ISO/IEC 42001 · Annex A Controls
The Complete ISO 42001
Annex A Controls Catalog
ISO/IEC 42001:2023 organizes its 38 Annex A controls into nine control objectives (A.2–A.10). This catalog lists every control and what it governs — the reference set you tailor into your AI Management System and justify in your Statement of Applicability.
ISO/IEC 42001:2023 · AI Management System · Last reviewed July 2026
Overview
What Annex A actually is
ISO/IEC 42001 is split the same way ISO 27001 is. The auditable requirements live in clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement). Annex A is the catalog of 38 controls you draw from to treat the AI risks and impacts those clauses make you assess. Annex B gives implementation guidance for each control.
You are not expected to implement all 38. You assess your AI systems, decide which controls apply, and record that reasoning in the Statement of Applicability. The nine objectives below are the spine of every AIMS.
The Catalog
All 38 controls, by objective
Each objective below lists its controls with the reference number from ISO/IEC 42001:2023 and a one-line statement of what the control is for. Use it to scope your SoA and to brief stakeholders on what the standard will ask of them.
Policies Related to AI
3 controlsA documented AI policy, set and reviewed by leadership and aligned with the organization’s other policies.
- A.2.2AI policy
Establish and document an organization-wide policy for the responsible development and use of AI.
- A.2.3Alignment with other organizational policies
Reconcile the AI policy with existing policies — security, privacy, quality, HR, procurement.
- A.2.4Review of the AI policy
Review the AI policy at planned intervals and when significant changes occur.
Internal Organization
2 controlsClear roles, responsibilities, and accountability for AI, including a safe route to raise concerns.
- A.3.2AI roles and responsibilities
Define and allocate roles and responsibilities for AI across the organization.
- A.3.3Reporting of concerns
Provide a mechanism for people to report concerns about AI systems.
Resources for AI Systems
5 controlsThe data, tooling, compute, system, and human resources an AI system depends on — documented and managed.
- A.4.2Resource documentation
Identify and document the resources required for each AI system in scope.
- A.4.3Data resources
Document the data resources used by AI systems and how they are managed.
- A.4.4Tooling resources
Document the tools (frameworks, libraries, platforms) used to build and run AI.
- A.4.5System and computing resources
Document the systems and computing resources that AI systems rely on.
- A.4.6Human resources
Ensure the competence of people responsible for the AI system across its lifecycle.
Assessing Impacts of AI Systems
4 controlsA repeatable process for assessing the consequences of AI systems for individuals, groups, and society.
- A.5.2AI system impact assessment process
Establish a process to assess the potential consequences of AI systems.
- A.5.3Documentation of AI system impact assessments
Document the results of each AI system impact assessment.
- A.5.4Assessing impact on individuals or groups
Assess potential impacts on individuals and groups of individuals.
- A.5.5Assessing societal impacts
Assess broader societal impacts of the AI system.
AI System Life Cycle
9 controlsResponsible design, development, verification, deployment, operation, monitoring, and documentation of AI.
- A.6.1.2Objectives for responsible development
Define objectives that guide responsible AI development.
- A.6.1.3Processes for responsible design and development
Define and apply processes for responsible AI design and development.
- A.6.2.2AI system requirements and specification
Specify functional, performance, and responsible-AI requirements.
- A.6.2.3Documentation of design and development
Document AI system design and development decisions.
- A.6.2.4Verification and validation
Verify and validate the AI system against its requirements before release.
- A.6.2.5AI system deployment
Manage deployment with defined criteria and controls.
- A.6.2.6Operation and monitoring
Monitor AI systems in operation, including performance and model drift.
- A.6.2.7Technical documentation
Maintain technical documentation across the lifecycle.
- A.6.2.8Recording of event logs
Record event logs to support traceability and incident analysis.
Data for AI Systems
5 controlsGovernance of training, testing, and operational data — quality, acquisition, provenance, and preparation.
- A.7.2Data for development and enhancement
Define the data needed to develop and improve AI systems.
- A.7.3Acquisition of data
Govern how data is acquired, including rights and consent.
- A.7.4Quality of data
Manage the quality of data used by AI systems.
- A.7.5Provenance of data
Establish and record the provenance of data.
- A.7.6Data preparation
Govern how data is prepared (labeling, cleaning, transformation).
Information for Interested Parties
4 controlsTransparency and documentation provided to users, regulators, and affected parties — including incidents.
- A.8.2System documentation and information for users
Provide users the information needed to use the AI system appropriately.
- A.8.3External reporting
Enable external reporting of adverse effects of AI systems.
- A.8.4Communication of incidents
Communicate AI incidents to relevant interested parties.
- A.8.5Information for interested parties
Provide interested parties the information necessary to assess the AI system.
Use of AI Systems
3 controlsResponsible, intended-purpose use of AI in operation, with human oversight where it matters.
- A.9.2Processes for responsible use
Define processes for the responsible use of AI systems.
- A.9.3Objectives for responsible use
Set objectives that guide responsible use.
- A.9.4Intended use of the AI system
Use AI systems in line with their documented intended purpose.
Third-Party & Customer Relationships
3 controlsRisks introduced by suppliers, foundation models, and customers across the AI value chain.
- A.10.2Allocating responsibilities
Allocate responsibilities across the AI value chain.
- A.10.3Suppliers
Manage AI-related risks arising from suppliers and external components.
- A.10.4Customers
Address AI-related responsibilities and information needs of customers.
Control references and objectives per ISO/IEC 42001:2023, Annex A. Control names are summarized for reference; refer to the published standard for the normative text and to Annex B for implementation guidance. Applicability is determined per organization in the Statement of Applicability.
Putting It to Work
From catalog to Statement of Applicability
Annex A only earns its keep once it is tailored. The path from the catalog above to an audit-ready AIMS runs through four steps.
1 — Inventory & impact
Build the AI system inventory, then run the A.5 impact assessment for each system. Impacts on people and society drive which controls you need.
2 — Risk-to-control mapping
Map each AI risk to the Annex A control(s) that treat it. A control with no risk behind it is hard to justify; a risk with no control is a gap.
3 — Statement of Applicability
Record every control as applicable or not, with justification and implementation status. This is the document Stage 1 auditors open first.
4 — Implement & evidence
Stand up the applicable controls and capture the evidence — policies, logs (A.6.2.8), impact assessments, supplier reviews — that proves they operate.
Want the mapping done for you? Our AI risk & impact assessment guide shows the methodology, the certification guide walks the audit, and our template pack includes a pre-built SoA aligned to all 38 controls.
Keep Exploring
More in the ISO 42001 Hub
AI Governance & AIMS
How an AI Management System is structured under ISO 42001 — policy, accountability, and principles.
AI Risk & Impact Assessment
Annex A.5 methodology for AI risk and system impact assessments, with a register structure.
Certification Process
Stage 1, Stage 2, and surveillance — the two-stage audit path and how to prepare for it.
EU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations — and what certification does and does not prove.
Templates & Downloads
The AIMS template pack — AI use-case register, AI policy, risk and impact assessment, and SoA.
Frequently Asked Questions
The questions teams ask when they first open Annex A.
How many controls are in ISO 42001 Annex A?
ISO/IEC 42001:2023 Annex A contains 38 controls organized into nine control objectives, referenced A.2 to A.10. The objectives cover AI policy, internal organization, resources, AI impact assessment, the AI system life cycle, data for AI, information for interested parties, use of AI systems, and third-party and customer relationships. Annex B of the standard provides implementation guidance for each control.
Are all 38 Annex A controls mandatory?
No. As with ISO 27001, the Annex A controls are a reference set. The mandatory requirements are in clauses 4–10. During implementation you assess your AI risks and impacts, then justify in the Statement of Applicability (SoA) which controls are applicable, which are not, and why. An auditor checks that your inclusions and exclusions are reasoned and consistent with your risk and impact assessments.
What is the difference between ISO 42001 Annex A and ISO 27001 Annex A?
ISO 27001 Annex A (93 controls in four themes) governs information security. ISO 42001 Annex A (38 controls in nine objectives) governs AI-specific concerns — impact on people and society, the AI lifecycle, data quality and provenance, transparency, and foundation-model/third-party risk. Both share the same Annex SL management-system backbone, so an organization with an ISO 27001 ISMS can extend it into an integrated AI management system and reuse much of its governance machinery.
What is the Statement of Applicability (SoA) in ISO 42001?
The SoA is the document that lists every Annex A control, states whether it is applicable, references the justification, and records its implementation status. It is mandatory and is one of the first artifacts a certification auditor reviews at Stage 1. A well-built SoA traces each applicable control back to a specific AI risk or impact, and each exclusion to a documented reason.
Does ISO 42001 require an AI impact assessment for each control?
The impact-assessment objective (A.5) requires a process for assessing the consequences of AI systems on individuals, groups, and society, and documentation of the results. It is not a per-control assessment; rather, the impact assessment — together with the AI risk assessment — drives which Annex A controls you implement and how. ISO/IEC 42005:2025 is the companion standard that provides the impact-assessment methodology. Objective A.5 is one of the areas auditors probe most closely.
Written By Expert Auditors
Keep Exploring
Related Reading
ISO 42001 Knowledge Hub
AIMS controls, EU AI Act mapping, risk assessment and guides.
Read moreAI Governance & AIMS
How an AI Management System is structured — policy, accountability, principles.
Read moreEU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations.
Read moreAI Risk Assessment
Risk identification, impact analysis and treatment for AI systems.
Read moreISO 42001 Certification Guide
From gap analysis to Stage 2 audit — the path to an AIMS certificate.
Read moreAnnex A Controls Overview
All 93 controls across organizational, people, physical and tech domains.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours