ISO 42001 controls list: A complete guide to Annex A
This ISO 42001 controls list is explained by Tempo Audits' auditors based on direct experience auditing and certifying AI companies against the standard. Use it as a practical reference to understand what each control requires and how it supports ISO 42001 certification.
What is the ISO 42001 controls list?
The ISO 42001 controls list refers to the 38 controls in Annex A of ISO/IEC 42001, the international standard for Artificial Intelligence Management Systems (AIMS). These controls are organised into nine control objectives (A.2-A.10) covering areas such as AI governance, risk management, data, system development, transparency, monitoring, and third-party relationships.
Organisations use these controls to identify which measures apply to their AI activities and document their decisions in a Statement of Applicability (SoA). Together, the controls support responsible AI management across the entire AI system lifecycle, from policy and oversight through to deployment, operation, and external providers.
Key facts about ISO 42001 Annex A controls
ISO 42001 vs ISO 27001 Annex A controls: What's different?
If you're already certified to ISO 27001, you'll find some familiar governance and management concepts in ISO 42001. However, ISO 42001 introduces different controls specifically for managing AI systems, including transparency, human oversight, AI impact assessments, and responsibilities across the AI lifecycle.
Many organisations integrate both standards to manage information security and AI responsibly.
The 9 ISO 42001 Annex A control objectives
Each of the nine control objectives addresses a specific area of AI management. Together, they help organisations establish clear responsibilities, assess risks, improve transparency, and demonstrate that AI is being developed and used responsibly.
A.2 - Policies related to AI
This objective focuses on establishing documented policies for AI governance. These policies set expectations for how AI should be developed, used, monitored, and managed in line with organisational goals, legal requirements, and risk appetite.
A.3 - Internal organisation
Organisations need clear ownership of AI-related activities. The controls in this objective help define responsibilities, reporting lines, and governance structures so AI risks and decisions are managed effectively.
A.4 - Resources for AI systems
AI systems rely on people, technology, data, and infrastructure. These controls ensure organisations understand and document the resources needed to build, operate, maintain, and support AI systems.
A.5 - Assessing impacts of AI systems
Before deploying AI, organisations should understand how it could affect individuals, groups, and wider society. This objective focuses on identifying, assessing, and managing those potential impacts.
A.6 - AI system life cycle
These controls support the management of AI systems from initial design through to deployment, operation, monitoring, modification, and retirement. The aim is to maintain oversight throughout the system's existence.
A.7 - Data for AI systems
The quality of AI outputs depends heavily on the quality of the data used. This objective covers data acquisition, preparation, quality management, provenance, and governance to support reliable AI performance.
A.8 - Information for interested parties
Users and stakeholders often need information about how an AI system works and how it should be used. These controls support transparency by ensuring appropriate information is made available when required.
A.9 - Use of AI systems
This objective focuses on the responsible use of AI systems. It includes areas such as human oversight, monitoring, intended use, and processes that help organisations reduce misuse and unintended outcomes.
A.10 - Third-party and customer relationships
Many AI systems rely on suppliers, external providers, customers, or partners. These controls help organisations define responsibilities, manage risks, and establish clear expectations across those relationships.
ISO 42001 Annex A: Control requirements explained
A.2 - Policies related to AI
A.2.2 AI policy
Organisations should maintain a documented AI policy that defines how AI is governed, managed, and used responsibly. Auditors typically look for an approved policy, evidence of communication, and alignment with the organisation's objectives, risks, and AI activities.
A.2.3 Alignment with other policies
The AI policy should support and align with existing policies covering areas such as information security, privacy, compliance, and risk management. Auditors look for clear links between AI governance and the wider management system.
A.2.4 Policy review
AI policies should be reviewed regularly and updated when significant changes occur. Auditors expect evidence of scheduled reviews, version control, management approval, and updates reflecting new AI risks, technologies, or regulatory requirements.
Common Stage 2 finding: Organisations often have an AI policy in place, but cannot demonstrate regular reviews or clear alignment with their actual AI risks and risk appetite.
A.3 - Internal organisation
A.3.2 AI roles and responsibilities
Organisations should clearly define who is responsible for AI governance, oversight, development, risk management, and decision-making. Auditors typically review role descriptions, governance structures, accountability records, and evidence that responsibilities are understood in practice.
A.3.3 Reporting concerns about AI systems
Employees and stakeholders should have a documented way to raise concerns about AI systems, such as bias, safety, security, or unintended outcomes. Auditors look for reporting procedures, escalation routes, and records showing concerns are managed appropriately.Common Stage 2 finding: Many organisations define AI responsibilities but lack a documented process for reporting and escalating AI-specific concerns.
A.4 - Resources for AI systems
A.4.2 Resource documentation
Organisations should document the resources used to develop, operate, and support AI systems. Auditors typically review inventories covering datasets, models, infrastructure, software tools, and personnel involved in AI activities.
A.4.3 Data resources
The controls require organisations to identify and document the datasets used by AI systems. Auditors look for data catalogues, ownership records, data sources, usage restrictions, and evidence that datasets are suitable for their intended purpose.
A.4.4 Tooling resources
AI development and operation often rely on third-party tools, platforms, and frameworks. Auditors review records showing what tools are used, how they are managed, and whether associated risks have been assessed.
A.4.5 System and computing resources
Organisations should maintain records of the infrastructure supporting AI systems, including cloud environments, compute resources, storage, and supporting systems. Auditors typically review architecture diagrams and infrastructure documentation.
A.4.6 Human resources
People involved in AI governance, development, and oversight should have appropriate skills and responsibilities. Auditors review role profiles, competency records, training plans, and evidence that personnel are qualified for their AI-related duties.
Common Stage 2 finding: Resource inventories often exist but are incomplete, particularly for datasets, AI models, and third-party tools used within the AI environment.
A.5 - Assessing impacts of AI systems
A.5.2 Impact assessment process
Organisations should establish a documented process for assessing how AI systems could affect individuals, groups, and wider society. Assessments should be performed before deployment and reviewed when significant changes occur.
A.5.3 Documentation of assessments
Impact assessments should be recorded and retained as evidence. Auditors typically review completed assessments, identified risks, mitigation actions, decision-making records, and review outcomes.
A.5.4 Impacts on individuals or groups
Organisations should evaluate potential effects on users and affected individuals, including fairness, privacy, discrimination, safety, accessibility, and other relevant risks arising from AI use.
A.5.5 Societal impacts
Beyond individual users, organisations should consider broader societal impacts where relevant, such as misinformation, environmental effects, public trust, and wider economic or social consequences.
Common Stage 2 finding: Many organisations assess technical and operational risks but fail to document impacts on individuals and society in a structured and repeatable way.
A.6 - AI system life cycle
A.6.1.2 Objectives for responsible development
Organisations should define objectives that guide the responsible development and operation of AI systems. Auditors look for documented goals linked to governance, risk management, compliance, and intended outcomes.
A.6.1.3 Responsible design processes
AI systems should be designed using documented processes that consider safety, transparency, fairness, and risk from the outset. Auditors review design controls and supporting governance records.
A.6.2.2 Requirements and specification
Requirements should be documented before development begins. Auditors expect clear functional, technical, legal, and business requirements that define what the AI system is intended to achieve.
A.6.2.3 Design documentation
Organisations should maintain documentation explaining how AI systems are designed and built. Evidence often includes architecture diagrams, model documentation, design decisions, and technical specifications.
A.6.2.4 Verification and validation
Verification and validation activities demonstrate that the AI system performs as intended and meets defined requirements. Auditors closely examine testing evidence, validation results, approval records, and identified issues.
A.6.2.5 Deployment
Deployment processes should be documented and controlled to reduce implementation risks. Auditors review release procedures, approvals, testing outcomes, and records of production deployments.
A.6.2.6 Operation and monitoring
Once deployed, AI systems should be monitored to ensure they continue operating as expected. Auditors typically review performance metrics, monitoring activities, incident records, and corrective actions.
A.6.2.7 Technical documentation
Technical documentation should provide sufficient information to understand, manage, maintain, and assess the AI system throughout its use. Auditors often review model documentation, operating procedures, and system records.
A.6.2.8 Event logs
Event logs help organisations track AI system activity, investigate incidents, and demonstrate accountability. Auditors frequently review logging arrangements, retention periods, and evidence that logs are actively monitored.
Common Stage 2 focus: Auditors often spend the most time reviewing verification and validation evidence (A.6.2.4) and event logging controls (A.6.2.8), as these provide strong evidence that AI systems are operating as intended
A.7 - Data for AI systems
A.7.2 Data for development and enhancement
Organisations should identify and manage the data used to develop, train, test, and improve AI systems. Auditors typically review data inventories, ownership records, usage controls, and evidence that data is appropriate for its intended purpose.
A.7.3 Acquisition of data
Data should be obtained from reliable and authorised sources. Auditors look for records showing where data originated, how it was collected, applicable permissions, and any legal, contractual, or licensing requirements.
A.7.4 Quality of data
Data quality has a direct impact on AI performance. Organisations should define criteria for assessing accuracy, completeness, consistency, relevance, and timeliness, with evidence that quality checks are performed.
A.7.5 Data provenance
Organisations should be able to demonstrate where data comes from and how it has been handled throughout its lifecycle. Auditors review provenance records, lineage documentation, and evidence that data sources can be traced.
A.7.6 Data preparation
Data preparation activities such as cleansing, labelling, transformation, and filtering should be documented and controlled. Auditors typically review preparation procedures, change records, and evidence supporting data integrity.
Common Stage 2 finding: Organisations often know where their data originates but cannot provide documented evidence showing data lineage, provenance, and how datasets have changed over time.
A.8 - Information for interested parties
A.8.2 System documentation and user information
Users should receive sufficient information to understand how an AI system should be used. Documentation often includes intended use, limitations, expected outputs, human oversight requirements, and known risks.
A.8.3 External reporting
Organisations should establish processes for communicating relevant information about AI systems to external parties when required. Auditors review reporting procedures, responsibilities, and examples of external communications.
A.8.4 Communication of incidents
There should be a documented process for communicating AI-related incidents to relevant stakeholders. Auditors look for incident communication plans, escalation procedures, testing records, and evidence that the process works in practice.
A.8.5 Information for interested parties
Organisations should determine what information customers, regulators, users, and other stakeholders require regarding their AI systems. Auditors review how these information needs are identified, maintained, and communicated.
Common audit focus: Auditors often verify that incident communication processes are documented, assigned, and tested rather than simply referenced within broader policies.
A.9 - Use of AI systems
A.9.2 Processes for responsible use
Organisations should establish processes that promote the safe and responsible use of AI systems. This typically includes governance controls, monitoring activities, escalation procedures, and defined responsibilities for users.
A.9.3 Objectives for responsible use
Clear objectives should define what responsible AI use means within the organisation. Auditors look for measurable objectives linked to governance, compliance, risk management, and ongoing performance monitoring.
A.9.4 Intended use of the AI system
The intended use of each AI system should be clearly documented. Organisations should define where, how, and by whom the system should be used, along with any restrictions or limitations.
Common Stage 2 finding: Organisations often document intended use statements but lack a formal process for identifying, monitoring, and responding to use outside those defined boundaries.
A.10 - Third-party and customer relationships
A.10.2 Allocating responsibilities
Where multiple parties are involved in developing, supplying, or using AI systems, responsibilities should be clearly defined. Auditors review governance arrangements, contracts, and documentation showing ownership of AI-related activities.
A.10.3 Suppliers
Organisations should assess and manage AI-related risks associated with suppliers and external providers. Auditors typically review supplier evaluations, due diligence records, contractual controls, and ongoing monitoring activities.
A.10.4 Customers
Customers should receive appropriate information about the organisation's AI systems and their respective responsibilities. Auditors review customer-facing documentation, contractual terms, usage guidance, and communication processes.
Common audit focus: Auditors frequently check whether AI responsibilities are explicitly documented in supplier and customer agreements rather than being assumed or informally understood.
How to work through the ISO 42001 controls: An auditor's sequence
There is no mandatory order for implementing ISO 42001 controls. However, based on Tempo Audit's certification experience, organisations typically achieve smoother Stage 2 audits when they build the foundations first and then work towards operational and external-facing controls.
Reviews
Trusted by fast-moving tech teams across the world who value a more human audit experience.

FAQs
Trusted by fast-moving tech teams across the world who value a more human audit experience.
To achieve ISO 42001 certification, organisations need to establish an AI Management System that governs how artificial intelligence is developed, deployed, or used. This typically includes an AI policy, risk assessments, defined roles and responsibilities, impact assessments, and controls for managing AI-related risks.
The exact requirements will depend on how your organisation uses AI and the scope of certification.
Preparation typically starts with understanding how AI is used within your organisation and defining the scope of your AI Management System. From there, you'll need to identify risks, assign responsibilities, document processes, and carry out internal reviews before certification.
The preparation stage can take a few months for most organisations. Once the audit process begins, clients typically receive their ISO 42001 certificate within one month of starting the Stage 1 audit. This usually includes a 2 to 3 week gap before Stage 2, followed by a further 3 to 7 days for the certificate and audit report to be issued, assuming everything is in order.
The cost of ISO 42001 certification depends on the size and scope of your organisation. Factors such as the number of employees, the complexity of your AI activities, and whether you already have management systems such as ISO 27001 in place can all affect the audit time and cost required.
At Tempo Audits, we provide fixed-fee quotations with clear pricing and no hidden costs.
The best ISO 42001 auditors combine certification expertise with a strong understanding of technology and AI. Tempo Audits specialises in working with software, SaaS, and AI companies, with auditors who understand modern technology environments and AI governance.
As a UKAS-accredited certification body for ISO 27001 and currently progressing through UKAS accreditation for ISO 42001, Tempo Audits delivers practical, remote-first audits designed for fast-moving technology businesses.
Yes. At Tempo Audits, ISO 42001 audits are delivered remotely using secure video calls and document-sharing tools. Before the audit, we'll agree on a schedule and explain what information needs to be prepared. Throughout the process, you'll meet with your auditor, review evidence, and discuss findings just as you would during an on-site audit.
Remote delivery does not reduce audit quality, but it does make the process faster, more flexible, and easier for modern technology businesses.
Yes. Internal audits are a requirement of ISO 42001 and help organisations assess whether their AI Management System is operating effectively. In practice, this involves reviewing processes, controls, and evidence to identify any gaps before an external certification audit.
If you're implementing ISO 42001 yourself, Tempo Audits can introduce you to trusted internal auditors, although we cannot perform internal audits ourselves.
ISO 42001 is still a relatively new standard, having been published in 2023. As a result, many organisations are only beginning to explore AI governance, and the number of certification bodies offering ISO 42001 certification remains limited.
That is changing quickly. As AI becomes more widely adopted and customers, investors, and regulators ask more questions about how it is managed, ISO 42001 is becoming an increasingly valuable way to build trust and stand out from competitors.
If you develop, provide, or rely on AI systems, ISO 42001 addresses risks and responsibilities that are not covered by ISO 27001 alone. The good news is that organisations with an established ISO 27001 management system can often build on existing processes, making the path to ISO 42001 certification more straightforward.
ISO 42001 is specifically designed for organisations that develop, provide, or use artificial intelligence. It helps ensure AI is managed responsibly, with clear processes for oversight, accountability, and risk management. ISO 9001, on the other hand, focuses on improving the overall quality of products, services, and business processes.
As organisations become more reliant on artificial intelligence, expectations around AI governance are increasing. Regulations such as the EU AI Act, along with growing scrutiny from customers and investors, are placing greater emphasis on how AI is managed and controlled. ISO 42001 provides a recognised framework for addressing these challenges.
Book a call
No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.
Alternatively, if you have all the details,
fill out this form here.





