ISO 42001 documentation requirements can feel heavier than AI governance itself. Most teams know they need an AI policy, a risk assessment and audit records, but they get stuck on the practical question: what exactly should be written, controlled and ready to show a certification body? This checklist gives you the documentation-first view: the policies, procedures, registers, records and evidence your AI management system needs.
Quick Answer
ISO 42001 documentation requirements include the documented information needed to define, operate, monitor and improve an Artificial Intelligence Management System (AIMS). Companies should prepare an AIMS scope, AI policy, AI risk method, AI risk register, AI risk treatment plan, Statement of Applicability, AI system impact assessment records, objectives, competence evidence, internal audit records, management review minutes and corrective action records.
A practical ISO 42001 checklist should also include Annex A evidence for AI policies, roles, resources, impact assessments, lifecycle controls, data controls, transparency, use of AI systems and third-party relationships. This gives auditors a clear route from requirements to evidence.
In This Guide
- What ISO 42001 Mandatory Documents Are Required for Certification?
- ISO 42001 Documentation Checklist for Clauses 4 to 10
- ISO 42001 Annex A Controls: What Evidence Do You Need?
- How to Prepare AI Management System Documentation for an ISO 42001 Audit
- ISO 42001 Documentation Templates: What Should Be Included?
- Common ISO 42001 Documentation Mistakes to Avoid
- Frequently Asked Questions
- Next Steps
What ISO 42001 Mandatory Documents Are Required for Certification?
ISO 42001 uses the modern ISO term documented information, which covers both documents you maintain and records you retain. In plain English, you need controlled policies and procedures, plus evidence showing those processes actually happened.
The exact document count depends on your scope, AI use cases and risk profile. A small SaaS company using AI internally may have a leaner pack than a healthcare platform developing high-impact AI models. Most certification-ready AIMS packs include more than 20 controlled items.
What is an AI Management System in ISO 42001?
An AI Management System is the set of policies, roles, processes, controls and records an organization uses to govern responsible AI. If you are still at the early awareness stage, start with this plain-English guide to what ISO 42001 is and how it works.
For documentation purposes, an AIMS must show governance, risk assessment, impact assessment, operational control, monitoring, audit, management review and continual improvement.
Does ISO 42001 require an AI policy?
Yes. ISO 42001 requires an AI policy under Clause 5.2. The policy should set management direction for responsible AI, define commitments, support AI objectives and align with related policies such as information security, privacy, product safety, quality, HR and supplier management.
A weak AI policy says “we use AI responsibly.” A useful AI policy explains ownership, permitted AI use, risk assessment triggers, human oversight and escalation rules.
How many ISO 42001 documents does a company need?
There is no single magic number because ISO 42001 allows organizations to combine documented information where practical. A realistic pack usually includes 8 to 12 core policies and procedures, 5 to 8 live registers or matrices, 6 to 10 recurring records and Annex A evidence mapped to 38 controls across A.2 to A.10.
Do not measure readiness by page count. Measure it by traceability: can you connect each AI system to an owner, risk assessment, impact assessment, treatment decision and monitoring evidence?
Quick check: Pick one AI system. Can you show its owner, purpose, data sources, risk assessment, impact assessment, approval decision and monitoring evidence in under 10 minutes? If not, your documentation is not audit-ready yet.
ISO 42001 Documentation Checklist for Clauses 4 to 10
The clause-by-clause checklist below gives you the practical document pack view. It focuses on what a certification auditor is likely to ask for during Stage 1 document review and Stage 2 implementation audit.
| Document name | ISO 42001 clause | Purpose | Typical owner | Template needed |
|---|---|---|---|---|
| AIMS scope statement | 4.3 | Defines business units, locations, AI systems and activities covered | Compliance Manager | Scope template |
| AI policy | 5.2 | Sets commitments and direction for responsible AI | Top Management | Policy template |
| AI roles and responsibilities matrix | 5.3 | Assigns accountability for AI governance, use, review and escalation | AIMS Lead | RACI matrix |
| AI system inventory | 4.3 and 8.1 | Lists AI systems, owners, purpose, suppliers, data and lifecycle stage | AIMS Lead | Register template |
| AI risk assessment methodology | 6.1.2 | Explains how AI risks are identified, analysed and evaluated | Risk Owner | Procedure template |
| AI risk register | 6.1.2 and 8.2 | Records risks, controls, ratings and residual risk decisions | Risk Owner | Register template |
| AI risk treatment plan | 6.1.3 and 8.3 | Shows treatments, owners, deadlines and implementation status | Risk Owner | Action plan |
| Statement of Applicability | 6.1.3 | Maps Annex A controls to applicability, justification and evidence | AIMS Lead | SoA template |
| AI system impact assessment | 6.1.4 and 8.4 | Assesses impacts on people, groups, society and the organization | Product Owner | Assessment template |
| AIMS objectives and plan | 6.2 | Defines measurable objectives, resources, owners and timing | Top Management | Objectives template |
| Competence and training records | 7.2 | Proves people in AI-related roles are competent | HR or AIMS Lead | Training matrix |
| Monitoring and measurement records | 9.1 | Shows AIMS performance and AI control effectiveness | AIMS Lead | KPI report |
| Internal audit programme and report | 9.2 | Plans and records audits of clauses, controls and evidence | Internal Auditor | Audit template |
| Management review and corrective action records | 9.3 and 10.2 | Records leadership review, nonconformities, actions and effectiveness | Top Management | Minutes and action forms |
What is an ISO 42001 AI risk assessment?
An ISO 42001 AI risk assessment is a structured process for identifying, analysing and evaluating risks linked to AI systems. It should cover risks to the organization and risks caused by the AI system, including bias, misuse, security, privacy, transparency, safety, human oversight, performance drift and supplier dependency.
What is an ISO 42001 Statement of Applicability?
An ISO 42001 Statement of Applicability, often called an SoA, explains which Annex A controls apply to your AIMS, why they apply, how they are implemented and where the evidence is stored. A good SoA gives a short justification, names the owner and points to the proof.
How do you document AI impact assessments for ISO 42001?
AI impact assessments should document the AI system’s purpose, intended users, affected groups, decision impact, data categories, known limitations, human oversight, potential harms and mitigation measures. For higher-risk AI use cases, treat the impact assessment as an approval gate before deployment.
Pro tip: Give every AI system a unique ID and use it across your inventory, risk register, impact assessment, supplier review and monitoring records. This makes audit evidence traceable fast.
ISO 42001 Annex A Controls: What Evidence Do You Need?
ISO 42001 Annex A contains 38 AI-specific controls grouped from A.2 to A.10. Your organization does not prove readiness by creating 38 separate policies. You prove readiness by showing that each applicable control has an owner, implementation method and evidence.
What evidence supports ISO 42001 Annex A controls?
Useful Annex A evidence normally falls into six categories: policy, procedure, register, matrix, record and system evidence. For example, A.2 policies related to AI may be supported by an AI policy and acceptable use policy. A.7 data for AI systems may be supported by data quality criteria, data provenance records and dataset approval evidence.
A.10 third-party and customer relationships are important when your organization uses external AI tools, embedded AI in SaaS platforms or outsourced model development. If shadow AI is already a concern, this guide on shadow AI and third-party risk is a useful supporting read.
What records do ISO 42001 auditors ask for?
Auditors ask for design evidence and operating evidence. Design evidence shows the process exists, such as a policy, methodology or procedure. Operating evidence proves the process has been used, such as completed assessments, training logs, supplier reviews, approval records, monitoring outputs and corrective actions.
Can ISO 42001 documents support EU AI Act compliance?
ISO 42001 documents can support EU AI Act compliance because they create a structured record of AI governance, risk management, impact assessment, human oversight, data controls, transparency and supplier management. However, ISO 42001 certification is not the same as legal compliance with the EU AI Act or any other AI regulation.
Quick check: Your SoA should not be a dead document. Review it whenever you add a new AI system, change a model, onboard an AI supplier or update your risk method.
How to Prepare AI Management System Documentation for an ISO 42001 Audit
Preparing for an ISO 42001 audit is less about perfect wording and more about proving the AIMS works. Stage 1 focuses on document readiness. Stage 2 checks implementation, interviews process owners and samples evidence.
If you need the broader process, timelines and audit stages, read the ISO 42001 certification complete guide alongside this checklist.
How do I prepare ISO 42001 documents for audit?
- Define your AIMS scope: Decide which business units, AI systems, products, services, locations and third-party arrangements are included.
- Create your AI inventory: List every AI system with owner, purpose, supplier, users, data, risk level and lifecycle stage.
- Approve your AI policy: Make sure top management has approved it and relevant employees understand it.
- Run AI risk assessments: Apply one method consistently and record inherent risk, controls, treatment and residual risk.
- Complete AI impact assessments: Assess affected people, intended use, misuse, limitations, oversight, transparency and potential harm.
- Build the Statement of Applicability: Map Annex A controls to applicability, implementation status, justification, owner and evidence.
- Collect operating records: Retain training logs, supplier reviews, monitoring reports, approvals, audit findings and review minutes.
- Test traceability before audit: Select two AI systems and follow each one from inventory to risk, impact, treatment, monitoring and review evidence.
What evidence shows ISO 42001 documents are implemented?
Implementation evidence should show dates, owners, decisions and outcomes. A policy without training records is weak. A risk method without completed assessments is weak. A supplier procedure without supplier reviews is weak. Auditors want to see that people follow the process, not just that the process exists.
ISO 42001 Documentation Templates: What Should Be Included?
ISO 42001 templates are useful when they give you structure, clause mapping and audit language without forcing you into a generic AI policy. They save time, but they still need customization.
What should ISO 42001 templates include?
A strong ISO 42001 template pack should include policies, procedures, registers, matrices and records for scope, AI policy, AI inventory, risk assessment, risk treatment, Statement of Applicability, AI impact assessment, roles, supplier review, internal audit, management review and corrective action. For organizations comparing standards or buying multiple document packs, the ISO documentation toolkit collection is the best place to review available templates by standard.
Can ISO 42001 templates replace an AI governance consultant?
Templates are usually enough when you have a clear scope, a manageable number of AI systems, internal ownership and someone who can customize documents honestly. A consultant is still useful when your AI systems affect safety, healthcare, credit, employment, biometrics, critical infrastructure or regulated decision-making.
Pro tip: Do not buy ISO 42001 templates just to fill folders. Buy them to create a working evidence system. Every template should have an owner, review frequency and link to audit evidence.
Common ISO 42001 Documentation Mistakes to Avoid
Most ISO 42001 documentation problems come from weak ownership, poor traceability and documents that do not match real AI use.
What are the most common ISO 42001 documentation mistakes?
- Writing an AI policy that nobody uses: The policy must connect to approvals, acceptable use, risk assessment and escalation.
- Forgetting third-party AI tools: AI embedded in SaaS products can still create governance, data and transparency risks.
- Treating the AI inventory as optional: Without an inventory, you cannot reliably scope risks, impact assessments or controls.
- Copying ISO 27001 documents and renaming them: ISO 42001 adds AI-specific concerns such as impact, transparency, lifecycle, data and human oversight.
- Leaving the Statement of Applicability too vague: “Implemented” is not enough. Add justification, owner and evidence location.
- Completing impact assessments after deployment: Impact assessment should influence design, approval and control decisions.
How do you avoid ISO 42001 audit nonconformities?
Check whether your documents match reality. If your AI policy says all AI systems are approved before use, your AI inventory and approval records should prove it. Before Stage 2, sample two AI systems and verify the evidence trail from inventory through management review.
Frequently Asked Questions
What documents are required for ISO 42001 certification?
ISO 42001 certification normally requires an AIMS scope, AI policy, AI risk method, AI risk register, risk treatment plan, Statement of Applicability, AI impact assessment records, objectives, competence evidence, monitoring records, internal audit reports, management review minutes and corrective action records. Annex A evidence is also needed for applicable AI controls.
How many mandatory documents does ISO 42001 require?
ISO 42001 does not work best as a fixed document-count exercise because organizations can combine documented information where practical. Most certification-ready AIMS packs include more than 20 controlled items once policies, procedures, registers, assessments, audit records, review minutes and Annex A evidence are included.
Can ISO 42001 help with EU AI Act documentation?
ISO 42001 can help with EU AI Act documentation by creating a structured management system for AI governance, risk assessment, impact assessment, human oversight, data management, monitoring and supplier control. It does not automatically prove legal compliance, because legal obligations depend on your role, jurisdiction and AI system classification.
How long does ISO 42001 documentation take to prepare?
ISO 42001 documentation often takes 4 to 12 weeks for a small or mid-sized organization, depending on AI complexity, internal availability and whether templates are used. The writing is only part of the work; you also need risk assessments, impact assessments, operating evidence, internal audit and management review.
Can I use ISO 42001 templates instead of hiring a consultant?
You can use ISO 42001 templates instead of hiring a consultant when your scope is clear, your AI systems are manageable and someone internally can own implementation. A consultant may still be useful for high-risk AI, regulated sectors, complex supply chains or tight certification deadlines.
What is the difference between ISO 42001 and ISO 27001 documentation?
ISO 27001 documentation focuses on information security management, including security risk assessment, controls and information assets. ISO 42001 documentation focuses on AI management, including AI inventory, AI risk assessment, AI impact assessment, lifecycle controls, data for AI systems, transparency, human oversight and third-party AI relationships.
Next Steps
ISO 42001 documentation requirements are manageable when you treat them as an evidence system, not a writing project. Start with your AIMS scope, AI inventory, AI policy, risk method, impact assessments and Statement of Applicability. Then build the records that prove your controls operate in real life.
Ready to prepare your AIMS documents faster? The ISO 42001 Documentation Toolkit gives you ready-made templates for policies, procedures, registers and audit evidence, so you are not building your certification documentation from a blank page.


