← Blog

ISO 42001

ISO 42001 Annex A Controls Explained: All 9 Objectives

June 27, 2026 · 8 min read

The 38 Annex A controls, grouped under nine objectives — what each set covers and how to evidence it.

Annex A is the implementation backbone of ISO/IEC 42001. It lists 38 controls grouped under nine objectives (A.2–A.10). Your Statement of Applicability records which apply, why, and their status — so this is the part of the standard auditors examine most closely.

The nine Annex A control objectives

A.2 — Policies related to AI

Establish and maintain an AI policy (and supporting policies) aligned with your objectives and the organization’s direction on responsible AI.

A.3 — Internal organization

Define AI roles, responsibilities, and reporting lines, and a process for raising concerns about AI systems.

A.4 — Resources for AI systems

Identify and document the resources behind your AI — data, tooling, compute, and human competencies — so AI systems are properly supported.

A.5 — Assessing impacts of AI systems

Conduct AI system impact assessments — the effects on individuals, groups, and society — and feed them into risk treatment. This is distinctive to ISO 42001.

A.6 — AI system life cycle

Govern responsible design, development, verification, deployment, operation, and retirement of AI systems, with documentation at each stage.

A.7 — Data for AI systems

Manage data quality, provenance, and governance across acquisition, preparation, and use — the data controls that underpin trustworthy AI.

A.8 — Information for interested parties

Provide transparency: documentation and information so users and affected parties understand an AI system’s purpose, capabilities, and limitations.

A.9 — Use of AI systems

Govern responsible use — intended purpose, human oversight, and monitoring of deployed AI systems in operation.

A.10 — Third-party and customer relationships

Manage responsibilities, expectations, and due diligence across suppliers, customers, and partners involved in your AI systems.

From Annex A to your Statement of Applicability

For each control you mark applicable or excluded, justify the decision, and record implementation status. Doing this by hand is slow; native Annex A control validation tests each control and generates the Statement of Applicability for you. Work through the ISO 42001 readiness guide to put them in place.

Validate every Annex A control automatically

See ISO 42001 automation

Frequently asked questions

How many controls are in ISO 42001 Annex A?
ISO/IEC 42001:2023 Annex A contains 38 controls grouped under nine objectives, A.2 through A.10.
What are the ISO 42001 Annex A control objectives?
A.2 Policies related to AI, A.3 Internal organization, A.4 Resources for AI systems, A.5 Assessing impacts of AI systems, A.6 AI system life cycle, A.7 Data for AI systems, A.8 Information for interested parties, A.9 Use of AI systems, and A.10 Third-party and customer relationships.
Are all ISO 42001 Annex A controls mandatory?
No. As with ISO 27001, you select applicable controls based on your risk and impact assessments and justify any exclusions in the Statement of Applicability. Applicability depends on your AI systems and your role (provider, developer, or deployer).