An ISO 42001 checklist turns the standard into a sequence you can work through: define your AI management system scope, run a gap analysis, write the mandatory documents, implement the applicable Annex A controls, operate the system long enough to generate records, then pass a two-stage certification audit. Five phases, one accredited certificate at the end.
Published in December 2023, ISO/IEC 42001 is the first international standard for an AI management system (AIMS). Its certifiable requirements live in clauses 4 to 10, and Annex A supplies 38 reference controls across 9 objectives that you select through a Statement of Applicability. Our ISO 42001 guide explains what the standard is and why buyers are asking for it. This piece is the do-list: the ordered steps and the exact inventory of documents and records an auditor expects to see.
TL;DR
- The checklist runs in five phases: scope and gap analysis, build the AIMS, implement controls, internal audit and management review, then the certification audit.
- The AIMS scope statement and the Statement of Applicability are the two documents auditors read first.
- ISO 42001 requires a defined set of documents (policy, scope, risk and impact assessments, data procedures, SoA, audit programme) and a set of retained records that prove the system operates.
- Certification is a Stage 1 and Stage 2 audit by an accredited body; the certificate is valid for three years.
- Budget four to nine months, shorter if you already hold ISO 27001, because the management-system machinery already exists.
The ISO 42001 Checklist: Five Phases to Certification
These five phases are the ISO 42001 implementation steps in the order most teams run them. Nothing here reinvents the ISO playbook; it is the same Plan-Do-Check-Act rhythm as ISO 27001, pointed at AI. Most organizations move through it in four to nine months. If you already hold ISO 27001, expect the shorter end, because the risk methodology, the audit cadence, and the leadership structure are already in place and you are mostly extending them to cover AI.
The phases:
- Scope and gap analysis - decide what the AIMS covers and find what is missing.
- Build the AIMS - write the mandatory documents and stand up the processes.
- Implement the controls - apply the Annex A controls your risk work justifies.
- Internal audit and management review - test the system yourself before an auditor does.
- Certification audit - pass the Stage 1 and Stage 2 assessment.
Work them in order. Each phase produces the inputs the next one needs, and skipping ahead is the fastest way to fail a Stage 2 audit.
Phase 1: Scope the AIMS and Run a Gap Analysis
The first phase decides how big the job is. A tight, defensible scope and an honest gap analysis are worth more than an ambitious plan you cannot evidence later.
Define the AIMS Scope
The AIMS scope statement is a mandatory document (clause 4.3) and the first thing an auditor reads. It records which AI systems sit inside the management system, the internal and external issues that shape your AI, and the interested parties you answer to. You do not have to put every model in scope on day one; you have to draw a boundary you can actually run and prove.
- List every AI system you build, provide, or use, and decide which sit inside the AIMS boundary
- Document the internal and external issues and the interested parties relevant to your AI (clause 4)
- Write the AIMS scope statement and get top management to sign it off
Run an ISO 42001 Gap Analysis
A gap analysis compares your current AI governance against clauses 4 to 10 and the 38 Annex A controls, then turns the differences into a ranked remediation plan. The output is your project backlog for phases 2 and 3. The mechanics are the same as an information-security gap assessment, so our ISO 27001 gap assessment guide is a useful model for how to scope and score one.
- Assess current practice against each of clauses 4 to 10
- Check current practice against the 38 Annex A controls and note which are relevant
- Rank each gap by risk and effort into a prioritized remediation plan
Phase 2: Build the AIMS and Its Mandatory Documents
With the gaps mapped, you build the system. Most of the work in this phase is documentation the standard explicitly requires. An AIMS is the same species of management system as an ISMS, so if you have written information-security documentation before, the format will feel familiar; only the subject matter (AI risk, impact, and lifecycle) is new. For the full clause-by-clause detail behind each item below, see our ISO 42001 requirements breakdown.
ISO 42001 Mandatory Documents and Records
The standard distinguishes documents you maintain (living artefacts an auditor can inspect) from records you retain (evidence that the system actually ran). You need both. Here are the ISO 42001 mandatory documents to author:
- AI policy, owned by top management (clause 5.2 / Annex A.2)
- AIMS scope statement (clause 4.3)
- AI system inventory, a register of the systems in scope
- AI risk assessment process and its results (clause 6.1.2)
- AI system impact assessment process and its results (clauses 6.1.4 and 8.4)
- Data management and data governance procedures (Annex A.7)
- Statement of Applicability, justifying which controls apply (clause 6.1.3)
- Internal audit programme (clause 9.2)
And the records to retain as proof the AIMS operates:
- Risk assessment results
- Risk treatment results
- Impact assessment results
- Competence evidence for the people running the AIMS (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit results (clause 9.2)
- Management review minutes (clause 9.3)
- Nonconformity and corrective action records (clause 10.2)
The Statement of Applicability deserves special attention: it is the bridge between your risk work and Annex A, and auditors treat it as the map of your whole control set.
Want this as a ready-to-use ISO 42001 checklist you can work straight from?
Drop your work email and we'll send the full implementation and documents checklist, and map your AI systems to the controls with you.
Phase 3: Implement the Annex A Controls
Annex A lists 38 controls grouped into 9 objectives (A.2 to A.10). You do not implement all 38 by default. You select the ones your risk and impact assessments justify, record every include-or-exclude decision with its rationale in the Statement of Applicability, then put the selected controls into real workflows rather than into a document nobody follows. For the full catalogue and what each control asks for, see our guide to the ISO 42001 Annex A controls.
- Select the applicable controls from the 38, justified by your risk and impact assessments
- Record each decision, applied or excluded with a reason, in the Statement of Applicability
- Implement each applicable control in a real, operating workflow
- Assign an owner to every implemented control
Phase 4: Internal Audit and Management Review
An auditor cannot certify a system that has never run. Before Stage 1, the AIMS has to operate long enough to produce genuine records, then you test it against itself. Clause 9 makes both the internal audit and the management review mandatory, and this phase is where readiness is actually earned rather than assumed.
- Operate the AIMS long enough to generate real records: completed impact assessments, monitoring results, and risk treatments
- Run at least one internal audit against clauses 4 to 10 and the applied controls
- Hold a management review and record the minutes
- Raise, log, and remediate any nonconformities with documented corrective action
Phase 5: The Two-Stage Certification Audit
ISO 42001 certification follows the same accredited, two-stage path as any ISO management system. Stage 1 is a documentation and readiness review; Stage 2 tests whether the AIMS operates as designed, with the auditor sampling evidence across your controls. A clean result earns a certificate valid for three years, with annual surveillance audits in between. The details of choosing a body and what each stage samples are in our ISO 42001 certification walkthrough.
- Choose an accredited certification body, not merely any assessor
- Pass Stage 1, the documentation and readiness review
- Pass Stage 2, where the auditor tests the AIMS in operation
- Close any findings, receive the certificate, and schedule the annual surveillance audit
Are You Ready? An ISO 42001 Readiness Check
Before you book Stage 1, run this ISO 42001 readiness self-check. If you can answer yes to every line, you are audit-ready; a no is a gap to close first.
- The AIMS scope statement is approved and current
- Every mandatory document exists and is version-controlled
- The Statement of Applicability justifies every include-or-exclude decision
- Risk and impact assessments have been performed and their results retained
- At least one internal audit and one management review are on record
- Open nonconformities each have a corrective action in progress
- The people running the AIMS have documented competence
The most common reason teams fail this check is the last mile of Phase 4: the documents exist, but the system has not run long enough to leave a trail. Give yourself a real operating window before you invite an auditor in.
Frequently Asked Questions
How many documents does ISO 42001 require?
There is no single magic number, but the practical core is the eight documents in Phase 2 (AI policy, AIMS scope, AI system inventory, risk assessment, impact assessment, data procedures, Statement of Applicability, and the internal audit programme) plus the retained records that prove each process ran. Treat the document list and the records list as one set; auditors check for both.
Is a gap analysis mandatory for ISO 42001?
No. The standard does not name a gap analysis as a required document. In practice it is the sensible first move, because it tells you exactly which clauses and controls you still have to build before you spend money on an audit.
Do I need all 38 Annex A controls?
No. Annex A is a reference set, not a mandatory list. You select the controls your risk and impact assessments justify and document every inclusion and exclusion in the Statement of Applicability. Ticking all 38 without reasoning is a red flag to an auditor, not a shortcut.
Can I reuse my ISO 27001 documentation?
Largely, yes. Both standards use the same Harmonized Structure, so your risk methodology, internal-audit programme, management-review cadence, and competence records carry over. You extend them to cover AI risk, impact, and lifecycle rather than starting from a blank page, which is why holding ISO 27001 compresses the timeline. Our ISO 27001 documentation toolkit shows how that document set is structured.
How long does working through the checklist take?
Four to nine months for most organizations. Teams already certified to ISO 27001 tend to land at the shorter end; teams building a management system for the first time should plan for the longer end, since the foundation has to be built before the AI-specific work begins.
Conclusion
The ISO 42001 checklist is not complicated, but it is unforgiving about order and evidence: scope it, find the gaps, write the documents, apply the controls your risk work justifies, run the system until it leaves a trail, and only then invite the auditor. The teams that struggle are the ones that document without operating.
Konfirmity runs AI governance the way we run managed compliance for ISO 27001, SOC 2, and HIPAA: human-led and end-to-end. The team behind Konfirmity has supported more than 6,000 audits, and we build the AIMS inside your stack, write the mandatory documents, and collect the records with you, so your team spends hours rather than months. Book a demo and we will map your AI systems to the checklist together.




