ISO 42001 Mandatory Documents: The Complete List Every AIMS Implementer Needs
ISO 42001 requires 19 mandatory documents. This guide maps all 14 clause level requirements and 5 Annex A controls with what each must contain, how auditors review them, and a 4-phase build sequence to avoid rework.
If you've started an ISO/IEC 42001 implementation, you've probably encountered a question that stops most teams cold: what documents do we actually have to produce?
The standard doesn't hand you a tidy checklist. Across ten clauses and a substantial Annex A of controls, ISO 42001 scatters its documentation requirements in ways that aren't always obvious on a first read. Miss a mandatory document and your auditor will flag a nonconformity. Create everything but get the format or management process wrong, and you'll face the same result. This 5,200-word guide covers every document, what each must contain, and how to build them in the right sequence.
The short answer: ISO/IEC 42001 requires 19 mandatory documents in total — 14 at the clause level and up to 5 from Annex A controls, depending on your organisation's scope. This guide maps all 19 clause by clause, then by Annex A control, and explains what each one needs to contain, why auditors look for it, and how to avoid the common traps that sink otherwise solid implementations. If you're new to the standard, start with our ISO 42001 certification guide before coming back here.
Key Takeaways
19
Total mandatory documents: 14 at clause level + up to 5 from applicable Annex A controls
3
Criteria every document is audited against: content, format, and management process — all three must pass
SoA
The Statement of Applicability requires justification for both inclusions AND exclusions — the most common audit nonconformity
4 phases
Build order matters: Foundation → Risk planning → Operational records → Evaluation. Skipping phase 2 wastes all phase 3 effort
Why ISO 42001 Documentation Isn't Just a Filing Exercise
Before diving into the list, it helps to understand what ISO 42001 actually expects from documented information.
The standard is clear: documentation exists to guide the operation of your AI management system (AIMS), serve as evidence of conformity, demonstrate process effectiveness, and identify improvement opportunities. Documentation should add value to the AIMS rather than be an end goal in itself.
Auditors aren't counting pages. They're evaluating three things about every document they examine:
| Criterion | What the Auditor Checks | Common Failure |
|---|---|---|
| Content | Does the document contain what the relevant clause actually requires? | Scope document that doesn't address interested parties or organisational context |
| Format | Is it properly identified, dated, versioned, and approved? | No version number or approval date — even a correct document fails on format |
| Management Process | Is there a procedure governing how documented information is created, updated, and controlled? | No Clause 7.5 procedure — the entire documentation set lacks a governance backbone |
A document that exists but fails on format or governance is still a nonconformity. Build author, date, version, and approval fields into every template before you write your first document.
ISO 42001 also separates two types of required documentation. Some documents must be maintained — policies, procedures, plans you keep current and update over time. Others must be retained — records that capture point-in-time evidence of something that happened. The tables below mark which type each requirement demands.
BECOME AN ISO 42001 LEAD IMPLEMENTER
The PECB ISO 42001 Lead Implementer certification is the gold standard for professionals building and managing AI management systems. It covers every clause, every Annex A control, and every documentation requirement in this guide — in depth.
reconn delivers this course as self-study ($799), eLearning ($899), and live instructor-led sessions with Shenoy Sandeep — PECB Certified Trainer with 20+ years of cybersecurity and AI governance experience. Both formats include 2 exam attempts and first-year AMF. Available online or in-person across Dubai, GCC, MEA, and international locations.
reconn.io | Dubai, UAE | Remote delivery worldwide
The Complete ISO 42001 Mandatory Documents List
Section 1: Clause-by-Clause Requirements (14 Documents)
| # | Document | Clause | Type | Core Requirement |
|---|---|---|---|---|
| 1 | AIMS Scope | 4.3 | Maintained | Define and document the boundaries and applicability of your AI management system |
| 2 | AI Policy | 5.2 | Maintained | Organisation-wide AI policy available as documented information, communicated internally and to interested parties |
| 3 | AI Risk Assessment | 6.1.2 | Retained | Results of the risk assessment process, including identified risks, evaluation methodology, and risk levels |
| 4 | AI Risk Treatment Plan | 6.1.3 | Retained | Chosen treatment options, controls selected, and management approval for the plan and acceptance of residual risks |
| 5 | Statement of Applicability (SoA) | 6.1.3 | Maintained | All necessary controls with justification for inclusion AND exclusion of each — both are required |
| 6 | AI Objectives | 6.2 | Retained | AI objectives at relevant functions and levels, with planning details: what, who, resources, timeline, evaluation method |
| 7 | Competence Records | 7.2 | Retained | Evidence of competence for persons influencing AI performance — training records, qualifications, appraisals |
| 8 | Documented Information Management Procedure | 7.5 | Maintained | Procedure governing creation, classification, review, approval, storage, version control, retention, and disposal of all documents |
| 9 | Operational Planning Records | 8.1 | Retained | Records demonstrating that operational processes have been planned, implemented, and controlled as designed |
| 10 | Monitoring and Measurement Results | 9.1 | Retained | Evidence of monitoring and measurement activities, including what was measured, methods used, and results |
| 11 | Internal Audit Programme | 9.2.2 | Maintained | Planned audit schedule covering frequency, methods, responsibilities, scope, and auditor independence measures |
| 12 | Internal Audit Results | 9.2.2 | Retained | Evidence of audit implementation — what was assessed, evidence reviewed, findings raised, communication to management |
| 13 | Management Review Results | 9.3 | Retained | Outputs of management review meetings addressing all required inputs: previous actions, context changes, performance data, and improvement opportunities |
| 14 | Nonconformity and Corrective Action Records | 10.2 | Retained | Nature of nonconformities, actions taken, root cause analysis, and results of corrective actions — proportionate to effects |
Each of these is non-negotiable. An auditor examining your AIMS will look for all fourteen before reaching any controls-level review. The absence of any single one is typically classified as a major nonconformity — your certification audit cannot conclude successfully until it is resolved.
Section 2: Annex A Control Documentation Requirements (5 Documents)
ISO 42001's Annex A contains the controls your organisation selects through the risk treatment process. Several controls carry their own explicit documentation requirements. These are not optional if the control is applicable.
| # | Document | Clause | What Must Be Documented |
|---|---|---|---|
| 15 | AI Resource Documentation | A.4.2 | Relevant resources (data, compute, personnel, tools) required for AI system lifecycle activities at each stage |
| 16 | AI System Impact Assessment Results | A.5.3 | Results of impact assessments on individuals, groups, and society — retained for a defined period |
| 17 | AI System Design & Development Documentation | A.6.2.3 | Design and development decisions — objectives guiding development, requirements specified, criteria used to evaluate outputs |
| 18 | AI System Technical Documentation | A.6.2.7 | Technical documentation tailored per audience — users, partners, supervisory authorities — in appropriate form for each |
| 19 | AI System Information for Users | A.8.2 | Information provided to users — what the system does, what data it uses, how decisions are made — in accessible form |
These five documents are distinct from the Statement of Applicability. Producing an SoA that marks A.4.2 as "applicable" without actually maintaining a resource document is a nonconformity — auditors will ask to see the underlying document, not just the SoA entry. For a deeper look at how these controls fit into the broader control framework, see our ISO 42001 controls guide.
What Each Document Must Actually Contain
Understanding the list is one thing. Understanding what goes inside each document is where most implementations run into trouble. The following breaks down the critical content requirements for the documents where teams most commonly go wrong.
1. AIMS Scope (Clause 4.3)
The scope document establishes which AI systems, activities, and organisational boundaries fall within your management system. It must reflect your internal and external context (Clause 4.1) and the requirements of interested parties (Clause 4.2). For a detailed treatment of scoping alone, see our guide on defining your ISO 42001 scope.
| Scope Element | What to Address |
|---|---|
| Organisational context | Internal factors (culture, capabilities, resources) and external factors (market, regulation, technology) |
| Interested party requirements | Which stakeholder requirements the AIMS is designed to meet — customers, regulators, partners |
| AI system inclusions | Specific AI systems, products, or services within scope |
| Boundary limitations | What is explicitly excluded and why — documented justification is required |
| Interfaces with out-of-scope activities | How the AIMS interfaces with excluded systems or external parties |
2. AI Risk Assessment (Clause 6.1.2)
This is the engine of your AIMS. The risk assessment must capture the process and the results — not just the methodology. ISO 42001 Annex C outlines AI-specific risk sources that go beyond conventional information security: fairness, transparency, explainability, privacy, safety, and accountability.
| Component | Documentation Requirement |
|---|---|
| Risk identification methodology | How risks are identified across the AI lifecycle — data, model, deployment, and operational phases |
| Risk owners | Named individuals responsible for each identified risk |
| Likelihood and consequence criteria | The scales used to evaluate risk levels — must be defined and consistently applied |
| Risk evaluation results | Risk level for each identified risk against the defined acceptance criteria |
| Risks accepted without treatment | Explicit management approval recorded for any risk accepted above threshold |
3. Statement of Applicability (Clause 6.1.3)
The SoA is the most scrutinised document in any AIMS audit. It must list every control — Annex A and any additional controls — with justification for both inclusion and exclusion. Exclusions need documented reasoning, not just a checkbox.
| SoA Column | Purpose |
|---|---|
| Control reference | Annex A clause number or organisation-defined control identifier |
| Control description | Brief description of what the control does |
| Applicability (Yes/No) | Whether the control applies to this organisation |
| Justification for inclusion | Risk scenarios or requirements this control addresses |
| Justification for exclusion | Why the control is not needed — risk assessment result, regulatory exception, or organisational context |
| Implementation status | Current state: planned, in progress, or implemented |
| Related documentation | Which policy, procedure, or record implements this control |
Several organisations integrate the SoA with their master document list into a single reference — practical for smaller organisations where maintaining multiple documents creates unnecessary overhead.
4. Documented Information Management Procedure (Clause 7.5)
This procedure governs the lifecycle of every other document on this list. Without it, your documentation set has no governance backbone. A practical tip: assign dates in YYYY-MM-DD format across all documents — it makes version management and audit preparation significantly easier.
| Lifecycle Stage | What the Procedure Addresses |
|---|---|
| Identification | How documents are named, numbered, and categorised |
| Creation | Standardised process for authoring and formatting new documents |
| Classification | Categories based on nature, purpose, and significance |
| Review and modification | Systematic approach for periodic updates — who triggers, who approves |
| Approval | Formal approval process with defined approvers per document type |
| Distribution | How documented information reaches those who need it |
| Storage and protection | Where documents are held and how access is controlled |
| Version control | How revisions are tracked and previous versions managed |
| Retention and disposal | How long records are kept and what happens when the retention period ends |
BECOME AN ISO 42001 LEAD AUDITOR
If your role involves auditing AI management systems — internally or as a third-party assessor — the PECB ISO 42001 Lead Auditor certification equips you to evaluate every document on this list against the standard's requirements.
The course covers audit principles, audit programme management, conducting Stage 1 and Stage 2 audits, evidence collection, nonconformity classification, and closing audits. Delivered by Shenoy Sandeep, PECB Certified Trainer. Available as self-study ($799), eLearning ($899), or live sessions.
reconn.io | Dubai, UAE | Remote delivery worldwide
The Five Annex A Controls That Require Their Own Documents
A.4.2 — Resource Documentation
Beyond the general operational records required under Clause 8.1, this control requires documenting resources needed for AI activities at each lifecycle stage specifically — mapping data, compute infrastructure, personnel expertise, and tools to the stages where they're needed.
A.5.3 — AI System Impact Assessment Documentation
Where your organisation determines that an impact assessment is required, the results must be documented and retained for a defined period — one your organisation sets in its documented information management procedure. Impact assessments examine effects on individuals, groups, and society. Documentation should capture the scope, methodology, findings, and any design or deployment decisions the assessment produced.
A.6.2.3 — AI System Design and Development Documentation
This control requires documentation of design and development decisions — the rationale behind how an AI system was built, not just what it does. For organisations developing AI in-house, this is often the most technically demanding documentation requirement. For organisations using third-party AI, the equivalent documentation may come from suppliers, making A.6.2.7 the primary control.
A.6.2.7 — AI System Technical Documentation
The organisation must determine what technical documentation is needed for each audience category and provide it in appropriate form. Regulatory authorities need model-level detail. End users need accessible explanations of what the system does and doesn't do. Partners need integration specifications. One document trying to serve all audiences typically serves none of them properly.
A.8.2 — System Documentation and Information for Users
Users must receive sufficient information to use AI systems appropriately. In regulated sectors — financial services, healthcare, public sector — this user-facing documentation often intersects directly with legal disclosure requirements.
The Auditor's Examination Order
Understanding how auditors sequence their document review helps prioritise where implementation effort goes. Knowing this before you build your documentation set changes how you invest time.
| Step | Category | Why Auditors Start Here | Documents Reviewed |
|---|---|---|---|
| 1 | Strategic documentation | Establishes what the AIMS is supposed to achieve — if this layer is weak, everything downstream is undermined | Scope, AI Policy, objectives, master plan |
| 2 | Risk management documentation | Verifies the documented risk process is credible and the SoA logically follows from risk treatment results | Risk assessment, risk treatment plan, SoA — auditors trace the chain: risk → control → SoA entry |
| 3 | Process and procedure documentation | Confirms operational processes are correctly designed and controlled | Documented Information Management Procedure, operational planning, audit programme |
| 4 | Supporting documentation | Checks that worksheets, forms, and templates in operational use align with designed processes | Templates, checklists, forms used in day-to-day AIMS operation |
| 5 | Records review | Verifies designed processes were actually followed — the gap between procedure and practice is the most common audit finding | Audit results, management review outputs, corrective action records, monitoring results, competence evidence |
When validating any document, auditors apply four criteria: complete (all expected content is present), correct (conforms to the standard and other reliable sources), consistent (internally coherent and aligned with related documents), and current (up to date).
Maintained vs. Retained: Getting the Distinction Right
Maintained documented information refers to living documents — policies, procedures, plans — that the organisation keeps current and updates when circumstances change. These need a formal change control process, version numbering, and documented approval on each revision.
Retained documented information refers to records — evidence that something happened. Records capture a point-in-time state and are not revised after the fact. They require a retention schedule specifying how long they're kept and what happens when the period ends.
Getting this wrong creates real problems. Treating records as living documents and revising them after the fact raises questions about evidence integrity. Treating policies like records and not updating them when the organisation changes creates scope and accuracy gaps that auditors flag.
Common Documentation Gaps Auditors Consistently Find
These gaps appear repeatedly across ISO 42001 audits. Knowing them before you build is more useful than discovering them during audit preparation. In my experience working with organisations across MEA on ISO 42001 implementation, the SoA exclusion gap and the procedure-versus-practice gap are by far the two most frequent reasons a first-attempt audit stalls. Both are completely preventable with the right build sequence.
| Gap | Why It's Common | How to Avoid It |
|---|---|---|
| SoA excludes controls without justification | Teams mark controls "N/A" without documenting why | Build a mandatory justification field into every SoA row; require sign-off on exclusions |
| Management review records are superficial | Reviews happen but outputs don't address all required inputs | Use a structured agenda template that maps each required input to a discussion item |
| Competence records don't link to AIMS roles | HR records exist but aren't mapped to AI-specific responsibilities | Create a competence matrix linking each AIMS role to the required evidence |
| Impact assessment results aren't retained | Assessments happen verbally or in project tools that aren't formally archived | Define retention locations and periods in the documented information procedure before any assessments are run |
| Technical documentation doesn't vary by audience | One document tries to serve regulators, users, and partners simultaneously | Produce separate documentation packages per stakeholder category under A.6.2.7 |
| Operational records don't match documented procedures | Procedures describe one process; practice shows another | Conduct procedure walkthroughs with operational staff before audit to surface alignment gaps early |
reconn Implementation Services
Don't build these 19 documents from scratch alone.
Most organisations underestimate how long it takes to get from a blank document set to audit-ready. Gap assessment, risk assessment methodology, SoA sign-off, procedure alignment, internal audit cycle — each phase has dependencies the next can't skip.
reconn's ISO 42001 implementation and certification service covers the full journey — from initial gap assessment through every mandatory document, staff PECB certification, and independent audit with BSI, Bureau Veritas, SGS, DNV, or TÜV.
reconn.io | Business Bay, Dubai | Remote delivery worldwide | hello@reconn.io
A Practical Build Order for Your Documentation Set
Building the documentation set in the right sequence reduces rework significantly. The most common sequencing mistake is jumping to Phase 3 (Annex A documentation) without a completed, approved SoA from Phase 2 — you don't yet know which controls are applicable and which aren't.
| Phase | Documents to Build | Gate Before Moving On |
|---|---|---|
| Phase 1 Foundation |
AIMS Scope · AI Policy · Documented Information Management Procedure | All three approved by top management |
| Phase 2 Risk Planning |
AI Risk Assessment · AI Risk Treatment Plan · Statement of Applicability · AI Objectives | SoA approved — determines which Annex A documents are needed in Phase 3 |
| Phase 3 Operational Evidence |
Resource Documentation (A.4.2) · Design & Development Documentation (A.6.2.3) · Technical Documentation (A.6.2.7) · User Information (A.8.2) · Impact Assessment Results (A.5.3) · Operational Planning Records · Competence Records | Records demonstrate processes are operating, not just designed |
| Phase 4 Evaluation (Ongoing) |
Internal Audit Programme · Internal Audit Results · Monitoring and Measurement Results · Management Review Results · Nonconformity and Corrective Action Records | At least one full audit and management review cycle completed before certification audit |
ISO 42001 IMPLEMENTATION & CERTIFICATION SERVICES
Building a compliant AIMS documentation set from scratch — while keeping your AI operations running — is demanding. reconn guides organisations through every phase of ISO 42001 implementation: from scope definition and risk assessment to the complete mandatory documentation set and audit readiness.
Our implementation pathway covers gap assessment, AIMS design, documentation development (all 19 mandatory documents), staff certification through PECB, and audit readiness validation. We work with independent certification bodies — BSI, Bureau Veritas, SGS, DNV, and TÜV — so your path to organisational certification is clear from day one.
reconn.io | Dubai, UAE | Remote delivery worldwide
Conclusion
ISO 42001 requires nineteen documents across its clauses and Annex A. But the standard is clear on one point: documentation is a means, not an end. The purpose of every document on this list is to make your AIMS work better, evidence that it does, and give you a foundation for improving it over time.
The implementations that survive audit aren't the ones with the most documentation. They're the ones where the documentation is coherent — where scope reflects actual AI operations, the risk assessment drives the SoA rather than the reverse, procedures match what people actually do, and records show a system in motion.
Related ISO 42001 Reading
Further Reading on orbit.reconn.io
ISO 42001 Pillar Guide
The complete global guide to ISO/IEC 42001 — what it covers, who needs it, and how certification works
ISO 42001 Lead Implementer Guide
PECB Lead Implementer course overview, prerequisites, exam structure, and career outcomes
ISO 42001 Lead Auditor Guide
How the Lead Auditor course differs from Lead Implementer, and which role fits your career path
ISO 42001 vs NIST AI RMF
Comparing the two leading AI governance frameworks — what overlaps, what doesn't, and how to use both
ISO 42001 vs ISO 27001
Key differences between the AI governance standard and the information security standard — and how they complement each other
ISO 42001 Controls: Complete Guide
A deep-dive into every Annex A control — what each requires and how to implement it in practice
