
ISO 42001 Requirements: The Complete Documentation Checklist

An ISO 42001 requirements checklist makes a new and unfamiliar standard concrete. Because ISO 42001 follows the same Harmonised Structure as ISO 27001 and ISO 9001, the checklist splits into management-system documents (Clauses 4–10) and AI-specific artefacts such as the AI impact assessment. This page walks through both so your AI management system (AIMS) is audit-ready.


Documents vs. records

ISO 42001 asks for two kinds of documented information: documents you write up front (policies, processes, plans) and records your AIMS generates as it runs (assessment results, audit findings, review minutes). Auditors want both — one shows intent, the other shows it’s working.

The mandatory documents (Clauses 4–10)

  1. Scope of the AIMS (4.3) — which parts of the organization and which AI systems are covered.
  2. AI Policy (5.2) — top management’s direction on responsible AI.
  3. AI Risk Assessment process (6.1.2) — how you identify and evaluate AI risks.
  4. AI Risk Treatment process (6.1.3) — how you decide what to do about them.
  5. AI System Impact Assessment process (6.1.4) — how you assess impacts on individuals, groups, and society. This is unique to ISO 42001.
  6. Statement of Applicability — which Annex A controls apply, and why.
  7. AI Objectives (6.2) — measurable goals for your AIMS.

The mandatory records

  • Evidence of competence (7.2)
  • Results of AI risk assessment and treatment (8.2 / 8.3)
  • Results of AI system impact assessments (8.4)
  • Monitoring and measurement results (9.1)
  • Internal audit programme and results (9.2)
  • Management review minutes (9.3)
  • Nonconformities and corrective actions (10.2)

The Annex A documents most organizations also need

Depending on which Annex A controls your Statement of Applicability marks as applicable, you’ll typically also produce:

  • AI roles and responsibilities
  • AI system lifecycle / development procedures
  • Data management process for AI (data quality, provenance, governance)
  • Transparency and information provisions for users and affected parties
  • Responsible-use guidance for AI systems
  • Third-party and supplier requirements for AI

Important: Your exact document set depends on your scope and Statement of Applicability. Always confirm against the current text of ISO/IEC 42001:2023 and your certification body’s expectations.


How to work through your ISO 42001 requirements checklist

Begin with the management-system backbone: scope, AI policy, objectives, roles, risk assessment, and the operational controls that keep your AI systems governed. Then add what makes ISO 42001 distinctive: the AI system impact assessment, which examines how your AI affects individuals and society, and the Annex A controls you select to treat those risks. If you already run ISO 27001, much of the structure will feel familiar and can be reused. The standard is published by ISO. Building your checklist around real AI use cases keeps it meaningful rather than theoretical.

Frequently asked questions

What’s the most distinctive ISO 42001 document?

The AI system impact assessment. Unlike a standard risk assessment, it looks outward — at how your AI affects people and society — and it’s central to the standard.

Do we need every Annex A control documented?

No — only the ones your risk and impact assessments make applicable. Justify any exclusions in your Statement of Applicability.


Treat the checklist as living: AI systems and their risks evolve quickly, so revisit your impact assessments and controls whenever you ship a significant model or new use case.

A final tip: don’t let the novelty of AI governance intimidate you. Most of an ISO 42001 requirements checklist is ordinary management-system discipline — policies, roles, risk assessment, and review — wrapped around a handful of genuinely AI-specific artefacts. Nail those artefacts and the rest is familiar territory.
