ISO 42001:2023 controls: All you need to know (Annex A and Statement of Applicability)
by SecureSlate Team in ISO 42001
ISO/IEC 42001:2023 includes Annex A, a normative control set for AI-specific risks across the system lifecycle: policies, roles, resources, impact assessment, data, development and validation, deployment and monitoring, transparency, and third-party and customer AI relationships.
Key takeaways
- Annex A controls are selected based on the AI risk assessment and risk treatment plan, not implemented blindly; clause 6.1.3 requires you to compare your chosen controls against Annex A to confirm nothing necessary has been omitted.
- Your Statement of Applicability (SoA) records which controls are included, which are excluded, and the justification for each decision.
- Many controls share themes with ISO/IEC 27001 (policies, roles, supplier management, change control), so existing ISMS evidence can often be reused.
- The other annexes are informative: Annex B gives implementation guidance for the Annex A controls, Annex C lists AI-related organizational objectives and risk sources, and Annex D covers use of the AI management system across domains and sectors.
Annex structure
Annex A groups its controls under these objectives:
- Policies related to AI (A.2)
- Internal organization: roles, responsibilities and concern reporting (A.3)
- Resources for AI systems, including data, tooling, system and computing resources, and human resources (A.4)
- Assessing impacts of AI systems on individuals, groups and society (A.5)
- AI system life cycle: objectives, design, development, verification and validation, deployment, operation and monitoring (A.6)
- Data for AI systems: acquisition, provenance, quality and preparation (A.7)
- Information for interested parties: documentation, communication and incident reporting (A.8)
- Use of AI systems: responsible use and intended-use objectives (A.9)
- Third-party and customer relationships, including supplier AI and customer obligations (A.10)
Track each control ID in your compliance tool against a named owner, the test or check that demonstrates it, and the location of its evidence.
Statement of Applicability
The SoA links each Annex A control to:
- Applicable (yes/no), with the justification for inclusion or exclusion
- Implementation status and the accountable owner
- Related policies, the tests or checks that exercise the control, and evidence locations
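Because an SoA is only useful if every row is internally consistent, the following Python script, added here as an illustration and not part of the original page or of any SecureSlate product, checks a small SoA register for the gaps an auditor would flag: excluded controls with no justification, applicable controls with no owner or test, and controls marked implemented with no evidence location. The control IDs (`CTRL-01` and so on), titles, owners and evidence paths are constructed placeholders, not the Annex A numbering.

```python
"""Consistency checks for a Statement of Applicability (SoA) register.

Added example; the register layout and all sample rows are constructed
placeholders, not Annex A control IDs or any official ISO 42001 schema.
"""
from dataclasses import dataclass, field

VALID_STATUS = {"not started", "in progress", "implemented", "excluded"}


@dataclass
class SoaEntry:
    """One row of the SoA: a control and the decisions recorded against it."""
    control_id: str
    title: str
    applicable: bool
    justification: str
    status: str                       # one of VALID_STATUS
    owner: str = ""
    policies: list = field(default_factory=list)
    evidence: list = field(default_factory=list)   # evidence locations
    tests: list = field(default_factory=list)      # checks that exercise it


def check_soa(entries):
    """Return a list of (control_id, finding_code) for rows that fail a rule."""
    findings = []
    seen = set()
    for e in entries:
        if e.control_id in seen:
            findings.append((e.control_id, "duplicate_control_id"))
        seen.add(e.control_id)

        # Every decision, inclusion or exclusion, needs a written justification.
        if not e.justification.strip():
            findings.append((e.control_id, "missing_justification"))
        if e.status not in VALID_STATUS:
            findings.append((e.control_id, "invalid_status"))

        if e.applicable:
            if not e.owner.strip():
                findings.append((e.control_id, "no_owner"))
            if e.status == "excluded":
                findings.append((e.control_id, "applicable_but_excluded"))
            if e.status == "implemented" and not e.evidence:
                findings.append((e.control_id, "implemented_without_evidence"))
            if not e.tests:
                findings.append((e.control_id, "no_test_defined"))
        else:
            # An excluded control must be recorded as excluded, nothing else.
            if e.status != "excluded":
                findings.append((e.control_id, "excluded_status_mismatch"))
    return findings


def coverage(entries):
    """Summarize how many applicable controls are at each status."""
    counts = {}
    for e in entries:
        if e.applicable:
            counts[e.status] = counts.get(e.status, 0) + 1
    return counts


# Constructed sample register: placeholder IDs, not real Annex A controls.
SAMPLE_SOA = [
    SoaEntry("CTRL-01", "AI policy", True, "All AI systems in scope",
             "implemented", "CISO", ["AI Policy v2"],
             ["policies/ai-policy-v2.pdf"], ["annual policy review"]),
    SoaEntry("CTRL-02", "Data provenance", True, "Third-party training data",
             "in progress", "", [], [], ["lineage report"]),
    SoaEntry("CTRL-03", "Model validation", True, "Models run in production",
             "implemented", "ML lead", [], [], ["validation report"]),
    SoaEntry("CTRL-04", "Customer AI disclosure", False, "", "excluded"),
    SoaEntry("CTRL-05", "Supplier AI due diligence", False,
             "No supplier-provided AI in scope", "in progress"),
]

if __name__ == "__main__":
    for cid, code in check_soa(SAMPLE_SOA):
        print(f"{cid}: {code}")
    print("coverage:", coverage(SAMPLE_SOA))
```

Run against the sample register, the checker reports CTRL-02 (no owner), CTRL-03 (implemented with no evidence location), CTRL-04 (exclusion with no justification) and CTRL-05 (excluded control whose status is not "excluded"); CTRL-01 passes because it has a justification, an owner, a test and an evidence location. Hook the same rules into the export of whatever tool holds your SoA so drift is caught before an audit rather than during one.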
Evidence examples
- Model cards and risk assessments
- Dataset lineage and quality checks
- Production monitoring dashboards
- Human oversight procedures for high-risk automation
- Vendor AI due diligence records
Disclaimer (legal note)
Interpretation of individual controls is ultimately determined by your certification body during audit. This page is informational only and is not legal or certification advice.