Chapter Overview
This chapter provides a comprehensive checklist of all documented information required for ISO 42001 compliance. Use this as a reference to ensure your AIMS documentation is complete.
Documentation Types
Documented Information includes both:
• Documents: Policies, procedures, plans, guidelines
• Records: Evidence of activities performed and results achieved
Mandatory Documents
These documents are explicitly required by ISO 42001 with phrases like "shall be documented" or "documented information shall be available."
Clause 4: Context
| Document | Clause | Status |
|---|---|---|
| AIMS Scope Statement | 4.3 | ☐ |
Clause 5: Leadership
| Document | Clause | Status |
|---|---|---|
| AI Policy | 5.2 | ☐ |
Clause 6: Planning
| Document | Clause | Status |
|---|---|---|
| AI Risk Assessment Process | 6.1.2 | ☐ |
| AI Risk Treatment Process | 6.1.3 | ☐ |
| Statement of Applicability (SoA) | 6.1.3 | ☐ |
| AI Risk Treatment Plan | 6.1.3 | ☐ |
| AI Objectives | 6.2 | ☐ |
Clause 7: Support
| Document | Clause | Status |
|---|---|---|
| Evidence of Competence | 7.2 | ☐ |
Clause 8: Operation
| Document | Clause | Status |
|---|---|---|
| Operational Planning Documentation | 8.1 | ☐ |
| AI Risk Assessment Results | 8.2 | ☐ |
| AI Risk Treatment Results | 8.3 | ☐ |
| AI System Impact Assessment Results | 8.4 | ☐ |
Clause 9: Performance Evaluation
| Document | Clause | Status |
|---|---|---|
| Monitoring and Measurement Results | 9.1 | ☐ |
| Internal Audit Program | 9.2 | ☐ |
| Internal Audit Results | 9.2 | ☐ |
| Management Review Results | 9.3 | ☐ |
Clause 10: Improvement
| Document | Clause | Status |
|---|---|---|
| Nonconformity Records | 10.2 | ☐ |
| Corrective Action Records | 10.2 | ☐ |
Mandatory Documents Summary
16 Mandatory Documents
1. AIMS Scope Statement
2. AI Policy
3. AI Risk Assessment Process
4. AI Risk Treatment Process
5. Statement of Applicability
6. AI Risk Treatment Plan
7. AI Objectives
8. Evidence of Competence
9. Operational Planning Documentation
10. AI Risk Assessment Results
11. AI Risk Treatment Results
12. AI System Impact Assessment Results
13. Monitoring and Measurement Results
14. Internal Audit Program and Results
15. Management Review Results
16. Nonconformity and Corrective Action Records
Recommended Documents
These documents are not explicitly required but are strongly recommended for effective AIMS implementation.
Governance Documents
| Document | Purpose | Status |
|---|---|---|
| Context Analysis Document | Document internal/external issues | ☐ |
| Interested Parties Register | Track stakeholder requirements | ☐ |
| Roles and Responsibilities Matrix | Define AIMS accountabilities | ☐ |
| AI Governance Committee Terms of Reference | Define governance structure | ☐ |
Risk Management Documents
| Document | Purpose | Status |
|---|---|---|
| Risk Criteria Document | Define risk assessment criteria | ☐ |
| AI Risk Register | Track identified risks | ☐ |
| Risk Assessment Reports | Document individual assessments | ☐ |
Operational Documents
| Document | Purpose | Status |
|---|---|---|
| AI System Inventory | Register of AI systems in scope | ☐ |
| AI Lifecycle Procedure | Define lifecycle management | ☐ |
| Data Governance Procedure | Define data management | ☐ |
| Change Management Procedure | Control AI system changes | ☐ |
| Incident Management Procedure | Handle AI incidents | ☐ |
Assessment Documents
| Document | Purpose | Status |
|---|---|---|
| Impact Assessment Methodology | Define impact assessment process | ☐ |
| Impact Assessment Template | Standardize assessments | ☐ |
| Impact Assessment Register | Track assessment status | ☐ |
Support Documents
| Document | Purpose | Status |
|---|---|---|
| Competence Matrix | Track required vs actual competence | ☐ |
| Training Plan | Plan competence development | ☐ |
| Communication Plan | Define AIMS communications | ☐ |
| Document Control Procedure | Control documented information | ☐ |
Audit and Review Documents
| Document | Purpose | Status |
|---|---|---|
| Audit Procedure | Define audit process | ☐ |
| Audit Checklists | Guide audit execution | ☐ |
| Management Review Agenda Template | Ensure complete reviews | ☐ |
| Corrective Action Procedure | Define corrective action process | ☐ |
Document Control Requirements
Clause 7.5 Requirements
Creating and Updating (7.5.2):
• Appropriate identification (title, date, author, version)
• Appropriate format and media
• Review and approval for suitability
Control (7.5.3):
• Available and suitable for use when needed
• Adequately protected
• Distribution, access, retrieval, and use controlled
• Storage and preservation (legibility)
• Control of changes (version control)
• Retention and disposition
Documentation Best Practices
Do's
- Use consistent naming conventions
- Implement version control
- Define clear ownership for each document
- Establish review and approval workflows
- Keep documents concise and practical
- Cross-reference related documents
- Maintain a regular review and update cycle
- Secure storage with backup
Don'ts
- Create documents only for audit
- Over-document simple processes
- Leave documents without owners
- Allow outdated documents to remain in use
- Make documents inaccessible to those who need them
- Forget to control external documents
Pre-Certification Checklist
Final Documentation Check
Before Stage 1 Audit, verify:
☐ All 16 mandatory documents exist
☐ Documents are approved and version controlled
☐ SoA covers all 39 controls with justifications
☐ Risk assessments are complete for all AI systems
☐ Impact assessments are complete
☐ Internal audit has been conducted
☐ Management review has been conducted
☐ Documents are accessible to auditors
Key Takeaways - Documentation
1. 16 documents are explicitly mandatory
2. Additional documents are recommended for effectiveness
3. Documents must be controlled (7.5.3)
4. Keep documentation practical, not bureaucratic
5. Ensure documents are used, not just filed
6. Regular review keeps documentation current