Last updated: July 14, 2026
ISO 42001 requirements come in two layers: seven mandatory management system clauses (Clauses 4 through 10) covering context, leadership, planning, support, operation, performance evaluation, and improvement, plus 38 Annex A controls grouped under nine objectives. The clauses are compulsory for every certified organization; the Annex A controls are selected through your AI risk assessment and justified in a Statement of Applicability.
This post is part of our complete guide to AI governance. If you are new to the standard, start with our overview of what ISO 42001 is and come back for the detail.
Key takeaways
- Clauses 4 through 10 are mandatory for certification; Annex A controls are risk-based and justified in a Statement of Applicability.
- Clause 6 requires both an AI risk assessment and an AI impact assessment, the standard’s clearest departure from ISO 27001.
- Clause 8 makes you manage the full AI system lifecycle, from requirements and design through monitoring and decommissioning.
- Annex A contains 38 controls under nine objectives; Annex B provides implementation guidance for each one.
- Auditors expect documented evidence: policies, assessments, the SoA, internal audit results, and management review records.
How are ISO 42001 requirements structured?
Like every modern ISO management standard, ISO/IEC 42001:2023 uses the harmonized structure: Clauses 1 through 3 cover scope, references, and terms, and the auditable requirements live in Clauses 4 through 10. Here is the map:
| Clause | Name | What it requires |
|---|---|---|
| 4 | Context of the organization | Define your role in the AI value chain and the scope of your AIMS |
| 5 | Leadership | An AI policy, top management commitment, and assigned accountability |
| 6 | Planning | AI risk assessment, AI impact assessment, risk treatment, and objectives |
| 7 | Support | Resources, competence, awareness, communication, and documentation |
| 8 | Operation | Operational control across the entire AI system lifecycle |
| 9 | Performance evaluation | Monitoring, measurement, internal audit, and management review |
| 10 | Improvement | Nonconformity handling, corrective action, and continual improvement |
Clause 4: What is the context of the organization?
You determine the internal and external issues relevant to your use of AI, identify interested parties and their expectations, and, critically, define your role or roles: AI provider, developer, or user. That role determination shapes everything downstream, because a company fine-tuning foundation models carries different obligations than one embedding a vendor’s chatbot. The clause ends with a documented AIMS scope.
Clause 5: What does leadership have to do?
Top management must establish an AI policy aligned with organizational strategy, ensure the AIMS gets resources, and assign roles, responsibilities, and authorities for AI governance. Auditors read this clause as a test of whether AI governance is owned at the executive level or delegated into a corner.
Clause 6: What planning is required?
This is the heart of the standard. You need a documented AI risk assessment process, a risk treatment plan tied to Annex A controls, measurable AI objectives, and, distinctively, an AI system impact assessment that considers consequences for individuals, groups of individuals, and society as a whole. The impact assessment is what separates ISO 42001 from security-only frameworks: it forces questions about fairness, transparency, and downstream harm, not just organizational risk.
Clause 7: What support is required?
Resources, competence, and awareness: people working under the AIMS must understand the AI policy and their part in it. The clause also covers communication and documented information, meaning version-controlled, retrievable records of the system’s policies and evidence.
Clause 8: What does operation cover?
Clause 8 turns plans into controlled processes across the AI system lifecycle: requirements, design, development, verification and validation, deployment, operation and monitoring, and decommissioning. It also requires you to perform the risk and impact assessments from Clause 6 at planned intervals and when significant changes occur, and to control externally provided AI systems, components, and data.
Clause 9: How is performance evaluated?
You monitor and measure the AIMS, run internal audits at planned intervals, and hold management reviews that examine audit results, nonconformities, risk assessment outcomes, and opportunities to improve. Certification auditors expect at least one full internal audit and management review cycle before Stage 2.
Clause 10: What does improvement require?
When something goes wrong (a nonconformity, an incident, a control failure), you correct it, analyze the cause, and act to prevent recurrence, keeping records of the whole loop. Continual improvement of the AIMS is an explicit, auditable requirement.
What are the 38 Annex A controls?
Annex A is a reference catalog of 38 controls organized under nine objectives: policies related to AI, internal organization, resources for AI systems, assessing impacts of AI systems, the AI system lifecycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships. They are governance and accountability controls rather than technical security controls: think documented data provenance, human oversight mechanisms, and communication of system limitations, not firewall rules.
Annex B provides implementation guidance for every control, Annex C catalogs potential AI risk sources and objectives to feed your risk assessment, and Annex D addresses how the standard applies across domains and sectors. Treat Annex B as your build manual: auditors frequently use it as their own reference for what good looks like.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is the document that connects your risk assessment to Annex A. For each of the 38 controls, it records whether the control applies, why, and how it is implemented, plus a justification for every exclusion. It is usually the first document a certification auditor reads, because it reveals in one page whether your control selection follows your actual risks or was copied from a template.
What documentation do auditors expect?
At minimum: the AIMS scope, the AI policy, risk assessment methodology and results, impact assessment results, the SoA, a risk treatment plan, competence records, internal audit program and reports, management review minutes, and nonconformity and corrective action records. Clause 8 adds lifecycle documentation for the AI systems in scope, such as design records, verification results, and monitoring logs.
How do ISO 42001 requirements map to the EU AI Act?
There is substantial overlap. The Act’s high-risk obligations (risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness) correspond closely to Clause 6, Clause 8, and the Annex A controls on data, lifecycle, and oversight. Following the Digital Omnibus adopted in June 2026, most high-risk obligations now apply from December 2, 2027, with AI in regulated products following in August 2028. An ISO 42001 certificate does not by itself create a presumption of conformity with the Act, but it builds the operational machinery the Act assumes you have. See our breakdown of what the EU AI Act means for security and GRC teams.
Frequently asked questions
Are all 38 Annex A controls mandatory?
No. You implement the controls your risk assessment justifies and document the reasoning for every inclusion and exclusion in your Statement of Applicability. Unjustified exclusions are a fast route to audit findings.
What is the difference between an AI risk assessment and an AI impact assessment?
The risk assessment looks inward at consequences for your organization: legal exposure, security, reputation, operations. The impact assessment looks outward at consequences for individuals, groups, and society: fairness, safety, rights, and access. ISO 42001 requires both, and auditors check that they are distinct exercises.
Do the requirements apply if we only use third-party AI tools?
Yes. The standard explicitly covers organizations that use AI systems rather than build them. Your scope narrows toward responsible use, oversight, and vendor management, and several Annex A controls on third-party relationships become central.
How long does it take to implement the requirements?
Organizations with an existing ISO 27001 ISMS commonly reach audit readiness in six to twelve months, since Clauses 4, 5, 7, 9, and 10 mirror machinery they already run. The genuinely new work is Clause 6’s dual assessments and the AI-specific Annex A controls.
Do we need certification, or is alignment enough?
It depends on who is asking. If enterprise buyers or regulators expect independent proof, certification is the artifact that ends the conversation. If you need internal discipline first, aligning to the requirements now and certifying later is a common and sensible path.
Compyl’s ISO 42001 compliance platform cross-maps these requirements against the frameworks you already run, generates your Statement of Applicability, and collects lifecycle evidence automatically, so meeting the standard becomes an extension of your existing GRC program rather than a second one.