ISO 42001 Policies: What You Need and How to Write Them

ISO 42001 Policies

ISO 42001 policies are the documented governance foundations on which every AI management system is built. They define your organisation’s commitments, principles, and rules for managing artificial intelligence responsibly — and they are among the first documents auditors examine during Stage 1 of the certification process. Without properly structured ISO 42001 policies in place, no amount of technical control implementation will satisfy certification requirements, because auditors need to see that AI governance is directed from the top of the organisation, not just managed at an operational level.

The ISO 42001 standard requires one mandatory policy and a broader set of documented information that together demonstrate active leadership engagement with AI governance. Policy requirements flow primarily from Clause 5 (Leadership) and Clause 7 (Support), and from Annex A control area A.2 (Policies related to AI), which covers the AI policy itself, its alignment with other organisational policies, and its periodic review. Furthermore, ISO 42001 policies must be living documents: regularly reviewed, updated when circumstances change, and genuinely communicated across the organisation rather than filed and forgotten.

This article covers every ISO 42001 policy your organisation needs, what each policy must contain, how to structure them effectively, and the common mistakes that cause policy-related audit findings.

TL;DR:

Concern: Incomplete, generic, or unreviewed ISO 42001 policies are one of the most common causes of Stage 1 audit findings — explore what good governance documentation looks like at our ISO 42001 certification hub.
Overview: ISO 42001 requires a mandatory AI policy plus a structured set of supporting policies and documented information covering roles, risk management, AI objectives, operational controls, and continual improvement.
Solution: CertPro CPA LLC develops audit-ready ISO 42001 policies tailored to your organisation’s specific AI systems, risk profile, and governance context — not generic templates that fail under auditor scrutiny.

Why ISO 42001 Policies Matter More Than Controls

Many organisations approaching ISO 42001 certification focus first on technical controls, the operational governance measures that protect against AI risks. However, auditors frequently find that policy weaknesses cause more certification failures than control gaps. The reason is straightforward: controls without policies lack governance direction. An AI monitoring process without a documented monitoring policy is an informal practice, not a governed control.

ISO 42001 policies establish the authority and intent behind every operational control in the management system. They answer the question of why your organisation manages AI in a particular way — connecting operational practices to leadership commitments, organisational values, and regulatory obligations. Without strong ISO 42001 policies at the top of the governance hierarchy, the entire AIMS lacks the coherence that certification requires.

Additionally, policies are the primary tool through which senior leadership demonstrates its commitment to AI governance — a direct requirement of Clause 5 of the standard. Auditors verify leadership engagement partly by examining whether policies carry genuine leadership sign-off, whether they reflect the organisation’s specific AI context, and whether they have been actively communicated to relevant staff. Generic downloaded templates with a leadership signature do not satisfy these requirements.

The Mandatory AI Policy: What ISO 42001 Requires

The cornerstone of all ISO 42001 policies is the mandatory AI policy required by Clause 5.2 and Annex A Control A.2.2. This is not optional — every organisation seeking certification must produce, approve, and maintain a formal AI policy that meets specific content requirements defined in the standard.

What the AI Policy Must Include

  • A statement of the organisation’s commitment to responsible AI management and continual improvement of the AIMS
  • The AI governance principles that guide how the organisation develops, deploys, and uses AI systems
  • A commitment to meeting applicable legal, regulatory, and contractual requirements related to AI
  • A commitment to setting and pursuing measurable AI objectives aligned with the policy’s principles
  • The scope of the AI management system — or a reference to the separately documented scope statement
  • Clear assignment of overall accountability for AI governance at senior leadership level

The first four items are what Clause 5.2 itself requires of the policy. The scope and the assignment of accountability are governed by separate clauses (4.3 for scope, 5.3 for roles, responsibilities and authorities), but auditors expect the AI policy to reference them so that the policy, the scope statement and the role definitions form one consistent whole. Beyond these elements, an effective AI policy also states the organisation's position on specific AI governance topics: human oversight, algorithmic transparency, AI ethics principles, and stakeholder accountability. The more specific the policy is to your organisation's actual AI context, the more credibility it carries with auditors.

Format and Approval Requirements

ISO 42001 does not prescribe a specific format for the AI policy, but it does require that the policy be available as documented information, approved at the highest appropriate leadership level, communicated within the organisation, and made available to interested parties where appropriate. In practice, this means the policy should carry a formal approval signature, a version number, an effective date, and a review schedule.

The review schedule matters particularly. Auditors check whether ISO 42001 policies are genuinely maintained — they will ask when the policy was last reviewed and what prompted any revisions. A policy with an unchanged date from years ago signals that it is not being actively governed, regardless of how well-written it was at initial approval.

Supporting ISO 42001 Policies Your AIMS Needs

AI Risk Management Policy

The AI risk management policy defines how your organisation identifies, assesses, treats, and monitors AI-related risks. It should establish the risk assessment methodology — how risks are identified, what scoring approach is used for likelihood and impact, what risk appetite thresholds apply, and how the risk treatment plan is developed and maintained. This policy connects directly to Clause 6 planning requirements and feeds into the risk register that auditors review at Stage 1. Our dedicated AI risk management guide covers what the risk management policy must contain and how the risk assessment process works in practice.

AI Lifecycle Management Policy

The AI lifecycle management policy governs how AI systems are managed from conception through decommissioning. It defines the governance gates that must be passed at each lifecycle stage: objectives documented before development begins, validation against acceptance criteria before deployment, monitoring thresholds during operation, and controlled retirement at end of life. This policy is the governance anchor for the Annex A lifecycle controls in control area A.6 (AI system life cycle). Our article on AI lifecycle requirements explains what each lifecycle stage requires in terms of governance controls and documented evidence.

AI Data Governance Policy

The AI data governance policy addresses how data used to train, validate, and operate AI systems is sourced, assessed, and managed. It must cover data quality standards for training data, bias assessment requirements, data provenance documentation obligations, consent and privacy requirements for personal data used in AI training, and data retention and disposal obligations for AI training datasets.

For organisations subject to GDPR, India’s DPDP Act, or equivalent data protection regulations, the AI data governance policy must be consistent with — and ideally integrated with — existing privacy and data management policies. Conflicts between AI data practices and privacy obligations are a common source of audit findings in organisations that treat AI governance and privacy governance as separate programmes.

Human Oversight Policy

The human oversight policy defines how your organisation ensures that humans remain meaningfully in control of consequential AI-driven decisions. It must specify which AI systems require human review of outputs, what the human review process involves, who has authority to override AI system recommendations, and how escalation works when AI outputs are ambiguous or potentially harmful.

Auditors pay particular attention to the human oversight policy because it addresses one of the most distinctive governance concerns of ISO 42001: that AI should augment rather than replace human judgement in high-stakes contexts. A vague or generic human oversight policy signals that the organisation has not genuinely thought through its AI governance obligations at an operational level.

AI Supplier Management Policy

The AI supplier management policy governs how your organisation evaluates, contracts with, and oversees third-party providers of AI systems, components, or services. It must define the criteria used to assess AI supplier governance practices, the contractual requirements imposed on AI suppliers, and the ongoing oversight processes applied to supplier relationships. This policy is particularly important for organisations that rely heavily on third-party AI tools — SaaS platforms, cloud AI services, or licensed AI models. Without a formal supplier management policy, the Annex A supplier governance controls lack direction.

AI Incident Management Policy

The AI incident management policy defines how your organisation responds to AI-related incidents — unexpected outputs, performance failures, bias events, or system errors that affect individuals or operations. It must cover incident detection triggers, severity classification, escalation paths, investigation procedures, stakeholder notification requirements, and corrective action processes.

Many organisations have IT incident management policies but lack AI-specific incident management guidance. The ISO 42001 requirement in this area goes beyond conventional IT incident response: it calls for governance processes designed for AI failure modes, including the option to withdraw an AI system from operation while a serious incident is investigated.

Mandatory Documented Information Beyond Policies

Document (required by): Key content

AIMS Scope Statement (Clause 4.3): AI systems in scope, organisational boundaries, exclusion justifications
AI Objectives (Clause 6.2): Measurable objectives with plans for achievement, monitoring, and review
AI Risk Register (Clause 6.1.2, risk assessment results): Identified risks, likelihood and impact assessments, treatment decisions
Risk Treatment Plan (Clause 6.1.3): Risk-to-control mapping, implementation owners, timelines
Statement of Applicability (Clause 6.1.3 d): Every Annex A control with applicability decision, justification, and implementation status
AI System Impact Assessment Results (Clause 6.1.4): Assessed impacts on individuals, groups, and society for each AI system in scope
Internal Audit Programme and Reports (Clause 9.2): Audit schedule, completed reports, findings and corrective actions
Management Review Records (Clause 9.3): Review inputs covered, decisions made, improvement actions assigned
Competency and Training Records (Clause 7.2): Evidence of appropriate knowledge and training for AIMS roles
Corrective Action Records (Clause 10.2): Nonconformities identified, root cause analysis, corrective actions taken

See our full scope guide for what the AIMS scope statement must contain.

How to Structure ISO 42001 Policies for Audit Readiness

Standard Policy Header Elements

Every policy in your ISO 42001 documentation framework should include a standard header containing: the document title and unique reference number, the version number and effective date, the author and approver names and roles, the next review date, and a brief change history table. This metadata allows auditors to quickly verify currency and governance.

Purpose and Scope Section

Each policy should open with a clear statement of its purpose — why the policy exists and what governance objective it serves — and a definition of its scope — which AI systems, business units, and activities it applies to. This section should be specific enough that readers can immediately determine whether the policy applies to their work.

Policy Statements Section

The core of each policy is a set of clear, specific policy statements — declarative statements of what the organisation will or will not do in the relevant governance area. Policy statements should be verifiable — auditors should be able to test compliance with each statement through examination of operational records, not just documentation review.

Roles and Responsibilities Section

Each policy should define who is responsible for implementing it, who is accountable for compliance, and who has authority to approve exceptions. This section connects the policy to Clause 5 leadership requirements and ensures that accountability is clear throughout the governance hierarchy.

Review and Maintenance Section

Finally, each policy should specify how and when it will be reviewed. The standard does not fix a review interval, but an annual review is the practical minimum, and a review should also be triggered whenever significant changes occur in the regulatory environment, organisational structure, or AI system portfolio. The review commitment must be genuine: auditors check whether reviews are actually occurring on schedule.

Common ISO 42001 Policy Mistakes That Cause Audit Findings

  • Using generic templates without customisation — Policies downloaded from online sources and lightly edited rarely address the organisation’s specific AI systems, risk profile, or governance context. Auditors spot generic templates quickly and question whether the organisation genuinely understands its AI governance obligations.
  • Policies not approved at the right level — The AI policy specifically must be approved at senior leadership level. Policies approved only at a middle management level signal that AI governance has not achieved the leadership visibility the standard requires.
  • Policies not communicated to relevant staff — Having policies on a document management system that staff cannot find or have not read does not satisfy the communication requirement. Auditors interview staff and ask about policies — staff should be able to articulate the key principles without referring to documentation.
  • Policies that conflict with each other — Inconsistencies between ISO 42001 policies — for example, a human oversight policy that conflicts with an AI lifecycle management policy on approval authorities — create audit findings and signal poor governance programme design.
  • No documented review history — Policies without documented review dates, reviewer names, or change histories appear unmanaged to auditors. Every review — even where no changes result — should be documented.

Integrating ISO 42001 Policies with ISO 27001 Documentation

For organisations already certified against ISO 27001, integrating ISO 42001 policies with the existing ISMS documentation framework reduces duplication and simplifies ongoing maintenance. Several ISO 42001 policies can be built as extensions of existing ISO 27001 policies rather than standalone documents.

For example, the AI risk management policy can be written as an annex or supplement to the existing information security risk management policy — sharing the same risk assessment methodology and risk appetite framework while addressing AI-specific risk categories. Similarly, the AI incident management policy can extend existing IT incident management policies with AI-specific content.

This integrated approach reduces the total documentation volume your team needs to maintain and simplifies the audit evidence trail — auditors can see how AI governance integrates with the broader management system rather than existing as a parallel silo. Our ISO 42001 vs ISO 27001 comparison and our transition guide cover integration strategy in detail.

Build Audit-Ready ISO 42001 Policies with CertPro

CertPro CPA LLC develops ISO 42001 policies tailored to your organisation’s specific AI systems, risk profile, and regulatory context — not generic templates that fail under auditor scrutiny. Our licensed CPA auditors build documentation to the standard that certification body auditors expect.

Start Building Your ISO 42001 Policy Framework with CertPro →

FAQ

What is the mandatory AI policy required by ISO 42001?

The mandatory AI policy is a formal document required by Clause 5.2 and Annex A Control A.2.2 of the standard. It must express the organisation's commitment to responsible AI management and continual improvement, define AI governance principles, commit to meeting applicable requirements, provide the framework for setting AI objectives, and be approved at senior leadership level, communicated within the organisation, and available to interested parties as appropriate.

How many policies does an ISO 42001 AIMS require?

A comprehensive AIMS typically requires six to eight core policies: the mandatory AI policy, plus supporting policies covering AI risk management, AI lifecycle management, AI data governance, human oversight, AI supplier management, and AI incident management. The exact set depends on your organisation’s AI context and the Annex A controls applicable to your scope.

Can we reuse our ISO 27001 policies for ISO 42001?

Some ISO 27001 policies can be extended or supplemented to satisfy ISO 42001 requirements — particularly risk management and incident management policies. However, ISO 42001 requires AI-specific policy content that ISO 27001 policies do not contain by default. A careful gap analysis against ISO 42001 requirements will identify which existing policies can be extended and which need to be created from scratch.

How often do ISO 42001 policies need to be reviewed?

The standard sets no fixed interval, but as a practical minimum all ISO 42001 policies should be reviewed annually. Additionally, they should be reviewed whenever significant changes occur: new AI systems deployed within scope, material changes to the regulatory environment, significant organisational restructuring, or AI-related incidents that reveal gaps in existing policy provisions. Every review must be documented, even where no changes result.

What happens if our AI policy does not meet ISO 42001 requirements at Stage 1?

A non-compliant AI policy at Stage 1 typically results in a major nonconformity finding that must be remediated before Stage 2 can proceed. The certification body will specify what is missing or inadequate and allow a defined period, commonly in the range of 30 to 90 days depending on the body, for the organisation to revise and resubmit the policy for review before Stage 2 is scheduled.

Does the AI policy need to be publicly available?

ISO 42001 requires the AI policy to be available to interested parties where appropriate. For most organisations, this means making the policy available to customers, suppliers, and regulators on request — and potentially publishing it publicly if customer or regulatory expectations make public availability appropriate. The standard does not mandate public publication, but it does require that relevant stakeholders can access the policy when needed.
