15 Must-Have Documents & Evidence for an ISO/IEC 42001 Audit

Author: Pooja Rawat
Nov 24, 2025

ISO/IEC 42001 is the world’s first certifiable AI Management System (AIMS) standard. It provides organizations with a structured, auditable framework to develop, deploy, and operate AI responsibly. In practice, ISO 42001 alignment has become a hot trend in 2025 as regulators brace for heavy AI rules. Auditors do not care about slick brochures; they care about proof. Documentation is the immune system of your AI. You must have the right papers and records ready, or you risk flunking the audit and losing credibility.

Implementing ISO/IEC 42001 means building solid AI governance from the ground up. A key starting point is a comprehensive AI Management System (AIMS) manual or charter. This governance manual formally commits leadership to AI oversight, defines your AI policy and objectives, and references the standard’s requirements. It is the playbook that auditors will measure your program against. In short, an AI Management System policy document is mandatory: it spells out your high-level commitments (ethics, security, compliance) much like a quality manual. Without this foundational document on paper, you are not ISO-ready.

15 Must-Have Documents and Evidence for an ISO 42001 Audit

Below is the list of 15 must-have documents and evidence your organization needs to show in an ISO/IEC 42001 audit. Each item covers what to prepare and why auditors will look for it:

1. AIMS Manual (AI Management System Policy): The cornerstone document that outlines your AI governance framework. It should state leadership’s commitment to safe and ethical AI, define scope and objectives, and map how your AI processes meet the standard. The ISO guidance explicitly calls for an AI Management System policy, scope statement, risk plan, and defined roles as mandatory documentation. Make sure your manual references the relevant clauses and is signed by top management. This proves you have officially “created” the AI governance system, a must for auditors.

2. AI Governance Policy: A high-level policy (often part of the AIMS manual or standalone) that explains your organization’s AI ethics and rules. This “North Star” document should be concise but powerful: it typically declares what you will and will not do with AI (fairness, privacy, security, etc.). Auditors expect to see a clear AI policy written at the leadership level. ISO 42001 demands “Leadership’s commitment through clear policies and resources”. Your policy should be communicated across the organization and rolled into training.

3. Scope of AIMS: A scope document defines which parts of your organization and AI lifecycle are covered by the AIMS. It is like drawing a map so auditors know where to focus. Specifically, the scope should state which AI technologies and which business units the standard covers. ISO 42001 auditors will check that you can articulate where your AI management system begins and ends. If you “cannot articulate it, your scope may fail,” warns one analysis. In short, document exactly what is included in and excluded from your AI program; audit teams will use this as their checklist baseline.

4. Risk Assessment & Treatment Plan: One of the most crucial records: a documented process for identifying, analyzing, and treating AI risks. ISO 42001 requires that all identified AI risks be formally documented and linked to controls. So prepare your risk assessment procedure, plus the actual risk register or reports. This includes listing each risk, its likelihood and impact, and the planned mitigation (treatment) actions. Your evidence can be spreadsheets or forms with risk scores and selected controls, plus a Risk Treatment Plan showing how you plan to reduce or manage the top AI risks. This documentation is key proof that you have a methodical, repeatable risk program. Auditors will demand to see it.

5. Statement of Applicability (SoA): The SoA is a mandatory ISO component listing which Annex A controls you apply (and why). In AI terms, it should list every AI-specific control or practice from the standard (or guidance) that your organization uses, and justify any exclusions. Auditors expect an SoA as “a critical component of certification”. In practice, prepare a table with the columns Control ID, Name, Applied (Yes/No), and Reason/Notes. Tie each row back to your risk assessment and policy. This shows examiners you have considered each control and made informed choices.

6. AI System Impact Assessments: Beyond general risk, ISO 42001 emphasizes the impact of AI on individuals and society. You should have documentation of your AI Impact Assessment process and results. This may take the form of questionnaires or checklists used whenever a new AI system is developed or changed. Impact assessment (evaluating AI’s effects on people and society) is a core element. Provide completed impact assessment reports for key AI projects (for example, data privacy impacts, fairness evaluations, etc.). Auditors will want to see that you systematically evaluate and document these effects.

7. AI Objectives and Plans: It is not enough to claim goals; you must document them. Prepare a record of your AI quality or governance objectives (e.g., “reduce bias incidents by X%” or “validate 100% of models before release”) along with plans to achieve them. Include measurable targets and timelines. ISO 42001 requires measurable objectives and a plan to meet them. For each objective, attach evidence of tracking (status reports, dashboard screenshots, etc.). This proves to auditors that you are driving continuous improvement, not just “keeping the lights on.”

8. Change Management Procedure: AI systems and data environments evolve constantly. You need a formal change control procedure for any AI component (data sets, model updates, code changes, etc.). Document how you evaluate proposed changes, who approves them, and how you update your risk and impact assessments accordingly. ISO 42001 explicitly calls for a “Procedure for planning and control of changes” in the AIMS. In an audit, show your change logs and approval records to prove you do not deploy AI changes on a whim. Demonstrating disciplined change control reassures auditors that AI risks stay in check over time.

9. Roles, Responsibilities, and Organization Chart: Auditors will check that you have mapped who does what in your AI program. Provide documents defining roles and authorities (e.g., AI Manager, Data Protection Officer, Ethics Board, etc.) and how they interact. An organization chart highlighting these roles is strong evidence. Include job descriptions or charters (even brief ones) showing each person’s responsibilities for AI governance, risk, oversight, or compliance. This shows auditors that accountability is assigned and traceable. (Hint: do not say “everyone and no one”; show the organization chart!)

10. Competence and Training Records: ISO 42001 requires that staff working with AI have the necessary skills, and you must prove it. Keep a training matrix or skill assessment showing required vs. actual skills (for data scientists, developers, auditors, etc.). Maintain training records, certificates, or attendance logs for any AI or ethics training conducted. For example, show attendees and materials for your “AI ethics workshop” or “data bias training”. Training and competency records are mandatory evidence. Auditors will ask, “How do you know your people are qualified?” Your logs answer that question.

11. Communication Records: It is not enough to draft policies; you must show how you communicated them. Prepare evidence that your AI policy and AIMS updates were distributed and understood. This can include meeting minutes announcing the AI policy, signed acknowledgment forms, email announcements, or an internal newsletter entry. Even attendance lists from training can count. The SIS guide explicitly notes “Communication evidence of the policy to relevant parties”. In an audit, be ready to present communications showing how employees (and possibly suppliers) were informed about key AI rules and responsibilities.

12. Document and Record Control Procedures: ISO standards always require controlled documentation. Have a written procedure that defines how you create, review, update, and archive AIMS documents and records. Also provide an index or list of all controlled documents (policy, procedures, forms) with version numbers. Similarly, maintain a records log (where each record type is kept and for how long). This proves to auditors that your documentation is current and traceable. (Auditors will likely quiz you on document IDs and revision histories, so keep that list handy.)

13. Internal Audit Reports and Records: You must audit your own AI Management System regularly. Provide your internal audit plan and any completed audit reports of the AIMS. Each report should list findings, evidence reviewed, and any corrective actions taken. Keep logs showing who performed the audit and when, plus records of follow-up on issues. For example, if an internal audit found a gap in model validation, show the report and proof that it was fixed. Auditors look for a cycle: audit ⇒ findings ⇒ corrections. A well-maintained internal audit folder (plans, checklists, and reports) is strong evidence of compliance.

14. Management Review Documents: Senior management must regularly review the AIMS. Have meeting agendas, minutes, attendance sheets, and action lists from your management review (MR) meetings. Show the outputs: e.g., a summary of audit results, risk status updates, and decision records (like “approved new AI objective” or “assigned resource for data quality improvement”). ISO 42001 expects documented MR outcomes. In the audit, presenting a binder or file with all MR meetings over the year demonstrates top-level oversight. It signals that you do not let AI risks “drift unnoticed.”

15. Incident and Non-Conformance Records: Finally, compile your evidence of incidents and corrective actions. This includes any AI-related issues (data breaches, model failures, bias incidents, ethical complaints, etc.) and how you addressed them. Provide incident logs, root-cause analyses, and proof of corrective actions (tickets, memos, closure notes). Also include customer or user feedback if relevant. ISO 42001 calls for records of “complaints, feedback, non-conformities, and corrective actions” as part of continual improvement. In practice, auditors will ask to see a sample of problem reports to verify that issues are taken seriously and fixed. Keep these records organized and accessible.

Each of the above documents or records must be real and retrievable. Auditors will randomly pick an item (say, the internal audit for Q2 or a specific risk file) and ask you to produce it. To get an early pass with the auditor, make sure your documentation is up to date, logically organized, and clearly referenced in your AIMS manual or document index.

ISO 42001 Lead Auditor Training with InfosecTrain

ISO/IEC 42001 audits are not a test of memory; they are a test of maturity, transparency, and evidence-backed governance. By preparing these 15 foundational documents, from your AIMS policy and risk assessments to internal audit logs and impact records, you are not just checking boxes; you are building trust in how your organization designs and deploys AI.

But let’s be real: having the documents is one thing. Knowing how to evaluate, interpret, and audit them with precision is what sets great teams apart.

If you are serious about becoming audit-ready or leading your organization’s AI compliance journey, then it is time to get trained like a pro. InfosecTrain’s ISO/IEC 42001 Lead Auditor Training gives you deep, hands-on insight into the standard, teaches you how to conduct audits with confidence, and empowers you to ask the right questions, whether you are managing AI risk or sitting on the other side of the table.

Ready to turn AI compliance into a competitive edge?

Enroll in InfosecTrain’s ISO/IEC 42001 Lead Auditor Training and lead with confidence. Your audit should not be a fire drill; it should be a flex.
