ISO 42001 controls list: A complete guide to Annex A

This ISO 42001 controls list is explained by Tempo Audits' auditors based on direct experience auditing and certifying AI companies against the standard. Use it as a practical reference to understand what each control requires and how it supports ISO 42001 certification.

Key takeaways

1

ISO 42001 Annex A contains 38 controls across nine objectives, helping organisations manage AI governance, risks, transparency, and accountability.

2

Not every control applies to every organisation. Controls are selected through the AI Risk Assessment and justified through a Statement of Applicability (SoA).

3

Successful certification depends on documented evidence, particularly around impact assessments, AI governance, data management, and lifecycle controls.

What is the ISO 42001 controls list?

The ISO 42001 controls list refers to the 38 controls in Annex A of ISO/IEC 42001, the international standard for Artificial Intelligence Management Systems (AIMS). These controls are organised into nine control objectives (A.2-A.10) covering areas such as AI governance, risk management, data, system development, transparency, monitoring, and third-party relationships.

Organisations use these controls to identify which measures apply to their AI activities and document their decisions in a Statement of Applicability (SoA). Together, the controls support responsible AI management across the entire AI system lifecycle, from policy and oversight through to deployment, operation, and external providers.

Key facts about ISO 42001 Annex A controls

📋

38 controls grouped across 9 control objectives

🔍

Not all 38 controls are mandatory — the Statement of Applicability determines which apply

🤖

Covers the full AI system lifecycle, including development, deployment, operation, and third-party use

Annex A is a reference set of controls, not a prescriptive checklist to be implemented in full

ISO 42001 vs ISO 27001 Annex A controls: What's different?

If you're already certified to ISO 27001, you'll find some familiar governance and management concepts in ISO 42001. However, ISO 42001 introduces different controls specifically for managing AI systems, including transparency, human oversight, AI impact assessments, and responsibilities across the AI lifecycle.

ISO 27001 Annex A covers

  • Information security policies A.5
  • Identity and access management A.5.15–A.5.18
  • Cryptography and key management A.8.24–A.8.28
  • Supplier relationships and third-party security A.5.19–A.5.23
  • Information security incident management A.5.24–A.5.27
  • ICT readiness for business continuity A.5.29–A.5.30
  • Compliance with legal, regulatory and contractual requirements A.5.31–A.5.37
  • Monitoring, logging and technical controls A.8
  • Risk treatment and security management throughout the ISMS

ISO 42001 Annex A adds

  • AI-specific policies and governance A.2
  • AI roles, responsibilities and accountability A.3
  • AI system resource documentation A.4
  • AI impact assessments on individuals and society A.5
  • AI system life cycle controls A.6
  • Data quality, provenance and preparation for AI A.7
  • Transparency and information for AI system users A.8
  • Responsible use processes and human oversight A.9
  • Third-party and customer AI responsibilities A.10

Many organisations integrate both standards to manage information security and AI responsibly.

The 9 ISO 42001 Annex A control objectives

Each of the nine control objectives addresses a specific area of AI management. Together, they help organisations establish clear responsibilities, assess risks, improve transparency, and demonstrate that AI is being developed and used responsibly.

A.2 - Policies related to AI

This objective focuses on establishing documented policies for AI governance. These policies set expectations for how AI should be developed, used, monitored, and managed in line with organisational goals, legal requirements, and risk appetite.

A.3 - Internal organisation

Organisations need clear ownership of AI-related activities. The controls in this objective help define responsibilities, reporting lines, and governance structures so AI risks and decisions are managed effectively.

A.4 - Resources for AI systems

AI systems rely on people, technology, data, and infrastructure. These controls ensure organisations understand and document the resources needed to build, operate, maintain, and support AI systems.

A.5 - Assessing impacts of AI systems

Before deploying AI, organisations should understand how it could affect individuals, groups, and wider society. This objective focuses on identifying, assessing, and managing those potential impacts.

A.6 - AI system life cycle

These controls support the management of AI systems from initial design through to deployment, operation, monitoring, modification, and retirement. The aim is to maintain oversight throughout the system's existence.

A.7 - Data for AI systems

The quality of AI outputs depends heavily on the quality of the data used. This objective covers data acquisition, preparation, quality management, provenance, and governance to support reliable AI performance.

A.8 - Information for interested parties

Users and stakeholders often need information about how an AI system works and how it should be used. These controls support transparency by ensuring appropriate information is made available when required.

A.9 - Use of AI systems

This objective focuses on the responsible use of AI systems. It includes areas such as human oversight, monitoring, intended use, and processes that help organisations reduce misuse and unintended outcomes.

A.10 - Third-party and customer relationships

Many AI systems rely on suppliers, external providers, customers, or partners. These controls help organisations define responsibilities, manage risks, and establish clear expectations across those relationships.

ISO 42001 Annex A: Control requirements explained

A.2 - Policies related to AI

A.2.2 AI policy

Organisations should maintain a documented AI policy that defines how AI is governed, managed, and used responsibly. Auditors typically look for an approved policy, evidence of communication, and alignment with the organisation's objectives, risks, and AI activities.

A.2.3 Alignment with other policies

The AI policy should support and align with existing policies covering areas such as information security, privacy, compliance, and risk management. Auditors look for clear links between AI governance and the wider management system.

A.2.4 Policy review

AI policies should be reviewed regularly and updated when significant changes occur. Auditors expect evidence of scheduled reviews, version control, management approval, and updates reflecting new AI risks, technologies, or regulatory requirements.

Common Stage 2 finding: Organisations often have an AI policy in place, but cannot demonstrate regular reviews or clear alignment with their actual AI risks and risk appetite.

A.3 - Internal organisation

A.3.2 AI roles and responsibilities

Organisations should clearly define who is responsible for AI governance, oversight, development, risk management, and decision-making. Auditors typically review role descriptions, governance structures, accountability records, and evidence that responsibilities are understood in practice.

A.3.3 Reporting concerns about AI systems

Employees and stakeholders should have a documented way to raise concerns about AI systems, such as bias, safety, security, or unintended outcomes. Auditors look for reporting procedures, escalation routes, and records showing concerns are managed appropriately.Common Stage 2 finding: Many organisations define AI responsibilities but lack a documented process for reporting and escalating AI-specific concerns.

A.4 - Resources for AI systems

A.4.2 Resource documentation

Organisations should document the resources used to develop, operate, and support AI systems. Auditors typically review inventories covering datasets, models, infrastructure, software tools, and personnel involved in AI activities.

A.4.3 Data resources

The controls require organisations to identify and document the datasets used by AI systems. Auditors look for data catalogues, ownership records, data sources, usage restrictions, and evidence that datasets are suitable for their intended purpose.

A.4.4 Tooling resources

AI development and operation often rely on third-party tools, platforms, and frameworks. Auditors review records showing what tools are used, how they are managed, and whether associated risks have been assessed.

A.4.5 System and computing resources

Organisations should maintain records of the infrastructure supporting AI systems, including cloud environments, compute resources, storage, and supporting systems. Auditors typically review architecture diagrams and infrastructure documentation.

A.4.6 Human resources

People involved in AI governance, development, and oversight should have appropriate skills and responsibilities. Auditors review role profiles, competency records, training plans, and evidence that personnel are qualified for their AI-related duties.

Common Stage 2 finding: Resource inventories often exist but are incomplete, particularly for datasets, AI models, and third-party tools used within the AI environment.

A.5 - Assessing impacts of AI systems

A.5.2 Impact assessment process

Organisations should establish a documented process for assessing how AI systems could affect individuals, groups, and wider society. Assessments should be performed before deployment and reviewed when significant changes occur.

A.5.3 Documentation of assessments

Impact assessments should be recorded and retained as evidence. Auditors typically review completed assessments, identified risks, mitigation actions, decision-making records, and review outcomes.

A.5.4 Impacts on individuals or groups

Organisations should evaluate potential effects on users and affected individuals, including fairness, privacy, discrimination, safety, accessibility, and other relevant risks arising from AI use.

A.5.5 Societal impacts

Beyond individual users, organisations should consider broader societal impacts where relevant, such as misinformation, environmental effects, public trust, and wider economic or social consequences.

Common Stage 2 finding: Many organisations assess technical and operational risks but fail to document impacts on individuals and society in a structured and repeatable way.

A.6 - AI system life cycle

A.6.1.2 Objectives for responsible development

Organisations should define objectives that guide the responsible development and operation of AI systems. Auditors look for documented goals linked to governance, risk management, compliance, and intended outcomes.

A.6.1.3 Responsible design processes

AI systems should be designed using documented processes that consider safety, transparency, fairness, and risk from the outset. Auditors review design controls and supporting governance records.

A.6.2.2 Requirements and specification

Requirements should be documented before development begins. Auditors expect clear functional, technical, legal, and business requirements that define what the AI system is intended to achieve.

A.6.2.3 Design documentation

Organisations should maintain documentation explaining how AI systems are designed and built. Evidence often includes architecture diagrams, model documentation, design decisions, and technical specifications.

A.6.2.4 Verification and validation

Verification and validation activities demonstrate that the AI system performs as intended and meets defined requirements. Auditors closely examine testing evidence, validation results, approval records, and identified issues.

A.6.2.5 Deployment

Deployment processes should be documented and controlled to reduce implementation risks. Auditors review release procedures, approvals, testing outcomes, and records of production deployments.

A.6.2.6 Operation and monitoring

Once deployed, AI systems should be monitored to ensure they continue operating as expected. Auditors typically review performance metrics, monitoring activities, incident records, and corrective actions.

A.6.2.7 Technical documentation

Technical documentation should provide sufficient information to understand, manage, maintain, and assess the AI system throughout its use. Auditors often review model documentation, operating procedures, and system records.

A.6.2.8 Event logs

Event logs help organisations track AI system activity, investigate incidents, and demonstrate accountability. Auditors frequently review logging arrangements, retention periods, and evidence that logs are actively monitored.

Common Stage 2 focus: Auditors often spend the most time reviewing verification and validation evidence (A.6.2.4) and event logging controls (A.6.2.8), as these provide strong evidence that AI systems are operating as intended

A.7 - Data for AI systems

A.7.2 Data for development and enhancement

Organisations should identify and manage the data used to develop, train, test, and improve AI systems. Auditors typically review data inventories, ownership records, usage controls, and evidence that data is appropriate for its intended purpose.

A.7.3 Acquisition of data

Data should be obtained from reliable and authorised sources. Auditors look for records showing where data originated, how it was collected, applicable permissions, and any legal, contractual, or licensing requirements.

A.7.4 Quality of data

Data quality has a direct impact on AI performance. Organisations should define criteria for assessing accuracy, completeness, consistency, relevance, and timeliness, with evidence that quality checks are performed.

A.7.5 Data provenance

Organisations should be able to demonstrate where data comes from and how it has been handled throughout its lifecycle. Auditors review provenance records, lineage documentation, and evidence that data sources can be traced.

A.7.6 Data preparation

Data preparation activities such as cleansing, labelling, transformation, and filtering should be documented and controlled. Auditors typically review preparation procedures, change records, and evidence supporting data integrity.

Common Stage 2 finding: Organisations often know where their data originates but cannot provide documented evidence showing data lineage, provenance, and how datasets have changed over time.

A.8 - Information for interested parties

A.8.2 System documentation and user information

Users should receive sufficient information to understand how an AI system should be used. Documentation often includes intended use, limitations, expected outputs, human oversight requirements, and known risks.

A.8.3 External reporting

Organisations should establish processes for communicating relevant information about AI systems to external parties when required. Auditors review reporting procedures, responsibilities, and examples of external communications.

A.8.4 Communication of incidents

There should be a documented process for communicating AI-related incidents to relevant stakeholders. Auditors look for incident communication plans, escalation procedures, testing records, and evidence that the process works in practice.

A.8.5 Information for interested parties

Organisations should determine what information customers, regulators, users, and other stakeholders require regarding their AI systems. Auditors review how these information needs are identified, maintained, and communicated.

Common audit focus: Auditors often verify that incident communication processes are documented, assigned, and tested rather than simply referenced within broader policies.

A.9 - Use of AI systems

A.9.2 Processes for responsible use

Organisations should establish processes that promote the safe and responsible use of AI systems. This typically includes governance controls, monitoring activities, escalation procedures, and defined responsibilities for users.

A.9.3 Objectives for responsible use

Clear objectives should define what responsible AI use means within the organisation. Auditors look for measurable objectives linked to governance, compliance, risk management, and ongoing performance monitoring.

A.9.4 Intended use of the AI system

The intended use of each AI system should be clearly documented. Organisations should define where, how, and by whom the system should be used, along with any restrictions or limitations.

Common Stage 2 finding: Organisations often document intended use statements but lack a formal process for identifying, monitoring, and responding to use outside those defined boundaries.

A.10 - Third-party and customer relationships

A.10.2 Allocating responsibilities

Where multiple parties are involved in developing, supplying, or using AI systems, responsibilities should be clearly defined. Auditors review governance arrangements, contracts, and documentation showing ownership of AI-related activities.

A.10.3 Suppliers

Organisations should assess and manage AI-related risks associated with suppliers and external providers. Auditors typically review supplier evaluations, due diligence records, contractual controls, and ongoing monitoring activities.

A.10.4 Customers

Customers should receive appropriate information about the organisation's AI systems and their respective responsibilities. Auditors review customer-facing documentation, contractual terms, usage guidance, and communication processes.

Common audit focus: Auditors frequently check whether AI responsibilities are explicitly documented in supplier and customer agreements rather than being assumed or informally understood.

How to work through the ISO 42001 controls: An auditor's sequence

There is no mandatory order for implementing ISO 42001 controls. However, based on Tempo Audit's certification experience, organisations typically achieve smoother Stage 2 audits when they build the foundations first and then work towards operational and external-facing controls.

1

Start with A.2 and A.3 — Governance before everything else

Start with policies, roles, responsibilities and reporting mechanisms. These controls create the governance framework that supports the rest of the AI management system and provides clear ownership for AI-related decisions.

2

Complete A.5 — Assess AI impacts early

Carry out impact assessments before implementing detailed controls. Understanding how AI systems may affect individuals, groups and society helps prioritise risks and shape appropriate governance measures.

3

Work through A.4 — Document resources

Create inventories for datasets, AI models, tooling, infrastructure and personnel. Resource documentation often underpins evidence across multiple areas of ISO 42001 and is frequently reviewed during audits.

4

Build A.6 and A.7 — Life cycle and data controls together

These objectives are closely connected and are often implemented together. Data governance, development processes, testing, monitoring and technical documentation form the operational core of the AI management system.

5

Complete A.8 and A.10 — Transparency and third parties

Once internal controls are established, focus on user information, stakeholder communications, supplier management and responsibility allocation. These help demonstrate transparency and accountability.

6

Finalise A.9 — Formalise responsible use processes

Finally, document how AI systems are intended to be used, monitored and overseen in practice. By this stage, the supporting governance, data, life cycle and third-party controls should already be in place.

Reviews

Trusted by fast-moving tech teams across the world who value a more human audit experience.

We transferred to Tempo from one of the established certification bodies — and we are delighted with the choice. Our audit was one of the smoothest we’ve had in terms of collaboration and engagement.
Laurence, Director of IT & Client Services @ RDT
If Carlsberg did auditors… We use Tempo for our ISO 27001 auditing and I'm thrilled that we were introduced. They ensured that the process dovetailed so smoothly with our ongoing operational activities that the impact was barely noticeable.
Jason, Director of Operations @ The Risk Factor
The Tempo team moved really fast to help us meet our timeframes — it’s rare to have an audit firm move at the speed of a start-up.
Ellie, COO @ Everblue Technology
Alfonso was nothing short of brilliant. Having worked with many auditors over the years, he stood out for his clarity, professionalism, and kindness. He completely changed my view of auditors.
Amardeep, Director @ Blue Edge
Tempo lives up to its name. No other company we contacted was faster or more straightforward during the process.
Lukas, CEO @ Noreja Intelligence
Is it weird to say I had a good time? We had worked with a more traditional auditor, but they didn't understand the needs/tech of our start-up. Tempo knew how to use our ISMS software and understood our business.
Jonny, Head of Engineering @ Nomio

Resources

No items found.

ISO 42001 Resources

FAQs

Trusted by fast-moving tech teams across the world who value a more human audit experience.

To achieve ISO 42001 certification, organisations need to establish an AI Management System that governs how artificial intelligence is developed, deployed, or used. This typically includes an AI policy, risk assessments, defined roles and responsibilities, impact assessments, and controls for managing AI-related risks.

The exact requirements will depend on how your organisation uses AI and the scope of certification.

Preparation typically starts with understanding how AI is used within your organisation and defining the scope of your AI Management System. From there, you'll need to identify risks, assign responsibilities, document processes, and carry out internal reviews before certification.

The preparation stage can take a few months for most organisations. Once the audit process begins, clients typically receive their ISO 42001 certificate within one month of starting the Stage 1 audit. This usually includes a 2 to 3 week gap before Stage 2, followed by a further 3 to 7 days for the certificate and audit report to be issued, assuming everything is in order.

The cost of ISO 42001 certification depends on the size and scope of your organisation. Factors such as the number of employees, the complexity of your AI activities, and whether you already have management systems such as ISO 27001 in place can all affect the audit time and cost required.

At Tempo Audits, we provide fixed-fee quotations with clear pricing and no hidden costs.

The best ISO 42001 auditors combine certification expertise with a strong understanding of technology and AI. Tempo Audits specialises in working with software, SaaS, and AI companies, with auditors who understand modern technology environments and AI governance.

As a UKAS-accredited certification body for ISO 27001 and currently progressing through UKAS accreditation for ISO 42001, Tempo Audits delivers practical, remote-first audits designed for fast-moving technology businesses.

Yes. At Tempo Audits, ISO 42001 audits are delivered remotely using secure video calls and document-sharing tools. Before the audit, we'll agree on a schedule and explain what information needs to be prepared. Throughout the process, you'll meet with your auditor, review evidence, and discuss findings just as you would during an on-site audit.

Remote delivery does not reduce audit quality, but it does make the process faster, more flexible, and easier for modern technology businesses.

Yes. Internal audits are a requirement of ISO 42001 and help organisations assess whether their AI Management System is operating effectively. In practice, this involves reviewing processes, controls, and evidence to identify any gaps before an external certification audit.

If you're implementing ISO 42001 yourself, Tempo Audits can introduce you to trusted internal auditors, although we cannot perform internal audits ourselves.

ISO 42001 is still a relatively new standard, having been published in 2023. As a result, many organisations are only beginning to explore AI governance, and the number of certification bodies offering ISO 42001 certification remains limited.

That is changing quickly. As AI becomes more widely adopted and customers, investors, and regulators ask more questions about how it is managed, ISO 42001 is becoming an increasingly valuable way to build trust and stand out from competitors.

If you develop, provide, or rely on AI systems, ISO 42001 addresses risks and responsibilities that are not covered by ISO 27001 alone. The good news is that organisations with an established ISO 27001 management system can often build on existing processes, making the path to ISO 42001 certification more straightforward.

ISO 42001 is specifically designed for organisations that develop, provide, or use artificial intelligence. It helps ensure AI is managed responsibly, with clear processes for oversight, accountability, and risk management. ISO 9001, on the other hand, focuses on improving the overall quality of products, services, and business processes.

As organisations become more reliant on artificial intelligence, expectations around AI governance are increasing. Regulations such as the EU AI Act, along with growing scrutiny from customers and investors, are placing greater emphasis on how AI is managed and controlled. ISO 42001 provides a recognised framework for addressing these challenges.

Book a call

No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.

Alternatively, if you have all the details,
fill out this form here.