ISO/IEC 42001:2023 · Annex A
The full ISO 42001 Annex A controls
ISO/IEC 42001:2023 lists 38 Annex A controls for governing AI responsibly, grouped into 9 categories. Here is every control by reference and title, what each category governs, and how you select them for your AI Statement of Applicability.
Overview
What are the ISO 42001 Annex A controls?
Annex A of ISO/IEC 42001:2023 is a catalogue of 38 controls for the responsible development, provision and use of AI. They are grouped into 9 categories (A.2 to A.10), and each category also states a control objective that its controls work towards.
As with ISO 27001, Annex A is a menu. You assess each control against your scope and the risks and impacts of your AI systems, apply the ones that fit, and record every applicable-or-excluded decision, with a justification, in your AI Statement of Applicability.
The controls
All 38 controls, by category
Reference and title for every Annex A control. The detailed implementation guidance for each is in Annex B of the standard; this is the list itself.
Policies related to AI A.2 · 3 controls
Your top-level AI policy, how it aligns with your other organisational policies, and keeping it under review.
| Ref | Control |
|---|---|
| A.2.2 | AI policy |
| A.2.3 | Alignment with other organizational policies |
| A.2.4 | Review of the AI policy |
Internal organization A.3 · 2 controls
Who is accountable for AI in the organisation, and how people report concerns about an AI system.
| Ref | Control |
|---|---|
| A.3.2 | AI roles and responsibilities |
| A.3.3 | Reporting of concerns |
Resources for AI systems A.4 · 5 controls
Documenting the data, tooling, computing and human resources your AI systems depend on.
| Ref | Control |
|---|---|
| A.4.2 | Resource documentation |
| A.4.3 | Data resources |
| A.4.4 | Tooling resources |
| A.4.5 | System and computing resources |
| A.4.6 | Human resources |
Assessing impacts of AI systems A.5 · 4 controls
The process for assessing how an AI system affects individuals, groups and society, and recording those assessments.
| Ref | Control |
|---|---|
| A.5.2 | AI system impact assessment process |
| A.5.3 | Documentation of AI system impact assessments |
| A.5.4 | Assessing AI system impact on individuals or groups of individuals |
| A.5.5 | Assessing societal impacts of AI systems |
AI system life cycle A.6 · 9 controls
Responsible objectives, design, development, verification, deployment, operation and event logging across the AI life cycle.
| Ref | Control |
|---|---|
| A.6.1.2 | Objectives for responsible development of AI system |
| A.6.1.3 | Processes for responsible AI system design and development |
| A.6.2.2 | AI system requirements and specification |
| A.6.2.3 | Documentation of AI system design and development |
| A.6.2.4 | AI system verification and validation |
| A.6.2.5 | AI system deployment |
| A.6.2.6 | AI system operation and monitoring |
| A.6.2.7 | AI system technical documentation |
| A.6.2.8 | AI system recording of event logs |
Data for AI systems A.7 · 5 controls
Data quality, acquisition, provenance and preparation for the data your AI systems are built and run on.
| Ref | Control |
|---|---|
| A.7.2 | Data for development and enhancement of AI system |
| A.7.3 | Acquisition of data |
| A.7.4 | Quality of data for AI systems |
| A.7.5 | Data provenance |
| A.7.6 | Data preparation |
Information for interested parties of AI systems A.8 · 4 controls
What you tell users and other parties: system documentation, external reporting, and communicating incidents.
| Ref | Control |
|---|---|
| A.8.2 | System documentation and information for users |
| A.8.3 | External reporting |
| A.8.4 | Communication of incidents |
| A.8.5 | Information for interested parties |
Use of AI systems A.9 · 3 controls
Using AI systems responsibly, for their intended purpose, against defined objectives.
| Ref | Control |
|---|---|
| A.9.2 | Processes for responsible use of AI systems |
| A.9.3 | Objectives for responsible use of AI system |
| A.9.4 | Intended use of the AI system |
Third-party and customer relationships A.10 · 3 controls
Allocating responsibilities across suppliers and customers throughout the AI supply chain.
| Ref | Control |
|---|---|
| A.10.2 | Allocating responsibilities |
| A.10.3 | Suppliers |
| A.10.4 | Customers |
Applicability
From the list to your AI Statement of Applicability
The controls list is the starting point. Certification turns on what you do with it: selecting the applicable controls, implementing them with real policies, procedures and impact assessments, and recording every applicable-or-excluded decision, with a justification, in your AI Statement of Applicability.
PolicyMint generates that documentation. It selects the controls that fit your AI systems, writes the documents that satisfy them, and assembles your AI Statement of Applicability so it never drifts from the documents behind it. See what ISO 42001 requires and the documents you need.
To track implementation status control by control, our sister tool ControlStack maps the same 38 controls in an interactive tracker: PolicyMint generates the documents, ControlStack tracks where each control stands.
ISO 42001 controls FAQ
ISO 42001 controls, answered
The questions people ask about Annex A of the AI management standard.
How many controls does ISO 42001 have?
ISO/IEC 42001:2023 defines 38 Annex A controls, organised under 9 control categories (A.2 to A.10). Each category also states a control objective. You select the controls that apply to your AI systems and record that in your AI Statement of Applicability.
What are the ISO 42001 Annex A categories?
Policies related to AI, Internal organization, Resources for AI systems, Assessing impacts of AI systems, AI system life cycle, Data for AI systems, Information for interested parties of AI systems, Use of AI systems, and Third-party and customer relationships.
Do I need to apply all 38 controls?
No. As with ISO 27001, you assess each control against your scope and the risks and impacts of your AI systems, apply the relevant ones, and justify any exclusions in your Statement of Applicability.
How is ISO 42001 Annex A different from ISO 27001 Annex A?
ISO 27001 Annex A covers information security (93 controls, 4 themes). ISO 42001 Annex A covers responsible AI management (38 controls, 9 categories): impact assessment, the AI life cycle, data quality and provenance, transparency, and responsible use. Both sit under the same clause 4 to 10 management structure.
Where does this controls list come from?
It is Annex A of ISO/IEC 42001:2023, the international standard for AI management systems. We publish the reference and title of each control; the implementation guidance in Annex B remains the property of ISO and IEC.
How does PolicyMint help with the controls?
It selects the applicable AI controls from your business profile, generates the policies, procedures and impact-assessment documents that satisfy them, and assembles your AI Statement of Applicability so it stays in step with those documents.
Stop staring at an empty document set
Set up your business once. Get the documents you actually need, written for how you really operate, in your branding, checked before you see them.
When we launch, your first documents are on us. No credit card, no sales call.