Annex A Overview

ISO 42001 Annex A provides a reference set of control objectives organized into domains. Unlike prescriptive controls, these are objectives - the organization determines how to achieve them based on its own context and risk assessment.

Using Annex A

During risk treatment (Clause 6.1.3), compare your selected controls against Annex A to ensure nothing relevant has been overlooked. Document your Statement of Applicability (SoA), explaining why each control is included or excluded and, for included controls, how it is implemented.

Annex A Structure

Annex A is organized into the following domains:

  • A.2 - AI Policies
  • A.3 - Internal Organization
  • A.4 - Resources for AI Systems
  • A.5 - AI System Lifecycle
  • A.6 - Data for AI Systems
  • A.7 - AI System Information
  • A.8 - Use of AI Systems
  • A.9 - Third-Party Relationships

A.2 AI Policies

This domain ensures organizational policies address AI-specific governance requirements.

A.2.2 AI Policy

Objective: Establish management direction and commitment for responsible AI through documented policies.

Implementation Example:

  • Documented AI policy approved by executive leadership
  • Policy addresses fairness, transparency, human oversight, and safety
  • Commitment to compliance with applicable AI regulations
  • Policy communicated to all relevant personnel
  • Annual policy review and update process

A.2.3 Review of AI Policies

Objective: Ensure AI policies remain suitable and effective over time.

Implementation Example:

  • Scheduled annual policy review
  • Triggered reviews when significant changes occur (new regulations, major incidents)
  • Review considers effectiveness, stakeholder feedback, and emerging best practices

A.3 Internal Organization

Controls ensuring appropriate organizational structure and accountability for AI governance.

A.3.2 Roles and Responsibilities

Objective: Clearly define and assign responsibilities for AI governance.

Implementation Example:

  • AI Governance Committee with executive representation
  • Designated AI Ethics Officer or equivalent role
  • RACI matrix for AI development, deployment, and monitoring
  • Clear escalation paths for AI-related decisions

A.3.3 Reporting

Objective: Establish reporting mechanisms for AI governance matters.

Implementation Example:

  • Monthly AI governance dashboard to leadership
  • Quarterly reports on AI risk status and incidents
  • Channels for reporting AI ethics concerns

A.4 Resources for AI Systems

Controls addressing human, technical, and financial resources for AI governance.

A.4.2 Human Resources

Objective: Ensure personnel have necessary competencies for their AI-related roles.

Implementation Example:

  • Competency requirements defined for AI roles
  • Mandatory AI ethics training for developers and operators
  • Specialized training on bias detection and mitigation
  • Background checks for personnel with access to sensitive AI systems

A.4.4 Computing Resources

Objective: Provide adequate computing infrastructure for AI systems.

Implementation Example:

  • Dedicated AI development and production environments
  • Scalable infrastructure for model training and inference
  • Security controls for AI infrastructure
  • Capacity planning for AI workloads

A.5 AI System Lifecycle

Controls spanning the entire AI system lifecycle from design through retirement.

A.5.2 AI System Design

Objective: Incorporate responsible AI principles into system design.

Implementation Example:

  • Design review checklist including fairness, explainability, and safety
  • Architecture documentation addressing AI-specific concerns
  • Human oversight mechanisms designed into systems

A.5.4 AI System Development

Objective: Implement responsible development practices.

Implementation Example:

  • Code review requirements for AI components
  • Version control for models and training code
  • Testing procedures including bias and fairness testing
  • Model cards documenting intended use and limitations

A.5.5 AI System Verification and Validation

Objective: Verify AI systems meet requirements and perform as intended.

Implementation Example:

  • Test plans covering functional and non-functional requirements
  • Validation against fairness metrics and thresholds
  • User acceptance testing for AI-driven features
  • Performance testing under realistic conditions

A.5.6 AI System Deployment

Objective: Control the deployment of AI systems into production.

Implementation Example:

  • Deployment approval process with governance sign-off
  • Staged rollout (canary, blue-green) for high-risk systems
  • Rollback procedures documented and tested
  • Post-deployment monitoring activation

A.5.7 AI System Operation and Monitoring

Objective: Maintain oversight of AI systems in production.

Implementation Example:

  • Real-time performance monitoring dashboards
  • Model drift detection and alerting
  • Fairness metric monitoring over time
  • Incident response procedures for AI issues

A.5.8 AI System Documentation

Objective: Maintain comprehensive documentation of AI systems.

Implementation Example:

  • Model cards for each deployed model
  • System architecture and data flow documentation
  • Training data documentation and lineage
  • User guides and operational runbooks

A.5.9 AI System Retirement

Objective: Properly decommission AI systems when no longer needed.

Implementation Example:

  • Retirement approval process
  • Data retention and disposal procedures
  • Notification to dependent systems and users
  • Archive of documentation for regulatory purposes

A.6 Data for AI Systems

Controls addressing data quality, management, and governance for AI systems.

A.6.2 Data Quality

Objective: Ensure data used for AI systems meets quality requirements.

Implementation Example:

  • Data quality metrics defined (completeness, accuracy, timeliness)
  • Data profiling and quality assessment before use
  • Data cleaning and preprocessing standards
  • Quality monitoring for ongoing data pipelines

A.6.3 Data Provenance

Objective: Maintain records of data origin and transformations.

Implementation Example:

  • Data lineage tracking from source to model
  • Documentation of data sources and acquisition methods
  • Version control for training datasets
  • Audit trail of data transformations

A.6.4 Data Preparation

Objective: Properly prepare data for AI system use.

Implementation Example:

  • Documented data preparation procedures
  • Bias assessment of training data
  • Data augmentation with documented rationale
  • Train/test/validation split procedures

A.7 AI System Information

Controls ensuring transparency and information availability about AI systems.

A.7.2 Recording Information about AI Systems

Objective: Document relevant information about AI systems.

Implementation Example:

  • AI system registry with key metadata
  • Purpose and intended use documentation
  • Known limitations and constraints recorded
  • Performance characteristics documented

A.7.3 Providing Information to Interested Parties

Objective: Communicate appropriate information to stakeholders.

Implementation Example:

  • User-facing disclosures when AI is involved in decisions
  • Transparency reports for high-impact systems
  • Information available for regulatory inquiries
  • Customer-facing documentation about AI capabilities

A.8 Use of AI Systems

Controls governing the responsible use and operation of AI systems.

A.8.2 Intended Use

Objective: Ensure AI systems are used for intended purposes.

Implementation Example:

  • Documented intended use statements for each AI system
  • Prohibited use cases explicitly defined
  • User agreements acknowledging appropriate use
  • Monitoring for misuse or scope creep

A.8.3 Processes Regarding AI System Output

Objective: Appropriately handle and use AI system outputs.

Implementation Example:

  • Guidance on interpreting AI outputs
  • Human review requirements for high-stakes decisions
  • Procedures for challenging or overriding AI recommendations
  • Documentation of how AI outputs inform decisions

A.9 Third-Party Relationships

Controls for managing external parties in the AI ecosystem.

A.9.2 Monitoring and Review of Third-Party Services

Objective: Maintain oversight of third-party AI services.

Implementation Example:

  • Inventory of third-party AI services in use
  • Due diligence assessments before procurement
  • Contractual requirements for responsible AI practices
  • Periodic review of third-party performance and compliance
  • Incident notification requirements in contracts

A.9.4 AI System Component Sourcing

Objective: Govern sourcing of AI components (models, data, tools).

Implementation Example:

  • Assessment of pre-trained models before adoption
  • Licensing and intellectual property review
  • Security assessment of AI tools and frameworks
  • Vendor risk assessment for AI suppliers

Annex A controls are not one-size-fits-all. Your Statement of Applicability should reflect your organization's specific AI systems, risks, and context. A control that is critical for one organization may be not applicable for another, as long as the exclusion is justified.
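The SoA reconciliation described under "Using Annex A" and in the closing note, as an added example that is not part of the standard or of this page: it checks an SoA against the Annex A control IDs listed above and reports overlooked controls, unknown IDs, missing justifications, and included controls with no implementation reference. The SoA entry fields and document IDs are assumptions.

```python
"""Added example: check a Statement of Applicability (SoA) against the Annex A
control list on this page, as Clause 6.1.3 risk treatment asks for."""
from dataclasses import dataclass, field

# Annex A control IDs as listed on this page.
ANNEX_A_CONTROLS = {
    "A.2.2", "A.2.3", "A.3.2", "A.3.3", "A.4.2", "A.4.4",
    "A.5.2", "A.5.4", "A.5.5", "A.5.6", "A.5.7", "A.5.8", "A.5.9",
    "A.6.2", "A.6.3", "A.6.4", "A.7.2", "A.7.3", "A.8.2", "A.8.3",
    "A.9.2", "A.9.4",
}

@dataclass
class SoaEntry:              # assumed SoA record layout, not prescribed by the standard
    control_id: str
    applicable: bool         # included (True) or excluded (False)
    justification: str = ""  # why it is included or excluded
    implementation: list = field(default_factory=list)  # policies, procedures, tools

def check_soa(entries):
    """Return sorted (control_id, finding) pairs; an empty list means no gaps."""
    findings, seen = [], set()
    for e in entries:
        if e.control_id not in ANNEX_A_CONTROLS:
            findings.append((e.control_id, "unknown control ID"))
            continue
        if e.control_id in seen:
            findings.append((e.control_id, "duplicate SoA entry"))
            continue
        seen.add(e.control_id)
        if not e.justification.strip():
            findings.append((e.control_id, "no justification"))
        if e.applicable and not e.implementation:
            findings.append((e.control_id, "included but no implementation reference"))
    for cid in sorted(ANNEX_A_CONTROLS - seen):   # Annex A controls never considered
        findings.append((cid, "not addressed in SoA"))
    return sorted(findings)

# Constructed sample SoA (hypothetical document IDs) that exercises each finding type.
SAMPLE_SOA = [
    SoaEntry("A.2.2", True, "AI policy approved by leadership", ["POL-AI-01"]),
    SoaEntry("A.5.7", True, "Models run in production", []),
    SoaEntry("A.9.2", False, ""),
    SoaEntry("A.9.5", True, "mistyped ID", ["DOC-X"]),
]

if __name__ == "__main__":
    for cid, finding in check_soa(SAMPLE_SOA):
        print(f"{cid}: {finding}")
```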