ISO 42001 Annex A Controls Explained

The ISO 42001 Annex A controls are the catalogue of AI-governance safeguards you draw on to treat the risks your AI management system identifies. Rather than forming a rigid checklist, they are selected based on your AI systems and their impact, and cover areas like data governance, transparency, human oversight, and the AI system life cycle. You justify each choice in a Statement of Applicability.

What are the ISO 42001 Annex A controls?

Annex A of ISO/IEC 42001:2023 is a catalogue of reference controls for AI. You don’t apply all of them by default — you select the ones relevant to your risks and AI impact assessments, and record those decisions in your Statement of Applicability (SoA). Detailed implementation guidance for each control lives in Annex B.

The control areas

Annex A groups its controls into nine areas (A.2–A.10), covering roughly 38 controls in total:

  • A.2 Policies related to AI — establishing and reviewing your AI policy.
  • A.3 Internal organization — AI roles, responsibilities, and reporting of concerns.
  • A.4 Resources for AI systems — data, tooling, computing, and human resources.
  • A.5 Assessing impacts of AI systems — the AI impact assessment process and its use.
  • A.6 AI system life cycle — responsible design, development, and deployment.
  • A.7 Data for AI systems — data quality, provenance, and preparation.
  • A.8 Information for interested parties — transparency to users and affected people.
  • A.9 Use of AI systems — responsible and intended use.
  • A.10 Third-party and customer relationships — managing AI risk across the supply chain.

Note: Control numbering and counts can be updated between revisions — always confirm against the current text of ISO/IEC 42001:2023 and its annexes.

The supporting annexes

  • Annex B — implementation guidance for each control.
  • Annex C — potential AI-related organizational objectives and risk sources to consider.
  • Annex D — using the AI management system across different domains and sectors.

You choose which controls apply

As with ISO 27001, the key discipline is selection and justification. Your risk and impact assessments drive which controls are applicable; your Statement of Applicability records the decision and rationale for each. For the full document set that sits alongside these controls, see the ISO 42001 documentation checklist.

How to apply the ISO 42001 Annex A controls

Start from your AI risk and impact assessments, then map controls to the risks they address. The Annex A controls span the AI life cycle: policies for responsible AI, roles and responsibilities, data quality and provenance, documentation and transparency for users, human oversight, and ongoing monitoring of deployed systems. You are not expected to implement every control; you select what your use cases justify and document exclusions with reasons. Supporting annexes give implementation guidance and map controls to concerns like societal impact. The standard is published by ISO. Tying each control to a real AI risk is what makes your programme defensible.

Frequently asked questions

How many controls are in ISO 42001 Annex A?

Around 38, grouped into nine control areas (A.2–A.10). Confirm the exact figure against your copy of the standard.

Do I have to implement them all?

No — only those your risk and impact assessments make relevant, with exclusions justified in your SoA.

In short, treat the ISO 42001 Annex A controls as a risk-driven menu. Select what your AI actually needs, justify the rest as excluded, and your Statement of Applicability becomes a clear map an auditor can follow.