Unfortunately, ISO 42001 requires more documentation than some other management system standards, such as ISO 27001 or ISO 9001. If you don't know where to start, this article provides a breakdown of the mandatory documents and records, mapped to the particular clauses and controls of the standard.
ISO 42001 requires more than 20 documents to be written, including the top-level AI Policy, AIMS Scope Document, AI Risk Management Methodology, Statement of Applicability, AI Risk Treatment Plan, and others.
The criterion for the lists below is simple: an item counts as mandatory when the standard uses phrases such as "shall retain documented information," "shall be available as documented information," or "shall be documented." Anything the standard merely recommends, or leaves to the organization, is not included.
ISO 42001 mandatory documents and records for the main clauses of the standard
In the table below, I analyzed which clauses from the main part of ISO 42001 (i.e., clauses 4 to 10) require documented information, and which document or record is typically used to satisfy each requirement.
| What must be documented | ISO 42001 clause | Usually documented through |
|---|---|---|
| Scope of the AIMS | Clause 4.3 | AIMS Scope Document |
| AI policy | Clause 5.2 | AI Policy |
| Actions taken to identify and address AI risks and opportunities | Clause 6.1.1 | AI Risk Register; AI Risk Assessment & Treatment Report |
| AI risk assessment process | Clause 6.1.2 | AI Risk Management Methodology |
| AI risk treatment process | Clause 6.1.3 | AI Risk Management Methodology |
| Statement of applicability | Clause 6.1.3 | Statement of Applicability |
| AI risk treatment plan | Clause 6.1.3 | AI Risk Treatment Plan |
| Results of the AI system impact assessment | Clause 6.1.4 | AI System Impact Assessment Report |
| AI objectives | Clause 6.2 | AIMS Objectives |
| Evidence of competence | Clause 7.2 | CVs, training certificates, etc. |
| Results of the AI risk assessment | Clause 8.2 | AI Risk Register; AI Risk Assessment & Treatment Report |
| Results of the AI risk treatment | Clause 8.3 | AI Risk Register; AI Risk Assessment & Treatment Report |
| Results of the AI system impact assessment | Clause 8.4 | AI System Impact Assessment Report |
| Results of monitoring and measurement | Clause 9.1 | Automated reports and dashboards produced by monitoring the AI systems (retained as records); Monitoring & Measurement Report |
| Internal audit program | Clause 9.2 | Internal Audit Program |
| Internal audit results | Clause 9.2 | Internal Audit Report |
| Results of management reviews | Clause 9.3 | Management Review Minutes |
| Evidence of nonconformities, actions taken, and results of corrective action | Clause 10.2 | Corrective Action Form |
List of mandatory documents and records for ISO 42001 Annex A
Unlike other standards, such as ISO 27001, ISO 42001 requires all Annex A controls to be documented. Therefore, the table below lists all 38 controls with suggested ways to document them (control A.2.2 appears twice because it covers both the development and the use of AI systems, which are usually best kept as separate policies). The idea here was to reduce the number of documents by covering several controls with a single document.
Note: If a company excludes a particular control by marking it as not applicable in the Statement of Applicability, with a justification for the exclusion, then the document does not need to be written for that control.
| What must be documented | ISO 42001 control | Usually documented through |
|---|---|---|
| Policy for the design and development of AI systems | Control A.2.2 | AI Systems Design and Development Policy |
| Policy for the use of AI systems | Control A.2.2 | AI Systems Acceptable Use Policy |
| Other policies affected by AI systems | Control A.2.3 | AI Policy |
| Review AI policy at planned intervals | Control A.2.4 | AI Policy |
| Define roles and responsibilities | Control A.3.2 | AI Policy |
| Process to report concerns about AI systems | Control A.3.3 | AI Policy |
| Required resources | Control A.4.2 | AI Policy; Register of AI Resources |
| Utilized data resources | Control A.4.3 | Register of AI Resources |
| Utilized tooling resources | Control A.4.4 | Register of AI Resources |
| Utilized computing resources | Control A.4.5 | Register of AI Resources |
| Utilized human resources | Control A.4.6 | Register of AI Resources |
| Establish a process for AI system impact assessment | Control A.5.2 | AI System Impact Assessment Methodology |
| Document the results of AI system impact assessments | Control A.5.3 | AI System Impact Assessment Report |
| Potential impacts of AI systems on individuals | Control A.5.4 | AI System Impact Assessment Report |
| Potential societal impacts of AI systems | Control A.5.5 | AI System Impact Assessment Report |
| Objectives for responsible development of AI systems | Control A.6.1.2 | AI Systems Design and Development Policy |
| Processes for the design and development of AI systems | Control A.6.1.3 | AI Systems Design and Development Policy |
| Requirements for AI systems | Control A.6.2.2 | AI Systems Design and Development Policy; Functional Requirements for AI System |
| AI system design and development | Control A.6.2.3 | AI Systems Design and Development Policy |
| AI system verification and validation measures | Control A.6.2.4 | AI Systems Design and Development Policy |
| AI system deployment plan | Control A.6.2.5 | AI Systems Operating Procedures |
| Necessary elements for the ongoing operation of the AI system | Control A.6.2.6 | AI Systems Operating Procedures |
| AI system technical documentation | Control A.6.2.7 | AI Systems Operating Procedures |
| AI system event logs | Control A.6.2.8 | AI Systems Operating Procedures; various logs from AI systems |
| Data management processes for the development of AI systems | Control A.7.2 | AI Systems Data Management Policy |
| Details about the acquisition and selection of the data | Control A.7.3 | AI Systems Data Management Policy; Register of AI Resources |
| Requirements for data quality | Control A.7.4 | AI Systems Data Management Policy; Register of AI Resources |
| Process for recording the provenance of data | Control A.7.5 | AI Systems Data Management Policy |
| Criteria for selecting data preparations and data preparation methods to be used | Control A.7.6 | AI Systems Data Management Policy |
| Provide necessary information to users of the AI system | Control A.8.2 | Policy for Handling AI Suppliers and Customers |
| Provide capabilities for interested parties to report adverse impacts | Control A.8.3 | Policy for Handling AI Suppliers and Customers |
| Plan for communicating incidents to users | Control A.8.4 | Policy for Handling AI Suppliers and Customers |
| Obligations for reporting information towards interested parties | Control A.8.5 | Policy for Handling AI Suppliers and Customers |
| Processes for the responsible use of AI systems | Control A.9.2 | AI Systems Acceptable Use Policy |
| Objectives for responsible use of AI systems | Control A.9.3 | AI Systems Acceptable Use Policy |
| Ensure that the AI system is used according to its intended use | Control A.9.4 | AI Systems Acceptable Use Policy |
| Responsibilities within the AI system life cycle are allocated between the company and third parties | Control A.10.2 | Policy for Handling AI Suppliers and Customers |
| Ensure that usage of services and products from suppliers is aligned with responsible development and use of AI systems | Control A.10.3 | Policy for Handling AI Suppliers and Customers |
| Consider customer expectations and needs when developing and using AI systems | Control A.10.4 | Policy for Handling AI Suppliers and Customers |
Non-mandatory documents
Here are a few documents that are not mandatory according to ISO 42001; however, they could still be useful:
- Procedure for Document and Record Control (clause 7.5) — this is not directly related to AI governance; however, it is still very helpful to avoid any confusion with managing documents.
- Procedure for Monitoring of AI Systems (clause 9.1) — this is useful to set clear rules and responsibilities for continuous monitoring and measurement.
- Procedure for Internal Audit (clause 9.2) — this is not directly related to AI governance either; however, it is useful to set clear rules and responsibilities for planning, performing, and reporting internal audits.
- Procedure for Corrective Action (clause 10.2) — this document is not directly related to AI governance either; however, it is useful for setting clear rules for handling nonconformities and corrective actions.
- Various cybersecurity and privacy documents — ISO 42001 does not require them directly; however, AI systems depend on the underlying information security and privacy controls, so this is where existing ISO 27001 and GDPR documents can be reused.
Dejan Kosutic