
A guide to the ISO 42001 Annex A controls

Updated 30 June 2026 · 7 min read
Key takeaway
ISO/IEC 42001's Annex A sets out the reference control objectives and controls that organisations apply within their AI management system. Where the standard's main clauses (4 to 10) define how to run the management system, Annex A lists the AI-specific controls used to treat the risks that system identifies, and Annex B gives implementation guidance for each of them. Organisations select the controls relevant to their context, apply them, and record the selection and its justification in a Statement of Applicability, much as they would with ISO 27001's Annex A.
  • Annex A defines the AI-specific controls applied within the ISO/IEC 42001 management system; Annex B explains how to implement them.
  • Control areas span AI policy, internal organisation, resources, impact assessment, the AI system life cycle, data, information for interested parties, use of AI systems, and third-party and customer relationships.
  • Organisations select applicable controls and document their choices, including exclusions and the reasons for them, in a Statement of Applicability.
  • Controls deliver value only when genuinely applied to real AI systems with evidence, which is what auditors check.
  • Current as of June 2026. This is general information, not legal advice.

What the controls are for

A management system needs to address the specific risks of the thing it governs. For AI, those risks include how AI is decided upon and governed, how data is handled, how AI systems are developed and operated over their lifecycle, how transparency is provided, and how AI is used responsibly. Annex A translates these concerns into concrete control areas so that an organisation's management system actually grips the risks that matter for AI.

The main control areas

The Annex A controls span the governance and life cycle of AI. The standard groups them under headings A.2 to A.10, each with a stated control objective, and they cover areas such as:

  • Policies related to AI (A.2): Establishing organisational policy, objectives, and accountability for AI.
  • Internal organisation (A.3): Roles, responsibilities, and reporting lines for AI risk, including how concerns are raised.
  • Resources for AI systems (A.4): Managing the data, tooling, computing, and human resources AI depends on.
  • Assessing impacts of AI systems (A.5): Assessing the effects of an AI system on individuals, groups, and society, not only on the organisation.
  • AI system life cycle (A.6): Governing how AI systems are designed, developed, verified, deployed, operated, monitored, and retired.
  • Data for AI systems (A.7): Managing the data used to develop and run AI, including its quality, provenance, and preparation.
  • Information for interested parties (A.8): Providing appropriate information about AI systems to users, affected parties, and regulators, including how incidents are communicated.
  • Use of AI systems (A.9): Ensuring AI is used as intended and responsibly, with human oversight where needed.
  • Third-party and customer relationships (A.10): Allocating responsibility when AI is supplied by, or supplied to, another organisation.

The exact wording of the controls is defined in the standard, with implementation guidance in Annex B; the point is that together they cover the practical territory of governing AI well.

Selecting and applying controls

Organisations do not apply every control regardless of relevance. As part of risk treatment (clause 6.1.3), they determine which controls are necessary for their AI systems and context, compare that set against Annex A to check nothing has been overlooked, implement the selected controls, and document the selection and the reasons, including any controls excluded and why. Controls can also be drawn from other sources or designed by the organisation where Annex A does not cover a risk. This is the Statement of Applicability approach familiar from ISO 27001, and it is what an auditor reviews to understand how the organisation has scoped its controls.

Keeping controls connected to systems

The value of the controls comes from their being genuinely applied to real AI systems, not merely listed. A control such as data governance or life cycle management only protects you if it is actually operating on the systems it covers, with evidence to show it: an inventory of AI systems mapped to the controls that apply to each, and records such as impact assessments, data provenance and quality checks, and operational monitoring results for each system. As an organisation's AI grows, keeping each control connected to the systems and evidence it relates to is the practical challenge, and the thing that makes the difference between controls that exist on paper and controls that work.

How this supports certification and beyond

In a certification audit, the Annex A controls and the Statement of Applicability are central: the auditor checks that the chosen controls are appropriate to the identified risks, that exclusions are justified, and that the selected controls are operating, with evidence. Beyond certification, well-applied controls are exactly the evidence customers and regulators want to see. Treating the controls as a live, connected part of the management system therefore serves both the audit and the wider trust the standard is meant to build.

Key terms

Annex A
ISO/IEC 42001's reference list of AI-specific control objectives and controls, grouped under headings A.2 to A.10. Annex B provides implementation guidance for each control.
Statement of Applicability
The record of which controls are applied, which are excluded, and the justification for each; required under clause 6.1.3.
AI system life cycle
The stages of an AI system's life, from design and development through verification, deployment, operation, monitoring, and retirement.
Data governance for AI
The management of data used for AI, including its quality, provenance, preparation, and protection.
