ISO/IEC 42001 FAQ Risk Controls

Start with the operational decision: define what risk controls means in your ISO/IEC 42001 scope, for example access restrictions, approval steps, human oversight, monitoring, testing, incident response, supplier checks, or rollback procedures, and record who owns them and what record proves the decision is current.

For risk work, separate the model from the result: risk criteria, scenario assumptions, likelihood rationale, impact rationale, existing controls, treatment choice, residual risk, and acceptance authority. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review.

The evidence should show the process operating. For this artifact, the strongest record usually includes AIMS scope, AI inventory, AI policy, role map, risk and impact assessments, control evidence, monitoring records, human oversight, and management review outputs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.