ISO 42001 checklist: Every clause and control your auditor will check

ISO 42001 gives organisations a structured way to manage the risks, responsibilities and governance requirements that come with artificial intelligence. This checklist walks through the ISO 42001 clauses and Annex A controls your auditor is likely to review during certification.

It is designed for organisations preparing for an ISO 42001 audit, especially teams building, providing or using AI systems in products, services or internal operations. By working through each section, you can understand what evidence to prepare, where your gaps may be, and how your AI Management System should be documented before your Stage 2 audit.

By the end, you should have a clearer view of the policies, risk assessments, impact assessments, governance records and operational evidence needed to support ISO 42001 certification.

Key takeaways

Before working through the full checklist, there are three important things to understand.

  1. ISO 42001 includes management system clauses and Annex A controls. The clauses set out how your AI Management System should be established, operated, monitored and improved.
  2. Not every Annex A control will necessarily apply in the same way to every organisation. Your Statement of Applicability should explain which controls are included, which are excluded, and why.
  3. Completing the checklist is not the same as being certified, but it should help you prepare the evidence your auditor will expect to see during the certification process.

ISO 42001 Management System Requirements: Clauses 4–10

Clauses 4–10 define how your organisation establishes, operates, monitors and improves its AI Management System. These are the core management system requirements your auditor will work through when assessing whether your AI governance is structured, documented and effective.

Clause 4: Context of the organisation

Your auditor will want to understand the internal and external factors that affect your use of AI. This includes the purpose of your AI Management System, the needs and expectations of interested parties, and the scope of the system.

Evidence may include:

  • A defined AI Management System scope
  • Internal and external issue analysis
  • Interested party register
  • Documented AI-related requirements
  • Scope statement approved by leadership

Clause 5: Leadership

This clause focuses on accountability, ownership and leadership commitment. Your auditor will check that senior management has taken responsibility for the AI Management System and that relevant roles are clearly assigned.

Evidence may include:

  • Approved AI policy
  • Evidence of leadership commitment
  • Assigned AI governance roles
  • Documented responsibilities
  • Internal communication records

Clause 6: Planning

Your auditor will review how your organisation identifies AI-related risks and opportunities, plans actions to address them, and sets objectives for the AI Management System.

Evidence may include:

  • AI risk assessment records
  • Risk treatment plan
  • AI system impact assessments
  • AI objectives and plans
  • Statement of Applicability draft with justifications

Clause 7: Support

This clause covers the resources, competence, awareness and documented information needed to support the AI Management System. Your auditor will check that people involved in AI governance have the right training, responsibilities and access to controlled documentation.

Evidence may include:

  • Competence records
  • Training logs
  • Awareness records
  • Documented information control procedure
  • Version history for key AI governance documents

Clause 8: Operation

Clause 8 is about putting your AI governance processes into practice. Your auditor will look for evidence that planned controls are operating and that AI risks are being managed through day-to-day processes.

Evidence may include:

  • Operational procedures
  • Completed risk assessments
  • Completed impact assessments
  • Evidence of controls implemented from the risk treatment plan
  • Records showing how AI systems are managed in practice

Clause 9: Performance evaluation

Your auditor will check how you monitor, measure, review and evaluate the performance of your AI Management System. This includes internal audits and management reviews.

Evidence may include:

  • Monitoring and measurement records
  • Internal audit report
  • Management review minutes
  • Actions and decisions from reviews
  • Performance indicators for AI governance

Clause 10: Improvement

This clause focuses on continual improvement. Your auditor will look for evidence that issues are identified, investigated and addressed, and that the AI Management System improves over time.

Evidence may include:

  • Nonconformity records
  • Corrective action log
  • Root cause analysis
  • Evidence of improvement activity
  • Follow-up actions linked to management review outputs

ISO 42001 Annex A Controls: All 38 Controls by Area

Annex A contains 38 controls grouped across nine areas. These controls help organisations address AI-specific governance, risk, transparency, accountability and operational requirements.

Not all controls will apply in the same way to every organisation. Your Statement of Applicability should explain which controls are relevant, which are excluded, and the justification for each decision.

A.2: Policies related to AI

This area covers AI policy, alignment with other policies, and policy review.

Evidence may include:

  • Approved AI policy
  • Cross-reference to information security, data protection and privacy policies
  • Policy version history
  • Policy review records
  • Evidence that the AI policy has been communicated to relevant teams

A.3: Internal organisation

This area covers AI roles, responsibilities and reporting of concerns.

Evidence may include:

  • RACI matrix or role descriptions for AI governance
  • Defined responsibilities for AI development, deployment and oversight
  • Reporting channels for AI-related concerns
  • Escalation procedures
  • Records showing concerns or issues are reviewed appropriately

A.4: Resources for AI systems

This area covers the resources needed to develop, operate and manage AI systems, including data, tooling, compute and people.

Evidence may include:

  • AI system resource inventory
  • Data flow diagrams
  • Tool register
  • Compute and infrastructure records
  • Competency records and training plans

A.5: Assessing impacts of AI systems

This area covers impact assessment processes, documentation and consideration of individual and societal impacts.

Evidence may include:

  • Completed impact assessments for in-scope AI systems
  • Bias and fairness analysis
  • Risk and impact mitigation records
  • Review and approval records
  • Evidence that impacts are reassessed when systems change

A.6: AI system life cycle

This area covers responsible design, requirements specification, verification, deployment, monitoring and technical documentation across the AI system life cycle.

Evidence may include:

  • Design documentation
  • Requirements specifications
  • Test plans and results
  • Model cards or system documentation
  • Deployment checklists
  • Monitoring dashboards or review records

A.7: Data for AI systems

This area covers data acquisition, data quality, provenance and preparation.

Evidence may include:

  • Data lineage records
  • Data quality metrics
  • Validation procedures
  • Consent and licence documentation
  • Pre-processing pipeline records
  • Records of data limitations or known issues

A.8: Information for interested parties

This area covers user documentation, external reporting and incident communication.

Evidence may include:

  • User guides and capability statements
  • Published transparency reports
  • External communication procedures
  • Incident notification procedures
  • Records of communications with customers, users or other interested parties

A.9: Use of AI systems

This area covers responsible use processes, objectives and intended use documentation.

Evidence may include:

  • Acceptable use procedures
  • Human oversight mechanisms
  • Intended use statements
  • Prohibited use boundaries
  • Records showing users understand how systems should and should not be used

A.10: Third-party and customer relationships

This area covers responsibility allocation, supplier management and customer communication.

Evidence may include:

  • Contractual AI obligation clauses
  • Supplier assessments
  • Due diligence records
  • Customer guidance
  • Feedback mechanisms
  • Records showing responsibilities are clear between your organisation, suppliers and customers

The Statement of Applicability: what it is and why your auditor needs it

Once you have reviewed the Annex A controls, you need to document your decisions in a Statement of Applicability.

The Statement of Applicability explains which Annex A controls apply to your organisation, which controls do not apply, and the justification for each decision. It should also link back to your AI risk assessment and risk treatment decisions, so your auditor can see that your control choices are evidence-based rather than arbitrary.

For ISO 42001 certification, the Statement of Applicability is a key audit document. Your auditor will use it to understand your control environment, test whether your decisions make sense, and confirm that your evidence supports the controls you say are in place.

A strong Statement of Applicability should include:

  • Each Annex A control
  • Whether the control is included or excluded
  • The justification for inclusion or exclusion
  • Links to relevant risks, impact assessments or treatment decisions
  • References to supporting evidence
  • Ownership and review information

If your Statement of Applicability is incomplete, unclear or disconnected from your risk assessment, it can create issues during the audit. The aim is not to include every control by default, but to make clear, justified and auditable decisions.

From checklist complete to certificate issued

Once you have worked through the clauses and controls, the next step is to move from preparation into the certification process.

The process usually follows four stages:

  1. Stage 1 audit: document review
    Your auditor reviews your AI Management System documentation, checks your Statement of Applicability, and identifies any gaps before Stage 2. This is typically remote and can often be completed quickly, depending on scope and readiness.
  2. Stage 2 audit: evidence review
    Your auditor reviews evidence against the applicable clauses and Annex A controls. This is where they test whether your AI Management System is operating in practice, not just documented.
  3. Certification decision
    After Stage 2, the certification decision is made. If conformity is confirmed, or any nonconformities are successfully closed, your certificate can be issued alongside the audit report.
  4. Ongoing surveillance
    Certification is not a one-off exercise. Surveillance audits check that your AI Management System continues to operate effectively and improve over time.
01

Stage 1 audit

Tempo reviews your AI Management System documents, Statement of Applicability and readiness for Stage 2.

02

Stage 2 audit

Your auditor tests evidence against the applicable clauses and Annex A controls to confirm the system is operating.

03

Certification decision

Once conformity is confirmed, or any nonconformities are closed, your certificate and audit report can be issued.

04

Ongoing surveillance

Surveillance audits check that your AI Management System continues to operate, improve and stay certification-ready.

Preparing for your ISO 42001 audit

This checklist should help you understand what your auditor will be looking for, but every organisation’s scope, risk profile and AI use cases will be different.

For some companies, ISO 42001 will focus on a limited number of internal AI use cases. For others, it may cover customer-facing AI products, complex supplier relationships, high-impact AI systems or regulated environments.

The key is to make sure your AI Management System is clear, evidence-based and proportionate to the way your organisation actually uses AI.

Tempo Audits helps organisations complete ISO 42001 audits with a practical, tech-focused approach. If you are preparing for certification, we can help you understand the audit process, what evidence to prepare, and how to move from readiness to certification.

Reviews

Trusted by fast-moving tech teams across the world who value a more human audit experience.

We transferred to Tempo from one of the established certification bodies — and we are delighted with the choice. Our audit was one of the smoothest we’ve had in terms of collaboration and engagement.
Laurence, Director of IT & Client Services @ RDT
If Carlsberg did auditors… We use Tempo for our ISO 27001 auditing and I'm thrilled that we were introduced. They ensured that the process dovetailed so smoothly with our ongoing operational activities that the impact was barely noticeable.
Jason, Director of Operations @ The Risk Factor
The Tempo team moved really fast to help us meet our timeframes — it’s rare to have an audit firm move at the speed of a start-up.
Ellie, COO @ Everblue Technology
Alfonso was nothing short of brilliant. Having worked with many auditors over the years, he stood out for his clarity, professionalism, and kindness. He completely changed my view of auditors.
Amardeep, Director @ Blue Edge
Tempo lives up to its name. No other company we contacted was faster or more straightforward during the process.
Lukas, CEO @ Noreja Intelligence
Is it weird to say I had a good time? We had worked with a more traditional auditor, but they didn't understand the needs/tech of our start-up. Tempo knew how to use our ISMS software and understood our business.
Jonny, Head of Engineering @ Nomio

Resources

No items found.

ISO 42001 Resources

FAQs

Trusted by fast-moving tech teams across the world who value a more human audit experience.

ISO 42001 certification follows a three-year certification cycle rather than a one-off audit. Organisations complete an initial Stage 1 and Stage 2 certification audit, followed by annual surveillance audits in Years 2 and 3, before undergoing recertification at the end of the three-year cycle.Typical annual surveillance audit costs range from £1,600-£9,000 (€1,872–€10,530) depending on organisation size, certification scope, and complexity. Recertification audits are typically more comprehensive and are priced separately from surveillance activities.

In practice, organisations do not usually "fail" an ISO 42001 audit. Where auditors identify non-conformities, organisations are given the opportunity to address them before certification is granted or maintained.The impact on cost depends on the type and number of findings:

  • Minor non-conformities are addressed through corrective action plans and evidence submission on how the company plan to close them in the coming months. The auditor will sign them off, and once approved, certification can be issued.
  • Major non-conformities require remediation to be finalised before they're closed, and certification can be awarded.
  • Additional charges generally only arise if significant extra audit time is required to verify corrective actions.

There is therefore no fixed cost for "failing" an audit. Instead, any additional costs relate to the effort required to close outstanding findings (which is a requirement in ISO 42006). At Tempo Audits, the cost of closing up to five non-conformities is included within the standard certification fee. Where more than five findings are raised, additional audit time is charged in increments of 0.25 audit days (£250 (€293)) for each additional group of up to five non-conformities, or part thereof.In reality, most organisations do not exceed five findings during the certification process.

Yes. Where both certification bodies are accredited by UKAS or another recognised IAF accreditation body, there is a defined certification transfer process. This allows organisations to transfer certification without restarting the entire certification cycle. The incoming certification body reviews existing certification records, audit history, and certification status before accepting the transfer.Non-accredited certifications are different. Because there is no recognised accreditation framework governing transfers, organisations may be required to undergo a new certification process if they later move to an accredited certification body.

No. Tempo Audits' certification fees cover the independent certification audit process only, including:

  • Stage 1 audit
  • Stage 2 audit
  • Annual surveillance audits
  • Recertification audits
  • Certification decision and certificate issuance

Consultancy, implementation support, training, internal resource costs, and compliance platforms are separate services and are not required to obtain certification.

Book a call

No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.

Alternatively, if you have all the details,
fill out this form here.