ISO 42001 Readiness Checklist: Audit-Ready Evidence Guide

How to Use This Checklist

This readiness checklist helps you verify that your AI Management System is prepared for ISO 42001 certification audit. For each requirement, confirm you have the necessary documentation and evidence available.

Clause 4: Context of the Organization

4.1 Understanding the Organization and Its Context

• Documented analysis of external issues affecting AIMS (regulatory, market, technology)
• Documented analysis of internal issues (culture, capabilities, resources)
• Evidence these factors were considered in AIMS design

4.2 Understanding Stakeholder Needs

• List of interested parties relevant to AIMS
• Documented requirements of each interested party
• Evidence requirements were considered in AIMS

4.3 Determining the Scope

• AIMS scope statement clearly documented
• AI systems in scope identified with roles (developer/provider/user)
• Boundaries and applicability defined
• Any exclusions documented with justification
• Scope available to interested parties

4.4 AI Management System

• AIMS documented including processes and interactions
• Process map or system description showing AIMS components

Clause 5: Leadership

5.1 Leadership and Commitment

• Evidence of top management involvement in AIMS establishment
• Resource allocation decisions documented
• Communication from leadership on AI governance importance

5.2 AI Policy

• AI policy document exists
• Policy appropriate to organization's purpose
• Policy includes commitment to responsible AI principles
• Policy provides framework for AI objectives
• Policy includes commitment to continual improvement
• Policy approved by top management
• Evidence policy is communicated internally
• Policy available to relevant external parties

5.3 Organizational Roles, Responsibilities, and Authorities

• AIMS roles and responsibilities documented
• Responsibilities for AIMS conformity assigned
• Responsibility for reporting to top management assigned
• Evidence responsibilities are communicated

Clause 6: Planning

6.1.1 Actions to Address Risks and Opportunities

• Risks and opportunities to AIMS identified
• Actions to address risks/opportunities planned
• Evidence actions are integrated into AIMS

6.1.2 AI Risk Assessment

• AI risk assessment process documented
• Risk criteria defined (including AI-specific criteria)
• Risk assessments completed for all in-scope AI systems
• Risk levels determined based on criteria
• Risk assessment results retained

6.1.3 AI Risk Treatment

• Risk treatment options selected for each risk
• Controls determined for treatment implementation
• Statement of Applicability (SoA) documented
• SoA includes justification for inclusions/exclusions
• Risk treatment plan documented
• Risk treatment results retained

6.1.4 AI System Impact Assessment

• AI impact assessment process documented
• Impact assessments completed for relevant AI systems
• Impacts on individuals considered
• Societal impacts considered
• Impact assessment results retained

6.2 AI Objectives and Planning

• AI objectives established and documented
• Objectives are measurable
• Objectives are consistent with AI policy
• Plans to achieve objectives documented
• Evidence objectives are communicated

6.3 Planning of Changes

• Change management process for AIMS documented
• Evidence changes are conducted in planned manner

Clause 7: Support

7.1 Resources

• Evidence resources are determined and provided
• Budget allocation for AIMS visible

7.2 Competence

• Competence requirements defined for AIMS roles
• Evidence of competence for persons in AIMS roles
• Training records where competence was developed
• Evidence training effectiveness was evaluated

7.3 Awareness

• Evidence personnel are aware of AI policy
• Evidence personnel understand their contribution to AIMS
• Awareness training records

7.4 Communication

• Internal/external communication requirements documented
• Evidence of communications occurring

7.5 Documented Information

• Document control procedure exists
• Documents properly identified and described
• Version control in place
• Approval process evident
• Documents accessible to those who need them
• Protection from unauthorized changes
• Retention requirements defined

Clause 8: Operation

8.1 Operational Planning and Control

• Operational procedures documented
• Criteria for processes established
• Evidence processes are controlled per criteria
• Evidence of outsourced process control

8.2-8.4 Risk Assessment, Treatment, and Impact Assessment

• Evidence risk assessments performed at planned intervals
• Evidence risk assessments updated for significant changes
• Evidence risk treatment plan implemented
• Evidence impact assessments performed as planned

Clause 9: Performance Evaluation

9.1 Monitoring, Measurement, Analysis, and Evaluation

• What to monitor and measure is determined
• Methods for monitoring defined
• Schedule for monitoring defined
• Evidence of monitoring results
• AIMS performance evaluation documented

9.2 Internal Audit

• Internal audit program documented
• Audit criteria and scope defined
• Auditor independence ensured
• At least one complete audit cycle completed
• Audit reports documented
• Findings communicated to relevant management

9.3 Management Review

• Management review completed at planned intervals
• All required inputs considered (status of actions, changes, performance, opportunities)
• Outputs include decisions on improvement opportunities
• Management review minutes retained

Clause 10: Improvement

10.1 Continual Improvement

• Evidence of improvement activities
• Improvement opportunities identified and actioned

10.2 Nonconformity and Corrective Action

• Nonconformity management process documented
• Nonconformities are documented when they occur
• Root cause analysis performed
• Corrective actions implemented
• Effectiveness of corrective actions reviewed
• Records of nonconformities and actions retained

A complete readiness checklist is not just about having documents - it is about having accessible, current evidence that auditors can verify. Organize your evidence repository before the audit begins.