
ISO 42001 Annex A Controls

ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS). Published by ISO and IEC in December 2023, it sets out requirements to help organisations responsibly develop, deploy, use and govern AI systems - covering AI policy, risk and impact assessment, the AI system life cycle, data quality and provenance, information for interested parties, use of AI systems, and third-party relationships.


What is ISO/IEC 42001:2023?

ISO/IEC 42001:2023 is the first international standard for an Artificial Intelligence Management System (AIMS). Published jointly by ISO and IEC in December 2023, it sets out the requirements for organisations that develop, provide or use AI systems to govern them responsibly.

The standard is framework-neutral and applies to any organisation - a tech vendor training models, a bank deploying a chatbot, a hospital using AI for diagnosis, a government agency automating decisions. It sets out what an AI management system must do, not how to do it.

Like ISO 27001 for information security and ISO 9001 for quality, certification against ISO 42001 is voluntary, but it is increasingly requested in enterprise procurement and by customers who need assurance that AI is being managed responsibly, and it gives a structured evidence base when regulators ask how AI is governed.

AI Management System (AIMS) - the core concept

An AI Management System (AIMS) is a documented, risk-based system for governing AI across an organisation - not a single tool or policy. It is the set of policies, processes, roles and technical controls that work together so AI is developed, deployed and used responsibly.

  • Top-management commitment and explicit assignment of AI roles and responsibilities
  • A defined scope - which AI systems, business units, and use cases are governed
  • A documented AI risk assessment + AI system impact assessment process, repeated regularly
  • Selection of controls justified by risk, documented in a Statement of Applicability
  • Performance monitoring, internal audits and management reviews specific to AI
  • A continual improvement loop tied to AI incidents, drift and emerging regulatory change

The defining difference from ISO 27001: ISO 42001 explicitly requires AI System Impact Assessments - evaluating impacts on individuals, groups and societies - not just on the organisation itself.

The 7 mandatory clauses (Clauses 4-10)

The body of ISO 42001 (Clauses 4-10) contains the requirements you must meet. Annex A controls are selected and justified through the Clause 6 risk treatment process, so auditors start with these clauses and only then test the controls the Statement of Applicability claims.

  • Clause 4 - Context: internal/external AI-relevant issues, interested parties, AIMS scope
  • Clause 5 - Leadership: top management commitment, AI policy, roles and responsibilities
  • Clause 6 - Planning: AI risk assessment, AI risk treatment, AI system impact assessment, AI objectives
  • Clause 7 - Support: resources (data, tooling, computing, human), competence, awareness, communication, documented information
  • Clause 8 - Operation: operational planning and control; perform AI risk assessment/treatment and impact assessment in practice
  • Clause 9 - Performance evaluation: monitoring, measurement, internal audits, management reviews
  • Clause 10 - Improvement: nonconformities and corrective action, continual improvement

Common misunderstanding: teams focus on Annex A "AI controls" and neglect Clauses 4-10. Audit nonconformities are raised at least as often against the mandatory clauses (scope, risk and impact assessment, documented information, management review) as against the Annex A controls themselves.

Annex A - the 38 controls across 9 themes

Annex A of ISO 42001:2023 lists 38 reference controls grouped into 9 themes. As with ISO 27001, the controls are a reference set - you implement the ones your risk assessment and impact assessment say you need, and document that selection in the Statement of Applicability.

  • A.2 Policies related to AI (3 controls) - AI policy, alignment with other policies, review
  • A.3 Internal organisation (2 controls) - AI roles and responsibilities, reporting concerns
  • A.4 Resources for AI systems (5 controls) - documenting data, tooling, system/compute, human resources
  • A.5 Assessing impacts of AI systems (4 controls) - impact assessment process, documentation, impacts on individuals, societal impacts
  • A.6 AI system life cycle (9 controls) - objectives, processes, requirements, design/dev documentation, verification & validation, deployment, operation & monitoring, technical documentation, event logs
  • A.7 Data for AI systems (5 controls) - data management, acquisition, quality, provenance, preparation
  • A.8 Information for interested parties (4 controls) - user documentation, external reporting, incident communication, info to interested parties
  • A.9 Use of AI systems (3 controls) - processes, objectives, intended use
  • A.10 Third-party and customer relationships (3 controls) - allocating responsibilities, suppliers, customers

Annex B (normative) provides implementation guidance for each Annex A control. Annex C (informative) lists potential AI-related organisational objectives and risk sources. Annex D (informative) describes how an AIMS interacts with other management systems.

Risk-based + impact-based - how 42001 differs from 27001

ISO 27001 has one risk lens: information security risks to the organisation. ISO 42001 has two:

  • AI risk assessment - risks to the organisation from developing or using AI (security, performance, financial, reputational)
  • AI system impact assessment - impacts on individuals, groups of individuals and societies from the AI system itself (fairness, autonomy, well-being, human rights, environment)
  • Both feed into control selection - you cannot treat ISO 42001 as just "ISO 27001 with AI words"
  • Impact assessment is the conceptual cousin of a Data Protection Impact Assessment (DPIA) under GDPR, or a Privacy Impact Assessment (PIA) under the Australian Privacy Act, but explicitly extended beyond privacy to impacts on groups and society

This dual lens is why ISO 42001 introduces controls like A.5.4 (assessing impact on individuals) and A.5.5 (assessing societal impacts) that have no direct equivalent in ISO 27001.

AI system life cycle (A.6) - the largest theme

A.6 is the biggest Annex A theme with 9 controls covering the entire AI lifecycle. These are the most operationally specific controls in the standard.

  • A.6.1.2 - Objectives for responsible development (fairness, accountability, transparency, etc.)
  • A.6.1.3 - Processes for responsible design and development
  • A.6.2.2 - AI system requirements and specification
  • A.6.2.3 - Documentation of AI system design and development
  • A.6.2.4 - AI system verification and validation (including the evaluation criteria plan)
  • A.6.2.5 - AI system deployment (with release criteria)
  • A.6.2.6 - AI system operation and monitoring (concept drift, data drift, AI-specific security threats like data poisoning, model stealing)
  • A.6.2.7 - AI system technical documentation (for users, partners, supervisory authorities)
  • A.6.2.8 - AI system recording of event logs (traceability, anomaly detection)

A.6.2.6 explicitly calls out AI-specific information security threats including data poisoning, model stealing and model inversion, alongside concept and data drift. This is where ISO 42001 connects to AI/ML security practice - and where it aligns with the ASD ISM's March 2026 AI controls (ISM-2084 onwards).
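The drift half of A.6.2.6 is something a team can actually automate. The block below is an added example, not code from ISO/IEC 42001, Annex B or this page: it computes the Population Stability Index (PSI) of a production feature window against the reference sample captured at validation time, and turns it into a status that can be written to the event log A.6.2.8 asks for. The feature name, the sample data (drawn inline from a seeded generator) and the 0.10 / 0.25 thresholds are assumptions; the thresholds are the common rule of thumb, not values the standard sets.

```python
"""Added example (not from ISO/IEC 42001 or this page): PSI-based data-drift
monitoring for one numeric feature. Reference = validation-time sample,
window = recent production values. Inputs are constructed with a seeded RNG."""
import bisect
import math
import random
from typing import Sequence

STABLE_MAX = 0.10       # assumed thresholds; tune per feature and per system
INVESTIGATE_MAX = 0.25


def quantile_edges(reference: Sequence[float], bins: int) -> list[float]:
    """Bin edges at reference quantiles, so each bin holds ~1/bins of the reference mass."""
    s = sorted(reference)
    return [s[int(i * len(s) / bins)] for i in range(1, bins)]


def bin_fractions(values: Sequence[float], edges: Sequence[float], floor: float = 1e-4) -> list[float]:
    """Fraction of values per bin; empty bins are floored so the log term stays finite."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_right(edges, v)] += 1
    return [max(c / len(values), floor) for c in counts]


def psi(reference: Sequence[float], current: Sequence[float], bins: int = 10) -> float:
    """Population Stability Index: sum over bins of (cur - ref) * ln(cur / ref)."""
    edges = quantile_edges(reference, bins)
    ref = bin_fractions(reference, edges)
    cur = bin_fractions(current, edges)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


def drift_status(value: float) -> str:
    if value < STABLE_MAX:
        return "stable"
    if value < INVESTIGATE_MAX:
        return "investigate"
    return "drift"


def monitor(reference: Sequence[float], window: Sequence[float], feature: str) -> dict:
    """One monitoring record suitable for an event log (cf. A.6.2.8): feature, PSI, status."""
    value = psi(reference, window)
    return {"feature": feature, "psi": round(value, 4), "status": drift_status(value)}


def demo() -> tuple[dict, dict]:
    """Constructed data: a stable production window and one whose mean shifted by 1 sigma."""
    rng = random.Random(42)
    reference = [rng.gauss(0.0, 1.0) for _ in range(5000)]       # validation-time sample
    stable_window = [rng.gauss(0.0, 1.0) for _ in range(2000)]   # production, same distribution
    shifted_window = [rng.gauss(1.0, 1.0) for _ in range(2000)]  # production after drift
    return (monitor(reference, stable_window, "loan_amount_z"),
            monitor(reference, shifted_window, "loan_amount_z"))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run it per feature on every monitoring interval and write the returned record to the AI system's event log; the "investigate" band is where a human reviews before anyone retrains, which also keeps A.5 in play because retraining on drifted data is a change that needs a fresh impact assessment.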

Data for AI systems (A.7) - provenance and quality

A.7 covers the data side of AI systems - data is treated as a first-class resource because data quality and provenance directly determine model behaviour.

  • A.7.2 Data for development and enhancement - data management processes
  • A.7.3 Acquisition of data - categories, sources, characteristics, demographic considerations, data rights
  • A.7.4 Quality of data - defined and measured against the intended purpose
  • A.7.5 Data provenance - recording creation, update, transcription, abstraction, validation, transfer
  • A.7.6 Data preparation - cleaning, imputation, normalisation, labelling, encoding criteria

Where ISO 27001 treats data as an asset to protect, ISO 42001 treats data as an input that shapes AI behaviour. Both lenses matter - most organisations need both standards working together.

Information for interested parties (A.8) - transparency obligations

A.8 codifies what many AI ethics frameworks describe as transparency and explainability - but in operational terms an organisation can actually implement and audit.

  • A.8.2 System documentation and info for users - purpose, capabilities, limits, accuracy, human oversight needs
  • A.8.3 External reporting - capabilities for users/external parties to report adverse impacts
  • A.8.4 Communication of incidents - plan for notifying users when something goes wrong
  • A.8.5 Information for interested parties - obligations to share with regulators or third parties

A.8 maps closely to the EU AI Act's transparency obligations for high-risk AI systems. Organisations meeting ISO 42001 A.8 will have done much of the heavy lifting for EU AI Act Article 13 transparency requirements.

Third-party and customer relationships (A.10)

A.10 addresses one of the highest-risk AI scenarios for most Australian organisations - using AI systems supplied by third parties rather than building your own.

  • A.10.2 Allocating responsibilities - who is accountable across the AI life cycle (you, supplier, customer, partner)
  • A.10.3 Suppliers - process to ensure supplier-provided AI services/products align with your responsible AI approach
  • A.10.4 Customers - understanding customer expectations and the limits of valid use

Most Australian organisations are AI consumers, not AI builders. A.10 is therefore the most operationally relevant Annex A theme for them - covering the procurement, contract, monitoring and customer communication discipline needed to deploy third-party AI responsibly.

Relationship to ISO 27001 and other standards

ISO 42001 is designed to integrate with other management system standards rather than replace them. It uses the same harmonized structure (ISO/IEC Directives Annex SL, formerly called the High-Level Structure, HLS) as ISO 27001:2022, ISO 9001 and ISO 14001, so clause numbering, terminology and mandatory documentation line up and joint implementation is efficient.

  • ISO/IEC 27001 - information security management. Many ISO 42001 Annex A controls overlap with ISO 27001 Annex A (e.g. supplier relationships, incident management, asset documentation).
  • ISO/IEC 27701 - privacy information management. Useful where AI processes PII.
  • ISO/IEC 23894 - AI risk management guidance (companion to ISO 42001 Clause 6).
  • ISO/IEC 22989 - AI concepts and terminology - the dictionary ISO 42001 builds on.
  • ISO/IEC 23053 - AI/ML framework and life cycle reference.
  • ISO 9001 - quality management. Useful for organisations whose AI quality is part of product quality.

Practical pattern: many organisations holding ISO 27001 are extending their existing ISMS scope to include ISO 42001 rather than running parallel programs. The shared HLS makes this efficient.

Relationship to NIST AI Risk Management Framework

The US NIST AI RMF (released January 2023) is the most widely-referenced non-ISO AI risk framework. Many organisations adopt both.

  • NIST AI RMF is a voluntary framework, not a certifiable standard - ISO 42001 IS certifiable
  • NIST AI RMF organises around 4 functions: Govern, Map, Measure, Manage
  • ISO 42001 maps cleanly: Govern (Clauses 4-5, A.2-A.3) / Map (A.4, A.7) / Measure (A.5, A.6.2.4) / Manage (A.6.2.5-A.6.2.8, A.10)
  • Practical pattern: organisations use NIST AI RMF as the conceptual model and ISO 42001 as the certifiable framework that operationalises it

Relationship to the EU AI Act

The EU AI Act is a regulation, not a standard: it is legally binding on providers placing AI systems on the EU market and on deployers using them in the EU, wherever they are based. ISO 42001 is a management-system standard that can structure much of the evidence an AI Act conformity assessment needs, but certification is not by itself proof of compliance.

  • The EU AI Act categorises AI by risk: prohibited / high-risk / limited-risk / minimal-risk
  • For high-risk AI systems, the Act mandates a risk management system, quality management system, technical documentation, transparency, human oversight, accuracy/robustness/cybersecurity, and post-market monitoring
  • Each of these has a corresponding ISO 42001 clause or Annex A control (risk management in Clauses 6 and 8, technical documentation in A.6.2.7, transparency in A.8, post-market monitoring in A.6.2.6), but the Act's detailed obligations go beyond what the management-system standard specifies
  • Presumption of conformity under the Act attaches to harmonised standards cited in the Official Journal; the European Commission's standardisation request to CEN-CENELEC (JTC 21) covers these, and ISO/IEC 42001 is an input to that work rather than a harmonised standard itself
  • An organisation with a certified ISO 42001 AIMS is well-positioned to comply with the EU AI Act when it takes full effect (staggered through 2025-2027)

Australian context - laws, regulators and frameworks

ISO 42001 sits alongside the Australian regulatory environment around AI rather than replacing any law.

  • Privacy Act 1988 + Australian Privacy Principles - applies whenever AI handles personal information; ISO 42001 A.7 (data) supports the APP 11 security obligation, and the A.5 impact assessment dovetails with the Privacy Impact Assessment (PIA) the OAIC expects for high-privacy-risk projects
  • OAIC guidance on AI - the Office of the Australian Information Commissioner publishes practical guidance on AI and privacy that complements ISO 42001 implementation
  • NSW AI Assurance Framework (now published as the NSW AI Assessment Framework) - mandates an AI assurance process for NSW public sector AI use; an ISO 42001 A.5 impact assessment covers much of the ground the framework asks for, but does not replace the framework's own process
  • ASD Information Security Manual (March 2026) - introduces GOV-08 (Executive AI Accountability) and ISM-2084-2103 (AI development and use controls); ISO 42001 + ISM is the strongest combined posture for Australian government suppliers
  • Australian Government policy on AI in the APS - ISO 42001 alignment is increasingly expected of vendors selling AI to Commonwealth agencies

No Australian law currently mandates ISO 42001 certification, but procurement and risk-management expectations are moving in that direction quickly, particularly in critical infrastructure, finance, health and government.

Training and certification pathways

As with ISO 27001, there are two certification tracks: an organisation has its AIMS certified by an accredited certification body, while individuals gain Lead Implementer and Lead Auditor credentials through PECB and other accredited training providers. The courses below are the personnel track.

Mindset Cyber offers PECB-accredited ISO/IEC 42001 training that maps directly to the controls in this library. Both Lead Implementer (for those building AIMS programs) and Lead Auditor (for those reviewing/auditing) qualifications are available.

  • ISO/IEC 42001 Lead Implementer - five-day course for those designing and running an AIMS program
  • ISO/IEC 42001 Lead Auditor - five-day audit course; valuable for internal auditors and IRAP-style external reviewers extending into AI
  • ISO/IEC 27001 Lead Implementer/Lead Auditor - recommended companion qualifications since most organisations implement both standards together
  • PECB certification is internationally recognised and includes the official exam

All Mindset Cyber courses are delivered as self-paced eLearning or live weekend training.

Common pitfalls + Glossary

Patterns we see organisations getting wrong when starting ISO 42001 work.

  • Treating ISO 42001 as "ISO 27001 with AI words" - missing the impact assessment dimension entirely
  • Conflating AI risk (to org) with AI system impact (to individuals/society) - they are different assessments with different audiences
  • Skipping A.10 because "we don't make AI" - most organisations USE third-party AI, which is exactly what A.10 governs
  • Documenting an AI policy but never reviewing or updating it as models/use cases evolve
  • Not running impact assessment when retraining or substantively changing an existing AI system
  • Treating training data quality (A.7.4) as a one-time check rather than an ongoing discipline as data drifts
  • Ignoring AI-specific security threats (data poisoning, model stealing, model inversion) in Operation & Monitoring (A.6.2.6)

Key terms: AIMS = AI Management System. SoA = Statement of Applicability. AI System Impact Assessment ≠ AI Risk Assessment. NIST AI RMF = US National Institute of Standards and Technology AI Risk Management Framework. EU AI Act = Regulation (EU) 2024/1689.

ISO 42001 training, paired with ISO 27001, helps teams implement these controls. Get PECB certified with Mindset Cyber.