AI Policy
The organisation must create a documented policy for AI system development and usage.
Plain language
This control means your business needs to write down clear rules for how you create and use AI systems. Without this, one part of your company might use AI in a way that causes mistakes, like sending the wrong product to a customer, and there'll be confusion over who or what is to blame.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall document a policy for the development or use of AI systems.
Why it matters
Without a clear AI policy, departments might create AI that backfires (like chatbots giving wrong info), and no one knows who to hold responsible.
Operational notes
Always update the AI policy as technology and legal landscapes shift, not just once a year.
Implementation tips
- The board should draft a simple AI policy document outlining the company's goals and limits related to AI use, such as what data can be used or how decisions should be made. Start with a meeting to discuss guidelines and what the company values most about AI use.
- The AI lead should review this policy every year with relevant changes in technology and laws to keep it current. They can set a reminder in their calendar and prepare a brief summary of changes for the board.
- Procurement should ensure all AI software and services acquired align with the company's AI policy. This could mean adding a clause in supplier contracts specifying that their product must not violate defined ethical boundaries.
- Product owners need to make sure any new AI systems developed for their products adhere to this policy. They should include a policy check in their development review process, which could be a simple checklist.
- The data steward should ensure that how data is used in AI systems complies with the policy. They can spot-check datasets monthly to make sure nothing inappropriate or out-of-date is being used for training.
Audit / evidence tips
- Ask: Request the organisation's AI policy and the date it was last reviewed. Good: The policy is current, covers AI development and use, and aligns with industry regulations and company values.
- Ask: Interview the AI lead about recent policy updates. Good: The AI lead can clearly describe recent changes and how they affected the policy.
- Ask: Check a contract from a recent AI software purchase. Good: Contracts have specific language ensuring software meets the company's AI ethical guidelines.
- Ask: Review a checklist used during AI system development. Good: Checklists show the organisation routinely ensures policy compliance in development.
- Ask: Look at a report from a data review meeting. Good: Reports show regular reviews ensuring all data complies with AI policy requirements.
Cross-framework mappings
How Annex A 2.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.1 | Annex A 2.2 requires the organisation to document a policy specifically for the development or use of AI systems |
| Supports | Annex A 5.4 | Annex A 2.2 requires the organisation to document a policy for AI system development or use |
| Supports | Annex A 5.36 | Annex A 2.2 requires the organisation to document a policy for AI system development or use |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.