ISO 42001
ISO 42001 Annex A Controls Explained: All 9 Objectives
June 27, 2026 · 8 min read
The 38 Annex A controls, grouped under nine objectives — what each set covers and how to evidence it.
Annex A is the implementation backbone of ISO/IEC 42001. It lists 38 controls grouped under nine objectives (A.2–A.10). Your Statement of Applicability records which apply, why, and their status — so this is the part of the standard auditors examine most closely.
The nine Annex A control objectives
A.2 — Policies related to AI
Establish and maintain an AI policy (and supporting policies) aligned with your objectives and the organization’s direction on responsible AI.
A.3 — Internal organization
Define AI roles, responsibilities, and reporting lines, and a process for raising concerns about AI systems.
A.4 — Resources for AI systems
Identify and document the resources behind your AI — data, tooling, compute, and human competencies — so AI systems are properly supported.
A.5 — Assessing impacts of AI systems
Conduct AI system impact assessments — the effects on individuals, groups, and society — and feed them into risk treatment. This is distinctive to ISO 42001.
A.6 — AI system life cycle
Govern responsible design, development, verification, deployment, operation, and retirement of AI systems, with documentation at each stage.
A.7 — Data for AI systems
Manage data quality, provenance, and governance across acquisition, preparation, and use — the data controls that underpin trustworthy AI.
A.8 — Information for interested parties
Provide transparency: documentation and information so users and affected parties understand an AI system’s purpose, capabilities, and limitations.
A.9 — Use of AI systems
Govern responsible use — intended purpose, human oversight, and monitoring of deployed AI systems in operation.
A.10 — Third-party and customer relationships
Manage responsibilities, expectations, and due diligence across suppliers, customers, and partners involved in your AI systems.
From Annex A to your Statement of Applicability
For each control you mark applicable or excluded, justify the decision, and record implementation status. Doing this by hand is slow; native Annex A control validation tests each control and generates the Statement of Applicability for you. Work through the ISO 42001 readiness guide to put them in place.
Validate every Annex A control automatically
See ISO 42001 automation →Frequently asked questions
- How many controls are in ISO 42001 Annex A?
- ISO/IEC 42001:2023 Annex A contains 38 controls grouped under nine objectives, A.2 through A.10.
- What are the ISO 42001 Annex A control objectives?
- A.2 Policies related to AI, A.3 Internal organization, A.4 Resources for AI systems, A.5 Assessing impacts of AI systems, A.6 AI system life cycle, A.7 Data for AI systems, A.8 Information for interested parties, A.9 Use of AI systems, and A.10 Third-party and customer relationships.
- Are all ISO 42001 Annex A controls mandatory?
- No. As with ISO 27001, you select applicable controls based on your risk and impact assessments and justify any exclusions in the Statement of Applicability. Applicability depends on your AI systems and your role (provider, developer, or deployer).