The Statement of Applicability is the document your ISO 42001 certification audit is planned around. This template lists all 38 Annex A controls grouped by objective area, with columns for applicability, justification, implementation status, evidence, and owner, plus worked examples and an approval block.
The SoA records which of the 38 reference controls in Annex A of ISO/IEC 42001:2023 apply to your organization, why, and how each one is implemented. Three things make it central to certification:
Certification auditors request the SoA early and build the audit plan from it. They sample your applicable controls and test the evidence behind each one, so every row needs to hold up.
Every control you declare applicable should trace to a risk, a legal or contractual obligation, or a business objective. Every exclusion must show that the underlying risk or activity genuinely does not exist.
The SoA is re-reviewed and re-approved whenever the risk assessment changes, AI systems are added or retired, or an incident exposes a gap. Version history and approval blocks are built into the template.
Each Annex A control gets one row: reference, paraphrased control, applicability, justification, implementation status, evidence pointer, and a named owner. Here are three annotated example rows from the template:
Addresses risks R-014 (model drift in the credit-scoring model) and R-021 (silent degradation of the support chatbot). Monitoring thresholds and escalation paths are defined in the Model Operations Procedure.
POL-AI-07 v2.1; monthly model performance reports; alert configuration in the MLOps platform
Head of ML Engineering
No models are trained or fine-tuned in-house; all AI capability is procured as vendor-hosted services, so no training-data pipeline exists. The decision is revisited if in-house development begins.
AI system inventory INV-2026-Q2 showing no in-house model development
AI Governance Lead
Addresses risk R-009: inability to reconstruct AI-assisted decisions during complaints or incidents. Auditors expect a credible plan, not a finished checklist, so partial rows like this are normal.
Prompt and response logging live for the customer chatbot; rollout to the two internal copilots scheduled for Q3 2026
Security Operations Manager
The template covers the nine control objective areas of ISO/IEC 42001:2023 Annex A with paraphrased control summaries, plus a coverage summary table for the headline picture.
The two documents split the standard between them. Run both to cover ISO 42001 end to end.
Aona AI discovers every AI tool in use across your organization, monitors what data flows into them, and keeps the AI inventory and audit trails your Statement of Applicability points to current.