The Statement of Applicability (AI Controls Catalogue)
The SoA is a mandatory document that summarises which ISO 42001 Annex A controls your AIMS adopts, which are not applicable, and why. It demonstrates that you have systematically considered all AI governance controls, not just a handpicked subset that is convenient or “easy.”
For AI, this is especially important because Annex A covers ethical, technical, and organizational aspects (for example, bias, transparency, human oversight, data governance, robustness, and incident response), and the SoA demonstrates how your organization addresses these across the AI lifecycle.
What it typically contains: a practical ISO 42001 SoA usually includes, at a minimum:
- Control reference and title: Annex A ID (for example, A.x.x) and the official control name, forming your AI controls catalogue.
- Applicability decision: Marked as “Applicable” or “Not applicable” for your scope.
- Justification: a risk‑based explanation of why the control is needed or why it is not relevant (for example, because you do not build models and only consume low‑risk APIs).
- Implementation status: Implemented / Partially implemented / Planned, often with target dates where relevant.
- Linked risks and objectives: References to entries in your AI risk register and to AI governance objectives that the control helps meet.
- Evidence and ownership: Pointers to policies, procedures, records, tools, and named owners (process or system owners) that demonstrate the control in action.