The ISO 42001 Starter Checklist

A free, practical path to an AI Management System (AIMS) in 9 steps. ISO/IEC 42001:2023 is the first international management-system standard for artificial intelligence — a documented, risk-based way to govern how your organization develops, provides or uses AI. Certification proves an accredited body has audited your live AIMS and found it conforms.

Who this is for: founders, product and compliance leads at companies building AI features or deploying AI tools, who want a clear route to responsible-AI governance and, where they choose, ISO 42001 certification — and a head start on EU AI Act readiness.

Honest note: a checklist and good templates speed up the documentation, but they do not make you certified. Certification is issued only by an accredited body after it audits your operating AIMS (Stage 1 + Stage 2). An ISO 42001 management system is also widely used as the operational backbone for EU AI Act readiness, though the Act and the standard remain distinct. Use this as a roadmap.

Step 1Define scope & context of your AIMS (Clause 4)

ISO 42001 governs the AI systems you develop, provide or use — you first decide which of those the management system covers.

  • List the AI systems and uses in scope (built in-house and third-party tools you deploy)
  • Identify internal/external issues and interested parties (customers, regulators, affected people)
  • Determine your role for each system — provider, deployer, or both — as it shapes your obligations
  • Write the AIMS scope statement, with any exclusions justified

Step 2Secure leadership & write the AI policy (Clause 5)

Like any ISO management system, auditors look first for demonstrable top-management commitment.

  • Get documented leadership commitment and resourcing for the AIMS
  • Publish a top-level AI policy setting your principles for responsible AI use
  • Assign roles, responsibilities and authorities for AI governance
  • Align AI objectives with your business strategy and values

Step 3Run an AI risk assessment (Clause 6.1)

AI introduces risks — bias, safety, security, misuse — that a general risk process often misses; ISO 42001 requires a defined AI-specific assessment.

  • Define a repeatable AI risk assessment methodology (criteria, scoring, acceptance)
  • Identify risks across the AI lifecycle for the systems in scope
  • Assess and rank them, and record results in an AI risk register
  • Choose a treatment for each risk and assign owners and dates

Step 4Complete an AI system impact assessment (Clause 6 (AI system impact assessment))

This is what sets ISO 42001 apart — assessing the impact of AI on individuals and society, not just risk to the organization.

  • For each in-scope AI system, assess potential impacts on individuals, groups and society
  • Consider fairness, transparency, safety, privacy and human oversight
  • Document mitigations and the residual impact you accept
  • Revisit the assessment when a system or its use materially changes

Step 5Set AI objectives & plan (Clause 6.2)

Objectives turn the policy into measurable commitments the audit will check against.

  • Set measurable AIMS objectives consistent with the AI policy
  • Plan how you will achieve them: actions, resources, owners, timelines and measures
  • Plan changes to the AIMS in a controlled way

Step 6Produce the Statement of Applicability (Annex A) (Clause 6.1.3 / Annex A)

The SoA is the document auditors return to most — it justifies every Annex A control you include or exclude.

  • Review the Annex A controls (governance, AI lifecycle, data for AI systems, transparency, third-party and more)
  • Mark each control applicable or not, with a written justification
  • Note each control’s implementation status
  • Cross-check the SoA against your AI risk treatment and impact assessments

Step 7Implement controls & manage the AI lifecycle (Clause 8 / Annex A)

Auditors verify controls exist and are evidenced across the AI lifecycle — data, development, deployment and monitoring.

  • Operationalize the applicable controls: data management for AI, development and testing, deployment approval, human oversight, and ongoing monitoring
  • Document data provenance, quality and governance for the systems in scope
  • Manage third-party AI suppliers and the AI you procure
  • Keep records that show the controls operate as designed

Step 8Support: competence, awareness & documentation (Clause 7)

The people building and using AI need the competence to do it responsibly — and the EU AI Act now makes AI literacy an explicit duty.

  • Ensure staff involved with AI have the necessary competence, and keep records
  • Run AI awareness/literacy training for those who deploy or use AI tools
  • Maintain the documented information the AIMS requires, under version control

Step 9Internal audit, management review & certification (Clauses 9–10 → certification)

You check yourself before the certification body does, then an accredited body audits the operating AIMS — the only step that yields a certificate.

  • Monitor and measure AIMS performance against your objectives
  • Run an internal audit; log nonconformities and corrective actions (Clause 9–10)
  • Hold a documented management review
  • Select an accredited certification body; pass Stage 1 (documentation) then Stage 2 (implementation) to earn the certificate

Skip the blank page — get the editable ISO 42001 toolkit

The ISO 42001 AI Management System Toolkit gives you the documents behind Steps 2–7 — the AI policy, AI risk methodology and register, the AI system impact-assessment procedure, an Annex A Statement of Applicability, and the AI-lifecycle and data-governance policies — pre-built in Word and Excel to tailor to your systems. Instant download, 14 documents, $99 ($69.30 — 30% off auto-applied through July 31, 2026).

View the ISO 42001 toolkit

Weighing AI frameworks? See the AI Governance Policy Pack (a faster, lighter set of AI policies), the verified EU AI Act deadlines, or all free resources.

Professional editable templates and general information — not legal advice, and not a certificate. ISO/IEC 42001 and the EU AI Act are referenced descriptively; ComplianceDocs is not affiliated with ISO or any certification body. A product of ExpertEngine LLC.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.