ISO 42001 Annexes (Annex A–D)
In addition to its main clauses, ISO/IEC 42001 includes several annexes that support and expand the core requirements of the standard. While the clauses define what an organization must do to achieve certification, the annexes help explain how those requirements can be interpreted and implemented in practice.
Not all annexes are audited in the same way. Annex A is central to certification because it contains the reference AI controls used to build the Statement of Applicability (SoA). Annexes B, C, and D are primarily informative, meaning they are not audited clause-by-clause, but they strongly influence how organizations interpret requirements, assess AI risks, and implement effective governance mechanisms.
- Annex A – Reference controls: A structured catalogue of AI governance controls that can be selected and justified in the Statement of Applicability (SoA); covers governance, risk, data, lifecycle, robustness, safety, transparency, and incidents.
- Annex B – Guidance and examples: Provides implementation guidance and illustrative examples on how to apply requirements and controls in practice (for example, how to run AI impact assessments or set AI metrics).
- Annex C – Risk sources and objectives: Lists typical AI risk sources (bias, security, misuse, explainability, data quality, etc.) and governance objectives, helping to design risk-based controls and KPIs.
- Annex D – Integration and sector mapping: Shows how ISO 42001 can be aligned with other standards (for example, ISO 27001, 27701, 9001) and applied to sector-specific AI use cases.