
ISO 42001 FAQ

Quick answers to real ISO/IEC 42001 AIMS implementation questions.

Focused on scope, governance, AI risk and impact assessment, controls, evidence, and audit readiness.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

This FAQ answers the questions that matter when ISO/IEC 42001 moves from concept to implementation: who the standard applies to, what the AI system impact assessment really requires, how Annex A and Annex B should be used, what evidence auditors look for, and where ISO 42001 stops and the EU AI Act starts.

Question 1

Who is ISO/IEC 42001 actually for?

ISO/IEC 42001 applies to any organization, regardless of size, type, or sector, that provides or uses products or services relying on AI systems. It is written for organizations that develop, provide, or use AI systems and want to do so responsibly while pursuing their own objectives.

That makes it broader than a standard for model developers alone. It can apply to AI providers, AI customers or users, partners, integrators, and data providers, depending on the role the organization plays with respect to each AI system.

  • Determine the organization's role for each AI system early, because it drives which controls and which evidence matter most
  • Do not limit the scope to engineering if business units or suppliers materially shape AI outcomes
  • Keep the scope and the role decisions as documented information
Question 2

What does the AI system impact assessment have to cover?

The standard requires the impact assessment to determine the potential consequences that deployment, intended use, and foreseeable misuse can have on individuals, groups of individuals, and societies.

It must take into account the technical and societal context in which the system is deployed and the jurisdictions that apply. The results are retained as documented information and feed back into the AI risk assessment and risk treatment.

  • Assess impacts on individuals and groups across the system life cycle
  • Assess societal impacts where relevant
  • Repeat the assessment at planned intervals or when significant changes are proposed
  • Add discipline-specific impact work (safety, privacy, or security assessments) for safety-, privacy-, or security-critical contexts when needed
Question 3

How should Annex A and Annex B be used together?

Annex A gives reference control objectives and controls. Annex B gives the implementation guidance that turns those controls into practical routines. The two should be used together during risk treatment and operational design.

A good implementation selects the relevant Annex A controls, records inclusions and exclusions with their justification in the Statement of Applicability, adds controls beyond Annex A where the risk treatment needs them, and uses Annex B to define owners, procedures, documentation, and monitoring.

  • Annex A is not exhaustive, so additional controls can be necessary
  • Annex B explains how to operationalize policy, roles, impacts, monitoring, technical documentation, and supplier controls
  • Annex C helps define objectives and risk sources, while Annex D helps adapt the AIMS across sectors
Question 4

What evidence do auditors usually expect for ISO 42001?

Auditors usually look for evidence that the AIMS operates as a system: scope and role clarity, interested-party requirements, policy and responsibilities, risk and impact work, operational controls, monitoring, internal audit, management review, and corrective action.

The strongest evidence is traceable documented information that shows the management system is used in practice, not only declared.

  • Scope statement, AI system inventory, role determination, and interested-party register
  • AI policy, governance charter, assigned responsibilities, and concern-reporting route
  • Risk assessments, risk-treatment records, impact assessments, and justification for excluded controls
  • Technical documentation, decisions about what is recorded in event logs and for how long, monitoring outputs, incident records, and the allocation of responsibilities to suppliers and other third parties
  • Internal audit outputs, management-review decisions, and corrective-action closure proof
Question 5

Does ISO 42001 make you compliant with the EU AI Act?

No. ISO/IEC 42001 is a certifiable management system standard, while the EU AI Act (Regulation (EU) 2024/1689) is a law whose duties depend on the organization's role (provider, deployer, importer, distributor) and on the risk category of the system. ISO 42001 can supply the governance engine behind compliance, but it does not replace legal scoping or the Act's specific obligations, and presumption of conformity with the Act's high-risk requirements comes from harmonised standards referenced in the Official Journal of the EU, not from an ISO certificate as such.

The efficient approach is to reuse ISO 42001 evidence for AI Act work where the underlying governance process overlaps, such as risk management, documentation control, monitoring, and supplier accountability.

  • ISO 42001 helps with governance and evidence discipline
  • The AI Act still requires provider or deployer scoping, category assessment, and legal obligation mapping
  • Design one evidence index so ISO audits and AI Act readiness use the same underlying artifacts
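A minimal evidence index of the kind the last bullet describes, as an added example that is not from the original page or from Sorena: it maps one set of artifacts to placeholder ISO 42001 control identifiers and placeholder AI Act obligation identifiers (all identifiers, artifact names, and owners are hypothetical and constructed for the example; they are not Annex A control numbers or AI Act article numbers) and reports the gaps an auditor would raise: applicable controls with no evidence, exclusions without a justification, obligations with no evidence, references to artifacts that do not exist, and artifacts past their review interval. It also lists the artifacts that serve both regimes, which is the reuse the bullet is after.

```python
"""Evidence index mapping artifacts to ISO 42001 controls and AI Act obligations.

Added example, not the page's or Sorena's code. Every identifier below is a
hypothetical placeholder, not an Annex A control number or an AI Act article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    title: str
    owner: str
    location: str            # where the documented information lives
    last_reviewed: date


@dataclass(frozen=True)
class Control:
    control_id: str          # placeholder, not an Annex A reference
    name: str
    applicable: bool
    justification: str = ""  # required when applicable is False (SoA exclusion)
    evidence: tuple[str, ...] = ()   # artifact ids


@dataclass(frozen=True)
class Obligation:
    obligation_id: str       # placeholder, not an AI Act article number
    name: str
    evidence: tuple[str, ...] = ()   # artifact ids


@dataclass
class EvidenceIndex:
    artifacts: dict[str, Artifact]
    controls: list[Control]
    obligations: list[Obligation]
    review_interval: timedelta = timedelta(days=365)

    def gaps(self, today: date) -> dict[str, list[str]]:
        """Return the findings an auditor would raise against this index."""
        report: dict[str, list[str]] = {
            "control_without_evidence": [],
            "unjustified_exclusion": [],
            "obligation_without_evidence": [],
            "dangling_reference": [],
            "stale_artifact": [],
        }
        for c in self.controls:
            valid = [a for a in c.evidence if a in self.artifacts]
            report["dangling_reference"] += [
                f"{c.control_id}->{a}" for a in c.evidence if a not in self.artifacts]
            if c.applicable and not valid:
                report["control_without_evidence"].append(c.control_id)
            if not c.applicable and not c.justification.strip():
                report["unjustified_exclusion"].append(c.control_id)
        for o in self.obligations:
            valid = [a for a in o.evidence if a in self.artifacts]
            report["dangling_reference"] += [
                f"{o.obligation_id}->{a}" for a in o.evidence if a not in self.artifacts]
            if not valid:
                report["obligation_without_evidence"].append(o.obligation_id)
        for a in self.artifacts.values():
            if a.last_reviewed + self.review_interval < today:
                report["stale_artifact"].append(a.artifact_id)
        return report

    def shared_artifacts(self) -> set[str]:
        """Artifacts cited by at least one control and at least one obligation."""
        by_controls = {a for c in self.controls for a in c.evidence}
        by_obligations = {a for o in self.obligations for a in o.evidence}
        return by_controls & by_obligations & set(self.artifacts)


def build_sample_index() -> EvidenceIndex:
    """Constructed sample data; the ids, owners and paths are made up."""
    reviewed = date(2025, 9, 15)
    arts = [
        Artifact("ART-SCOPE", "AIMS scope statement", "ciso", "gov/scope.md", reviewed),
        Artifact("ART-INV", "AI system inventory", "ciso", "gov/inventory.csv", reviewed),
        Artifact("ART-RISK", "AI risk assessment", "risk", "risk/assessment.xlsx", reviewed),
        Artifact("ART-IA", "AI system impact assessment", "risk", "risk/impact.md", reviewed),
        Artifact("ART-TECHDOC", "Technical documentation", "eng", "eng/techdoc/", reviewed),
        Artifact("ART-MR", "Management review minutes", "ciso", "gov/mr.md", date(2024, 12, 1)),
    ]
    controls = [
        Control("CTRL-SCOPE", "Scope and role determination", True, evidence=("ART-SCOPE", "ART-INV")),
        Control("CTRL-IMPACT", "Impact assessment", True, evidence=("ART-IA",)),
        Control("CTRL-LOGGING", "Event logging decisions", True),                 # no evidence
        Control("CTRL-SUPPLIER", "Supplier responsibility allocation", False),     # no justification
        Control("CTRL-DATAQ", "Training data quality", False,
                justification="No training data handled; models consumed via vendor API"),
        Control("CTRL-MGMTREV", "Management review", True, evidence=("ART-MR",)),  # stale artifact
        Control("CTRL-TECHDOC", "Technical documentation", True,
                evidence=("ART-TECHDOC", "ART-MISSING")),                         # dangling ref
    ]
    obligations = [
        Obligation("OBL-RISKMGMT", "Risk management process", evidence=("ART-RISK", "ART-IA")),
        Obligation("OBL-TECHDOC", "Technical documentation", evidence=("ART-TECHDOC",)),
        Obligation("OBL-OVERSIGHT", "Human oversight measures"),                   # no evidence
    ]
    return EvidenceIndex({a.artifact_id: a for a in arts}, controls, obligations)


if __name__ == "__main__":
    index = build_sample_index()
    for kind, items in index.gaps(date(2026, 3, 4)).items():
        print(f"{kind}: {items or 'none'}")
    print("reused across ISO 42001 and AI Act:", sorted(index.shared_artifacts()))
```

The point of keeping a single index rather than two registers is visible in `shared_artifacts()`: the impact assessment and the technical documentation are cited by both a control and an obligation, so one review cycle keeps both audits current. In a real programme the sample data would be loaded from the document management system, and the gap report would be run before each internal audit and management review.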
