Key facts

  • Core documents include an AI policy, roles and responsibilities, a risk methodology, an AI inventory and impact assessments.
  • A Statement of Applicability records which Annex A controls apply and which do not, with justification.
  • Monitoring, incident-response, management review and internal audit records are required, not optional extras.
  • Auditors check documentation reflects actual practice, not just that documents exist.
  • Use the free readiness checklist to see what you already have and what is missing.

The core document set

At minimum, expect to need: an AI policy setting overall intent and direction; defined roles and responsibilities for the AI management system; a documented risk assessment methodology; an AI system inventory; data governance procedures for data used by AI systems; AI system impact assessments; monitoring and incident-response procedures; a Statement of Applicability; management review records; and internal audit records.

Why documentation alone is not enough

Certification auditors are checking that your organisation actually operates the way its documentation describes, not simply that the documents exist. A risk methodology that is never applied, or an inventory that has not been updated in a year, will not pass a Stage 2 audit even if the document itself looks complete.

How to build this efficiently

Start from your existing artefacts rather than writing everything from scratch: if you already have an AI inventory, a risk register, or governance policies from other compliance work (including EU AI Act work), most of the underlying content can be reused and mapped into the AIMS documentation structure rather than duplicated.

Keeping documentation current

Documentation needs to be a living set of records, reviewed and updated on a regular cycle (inventory and risk register more frequently, policy and methodology at least annually), not a one-off exercise completed before the audit and then left untouched.

Frequently asked questions

What documents does ISO 42001 require?

At minimum: an AI policy, roles and responsibilities, a risk assessment methodology, an AI inventory, data governance procedures, impact assessments, monitoring and incident-response procedures, a Statement of Applicability, and management review and internal audit records.

Is having the documents enough to pass certification?

No — auditors check that your organisation actually operates as the documentation describes, not just that documents exist.

Can we reuse existing EU AI Act documentation for ISO 42001?

Often, yes — an existing AI inventory, risk register or governance policy can typically be mapped into the AIMS documentation structure rather than rewritten from scratch.

How often should AIMS documentation be updated?

The inventory and risk register need frequent updates; policy and methodology documents should be reviewed at least annually.

What is a Statement of Applicability in ISO 42001?

A document recording which Annex A controls apply to your organisation, which do not, and the justification for each decision.

Related pages

Sources

Last updated 19 June 2026.