Regulome
Search regulations…⌘K
For ProvidersFree Checker
← Read the full ISO 42001 guide
Free Download · Regulome.io

ISO 42001 Certification Checklist

48 requirements across 7 phases. Use this checklist to assess your readiness before a Stage 1 or Stage 2 certification audit.

Read the full guide
Clause 4

Context of the Organization

6 items
  • Identified and documented internal and external issues relevant to AI activities
  • Assessed how issues affect the AIMS's ability to achieve intended outcomes
  • Identified all interested parties and their AI-related requirements
  • Determined which interested party requirements the AIMS will address
  • Defined and documented the scope of the AIMS
  • Established, implemented, and maintained the AIMS per standard requirements
Clause 5

Leadership

6 items
  • Top management demonstrated leadership by establishing AI policy and directing resources
  • Top management promoted a culture of responsible AI use
  • AI policy established, documented, and communicated internally
  • AI policy available to interested parties as appropriate
  • AIMS roles, responsibilities, and authorities assigned and communicated
  • Responsible individual/function assigned for AIMS performance reporting to top management
Clause 6

Planning

9 items
  • Process established to identify risks and opportunities related to the AIMS
  • AI risk assessment conducted identifying risks to individuals and society
  • AI risk assessment criteria (likelihood, impact, thresholds) defined and documented
  • AI risk assessment results documented and retained
  • AI risk treatment plan documented with selected controls and justifications
  • Risk owners accepted residual risks following treatment
  • AI objectives established at relevant functions and levels, measurable and monitored
  • Plans to achieve AI objectives include responsible parties, timelines, evaluation methods
  • Changes to the AIMS carried out in a planned manner
Clause 7

Support

8 items
  • Resources required for AIMS determined and provided
  • Persons have necessary competence (education, training, or experience)
  • Competence requirements documented; training actions recorded
  • Persons aware of AI policy, their contribution, and implications of nonconformity
  • Internal and external communications relevant to the AIMS planned
  • Documented information required by the standard exists and is controlled
  • New documented information identified with appropriate metadata
  • Documented information controlled for access, storage, version control, and retention
Clause 8

Operations

11 items
  • Operational processes planned, implemented, controlled, and reviewed
  • AI impact assessment process established and documented
  • AI impact assessments conducted before deployment and when significant changes occur
  • Impact assessment results and treatment decisions retained
  • AI system lifecycle management process covers full lifecycle
  • AI system objectives, intended use, and foreseeable misuse documented
  • Data management processes address quality, provenance, and governance for AI data
  • Processes exist to identify and address data bias before and during deployment
  • Processes address AI use as deployer and developer (where both apply)
  • Third-party and supply chain AI risks assessed; contracts address AI governance
  • Criteria exist for responsible disclosure of AI system information to affected parties
Clause 9

Performance Evaluation

9 items
  • Methods for monitoring, measurement, analysis, and evaluation defined
  • Monitoring and measurement results documented and retained
  • AI system performance evaluated at planned intervals
  • Internal audits conducted at planned intervals
  • Internal audit program exists with scope, frequency, methods, and responsibilities
  • Internal audit results reported to management and retained
  • Management reviews conducted at planned intervals
  • Management review inputs include audit results, risks, objectives, and improvement opportunities
  • Management review outputs (decisions, actions) retained
Clause 10

Improvement

5 items
  • Opportunities for improvement identified and acted upon
  • Nonconformities identified, documented, root-caused, corrected, and evaluated
  • Corrective actions appropriate to the effects of nonconformities
  • Results of corrective actions retained
  • Organization continually improves AIMS suitability, adequacy, and effectiveness

Annex A — Statement of Applicability

ISO 42001 includes 38 additional Annex A controls covering transparency, human oversight, incident management, and data governance. Your certification body will require a Statement of Applicability declaring which controls apply and why any are excluded. This checklist covers the mandatory clauses (4–10) only.

Track ISO 42001 readiness with your team

Regulome.io maps these requirements to your specific AI systems, tracks completion by owner, and connects ISO 42001 obligations to parallel EU AI Act and Colorado AI Act requirements.

Start free at Regulome.io