ISO 42001

ISO 42001 control mapping

A working guide to Annex A of the standard — its 38 controls across nine objectives, how to map them to your AI systems, and the evidence an assessor looks for.

What Annex A is for

Alongside its management system requirements, ISO/IEC 42001:2023 provides Annex A — a reference set of controls an organisation can use to treat the AI-related risks it identifies. Annex A contains 38 controls organised under nine control objectives. The controls are a structured menu: an organisation selects and applies those relevant to its context and justifies its choices, much as Annex A of ISO/IEC 27001 works for information security.

The nine control objectives

The 38 controls are grouped under nine objectives that together span the AI management system:

  • AI policy — direction and policy for the use of AI.
  • Internal organisation — roles, responsibilities and reporting for AI.
  • Resources — the data, tooling, computing and human resources AI depends on.
  • Impact assessment — assessing impacts of AI systems on individuals and groups.
  • AI system life cycle — responsible management across the system life cycle.
  • Data for AI systems — governance of the data used in AI systems.
  • Information for interested parties — what is communicated to those affected by the system.
  • Use of AI systems — responsible use in operation.
  • Third-party relationships — managing suppliers and other third parties involved in AI.

How to map controls to your systems

Mapping turns the reference set into something specific to your estate. A practical approach:

  • List the AI systems within your AIMS scope.
  • For each control, decide whether it applies given the risks you have identified, and record the decision.
  • Where a control applies, point it at the system or process that implements it.
  • Note where a control is not applicable, with a short justification — assessors expect to see this reasoning.

The evidence an assessor looks for

For each applicable control, the question is simple: can you show it is in place and working? Typical evidence includes:

  • The policy, procedure or standard that defines the control.
  • Records that show the control being operated — assessments, logs, approvals, reviews.
  • A named owner accountable for the control.
  • A statement of applicability that records which controls apply and why.
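The mapping steps and the evidence checklist above, turned into one pre-assessment check (an added example, not code from the page or from the TrustedAIGov platform). Control identifiers, system names, owners and evidence entries are constructed placeholders rather than the standard's own numbering, and `check_control_map` is a hypothetical helper.

```python
from dataclasses import dataclass, field


@dataclass
class ControlEntry:
    """One row of the control map / statement of applicability."""
    control_id: str                     # constructed placeholder id, not the standard's numbering
    objective: str                      # one of the nine Annex A objectives
    applicable: bool
    justification: str = ""             # required when the control is not applicable
    systems: list = field(default_factory=list)   # in-scope AI systems that implement it
    owner: str = ""                     # named person accountable for the control
    evidence: list = field(default_factory=list)  # records showing the control operating


def check_control_map(entries, in_scope_systems):
    """Return the gaps an assessor would raise; an empty list means the map is audit-ready."""
    findings = []
    for e in entries:
        if not e.applicable:
            if not e.justification.strip():
                findings.append(f"{e.control_id}: not applicable but no justification recorded")
            continue
        if not e.owner:
            findings.append(f"{e.control_id}: no named owner")
        if not e.evidence:
            findings.append(f"{e.control_id}: no evidence of the control operating")
        if not e.systems:
            findings.append(f"{e.control_id}: applicable but mapped to no system")
        for s in e.systems:
            if s not in in_scope_systems:   # e.g. a retired system still referenced in the map
                findings.append(f"{e.control_id}: mapped to '{s}', which is not in AIMS scope")
    return findings


# Constructed sample map: two in-scope systems, plus a retired system still referenced.
IN_SCOPE = {"support-chatbot", "fraud-scoring"}
SAMPLE_MAP = [
    ControlEntry("CTRL-01", "AI policy", True, systems=["support-chatbot", "fraud-scoring"],
                 owner="Head of Risk", evidence=["AI policy v2 approval record"]),
    ControlEntry("CTRL-02", "Impact assessment", True, systems=["fraud-scoring"]),
    ControlEntry("CTRL-03", "Third-party relationships", False),
    ControlEntry("CTRL-04", "Use of AI systems", True, systems=["legacy-recommender"],
                 owner="Ops lead", evidence=["operations runbook"]),
]


def sample_findings():
    return check_control_map(SAMPLE_MAP, IN_SCOPE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running it on the sample reports four gaps: a missing owner and missing evidence for CTRL-02, an unjustified not-applicable decision for CTRL-03, and CTRL-04 still pointing at a system outside scope.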

Keeping the map current

A control map is only useful if it stays aligned to reality. As AI systems are added, changed or retired, the applicability of controls and the evidence behind them shifts. Reviewing the map alongside the management system's performance evaluation keeps it accurate and keeps audit preparation from becoming a last-minute scramble.

How TrustedAIGov helps

The TrustedAIGov Governance Platform is designed to support control-mapping work aligned to Annex A — holding the applicability decisions, owners and evidence for each control in one place and keeping them current as systems change. It supports your team's audit preparation; it does not itself certify your controls.

Map your controls with confidence

Turn Annex A into a living map of applicable controls, owners and evidence across your AI systems.