30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Template · ISO 42001

ISO 42001 Statement of Applicability TemplateDocument Every Annex A Control Decision

The Statement of Applicability is the document your ISO 42001 certification audit is planned around. This template lists all 38 Annex A controls grouped by objective area, with columns for applicability, justification, implementation status, evidence, and owner, plus worked examples and an approval block.

What a Statement of Applicability Is

The SoA records which of the 38 reference controls in Annex A of ISO/IEC 42001:2023 apply to your organization, why, and how each one is implemented. Three things make it central to certification:

The audit starts here

Certification auditors request the SoA early and build the audit plan from it. They sample your applicable controls and test the evidence behind each one, so every row needs to hold up.

Traceable to your risk assessment

Every control you declare applicable should trace to a risk, a legal or contractual obligation, or a business objective. Every exclusion must show that the underlying risk or activity genuinely does not exist.

A living document

The SoA is re-reviewed and re-approved whenever the risk assessment changes, AI systems are added or retired, or an incident exposes a gap. Version history and approval blocks are built into the template.

How the SoA Table Works

Each Annex A control gets one row: reference, paraphrased control, applicability, justification, implementation status, evidence pointer, and a named owner. Here are three annotated example rows from the template:

A.6.2.6Ongoing operation and monitoring of deployed AI systems
ApplicableImplemented
Justification

Addresses risks R-014 (model drift in the credit-scoring model) and R-021 (silent degradation of the support chatbot). Monitoring thresholds and escalation paths are defined in the Model Operations Procedure.

Evidence reference

POL-AI-07 v2.1; monthly model performance reports; alert configuration in the MLOps platform

Owner

Head of ML Engineering

A.7.6Preparation of data for AI development
ExcludedNot applicable
Justification

No models are trained or fine-tuned in-house; all AI capability is procured as vendor-hosted services, so no training-data pipeline exists. The decision is revisited if in-house development begins.

Evidence reference

AI system inventory INV-2026-Q2 showing no in-house model development

Owner

AI Governance Lead

A.6.2.8Retention of event logs for AI systems
ApplicableIn progress
Justification

Addresses risk R-009: inability to reconstruct AI-assisted decisions during complaints or incidents. Auditors expect a credible plan, not a finished checklist, so partial rows like this are normal.

Evidence reference

Prompt and response logging live for the customer chatbot; rollout to the two internal copilots scheduled for Q3 2026

Owner

Security Operations Manager

All 38 Annex A Controls, Grouped by Objective Area

The template covers the nine control objective areas of ISO/IEC 42001:2023 Annex A with paraphrased control summaries, plus a coverage summary table for the headline picture.

A.2
Policies for AI
3 controls
A.3
Internal organization
2 controls
A.4
Resources for AI systems
5 controls
A.5
Assessing impacts of AI systems
4 controls
A.6
AI system lifecycle
9 controls
A.7
Data for AI systems
5 controls
A.8
Information for interested parties
4 controls
A.9
Use of AI systems
3 controls
A.10
Third-party and customer relationships
3 controls

Gap Analysis vs Statement of Applicability

The two documents split the standard between them. Run both to cover ISO 42001 end to end.

Gap analysis: Clauses 4 to 10

  • Measures how mature your AI Management System is against the standard's mandatory requirements
  • Covers context, leadership, planning, support, operation, performance evaluation, and improvement
  • Output: maturity ratings, gaps with root causes, and a remediation roadmap

Statement of Applicability: Annex A

  • Records which of the 38 reference controls apply to your organization and why
  • Justifies every inclusion and exclusion so auditors can trace decisions back to risks
  • Output: the control-by-control record your certification audit is planned around
Get the ISO 42001 Gap Analysis Template
Get started

Keep your SoA evidence audit-ready

Aona AI discovers every AI tool in use across your organization, monitors what data flows into them, and keeps the AI inventory and audit trails your Statement of Applicability points to current.