ISO 42001 Controls List: Annex A Explained in Full
The ISO 42001 controls list — formally documented in Annex A of the standard — is the operational heart of every AI management system certification. It defines the specific governance controls that organizations must evaluate, implement where applicable, and maintain as evidence of responsible AI management. Understanding the full Annex A controls list is essential for any organization pursuing ISO/IEC 42001:2023 certification, because the Statement of Applicability — which maps every control to your organization’s context — is one of the first documents auditors review during Stage 1.
Annex A in the ISO 42001 standard contains controls organized across eight distinct domains, covering everything from AI policies and organizational responsibilities through to AI system lifecycle management, human oversight mechanisms, and third-party supplier governance. According to the official ISO standard publication, each control must be assessed for applicability to your specific context. Controls that are applicable must be implemented and evidenced. Controls that are excluded must be formally justified in the Statement of Applicability.
This article walks through the complete ISO 42001 controls list domain by domain, explaining what each control requires, what implementation looks like in practice, and how the controls relate to each other across the full governance framework.
TL;DR:
Concern: Organizations that misunderstand the Annex A controls list risk implementing the wrong controls, missing critical requirements, and failing Stage 1 audit — explore the full framework at our ISO 42001 hub.
Overview: The ISO 42001 controls list spans eight Annex A domains covering AI policies, organizational structure, AI system resources, impact assessment, lifecycle controls, human oversight, supplier management, and documentation.
Solution: CertPro CPA LLC maps the full Annex A controls list to your organization’s specific AI context, implements applicable controls, and prepares your Statement of Applicability to auditor standard.
What Is the ISO 42001 Controls List?
The ISO 42001 controls list is the collection of AI governance controls contained in Annex A of ISO/IEC 42001:2023. It serves the same purpose in the AIMS standard that Annex A serves in ISO 27001 — providing a structured reference set of controls that organizations use to treat the risks identified in their risk assessment process.
However, the ISO 42001 Annex A controls list addresses a fundamentally different risk domain from ISO 27001. While ISO 27001 controls focus on information security — confidentiality, integrity, and availability of data — the ISO 42001 controls list addresses AI-specific governance challenges: model bias, lack of explainability, inadequate human oversight, AI lifecycle failures, and the governance of third-party AI systems.
According to BSI’s AI management system guidance, the controls in Annex A are designed to work together as an integrated governance system rather than as isolated compliance checkboxes. Consequently, implementing individual controls in isolation without considering how they interact with risk assessment, scope definition, and organizational responsibilities produces a weaker AIMS than one where controls are designed and implemented as a coherent whole.
Annex A Domain 1: AI Policies
Control A.2.2: AI Policy
This control requires organizations to establish, document, and maintain a formal AI policy. The policy must be approved at senior leadership level and communicated across the organization. It should express the organization’s commitment to responsible AI use, define the principles that guide AI development and deployment decisions, and reference the objectives of the AI management system.
In practice, an effective AI policy is not a generic statement of intent. It references your specific AI systems and use cases, articulates your organization’s position on AI ethics and accountability, and establishes clear principles for human oversight and transparency. Auditors check that the policy is current, formally approved, and genuinely communicated — not simply filed away.
Control A.2.3: Organizational Roles and Responsibilities for AI
This control requires organizations to define and assign specific roles and responsibilities for AI governance. Who is accountable for AI risk assessment? Who owns the AIMS documentation? Who has authority to approve AI system deployments? These questions must be answered in documented role definitions — not left to informal understanding.
For many organizations, implementing this control requires establishing a new governance structure around AI — potentially including an AI governance committee, an AI risk owner role, and defined responsibilities for AI system owners across business units. Our ISO 42001 policies guide covers the documentation requirements for this control in detail.
Annex A Domain 2: Internal Organisation for AI
Control A.3.2: AI Roles Within Projects
This control requires organizations to define AI governance roles within specific AI development or deployment projects. Every AI project should have clearly assigned roles for risk assessment, data governance, model validation, and human oversight — documented in project governance frameworks rather than assumed from general organizational structures.
Control A.3.3: Responsibilities Related to AI System Impact Assessment
Before deploying any AI system, organizations must assess its potential impacts on individuals, communities, and society — and assign clear responsibility for conducting and documenting that assessment. This control establishes the governance process for AI impact assessment as a mandatory step in any AI system deployment.
Consequently, organizations implementing this control need both a documented impact assessment methodology and a defined process for who conducts assessments, who reviews them, and who has authority to approve deployment despite identified impacts. This governance structure is particularly important for high-risk AI applications in healthcare, financial services, and public sector contexts.
Annex A Domain 3: Resources for AI Systems
Control A.4.2: AI Knowledge and Expertise
This control requires organizations to ensure that people involved in AI system development and operation have appropriate knowledge and expertise. This includes technical competence in AI development, understanding of AI ethics and governance principles, and awareness of the regulatory context in which AI systems operate.
In practice, this control typically requires a competency framework for AI roles, a training programme to close identified gaps, and records of training completion. It connects directly to the Clause 7 support requirements in the main standard body.
Control A.4.3: AI System Impact on Individuals
Organizations must assess and document how their AI systems impact the individuals they affect — employees, customers, or members of the public. This control requires a systematic approach to identifying potential harms, discriminatory outcomes, and privacy impacts before AI systems are deployed.
Control A.4.4: Responsible AI Procurement
When procuring AI systems or components from third parties, organizations must apply governance standards to the procurement process. This includes evaluating supplier AI governance practices, assessing the provenance and quality of training data, and understanding the limitations and known failure modes of procured AI systems before deployment.
Annex A Domain 4: Assessing AI System Impacts
Control A.5.2: AI System Impact Assessment Process
This control requires a documented process for assessing the impacts of AI systems on individuals, groups, and society. The assessment must consider intended and unintended consequences, potential for discriminatory outcomes, privacy implications, and effects on human autonomy and decision-making.
Implementing this control means more than writing an assessment template. It means establishing a governance process that runs consistently across every AI system deployment within your AIMS scope, with defined triggers for assessment, assigned responsibilities, review and approval workflows, and documentation requirements.
Control A.5.3: Documenting AI System Impacts
Organizations must maintain documented records of impact assessments conducted for each AI system. These records must be kept current as AI systems evolve, updated when significant changes are made to system objectives or deployment contexts, and retained as evidence of governance due diligence throughout the system’s operational life.
Annex A Domain 5: AI System Lifecycle Controls
Control A.6.1: AI System Objectives and Requirements
Before developing or deploying any AI system, organizations must document clear objectives and requirements. What should the system achieve? What constraints apply? What performance metrics define success? These documented objectives become the baseline against which system performance is evaluated throughout the lifecycle.
Control A.6.2: Data for AI Systems
This control addresses the governance of data used to train, validate, and operate AI systems. Organizations must ensure that training data is appropriate, representative, and free from biases that could produce discriminatory or harmful outputs. Data provenance, quality assessment processes, and data governance documentation are all required under this control.
Data governance for AI is significantly more complex than conventional data management. Training data sets can encode historical biases, demographic imbalances, or labelling errors that produce systematically harmful AI outputs. Consequently, this control requires both technical data quality processes and governance oversight of data selection and curation decisions.
Control A.6.3: AI System Development and Engineering
Organizations developing AI systems must follow documented engineering practices covering model architecture decisions, training methodology, validation approaches, and the management of model versions and updates. This control ensures that AI system development is a governed, repeatable process rather than an ad-hoc technical activity.
Control A.6.4: AI System Verification and Validation
Before deployment, AI systems must be formally verified against their documented requirements and validated to confirm they perform as intended in realistic operating conditions. This control requires documented testing methodologies, defined acceptance criteria, and formal sign-off processes before systems move into production environments.
Control A.6.5: AI System Production and Operations
Once deployed, AI systems must be operated under documented procedures that cover performance monitoring, incident detection, and operational oversight. This control requires organizations to define what normal AI system behaviour looks like, establish thresholds for performance degradation, and document escalation procedures when those thresholds are breached.
Control A.6.6: AI System Monitoring
Ongoing monitoring of AI system performance is a mandatory requirement under the ISO 42001 controls list. Systems must be monitored for performance drift, output quality degradation, changes in input data distribution, and emerging bias or fairness concerns. Monitoring must be continuous — not just at initial deployment — because AI system behaviour can change as the data environments they operate in evolve.
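The two operational controls above (A.6.5 thresholds and escalation, A.6.6 monitoring for input drift, degradation and fairness) are easier to picture with a concrete monitoring window. The following is an added example, not code from the article, from CertPro CPA LLC or from the ISO standard. It assumes three checks per window: Population Stability Index (PSI, a common histogram-based drift metric) over one input feature, an accuracy comparison against the validation baseline, and the selection-rate gap between demographic groups. The threshold values are widely used rules of thumb, not figures from the standard, and the baseline, current-window and prediction data are constructed for illustration.

```python
"""Added example (not from the article or the standard): one monitoring window
evaluated against documented thresholds, returning a status for escalation."""
import math
from bisect import bisect_right

# Rule-of-thumb thresholds (assumption); an organisation sets its own under A.6.5
THRESHOLDS = {
    "psi_warn": 0.10,          # moderate input-distribution shift
    "psi_escalate": 0.25,      # significant shift: stop and review
    "acc_drop_warn": 0.05,     # absolute accuracy drop vs validation baseline
    "acc_drop_escalate": 0.10,
    "parity_gap_max": 0.10,    # largest tolerated selection-rate gap between groups
}


def bucket(values, edges):
    """Histogram numeric values into bins defined by ascending edges.
    Values below edges[0] go to bin 0; values >= edges[-1] go to the last bin."""
    n_bins = len(edges) - 1
    counts = [0] * n_bins
    for v in values:
        i = bisect_right(edges, v) - 1
        counts[min(max(i, 0), n_bins - 1)] += 1
    return counts


def psi(baseline_counts, current_counts, eps=1e-4):
    """Population Stability Index between two histograms over the same bins.
    eps floors each proportion so an empty bin cannot produce log(0)."""
    b_total = sum(baseline_counts) or 1
    c_total = sum(current_counts) or 1
    total = 0.0
    for b, c in zip(baseline_counts, current_counts):
        pb = max(b / b_total, eps)
        pc = max(c / c_total, eps)
        total += (pc - pb) * math.log(pc / pb)
    return total


def accuracy(preds, labels):
    return sum(p == y for p, y in zip(preds, labels)) / len(labels)


def selection_rate_gap(preds, groups, positive=1):
    """Largest difference in positive-prediction rate between any two groups."""
    per_group = {}
    for p, g in zip(preds, groups):
        tot, pos = per_group.get(g, (0, 0))
        per_group[g] = (tot + 1, pos + (p == positive))
    rates = [pos / tot for tot, pos in per_group.values()]
    return max(rates) - min(rates)


def evaluate_window(baseline_feature, current_feature, edges, baseline_accuracy,
                    preds, labels, groups, thresholds=THRESHOLDS):
    """Apply the three checks and decide ok / warn / escalate for this window."""
    findings = []
    shift = psi(bucket(baseline_feature, edges), bucket(current_feature, edges))
    if shift >= thresholds["psi_escalate"]:
        findings.append(("escalate", f"input PSI {shift:.3f} >= {thresholds['psi_escalate']}"))
    elif shift >= thresholds["psi_warn"]:
        findings.append(("warn", f"input PSI {shift:.3f} >= {thresholds['psi_warn']}"))
    acc = accuracy(preds, labels)
    drop = baseline_accuracy - acc
    if drop >= thresholds["acc_drop_escalate"]:
        findings.append(("escalate", f"accuracy drop {drop:.2f} >= {thresholds['acc_drop_escalate']}"))
    elif drop >= thresholds["acc_drop_warn"]:
        findings.append(("warn", f"accuracy drop {drop:.2f} >= {thresholds['acc_drop_warn']}"))
    gap = selection_rate_gap(preds, groups)
    if gap > thresholds["parity_gap_max"]:
        findings.append(("escalate", f"selection-rate gap {gap:.2f} > {thresholds['parity_gap_max']}"))
    status = "ok"
    if any(sev == "escalate" for sev, _ in findings):
        status = "escalate"
    elif findings:
        status = "warn"
    return {"psi": shift, "accuracy": acc, "parity_gap": gap,
            "status": status, "findings": findings}


def run_example():
    """Constructed data: baseline mass sits in the low bin, the current window
    has shifted to the high bin, accuracy has fallen, and group A is selected
    far more often than group B."""
    edges = [0, 10, 20, 30]
    baseline_feature = [5] * 50 + [15] * 30 + [25] * 20
    current_feature = [5] * 20 + [15] * 30 + [25] * 50
    groups = ["A"] * 10 + ["B"] * 10
    preds = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0] + [1, 1, 0, 0, 0, 0, 0, 0, 0, 0]
    labels = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0] + [1, 1, 0, 0, 0, 0, 1, 1, 1, 1]
    return evaluate_window(baseline_feature, current_feature, edges, 0.90,
                           preds, labels, groups)


if __name__ == "__main__":
    result = run_example()
    print(result["status"])
    for severity, reason in result["findings"]:
        print(f"  [{severity}] {reason}")
```

The returned findings are the record an operations team would attach to the escalation ticket, which is the evidence auditors look for under A.6.5: not only that a threshold exists, but that breaches were detected and routed through the documented procedure.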
Control A.6.7: AI System Decommissioning
When AI systems are retired, organizations must follow a documented decommissioning process. This covers data disposal, documentation archiving, stakeholder notification, and governance sign-off on system retirement. Decommissioning governance prevents the risk of retired AI systems continuing to influence decisions or being reactivated without appropriate review.
Annex A Domain 6: Human Oversight of AI
Control A.7.2: Human Oversight Approach for AI Systems
This control requires organizations to define and document their approach to human oversight for each AI system within scope. The oversight approach must be proportionate to the risk level of the AI system — with higher-risk systems requiring more active and frequent human review of AI-generated outputs.
Implementing this control requires defining oversight mechanisms — such as human review workflows for AI-generated decisions, escalation procedures for uncertain outputs, and override processes for AI recommendations — and embedding them in operational procedures rather than leaving oversight to informal practice.
Control A.7.3: Transparency and Explainability
AI systems within scope must be operated with appropriate transparency. Relevant stakeholders — including individuals affected by AI-driven decisions — must be able to understand, at an appropriate level, how AI systems reach their outputs. This control requires both technical explainability capabilities and governance processes for communicating AI system logic to affected parties.
Annex A Domain 7: AI Supplier Management
Control A.8.2: Supplier Relationships for AI Systems
Organizations must establish formal governance processes for evaluating and managing AI system suppliers. This includes assessing supplier AI governance practices before procurement, including AI governance requirements in supplier contracts, and maintaining ongoing oversight of supplier AI system performance and changes.
This control has driven significant interest from procurement and vendor management teams. In practice, it requires AI-specific supplier assessment questionnaires, contract clauses covering AI governance obligations, and periodic supplier review processes. Our ISO 42001 risk management guide covers supplier risk assessment methodology in detail.
Control A.8.3: Supply Chain Considerations for AI
Beyond direct suppliers, organizations must consider AI governance implications across the broader supply chain. Training data provenance, third-party model components, and AI infrastructure dependencies all represent supply chain risks that must be assessed and documented under this control.
Annex A Domain 8: AI System Documentation
Control A.9.2: Documentation of AI Systems
Each AI system within scope must have comprehensive documentation covering its objectives, data inputs, model architecture, training methodology, validation results, deployment configuration, monitoring approach, and known limitations. This documentation must be maintained throughout the system’s operational life and updated whenever significant changes are made.
System documentation is a primary evidence source during Stage 2 certification audits. Auditors review AI system documentation to verify that lifecycle controls are genuinely implemented — not just described in policy documents. Consequently, documentation quality directly affects certification outcomes.
The Statement of Applicability: Mapping the Controls List to Your Organisation
The Statement of Applicability — commonly called the SoA — is the document that maps the full ISO 42001 controls list to your organization’s specific context. For every control in Annex A, the SoA must state whether the control is applicable, provide justification for the applicability decision, and confirm implementation status for applicable controls.
The SoA is one of the most scrutinised documents during Stage 1 audit. Auditors look for consistency between the SoA and the risk treatment plan — controls selected for implementation should map to identified risks, and exclusions should be justified based on genuine inapplicability rather than convenience.
Building a credible SoA requires a thorough risk assessment first — because control selection should flow from risk, not from convenience. Our AI risk management guide and our dedicated article on the ISO 42001 certification process explain how risk assessment feeds into the SoA in practice.
Get Expert Help Implementing the ISO 42001 Controls List
CertPro CPA LLC maps the full Annex A controls list to your organization’s specific AI context, implements applicable controls with operational evidence, and prepares a Statement of Applicability that satisfies Stage 1 auditor requirements. Contact us today to get started.
FAQ
How many controls are in the ISO 42001 controls list?
The ISO 42001 controls list in Annex A spans eight domains with multiple controls within each domain. The total number of individual controls is smaller than ISO 27001’s Annex A, but each control addresses AI-specific governance requirements that require significant operational implementation to satisfy.
Do organizations need to implement every control in the Annex A list?
No. Organizations must assess every control for applicability to their specific context, but they only need to implement controls that are applicable. Controls that are genuinely not applicable — because the risk they address does not exist in your context — may be excluded, provided the exclusion is formally justified in the Statement of Applicability.
What is a Statement of Applicability for ISO 42001?
The Statement of Applicability is a mandatory document that maps every Annex A control to your organization’s context. For each control, it states whether the control is applicable, justifies the applicability decision, and records implementation status. Auditors review the SoA during Stage 1 to verify that control selection is consistent with your risk assessment and risk treatment plan.
How does the ISO 42001 controls list differ from ISO 27001 Annex A?
ISO 27001 Annex A focuses on information security controls — protecting data confidentiality, integrity, and availability. The ISO 42001 controls list addresses AI-specific governance challenges — model bias, human oversight, AI lifecycle management, impact assessment, and AI supplier governance. The two control sets are complementary and can be implemented together in an integrated management system.
What is the hardest control in the ISO 42001 list to implement?
Organizations consistently find the AI lifecycle controls — particularly data governance for AI systems and ongoing AI system monitoring — the most resource-intensive to implement effectively. These controls require both technical capabilities and governance processes that many organizations do not have in place before starting their AIMS implementation.
How often should the Annex A controls be reviewed?
Controls should be reviewed at least annually as part of the management review process, and whenever significant changes occur — new AI systems are deployed, existing systems are significantly modified, or the risk environment changes materially. The SoA should be updated to reflect any changes in control applicability or implementation status.