ISO/IEC 42001 Annex A controls, explained
- Annex A is a reference control set, mapped from the management-system clauses.
- Controls fall into six broad themes; understanding the themes is enough to plan implementation.
- The standard's control text is copyrighted — read this thematically and consult ISO for the verbatim text.
- Annex A does not replace risk-based selection; the SoA is where applicability is decided.
- Every applicable control must trace to a real, operated record — not to a policy document.
- General information, not legal advice. Current as of July 2026.
How Annex A is organised
Annex A groups reference controls thematically. Each theme has a governance intent, from which the individual controls flow. Rather than treating the annex as a shopping list, treat it as a set of design intents your management system must express — through policies, roles, processes and records.
The six themes
- Organisational policies and responsibilities — the AI policy, the responsibilities structure, the alignment of AI activity to organisational objectives.
- Internal organisation for AI — how AI-related roles are defined, allocated and coordinated across the business.
- AI system lifecycle — controls that treat the AI system as an artefact under managed change from design through decommissioning: requirements, development, evaluation, release, operation, retirement.
- Data for AI — provenance, quality, representativeness, protection and lifecycle of data used to train, validate and operate systems.
- Third-party and supplier relationships — controls on how AI capability sourced from suppliers is assessed, contracted, monitored and, where necessary, replaced.
- Information for interested parties, impact assessment and human oversight — how information about AI systems is provided to stakeholders, how impact on individuals and society is assessed, and how meaningful human oversight is designed and maintained.
Selection is risk-based
Annex A is a reference set. Applicability is decided in the Statement of Applicability against risk and context. A small organisation with a narrow AI footprint will legitimately exclude controls that a global platform provider will operate in full — provided the exclusion rationale is defensible and the residual risk is accepted by an appropriate owner.
The verbatim text
This article describes the annex thematically because the standard's control text is copyrighted. For the authoritative wording — which you will need for the SoA, for the internal audit programme and for any external attestation — consult ISO/IEC 42001 directly through the ISO portal or a national standards body.
Key terms
- Reference control
- A control listed in a standard's annex as a starting set from which applicability is decided in context.
- Lifecycle control
- A control that treats an AI system as an artefact under managed change from design through decommissioning.