communication records, usage guidance, feedback mechanisms | ☐ |
Once you have assessed every control, compile your justifications into a Statement of Applicability. This document is required by Clause 6.1.3 and is a mandatory audit deliverable: it maps each control to your risk treatment decisions and records the rationale for every inclusion and exclusion.
Why Choose ISMS.online for ISO 42001 Compliance?
Working through a checklist on paper is a start—but managing ongoing ISO 42001 compliance across teams, AI systems, and audit cycles requires a platform built for the job. ISMS.online maps directly to every item on this checklist:
- Pre-built ISO 42001 control sets — Every Annex A control is pre-loaded with guidance, so your team knows exactly what evidence to collect and where to store it.
- AI risk register — Conduct and document AI risk assessments (Clause 6.1.2) and AI system impact assessments (Clause 6.1.4) in a structured, auditable register.
- Policy and document management — Draft, version, approve, and distribute your AI policy and all supporting documentation from a single workspace.
- Statement of Applicability builder — Generate your SoA automatically from your risk treatment decisions, with full justification tracking for included and excluded controls.
- Audit management — Plan internal audits (Clause 9.2), assign findings, track corrective actions (Clause 10.2), and export evidence packs for external auditors. See our ISO 42001 audit guide for more.
- Evidence collection and linking — Attach evidence directly to controls and clauses. When your auditor asks for proof, it is already organised and ready.
- Integrated management system support — If you already run ISO 27001 or ISO 27701, ISMS.online lets you manage all standards from one platform with shared controls and reduced duplication.
Ready to move from checklist to action? Book a demo to see how ISMS.online accelerates your path to ISO 42001 certification.
FAQs
How many requirements are in ISO 42001?
ISO 42001 contains management system requirements across seven clauses (Clause 4 through Clause 10) plus 38 Annex A controls grouped under nine control objectives (A.2 to A.10). The clauses define how you establish, operate, and improve your AI management system, while the Annex A controls address specific AI governance responsibilities such as data quality, impact assessment, and third-party management.
Do I need to implement all 38 Annex A controls?
Not necessarily. The controls you implement depend on your AI risk assessment and the scope of your AI systems. You must document your decisions in a Statement of Applicability, justifying both the controls you have selected and those you have excluded. Auditors will review these justifications, so each exclusion needs a clear, risk-based rationale.
What is the difference between the clause requirements and Annex A controls?
The clause requirements (4–10) are mandatory for every organisation seeking certification. They define the management system framework: context, leadership, planning, support, operations, performance evaluation, and improvement. The Annex A controls are a reference set that you apply selectively based on your risk treatment plan, justifying any you exclude. Think of the clauses as the engine of your AIMS and Annex A as the specific controls you bolt on to address identified risks.
How long does it take to complete this checklist and achieve certification?
Timelines vary by organisation size and maturity. An organisation with an existing ISO 27001 management system can typically achieve ISO 42001 certification in 3–6 months by extending its existing processes. Organisations starting from scratch should plan for 6–12 months. Using a platform like ISMS.online with pre-built templates and guided workflows can significantly reduce this timeline. Our implementation guide provides a detailed breakdown.
Can I use this checklist for an internal audit?
Yes. This checklist aligns directly with the requirements an external auditor will assess. Use it as a baseline for your internal audit programme (Clause 9.2) to identify nonconformities before your certification audit. For each item where the required evidence is missing or does not match what the clause or control asks for, raise a finding and assign a corrective action with an owner and a deadline (Clause 10.2). Our ISO 42001 audit guide covers the full internal audit process.