ISO 42001 Checklist

Use this ISO 42001 audit checklist to assess AIMS compliance and AI lifecycle controls during an internal audit or gap analysis against the ISO/IEC 42001 standard.

Clause 4 — Context Of The Organization

1. The organization has documented the external issues relevant to its AIMS, including applicable AI regulations, industry standards, and market expectations.

2. Internal issues affecting the AIMS are documented, including organizational culture, existing governance structures, and resource capabilities.

3. Interested parties relevant to the AIMS are identified, including customers, users, regulators, employees, and third-party AI vendors.

4. The requirements and expectations of each interested party are documented and reviewed periodically.

5. The AIMS scope statement is documented, clearly defining which AI systems, activities, and organizational units are covered.

6. AI systems included within scope are identified by name, function, and the organization's role (developer, provider, or deployer).

7. Any AI systems excluded from scope are listed with documented justification.

8. The AIMS scope is available to relevant interested parties.

9. An AI system inventory is maintained and aligned to the documented scope.

10. The AI system inventory includes system purpose, owner, operational status, and data inputs for each entry.

Clause 5 — Leadership And AI Policy

1. Top management has demonstrated commitment to the AIMS through documented resource allocation decisions and governance approvals.

2. Evidence of leadership involvement in AIMS establishment is available, such as steering committee records, approval sign-offs, or management review minutes.

3. An AI policy is documented and approved by top management.

4. The AI policy includes a commitment to responsible and ethical AI development and use.

5. The AI policy provides a framework for setting AI objectives and includes a commitment to continual improvement.

6. The AI policy is communicated to all personnel involved in AI activities.

7. The AI policy is available to relevant external parties where appropriate.

8. AIMS roles, responsibilities, and authorities are documented and assigned.

9. Responsibility for ensuring AIMS conformity is formally assigned to a named role or individual.

10. Responsibility for reporting AIMS performance to top management is formally assigned.

11. Evidence that AIMS responsibilities have been communicated to relevant personnel is available.

Clause 6 — AI Risk Assessment And Planning

1. An AI risk assessment process is documented, including risk identification, analysis, evaluation, and treatment steps.

2. Risk criteria are defined, including AI-specific criteria such as bias potential, explainability requirements, and societal impact thresholds.

3. Risk assessments have been completed for all AI systems within scope.

4. Risk assessments are reviewed and updated when AI systems undergo significant changes.

5. A risk register is maintained with risk owners, risk levels, and treatment status for each identified risk.

6. Risk treatment options have been selected for each identified risk, with documented rationale.

7. A Statement of Applicability (SoA) is documented, listing applicable Annex A controls with justifications for inclusions and exclusions.

8. A risk treatment plan is documented with assigned owners and target completion dates.

9. An AI impact assessment process is documented, covering intended use cases and foreseeable misuse scenarios.

10. Impact assessments have been completed for AI systems with potential to affect individuals or society.

11. Impact assessment results are retained and reviewed when system purpose or deployment context changes.

12. AI objectives are established, documented, measurable, and consistent with the AI policy.

13. Plans to achieve AI objectives include assigned responsibilities, required resources, timelines, and evaluation methods.

14. A change management process is documented for planned changes to the AIMS, including changes to AI systems, data sources, or use cases.

Clause 7 — Support: Resources, Competence, And Documentation

1. Resources required to establish, implement, and maintain the AIMS are determined and provided.

2. Budget allocation for AIMS activities is visible and documented.

3. Competence requirements are defined for all roles that affect AI system performance, safety, or governance.

4. Evidence of competence is available for personnel in AIMS roles, such as qualifications, training records, or assessed performance.

5. Training records are maintained where competence was developed through formal training.

6. Evidence that training effectiveness has been evaluated is available.

7. Personnel involved in AI activities are aware of the AI policy and their contribution to AIMS objectives.

8. Internal and external communication requirements for the AIMS are documented, specifying who communicates what, to whom, and by which channel.

9. A document control procedure is in place covering creation, approval, version control, and access management.

10. AIMS documents are properly identified, described, and protected from unauthorized changes.

11. Retention and disposal requirements for AIMS documented information are defined.

12. Documented information is accessible to those who need it and protected from unintended alteration or deletion.

Clause 8 — Operation

1. Operational procedures are documented for AI system design, development, testing, deployment, monitoring, and decommissioning.

2. Criteria for controlling AI lifecycle processes are established and applied consistently.

3. Evidence that AI lifecycle processes are executed according to documented procedures is available.

4. AI risk assessments are performed at the design stage before new AI systems are deployed.

5. AI risk assessments are repeated following significant changes to model architecture, training data, use case, or deployment environment.

6. Change control records document approvals for model updates, prompt changes, retraining runs, and vendor changes.

7. Rollback procedures are defined and tested for AI systems where reverting to a prior version may be required.

8. Human oversight mechanisms are defined for AI systems where automated decisions carry material risk to individuals or the organization.

9. Human review and override records are maintained for AI systems with defined oversight requirements.

10. Model performance is tested against defined criteria before deployment, including accuracy, robustness, and intended-use alignment.

11. Post-deployment monitoring is in place to detect model drift, performance degradation, and unexpected outputs.

12. Monitoring results and incidents are recorded and reviewed at defined intervals.

13. AI-specific incident response procedures are documented and cover detection, containment, root cause analysis, and notification.

14. Records of AI incidents and near-misses are maintained and used to inform corrective action.

Clause 9 — Performance Evaluation And Internal Audit

1. The organization has determined what to monitor and measure for AIMS performance, including AI system outcomes, risk treatment effectiveness, and objective progress.

2. Methods, frequency, and responsibility for monitoring and measurement are documented.

3. Monitoring results are analyzed, evaluated, and reported to relevant management at defined intervals.

4. An internal audit program is documented, covering audit scope, criteria, frequency, and auditor selection.

5. Auditor independence from the areas being audited is ensured and documented.

6. At least one full internal AIMS audit cycle has been completed before the certification audit.

7. Internal audit reports document findings, evidence reviewed, conformities, and nonconformities.

8. Audit findings are communicated to relevant management and tracked to closure.

9. Management reviews are conducted at planned intervals by top management.

10. Management review inputs include AIMS performance data, audit results, risk register status, objective progress, and changes in internal or external context.

11. Management review outputs include decisions on improvement opportunities, resource needs, and any required changes to the AIMS.

12. Management review minutes are retained as documented evidence.

Clause 10 — Improvement And Corrective Action

1. A process for identifying, recording, and managing nonconformities is documented.

2. Nonconformities, including AI system control failures and incidents, are recorded when they occur.

3. Root cause analysis is performed for each nonconformity to identify the underlying cause rather than the symptom.

4. Corrective actions are planned with assigned owners and target completion dates.

5. Corrective actions are verified for effectiveness before the nonconformity is closed.

6. Records of nonconformities, corrective actions, and closure evidence are retained.

7. Lessons learned from nonconformities and AI incidents are used to update risk assessments, controls, and procedures.

8. Improvement opportunities are identified through monitoring results, audit findings, management reviews, and incident analysis.

9. Evidence of continual improvement activities is available, demonstrating that the AIMS evolves over time rather than being maintained as a static system.

10. Improvement actions are tracked and their outcomes reported at management reviews.

A.2.2 — AI Policy

1. A written AI policy is documented and approved at the appropriate management level, setting out the organisation's approach to developing, providing, and using AI systems.

2. The AI policy is informed by the organisation's business strategy, values, risk appetite, legal obligations, and the risk environment relevant to its AI activities.

3. The AI policy includes principles that guide all AI-related activities and processes for handling exceptions to those principles.

4. Evidence is available that the AI policy genuinely shapes decision-making about AI systems, rather than existing solely as a document.

A.2.3 — Alignment With Other Organisational Policies

1. The organisation has identified all existing policies — including information security, privacy, risk management, HR, procurement, and ethics — that intersect with AI activities.

2. The AI policy is consistent with those existing policies, with conflicts identified and resolved through policy updates rather than left unaddressed.

3. Where AI activities introduce requirements not covered by existing policies, the AI policy or relevant existing policies have been updated to address them.

A.2.4 — Review Of The AI Policy

1. A named, management-approved role is responsible for the periodic review of the AI policy.

2. The AI policy is reviewed on a planned cycle and whenever material changes occur, including new regulations, new AI use cases, changes in organisational context, or lessons learned from incidents.

3. Review outcomes — including any resulting policy changes — are documented and retained as records.

A.3.2 — AI Roles And Responsibilities

1. AI-specific roles and responsibilities are defined and documented, covering the full AI system life cycle — including risk management, impact assessment, development, oversight, data quality, security, and supplier management.

2. Accountability and responsibility for each AI-related activity are explicitly assigned to named roles, with no gaps in coverage.

3. AI roles and responsibilities are communicated to relevant personnel and reflected in organisational structures.

A.3.3 — Reporting Of Concerns Regarding AI Systems

1. A formal mechanism exists for personnel, contractors, and relevant external parties to raise concerns about the organisation's development, provision, or use of AI systems.

2. The reporting mechanism is accessible, confidential where appropriate, and protected from retaliation.

3. Defined investigation and escalation steps are documented for concerns raised through this mechanism, and records of concerns raised and their resolution are retained.

A.4.2 — Resource Documentation

1. An inventory of resources required by each AI system across its life cycle is maintained, covering data, tooling, system and computing resources, and human expertise.

2. The resource inventory is kept current as AI systems are developed, modified, deployed, or decommissioned.

A.4.3 — Data Resources

1. Documentation is maintained for every dataset used by AI systems, covering provenance, last-updated timestamps, categories (training, validation, test, production), labelling process, intended purpose, quality characteristics, retention policy, and known bias issues.

2. Data resource documentation is sufficient to support impact assessment, risk assessment, and incident investigation for each AI system.

A.4.4 — Tooling Resources

1. The algorithms, machine learning models, frameworks, libraries, optimisation methods, evaluation methods, and provisioning tools used by each AI system are documented.

2. Tooling resource documentation is sufficient to support reproducibility of results and assessment of supply chain risk.

A.4.5 — System And Computing Resources

1. The compute, storage, network, and hosting environments (on-premises, cloud, or edge) on which each AI system depends are documented, including capacity constraints, network and storage dependencies, and environmental impact of the hardware.

A.4.6 — Human Resources

1. The people and competencies involved across every phase of each AI system's life cycle are documented, including developers, operators, domain experts, testers, oversight roles, and those responsible for change management.

2. Diversity of expertise — including, where relevant, demographic representation in teams working with datasets affecting particular communities — is considered in human resource planning for AI activities.

A.5.2 — AI System Impact Assessment Process

1. A documented, repeatable process is established and maintained for assessing the potential impacts of AI systems on individuals, groups, and society.

2. The impact assessment methodology is defined, consistently applied across different AI systems, and capable of being scaled to the risk profile of each system.

A.5.3 — Internal Impact Assessment Of AI Systems

1. Impact assessments have been conducted for each AI system within the AIMS scope using the process established under A.5.2.

2. Impact assessments examine potential discriminatory outcomes, privacy violations, safety risks, and broader societal effects, and their results are used to inform deployment decisions and control selection.

3. AI systems assessed as high-impact have corresponding controls in place; deployment without adequate controls following a high-impact assessment is documented as a nonconformity.

A.5.4 — Functionality And Behaviour Of The AI System

1. Controls are in place to ensure AI systems function as intended and that deviations from expected behaviour are detected and addressed.

2. Actual AI system behaviour is monitored against the outcomes of impact assessments conducted under A.5.3, with discrepancies investigated and acted upon.

A.6.1.1 — Design Of The AI System

1. Requirements and design specifications are documented before AI system development begins, reflecting the intended use case, identified risks, and governance constraints established by the AI policy.

2. Design documentation is sufficient to trace whether downstream controls are coherent with the system's original intent.

A.6.1.2 — Data For Development And Enhancement

1. Governance controls are in place for data used in AI system development, covering privacy and security implications, security and safety threats from data-dependent development, transparency and explainability requirements, representativeness of training data relative to the operational domain, and data accuracy and integrity.

A.6.1.3 — AI System Development Documentation

1. Documentation is maintained throughout the development process capturing design decisions, testing procedures, validation results, and changes, creating an audit trail demonstrating the system was built in accordance with its specifications and governance requirements.

A.6.1.4 — Addressing Bias In Data

1. Explicit controls are in place for identifying, assessing, and addressing bias in training and operational data.

2. Bias assessment results are documented, and corrective actions taken in response to identified bias are recorded and verified for effectiveness.

A.6.1.5 — Robustness Of AI Systems

1. Robustness testing is conducted to verify that AI systems maintain intended performance under adversarial conditions, edge cases, and unexpected or manipulated inputs.

2. Robustness testing is distinct from functional testing and its results are documented and retained.

A.6.2.1 — AI System Operational Concept

1. Documentation of how each AI system is intended to operate in its deployment environment is maintained, covering users, use cases, interfaces, and operational constraints, defining what correct operation looks like for monitoring purposes.

A.6.2.2 — AI System Testing

1. Structured testing is conducted before deployment to verify that each AI system performs as specified, with documentation covering scope, methodology, test data, results, and sign-off.

2. Testing scope is demonstrably adequate relative to the risk profile of each system.

A.6.2.3 — Human Oversight Of AI Systems

1. Human oversight mechanisms are defined for AI systems, including reviewers with genuine authority to override AI decisions, monitoring of AI output accuracy and consistency, and mechanisms for personnel to report concerns about AI outputs.

2. The appropriateness of automated decision-making is assessed for each specific use case, and rubber-stamp oversight without ability to challenge outputs is not accepted as conforming to this control.

A.6.2.4 — AI System Event Logs

1. Logging of AI system use is in place, capturing time, date, production data processed, and outputs that fall outside intended operational ranges.

2. Logs are retained for as long as required by the system's intended use and applicable legal or regulatory requirements.

A.6.2.5 — AI System Deployment

1. A documented deployment plan and formal verification process confirms that all necessary requirements — including design specifications, testing results, impact assessments, oversight mechanisms, and operational documentation — are in place before each AI system goes live.

2. Evidence of deployment verification is retained for each AI system deployed within the AIMS scope.

A.7.2 — Data For Development And Enhancement Of AI System

1. Operational data management controls are in place covering privacy and security in data use, security threats from data-dependent AI, transparency and explainability aspects, representativeness of training data versus the operational domain, and data accuracy and integrity.

A.7.3 — Acquisition Of Data

1. Governance of how data is sourced covers categories required, quantities, data sources, source characteristics, data subject demographics, prior handling, data rights (including personal data and intellectual property), metadata about labelling, and provenance.

2. Data acquisition records are maintained and sufficient to support regulatory compliance and incident investigation.

A.7.4 — Quality Of Data

1. Data quality criteria — covering accuracy, completeness, consistency, and timeliness — are defined for datasets used by AI systems.

2. Processes are established to detect and remediate data quality issues throughout the AI system life cycle, with quality assessment results documented and retained.

A.7.5 — Processing Of Personal Information

1. Controls are in place for the appropriate handling of personal data within AI systems, aligned with applicable privacy frameworks and integrated with the organisation's existing privacy governance arrangements.

A.8.2 — Transparency Of AI Systems

1. Documented information about each AI system — including its intended use, known limitations, performance characteristics, and governance arrangements — is made available to relevant interested parties in a form appropriate to the audience.

A.8.3 — Communication About Intended Use Of AI System

1. The intended use of each AI system is communicated to users and affected individuals, including the circumstances under which the system operates and the basis on which outputs are generated.

2. Where AI is used to make or significantly influence decisions affecting individuals, those individuals are informed of this fact through defined disclosure mechanisms.

A.8.4 — Disclosure Of AI Interaction

1. Mechanisms are in place to disclose to individuals when they are interacting with an AI system, where this is required by applicable regulation, contractual obligation, or the organisation's own AI policy.

2. Disclosure requirements are documented for each applicable AI system and their implementation is verified.

A.9.2 — Intended Use

1. Each AI system is used only for its documented intended purpose, and controls are in place to detect and prevent use outside that purpose.

2. Policies defining proper AI system applications and preventing misuse are documented, communicated to users, and reviewed at defined intervals.

A.9.3 — Correct And Ethical Use

1. Controls are in place to ensure AI systems are used correctly and ethically in accordance with the organisation's AI policy and applicable ethical principles.

2. Personnel using AI systems are trained on correct and ethical use requirements relevant to their role.

A.9.4 — Information Security For AI Systems In Use

1. Information security controls applicable to AI systems during operation — including access controls, encryption, vulnerability management, and incident response — are identified and implemented.

A.9.5 — Safety Of AI Systems In Use

1. Safety controls are in place for AI systems where outputs or failures could result in physical, psychological, financial, or societal harm to individuals or groups.

2. Safety control requirements are determined through the impact assessment process (A.5.3) and are proportionate to the identified risk level.

A.9.6 — Decommissioning Of AI Systems

1. A documented decommissioning process is in place for AI systems that are retired or replaced, covering secure disposal of data and models, update of the AI system inventory, communication to affected users, and retention of relevant records.

A.10.2 — Responsible Use Policies In Third-Party Relationships

1. Contracts or agreements with third parties involved in AI activities — including suppliers, partners, and customers — include provisions covering responsible use of AI, data protection, incident notification, and compliance with applicable AI requirements.

2. Third-party AI governance practices are assessed before engagement and at defined intervals, with documented outcomes and follow-up actions.

A.10.3 — Customer Responsibilities

1. Where customers use the organisation's AI systems, their responsibilities for correct and safe use are clearly defined, communicated, and agreed in service agreements or equivalent documentation.

A.10.4 — Third-Party AI Systems

1. An inventory of third-party AI systems and components used within in-scope AI systems is maintained and kept current.

2. Third-party AI systems are assessed for risk before adoption and reviewed at defined intervals or following material changes to the supplier's service, model, or data practices.

3. Procedures are in place to assess and approve third-party model updates, API changes, or retraining events that could affect in-scope AI system behaviour.

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
