Documentation Requirements Overview

ISO 42001, like other ISO management system standards, requires organizations to maintain documented information so that the AI Management System (AIMS) can be shown to be effective. Documentation serves multiple purposes:

  • Demonstrates conformity to standard requirements
  • Provides evidence for certification audits
  • Ensures consistency in AI governance practices
  • Facilitates knowledge transfer and training
  • Supports continual improvement

The standard itself uses the single term "documented information", but in practice it is useful to distinguish documents (policies, procedures, guidelines, which must be maintained and kept current) from records (evidence that activities were actually performed, which must be retained).

Mandatory Documents

The following documents are explicitly required by ISO 42001:

Governance Documents

  • AIMS Scope Statement (4.3) - Defines boundaries and applicability of the AI Management System
  • AI Policy (5.2) - Top management commitment to responsible AI, framework for objectives
  • AI Objectives (6.2) - Measurable goals for AIMS aligned with AI policy

Risk Management Documents

  • AI Risk Assessment Methodology (6.1.2) - Process for identifying and evaluating AI-specific risks
  • AI Risk Treatment Plan (6.1.3) - Selected treatments for identified risks
  • Statement of Applicability (6.1.3) - Annex A controls selected/excluded with justification
  • AI System Impact Assessment Process (6.1.4) - Methodology for assessing the impacts of AI systems on individuals, groups and society

Operational Documents

  • Operational Procedures (8.1) - Documented procedures for operational planning and control
  • Internal Audit Program (9.2) - Audit schedule, criteria, and methodology

Document Control

All documented information must be controlled per Clause 7.5: identification, format, and review and approval for suitability (7.5.2), and the controls of 7.5.3, which cover availability where and when needed, protection against loss of confidentiality, improper use, or loss of integrity (so access controls on risk and impact assessment content, not just on policies), change and version control, and retention and disposition.

Required Records

Records provide evidence that processes were performed. ISO 42001 requires retention of:

Risk and Impact Records

  • AI Risk Assessment Results (6.1.2, 8.2) - Documented risk assessments for AI systems
  • AI Risk Treatment Results (8.3) - Evidence of risk treatment implementation
  • AI System Impact Assessment Results (6.1.4, 8.4) - Documented impact assessments

Competence and Awareness Records

  • Competence Evidence (7.2) - Training records, qualifications, experience documentation

Performance Records

  • Monitoring and Measurement Results (9.1) - AIMS performance metrics
  • Internal Audit Results (9.2) - Audit reports and findings
  • Management Review Minutes (9.3) - Records of management review meetings

Improvement Records

  • Nonconformity Records (10.2) - Documented nonconformities and corrective actions

While not explicitly mandated, documents in the following categories are typically expected by auditors:

Supporting Procedures

Technical Documentation

What Auditors Look For

Stage 1 Audit (Documentation Review)

Auditors will verify:

  • All mandatory documents exist and are approved
  • Scope statement is clear and justified
  • AI policy addresses responsible AI principles
  • Risk assessment methodology is appropriate for AI risks
  • Statement of Applicability covers relevant Annex A controls
  • Document control procedures are established

Stage 2 Audit (Implementation Review)

Auditors will verify:

  • Documented procedures are being followed
  • Records demonstrate actual implementation
  • AI risk assessments cover systems in scope
  • Impact assessments address relevant concerns
  • Internal audits have been conducted
  • Management review has occurred
  • Nonconformities are being addressed

Auditors are not looking for perfection - they are looking for a functioning system with evidence of implementation and continual improvement. Well-organized, accessible documentation significantly improves audit efficiency.

Documentation Best Practices

Keep It Practical

  • Write procedures that reflect actual practices
  • Avoid over-documentation - focus on what adds value
  • Use templates and checklists for consistency

Maintain Accessibility

  • Ensure relevant personnel can access needed documents
  • Use clear naming conventions and organization
  • Consider a document management system for larger implementations

Demonstrate Links

  • Show traceability from risks to controls to evidence
  • Link AI objectives to policy commitments
  • Connect nonconformities to corrective actions

Version Control

  • Maintain clear version history
  • Ensure current versions are identifiable
  • Archive superseded versions appropriately