
ISO 42001 Annex A sets out reference control objectives and 38 controls that the organisation considers as part of the AI risk treatment process under Clause 6.1.3. The controls are grouped into nine sections and are documented in the Statement of Applicability with the inclusion or exclusion decision and justification recorded for each. This section of the Knowledge Base covers every Annex A section in plain language, explaining what each control means in practice and what an organisation needs to do to comply.
The Annex A controls work as a structured checklist to make sure no important control area has been overlooked. They are not exhaustive, and the organisation can design additional controls or draw them from other sources where the risk treatment requires it. Annex B provides implementation guidance for each Annex A control.
The relationship between the main clauses and Annex A is the same as in ISO 27001. The main clauses set the management system requirements - context, leadership, planning, support, operation, performance evaluation and improvement. Annex A provides the reference set of controls that the organisation considers when treating the risks identified through the risk assessment process under Clause 6.1.2. The Statement of Applicability under Clause 6.1.3 records which controls have been selected and provides justification for the inclusion or exclusion of each.
A.2 Policies related to AI covers the AI policy itself, alignment with other organisational policies, and the periodic review of the AI policy.
A.3 Internal organization covers the definition and allocation of AI roles and responsibilities and the process for reporting concerns about the organisation's role with respect to AI systems.
A.4 Resources for AI systems covers the documentation of resources used by AI systems including data resources, tooling resources, system and computing resources, and human resources.
A.5 Assessing impacts of AI systems covers the AI system impact assessment process, the documentation of impact assessments, and the assessment of impacts on individuals, groups and societies.
A.6 AI system life cycle is the largest section of Annex A. It covers management guidance for responsible AI system development (objectives and processes for responsible design and development) and the AI system life cycle itself: requirements and specification, design and development documentation, verification and validation, deployment, operation and monitoring, technical documentation, and event logs.
A.7 Data for AI systems covers data management for AI development, data acquisition, data quality, data provenance and data preparation.
A.8 Information for interested parties of AI systems covers system documentation for users, external reporting capabilities, the communication of incidents, and the reporting of information to interested parties.
A.9 Use of AI systems covers the processes for responsible use of AI systems, objectives for responsible use, and intended use of AI systems according to their accompanying documentation.
A.10 Third-party and customer relationships covers the allocation of responsibilities across the AI system life cycle, supplier management, and the consideration of customer expectations and needs.
The Statement of Applicability is a formal output of the AI risk treatment process. It lists every Annex A control, records whether the control is included in the organisation's AI management system, and provides justification for inclusion or exclusion. Where additional controls beyond Annex A have been adopted, those are also recorded in the Statement of Applicability. The Statement of Applicability is reviewed and updated as part of the management system, alongside the AI risk treatment plan, which the risk owners approve together with their acceptance of the residual AI risks as required by Clause 6.1.3.
The Annex A structure will be familiar to anyone certified to ISO 27001. Same control reference table, same Statement of Applicability concept, same risk-based selection process. The content is different - the controls address AI-specific concerns rather than information security concerns - but the framework is the same.
For organisations integrating ISO 42001 with ISO 27001, the Statement of Applicability for each standard remains separate but the management of the two can be integrated. Some Annex A controls under ISO 42001 overlap with controls under ISO 27001 (for example, event logs under A.6.2.8 and supplier management under A.10.3 have close counterparts in the ISO 27001:2022 logging control A.8.15 and supplier relationship controls A.5.19 to A.5.22), and the organisation's response to the overlapping requirements can be shared rather than duplicated, provided the shared evidence is cross-referenced from both Statements of Applicability.
When auditing the Annex A controls, I work systematically through the Statement of Applicability, verifying each included control is implemented and effective and confirming each excluded control has a justification that stands up against the risk assessment. The Annex A audits are typically split across the audit programme rather than tackled in one go.
