ISO 42001 Annex A Controls Explained with Examples

Annex A Overview

ISO 42001 Annex A provides a reference set of control objectives organized into domains. Unlike prescriptive controls, these are objectives - the organization determines how to achieve them based on their context and risk assessment.

Annex A Structure

Annex A is organized into the following domains:

• A.2 - AI Policies
• A.3 - Internal Organization
• A.4 - Resources for AI Systems
• A.5 - AI System Lifecycle
• A.6 - Data for AI Systems
• A.7 - AI System Information
• A.8 - Use of AI Systems
• A.9 - Third-Party Relationships

A.2 AI Policies

This domain ensures organizational policies address AI-specific governance requirements.

A.2.2 AI Policy

Objective: Establish management direction and commitment for responsible AI through documented policies.

Implementation Example:

• Documented AI policy approved by executive leadership
• Policy addresses fairness, transparency, human oversight, and safety
• Commitment to compliance with applicable AI regulations
• Policy communicated to all relevant personnel
• Annual policy review and update process

A.2.3 Review of AI Policies

Objective: Ensure AI policies remain suitable and effective over time.

Implementation Example:

• Scheduled annual policy review
• Triggered reviews when significant changes occur (new regulations, major incidents)
• Review considers effectiveness, stakeholder feedback, and emerging best practices

A.3 Internal Organization

Controls ensuring appropriate organizational structure and accountability for AI governance.

A.3.2 Roles and Responsibilities

Objective: Clearly define and assign responsibilities for AI governance.

Implementation Example:

• AI Governance Committee with executive representation
• Designated AI Ethics Officer or equivalent role
• RACI matrix for AI development, deployment, and monitoring
• Clear escalation paths for AI-related decisions

A.3.3 Reporting

Objective: Establish reporting mechanisms for AI governance matters.

Implementation Example:

• Monthly AI governance dashboard to leadership
• Quarterly reports on AI risk status and incidents
• Channels for reporting AI ethics concerns

A.4 Resources for AI Systems

Controls addressing human, technical, and financial resources for AI governance.

A.4.2 Human Resources

Objective: Ensure personnel have necessary competencies for their AI-related roles.

Implementation Example:

• Competency requirements defined for AI roles
• Mandatory AI ethics training for developers and operators
• Specialized training on bias detection and mitigation
• Background checks for personnel with access to sensitive AI systems

A.4.4 Computing Resources

Objective: Provide adequate computing infrastructure for AI systems.

Implementation Example:

• Dedicated AI development and production environments
• Scalable infrastructure for model training and inference
• Security controls for AI infrastructure
• Capacity planning for AI workloads

A.5 AI System Lifecycle

Controls spanning the entire AI system lifecycle from design through retirement.

A.5.2 AI System Design

Objective: Incorporate responsible AI principles into system design.

Implementation Example:

• Design review checklist including fairness, explainability, and safety
• Architecture documentation addressing AI-specific concerns
• Human oversight mechanisms designed into systems

A.5.4 AI System Development

Objective: Implement responsible development practices.

Implementation Example:

• Code review requirements for AI components
• Version control for models and training code
• Testing procedures including bias and fairness testing
• Model cards documenting intended use and limitations

A.5.5 AI System Verification and Validation

Objective: Verify AI systems meet requirements and perform as intended.

Implementation Example:

• Test plans covering functional and non-functional requirements
• Validation against fairness metrics and thresholds
• User acceptance testing for AI-driven features
• Performance testing under realistic conditions

A.5.6 AI System Deployment

Objective: Control the deployment of AI systems into production.

Implementation Example:

• Deployment approval process with governance sign-off
• Staged rollout (canary, blue-green) for high-risk systems
• Rollback procedures documented and tested
• Post-deployment monitoring activation

A.5.7 AI System Operation and Monitoring

Objective: Maintain oversight of AI systems in production.

Implementation Example:

• Real-time performance monitoring dashboards
• Model drift detection and alerting
• Fairness metric monitoring over time
• Incident response procedures for AI issues

A.5.8 AI System Documentation

Objective: Maintain comprehensive documentation of AI systems.

Implementation Example:

• Model cards for each deployed model
• System architecture and data flow documentation
• Training data documentation and lineage
• User guides and operational runbooks

A.5.9 AI System Retirement

Objective: Properly decommission AI systems when no longer needed.

Implementation Example:

• Retirement approval process
• Data retention and disposal procedures
• Notification to dependent systems and users
• Archive of documentation for regulatory purposes

A.6 Data for AI Systems

Controls addressing data quality, management, and governance for AI systems.

A.6.2 Data Quality

Objective: Ensure data used for AI systems meets quality requirements.

Implementation Example:

• Data quality metrics defined (completeness, accuracy, timeliness)
• Data profiling and quality assessment before use
• Data cleaning and preprocessing standards
• Quality monitoring for ongoing data pipelines

A.6.3 Data Provenance

Objective: Maintain records of data origin and transformations.

Implementation Example:

• Data lineage tracking from source to model
• Documentation of data sources and acquisition methods
• Version control for training datasets
• Audit trail of data transformations

A.6.4 Data Preparation

Objective: Properly prepare data for AI system use.

Implementation Example:

• Documented data preparation procedures
• Bias assessment of training data
• Data augmentation with documented rationale
• Train/test/validation split procedures

A.7 AI System Information

Controls ensuring transparency and information availability about AI systems.

A.7.2 Recording Information about AI Systems

Objective: Document relevant information about AI systems.

Implementation Example:

• AI system registry with key metadata
• Purpose and intended use documentation
• Known limitations and constraints recorded
• Performance characteristics documented

A.7.3 Providing Information to Interested Parties

Objective: Communicate appropriate information to stakeholders.

Implementation Example:

• User-facing disclosures when AI is involved in decisions
• Transparency reports for high-impact systems
• Information available for regulatory inquiries
• Customer-facing documentation about AI capabilities

A.8 Use of AI Systems

Controls governing the responsible use and operation of AI systems.

A.8.2 Intended Use

Objective: Ensure AI systems are used for intended purposes.

Implementation Example:

• Documented intended use statements for each AI system
• Prohibited use cases explicitly defined
• User agreements acknowledging appropriate use
• Monitoring for misuse or scope creep

A.8.3 Processes Regarding AI System Output

Objective: Appropriately handle and use AI system outputs.

Implementation Example:

• Guidance on interpreting AI outputs
• Human review requirements for high-stakes decisions
• Procedures for challenging or overriding AI recommendations
• Documentation of how AI outputs inform decisions

A.9 Third-Party Relationships

Controls for managing external parties in the AI ecosystem.

A.9.2 Monitoring and Review of Third-Party Services

Objective: Maintain oversight of third-party AI services.

Implementation Example:

• Inventory of third-party AI services in use
• Due diligence assessments before procurement
• Contractual requirements for responsible AI practices
• Periodic review of third-party performance and compliance
• Incident notification requirements in contracts

A.9.4 AI System Component Sourcing

Objective: Govern sourcing of AI components (models, data, tools).

Implementation Example:

• Assessment of pre-trained models before adoption
• Licensing and intellectual property review
• Security assessment of AI tools and frameworks
• Vendor risk assessment for AI suppliers

Annex A controls are not one-size-fits-all. Your Statement of Applicability should reflect your organization's specific AI systems, risks, and context. A control that is critical for one organization may be non-applicable for another.

Frequently Asked Questions

How many controls are in ISO 42001 Annex A?

The standard includes controls across multiple domains covering AI policy (A.2), internal organization (A.3), resources (A.4), AI system lifecycle (A.5), data (A.6), system information (A.7), use of AI systems (A.8), and third-party relationships (A.9).

Are ISO 42001 controls similar to ISO 27001?

Some overlap in governance and risk management areas, but ISO 42001 adds AI-specific controls for bias, fairness, transparency, and human oversight that are not present in ISO 27001. Organizations with ISO 27001 can leverage existing governance controls.

What is the hardest ISO 42001 control to implement?

AI impact assessment and bias monitoring are typically the most challenging due to technical complexity and evolving best practices. Organizations often need specialized tools and expertise for fairness testing and model monitoring.

Do controls apply to all AI systems equally?

No — control implementation should be proportionate to the risk level and impact of each AI system. The Statement of Applicability (SoA) documents which controls apply and why, with justification for any exclusions.

How do auditors verify AI controls?

Through evidence of governance processes, technical documentation, model monitoring records, and demonstration of human oversight mechanisms. Auditors use a combination of interviews, document review, observation, and technical verification.