ISO 42001:2023 controls: All you need to know (Annex A and Statement of Applicability)
ISO/IEC 42001:2023 includes Annex A, a reference set of controls for AI-specific risks across the AI system lifecycle (data, development, deployment, monitoring, transparency, and supplier-provided AI).
Key takeaways
- Annex A controls are selected on the basis of your AI risk assessment, not implemented wholesale.
- Your SoA documents applicable controls and exclusions.
- Controls align with themes also found in ISO 27001—reuse evidence where possible.
- Other annexes (B–D) provide implementation guidance and sector notes.
Annex structure
Annex A groups controls around:
- AI policies and roles
- Data for AI systems
- Model development and validation
- Deployment and monitoring
- Transparency and communication
- Third-party and customer AI relationships
Exact control IDs should be tracked in your compliance tool against owners and tests.
Statement of Applicability
The SoA links each control to:
- Applicable (yes/no) and justification
- Implementation status
- Related policies and evidence locations
Evidence examples
- Model cards and risk assessments
- Dataset lineage and quality checks
- Production monitoring dashboards
- Human oversight procedures for high-risk automation
- Vendor AI due diligence records
Disclaimer (legal note)
Control interpretation follows your certification body. Informational only.