Key facts
- Annex A controls are grouped into themes covering policy, resourcing, impact assessment, system lifecycle, data and third-party relationships.
- You select applicable controls based on your own risk assessment, rather than applying every control by default.
- A Statement of Applicability documents which controls apply, which do not, and why.
- Annex A works alongside the main clauses of the standard (context, leadership, planning, support, operation, evaluation, improvement).
- Use the free ISO 42001 readiness checklist to see where your gaps are.
How Annex A is structured
The controls are grouped into themes rather than presented as a flat list:
- policies for AI
- internal organisation and roles
- resources needed to run the AI management system
- assessing the impacts of AI systems
- managing the AI system lifecycle
- data used by AI systems
- providing information to interested parties
- how AI systems are used within the organisation
- managing third-party and customer relationships involving AI
Selecting controls, not applying all of them
ISO 42001 does not require every organisation to implement every Annex A control. You run a risk assessment, decide which controls are relevant to your context, and record the outcome, including justified exclusions, in a Statement of Applicability. The justification for each exclusion should be specific enough that an auditor can follow the reasoning back to the risk assessment. A small SaaS business and a large financial institution will typically end up with different, proportionate sets of applicable controls.
How this connects to the EU AI Act
Many Annex A themes map closely onto EU AI Act obligations — impact assessment, lifecycle management, data governance and third-party relationships all show up in both. Organisations pursuing ISO 42001 certification often find much of the underlying work directly supports EU AI Act compliance evidence, and vice versa.
Getting started
Start with a gap assessment against the relevant Annex A themes rather than reading the whole control set line by line. The readiness checklist is designed as that first pass.
Frequently asked questions
What is Annex A of ISO 42001?
A structured set of controls, grouped into themes covering policy, resourcing, impact assessment, system lifecycle, data and third-party relationships, that organisations select from based on their own risk assessment.
Do you have to implement every Annex A control?
No — you select applicable controls based on a risk assessment and record your choices, including justified exclusions, in a Statement of Applicability.
What is a Statement of Applicability?
A document recording which Annex A controls apply to your organisation, which do not, and the justification for each decision.
How does Annex A relate to the EU AI Act?
Several themes — impact assessment, lifecycle management, data governance, third-party relationships — closely mirror EU AI Act obligations, so work on one often supports the other.
Where should we start with Annex A?
With a gap assessment against the relevant themes, rather than attempting to read and apply the full control set from scratch.
Last updated 19 June 2026.