Key Takeaways
  • ISO 42001 requires documented information specific to AI governance beyond standard management system documents
  • Documents mandated by the main clauses include the AIMS scope, AI policy, AI risk assessment and AI impact assessment; Annex A controls selected in the Statement of Applicability add AI-specific documentation such as an AI system inventory and data management records
  • Model governance documentation (training data, model versioning, validation results) is essential audit evidence
  • Organizations must maintain records of AI-related decisions, including deployment approvals and human oversight actions
  • Documentation should be proportionate to the AI system's risk level and complexity

Documentation Requirements Overview

ISO 42001, like other ISO management system standards, requires organizations to maintain documented information that supports the effectiveness of the AI management system (AIMS). Documentation serves multiple purposes:

  • Demonstrates conformity to standard requirements
  • Provides evidence for certification audits
  • Ensures consistency in AI governance practices
  • Facilitates knowledge transfer and training
  • Supports continual improvement

The standard uses the umbrella term "documented information" but, in practice, distinguishes between documents (policies, procedures, guidelines, which are maintained and kept current) and records (evidence that activities were performed, which are retained unaltered).

Mandatory Documents

The following documents are explicitly required by ISO 42001:

Governance Documents

  • AIMS Scope Statement (4.3) - Defines boundaries and applicability of the AI Management System
  • AI Policy (5.2) - Top management commitment to responsible AI, framework for objectives
  • AI Objectives (6.2) - Measurable goals for AIMS aligned with AI policy

Risk Management Documents

  • AI Risk Assessment Methodology (6.1.2) - Process for identifying and evaluating AI-specific risks
  • AI Risk Treatment Plan (6.1.3) - Selected treatments for identified risks
  • Statement of Applicability (6.1.3) - Annex A controls selected/excluded with justification
  • AI Impact Assessment Process (6.1.4) - Methodology for assessing AI system impacts

Operational Documents

  • Operational Procedures (8.1) - Documented procedures for operational planning and control
  • Internal Audit Program (9.2) - Audit schedule, criteria, and methodology

Document Control

All documented information must be controlled per Clause 7.5, including identification and format, review and approval, version control, access controls, protection against loss of confidentiality or integrity, and retention and disposition requirements.

Required Records

Records provide evidence that processes were performed. ISO 42001 requires retention of:

Risk and Impact Records

  • AI Risk Assessment Results (6.1.2, 8.2) - Documented risk assessments for AI systems
  • AI Risk Treatment Results (8.3) - Evidence of risk treatment implementation
  • AI Impact Assessment Results (6.1.4, 8.4) - Documented impact assessments

Competence and Awareness Records

  • Competence Evidence (7.2) - Training records, qualifications, experience documentation

Performance Records

  • Monitoring and Measurement Results (9.1) - AIMS performance metrics
  • Internal Audit Results (9.2) - Audit reports and findings
  • Management Review Minutes (9.3) - Records of management review meetings

Improvement Records

  • Nonconformity Records (10.2) - Documented nonconformities and corrective actions

While not explicitly mandated by the main clauses, auditors typically expect supporting procedures and technical documentation that evidence the Annex A controls selected in the Statement of Applicability. Examples that recur in practice are an AI system inventory, data management procedures and records, and model governance documentation (training data, model versioning, validation results), together with AI system lifecycle records and incident and anomaly reports.

What Auditors Look For

Stage 1 Audit (Documentation Review)

Auditors will verify:

  • All mandatory documents exist and are approved
  • Scope statement is clear and justified
  • AI policy addresses responsible AI principles
  • Risk assessment methodology is appropriate for AI risks
  • Statement of Applicability covers relevant Annex A controls
  • Document control procedures are established

Stage 2 Audit (Implementation Review)

Auditors will verify:

  • Documented procedures are being followed
  • Records demonstrate actual implementation
  • AI risk assessments cover systems in scope
  • Impact assessments address relevant concerns
  • Internal audits have been conducted
  • Management review has occurred
  • Nonconformities are being addressed

Auditors are not looking for perfection; they are looking for a functioning system with evidence of implementation and continual improvement. Well-organized, accessible documentation with clear traceability between risks, controls and evidence significantly improves audit efficiency.

Documentation Best Practices

Keep It Practical

  • Write procedures that reflect actual practices
  • Avoid over-documentation - focus on what adds value
  • Use templates and checklists for consistency

Maintain Accessibility

  • Ensure relevant personnel can access needed documents
  • Use clear naming conventions and organization
  • Consider a document management system for larger implementations

Demonstrate Links

  • Show traceability from risks to controls to evidence
  • Link AI objectives to policy commitments
  • Connect nonconformities to corrective actions

Version Control

  • Maintain clear version history
  • Ensure current versions are identifiable
  • Archive superseded versions appropriately

Frequently Asked Questions

What documents does ISO 42001 require?

The main clauses require an AIMS scope statement, AI policy, AI objectives, AI risk assessment methodology and results, AI risk treatment plan, Statement of Applicability, AI impact assessment process and results, an internal audit program, management review minutes, monitoring evidence and nonconformity records. Annex A controls selected in the Statement of Applicability typically add an AI system inventory, data management procedures and model governance records.

Is an AI policy the same as an information security policy?

No — the AI policy must address responsible AI principles, ethical considerations, and AI-specific governance commitments beyond information security. It covers fairness, transparency, accountability, human oversight, and societal impact.

What records do auditors expect for ISO 42001?

Auditors expect AI system lifecycle records, risk treatment evidence, model performance monitoring data, incident and anomaly reports, management review minutes, internal audit findings, competence evidence, and nonconformity records with corrective actions.

Can ISO 42001 documentation be electronic?

Yes, any format is acceptable as long as version control, access control, and retention requirements defined in Clause 7.5 are met. Electronic document management systems are commonly used.

How much documentation is typical for ISO 42001?

Documentation volume should be proportionate to scope and to the risk level and complexity of the AI systems covered. As a rough indication, organizations with 5-10 AI systems typically maintain 30-50 documented items for a mature AIMS, including policies, procedures, risk assessments, impact assessments, and operational records.