---
title: "ISO 42001 FAQ (AIMS, Risk Assessment, Impact Assessment, Audit)"
canonical_url: "https://www.sorena.io/artifacts/global/iso-42001/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-42001/faq"
author: "Sorena AI"
description: "ISO/IEC 42001 FAQ for AI Management System (AIMS) implementation: what the standard covers, clause structure, Annex A controls."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ISO 42001 FAQ"
  - "ISO/IEC 42001 questions"
  - "AI management system FAQ"
  - "AIMS FAQ"
  - "ISO 42001 certification FAQ"
  - "ISO 42001 audit FAQ"
  - "ISO 42001 scope definition"
  - "Annex A controls ISO 42001"
  - "AI risk assessment ISO 42001"
  - "AI risk treatment ISO 42001"
  - "AI system impact assessment ISO 42001"
  - "documented information ISO 42001"
  - "internal audit ISO 42001"
  - "ISO 42001 vs EU AI Act"
  - "GLOBAL compliance"
  - "ISO/IEC 42001"
  - "AIMS"
  - "AI governance"
  - "FAQ"
---

# ISO 42001 FAQ (AIMS, Risk Assessment, Impact Assessment, Audit)

ISO/IEC 42001 FAQ for AI Management System (AIMS) implementation: what the standard covers, clause structure, Annex A controls.


## ISO 42001 FAQ

Quick answers to real ISO/IEC 42001 AIMS implementation questions.

Focused on scope, governance, AI risk and impact assessment, controls, evidence, and audit readiness.

This FAQ answers the questions that matter when ISO/IEC 42001 moves from concept to implementation: who the standard applies to, what the AI system impact assessment really requires, how Annex A and Annex B should be used, what evidence auditors look for, and where ISO 42001 stops and the EU AI Act starts.

## Who is ISO/IEC 42001 actually for?

ISO 42001 is intended for organizations that provide or use products or services that utilize AI systems. The standard is written for organizations that develop, provide, or use AI systems responsibly in pursuing their objectives.

That means it is broader than model developers alone. It can apply to providers, customers or users, partners, integrators, and data providers, depending on the organization's role with respect to the AI system.

- Determine the organization's role early, because it influences which controls and evidence matter most
- Do not limit the scope to engineering if business units or suppliers materially shape AI outcomes
- Keep the scope and the role decisions as documented information

## What does the AI system impact assessment have to cover?

The standard requires the impact assessment to determine the potential consequences that deployment, intended use, and foreseeable misuse can have on individuals, groups of individuals, and societies.

It must account for the technical and societal context of deployment and applicable jurisdictions. The results must be documented and fed back into risk assessment.

- Assess impacts on individuals and groups across the system life cycle
- Assess societal impacts where relevant
- Repeat the assessment at planned intervals or when significant changes are proposed
- Add discipline-specific impact work for safety-, privacy-, or security-critical contexts when needed

## How should Annex A and Annex B be used together?

Annex A gives reference control objectives and controls. Annex B gives the implementation guidance that turns those controls into practical routines. The two should be used together during risk treatment and operational design.

A good implementation selects relevant Annex A controls, justifies exclusions, adds extra controls where needed, and uses Annex B to define owners, procedures, documentation, and monitoring.

- Annex A is not exhaustive, so additional controls can be necessary
- Annex B explains how to operationalize policy, roles, impacts, monitoring, technical documentation, and supplier controls
- Annex C helps define objectives and risk sources, while Annex D helps adapt the AIMS across sectors

## What evidence do auditors usually expect for ISO 42001?

Auditors usually look for whether the AIMS operates as a system: scope and role clarity, interested-party requirements, policy and responsibilities, risk and impact work, operational controls, monitoring, internal audit, management review, and corrective action.

The strongest evidence is traceable documented information that shows the management system is used in practice, not only declared.

- Scope statement, AI system inventory, role determination, and interested-party register
- AI policy, governance charter, assigned responsibilities, and concern-reporting route
- Risk assessments, risk-treatment records, impact assessments, and justification for excluded controls
- Technical documentation, event-log decisions, monitoring outputs, incident records, and supplier allocations
- Internal audit outputs, management-review decisions, and corrective-action closure proof

## Does ISO 42001 make you compliant with the EU AI Act?

No. ISO 42001 is a management system standard, while the EU AI Act is a regulation with role-specific and system-category-specific legal duties. ISO 42001 can provide the governance engine behind compliance, but it does not replace legal scoping or AI Act-specific obligations.

The efficient approach is to reuse ISO 42001 evidence for AI Act work where the underlying governance process overlaps, such as risk management, documentation control, monitoring, and supplier accountability.

- ISO 42001 helps with governance and evidence discipline
- The AI Act still requires provider or deployer scoping, category assessment, and legal obligation mapping
- Design one evidence index so ISO audits and AI Act readiness use the same underlying artifacts


## Use ISO 42001 FAQ as a cited research workflow

Research Copilot can turn the cited answers in this ISO 42001 FAQ into a reusable workflow inside Sorena. Teams working on ISO 42001 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for ISO 42001 FAQ](/solutions/research-copilot.md): Start from ISO 42001 FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through ISO 42001](/contact.md): Review your current process, evidence gaps, and next steps for ISO 42001 FAQ.

## Primary sources

- [ISO/IEC 42001:2023 - ISO standard page](https://www.iso.org/standard/81230.html?ref=sorena.io) - Primary reference for ISO 42001 publication and scope.
- [Regulation (EU) 2024/1689 - Artificial Intelligence Act](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal source for EU AI Act comparison questions.

## Related Topic Guides

- [ISO 42001 Compliance (AI Management System Playbook)](/artifacts/global/iso-42001/compliance.md): A practical ISO/IEC 42001 compliance playbook to implement an AI Management System (AIMS): scope, AI policy, roles and responsibilities.
- [ISO 42001 Controls and Governance Model (Annex A + Operating Routines)](/artifacts/global/iso-42001/controls-and-governance-model.md): Turn ISO/IEC 42001 into an AI governance operating model: Annex A control objectives and controls, Annex B implementation guidance.
- [ISO 42001 Requirements (Clause-by-Clause Breakdown + Evidence)](/artifacts/global/iso-42001/requirements.md): An advanced ISO/IEC 42001 requirements breakdown: clauses 4-10 (context, leadership, planning, support, operation, performance evaluation, improvement).
- [ISO 42001 vs EU AI Act (Mapping + Evidence Reuse)](/artifacts/global/iso-42001/iso-42001-vs-eu-ai-act.md): A practical ISO/IEC 42001 vs EU AI Act mapping: how an AI Management System (AIMS) supports AI Act obligations (risk management, data governance.



(c) 2026 Sorena AB (559573-7338). All rights reserved.

