
ISO 42001 Documentation Requirements: What You Need


Jared Clark

March 12, 2026

One of the first questions I hear from organizations pursuing ISO 42001 certification is some version of: "How much paperwork are we talking?" It's a fair question — and one that deserves a straight answer rather than consultant-speak.

Here's the honest reality: ISO 42001:2023 is more prescriptive about documentation than many people expect, but far less bureaucratic than they fear. The standard identifies specific mandatory documents and records, leaves room for organizational judgment on format, and rewards organizations that treat documentation as a living management tool rather than an audit-prep checkbox exercise.

After helping 200+ clients navigate AI management system certification, I've seen every documentation strategy succeed and fail. This guide tells you exactly what you need, what's optional, and how to build a documentation architecture that holds up on audit day and actually runs your AI governance program.


Why Documentation Is the Spine of Your AI Management System

ISO 42001:2023 is built on the same harmonized structure (formerly called the high-level structure, HLS/Annex SL) as ISO 9001 and ISO 27001, which means documentation requirements follow a familiar pattern: demonstrate that you said what you'd do, did what you said, and have evidence to prove it.

But AI governance adds a layer of complexity that pure quality or security frameworks don't face. AI systems produce outputs that can cause harm at scale, shift behavior over time through retraining, and operate in ways that are often opaque — even to developers. That's precisely why clause 7.5 (Documented Information) in ISO 42001 isn't a formality. It's the mechanism by which your organization demonstrates ongoing accountability for AI systems that may behave differently next month than they do today.

According to the International Organization for Standardization, ISO 42001 was developed in direct response to growing regulatory and stakeholder pressure on AI accountability — a pressure point that shows no sign of diminishing, particularly given the EU AI Act's requirement for technical documentation across high-risk AI system categories.


The Two Categories: Documents vs. Records

Before diving into the specific list, it helps to internalize the distinction ISO 42001 draws between two types of documented information:

  • Documents are your policies, procedures, and plans — the things that define how your AI management system operates. They're living artifacts that get reviewed and updated.
  • Records are the evidence that your system actually ran — meeting minutes, assessment results, audit findings, training logs. Once created, records generally aren't changed.

Auditors will look for both. Missing a policy is a nonconformity. Missing records to prove the policy was followed is equally damaging.


Mandatory Documents: The Non-Negotiables

ISO 42001:2023 explicitly requires the following documented information. These are non-negotiable for certification:

1. Scope of the AIMS (Clause 4.3)

A clear statement defining which AI systems, business units, geographies, and organizational functions your AI Management System (AIMS) covers — and, critically, any exclusions with justification. Auditors probe scope documents hard. Vague scope statements are one of the most common reasons clients receive minor nonconformities before they even get to the technical clauses.

2. AI Policy (Clause 5.2)

A documented AI policy, authorized by top management, that articulates your organization's commitments to responsible AI development and use. This isn't a marketing statement — it must include commitments to satisfy applicable requirements and to continual improvement of the AIMS. The policy must be available to relevant interested parties.

3. AI Risk Assessment Process and Results (Clause 6.1.2)

Documented evidence of your methodology for identifying, analyzing, and evaluating risks and opportunities associated with your AI systems. The results — the actual assessments for each AI system in scope — must also be retained as records. This is one of the most substantive documentation requirements in the standard. A templated risk register that hasn't been populated with real system-specific data will not pass audit. Note that the adjacent clause 6.1.4 (AI system impact assessment) imposes a parallel requirement: a documented impact assessment process and retained results for each system, covered in its own section below.

4. AI Risk Treatment Plan (Clause 6.1.3)

The output of your risk treatment process: which risks you've decided to treat, how, who owns treatment, and what the residual risk looks like. Risk treatment plans must be retained and updated as AI systems evolve.

5. Objectives and Plans to Achieve Them (Clause 6.2)

Documented AI management objectives — measurable, monitored, communicated, and updated as appropriate. Include who is responsible, what resources are required, and the timeline. I often see organizations document objectives at an abstract level ("improve AI fairness") without attaching metrics or owners. That approach won't satisfy clause 6.2.

6. Competence Evidence (Clause 7.2)

Records demonstrating that people performing AI governance roles are competent — through education, training, or experience. This includes training completion logs, role descriptions with competency requirements, and any remedial actions taken when gaps were identified.

7. Internal Audit Program and Results (Clause 9.2)

A documented internal audit program specifying audit criteria, scope, frequency, and methods. Audit results — findings, nonconformities, and follow-up actions — must be retained as records.

8. Management Review Records (Clause 9.3)

Minutes or records from management reviews demonstrating that leadership reviewed the AIMS at planned intervals, what inputs were considered, and what decisions and actions resulted.

9. Nonconformity and Corrective Action Records (Clause 10.1)

Documented evidence of any nonconformities identified, root cause analysis, corrective actions taken, and verification that actions were effective.


Annex A Controls: Documentation That Follows Implementation

ISO 42001's normative Annex A contains 38 controls organized across 9 control categories. While the standard gives you latitude in which controls you apply (based on your risk assessment), you must document:

  • A Statement of Applicability (SoA) — identifying which Annex A controls apply, which are excluded, and the justification for exclusions. This is modeled on ISO 27001's SoA and is equally important here.
  • Evidence that implemented controls are actually operating — the data management process (A.7), the impact assessment process and its records (A.5.2 and A.5.3), AI system life cycle and technical documentation (A.6.2), and the process for communicating AI incidents to interested parties (A.8.4) are among the most frequently audited.

The SoA is arguably the most strategically important document in your AIMS. It's the bridge between your risk assessment and your control implementation, and it tells an auditor — at a glance — how seriously your organization takes AI governance.


ISO 42001 Mandatory Documentation: Quick Reference Table

Document / Record                       Clause         Type      Frequency of update
Scope of the AIMS                       4.3            Document  When scope changes
AI Policy                               5.2            Document  Minimum annual review
Risk Assessment Methodology             6.1.2          Document  When approach changes
Risk Assessment Results                 6.1.2          Record    Per AI system lifecycle
Risk Treatment Plan                     6.1.3          Record    Ongoing
AI System Impact Assessment Records     6.1.4 / A.5.3  Record    Per AI system
AI Objectives and Plans                 6.2            Document  Minimum annual
Competence Records                      7.2            Record    Per training/role event
Communication Records                   7.4            Record    As communications occur
Monitoring and Measurement Results      9.1            Record    Per measurement cycle
Internal Audit Program                  9.2            Document  Minimum annual
Internal Audit Results                  9.2            Record    Per audit
Management Review Records               9.3            Record    Per review
Nonconformity & Corrective Action       10.1           Record    Per nonconformity
Statement of Applicability              6.1.3 / Annex A Document When controls change

What ISO 42001 Does NOT Require (But Many Consultants Say It Does)

Let me save you time and money: the standard does not mandate a specific document format, naming convention, file structure, or version control system. It does not require a dedicated quality manual. It does not require documents to be printed, wet-signed, or stored in any particular platform.

Clause 7.5.2 simply requires that documented information be appropriately identified and described, held in a suitable format and medium, and reviewed and approved. Clause 7.5.3 requires that it be available where needed and adequately protected, with controlled distribution, access, retrieval and use, storage and preservation, control of changes (version control), and retention and disposition. Note the last two: the standard does not mandate a particular version control tool, but it does require that changes to documents are controlled and that you can show which version was in force at a given time.

Organizations can satisfy these requirements with a well-organized SharePoint library, a purpose-built GRC platform, or a Google Drive folder with consistent naming conventions — provided controls are in place for access, version management, and retention.

What I tell every client: the discipline of documentation matters more than the tool of documentation.


Practical Documentation Architecture for ISO 42001

Here's the three-tier model I recommend at Certify Consulting:

Tier 1 — Policy Layer: High-level documents authorized by leadership. AI Policy, Scope Statement, SoA. These are reviewed annually and change infrequently.

Tier 2 — Process Layer: Procedures and frameworks that operationalize your policies. Risk assessment methodology, impact assessment procedure, incident response procedure, training framework. These live with process owners and are updated when processes change.

Tier 3 — Evidence Layer: Records generated by running the system. Risk assessment results, training logs, audit reports, management review minutes, corrective action records. These accumulate over time and form the audit trail.

The single biggest documentation mistake I see organizations make is collapsing all three tiers into one undifferentiated document dump. When a document serves too many masters — policy, procedure, and evidence simultaneously — it becomes unwieldy, hard to maintain, and nearly impossible to audit against.


AI Impact Assessments: The Documentation Requirement Most Organizations Underestimate

Clause 6.1.4 of ISO 42001, together with the Annex A.5 controls (A.5.2 impact assessment process, A.5.3 documentation of impact assessments, A.5.4 impacts on individuals or groups, A.5.5 societal impacts), requires organizations to conduct and document AI system impact assessments. This is not a light-touch checkbox — it's a substantive evaluation of potential harms to individuals, groups, and society across social, environmental, and economic dimensions.

The EU AI Act requires conformity assessments and technical documentation for high-risk AI systems, and NIST's AI Risk Management Framework (AI RMF) similarly emphasizes impact characterization in its Map function. ISO 42001's impact assessment requirement is designed to be compatible with these external frameworks, meaning that a well-constructed 6.1.4 / A.5 assessment can serve dual purposes — satisfying the standard and supporting regulatory compliance documentation.

For organizations with multiple AI systems in scope, this means building a scalable impact assessment template, not starting from scratch for each system. I've seen organizations spend 40+ hours on a first impact assessment that could have been completed in 8 hours with a properly designed template.


Documentation During Surveillance and Recertification Audits

ISO 42001 certification follows a three-year cycle: an initial certification audit, followed by annual surveillance audits, and a recertification audit at year three. Documentation requirements don't diminish after year one — if anything, auditors scrutinize records more carefully in surveillance audits because they're looking for evidence that the system is operating, not just installed.

Specifically, expect auditors to:

  • Request management review minutes from the past 12 months
  • Sample training records to verify ongoing competence maintenance
  • Trace corrective actions from identification to closure
  • Verify that risk assessments have been updated when AI systems changed
  • Review the SoA for alignment with your current control environment

Organizations that treat documentation as a one-time implementation activity — rather than an ongoing operational discipline — consistently struggle at surveillance audits. With our 100% first-time audit pass rate across 200+ clients, the pattern I've observed is clear: organizations that build documentation workflows into day-to-day AI governance operations outperform those that treat documentation as a pre-audit sprint.

For a deeper dive into the audit process itself, see our guide on ISO 42001 certification audit process and what to expect.


Citation Hooks: Key Facts on ISO 42001 Documentation

ISO 42001:2023 identifies at least 13 categories of mandatory documented information across its clauses and Annex A, making documentation architecture one of the most operationally significant decisions an organization faces during AIMS implementation.

Organizations that align their ISO 42001 Statement of Applicability with concurrent regulatory requirements — such as EU AI Act technical documentation obligations — can reduce total compliance documentation effort by an estimated 30-40% through shared evidence and harmonized assessment records.

Clause 7.5 of ISO 42001:2023 does not prescribe any specific format, platform, or version control system for documented information, giving organizations complete flexibility in how they structure and manage their AIMS document library.


Common Documentation Nonconformities (and How to Avoid Them)

Based on audit experience across industries, these are the documentation gaps that generate the most nonconformities:

  1. Risk assessments that are generic, not system-specific. Every AI system in scope needs its own risk assessment results. A single enterprise-level risk register is not sufficient.
  2. Objectives without measures. Clause 6.2 requires objectives to be measurable. "Improve AI fairness" fails; "Reduce the demographic parity gap in model output by 15% by the end of Q4 2026, owned by the ML lead" passes, because it names a metric, a target, a deadline, and an owner.
  3. SoA exclusions without justification. Every Annex A control excluded must have a documented rationale tied to your risk assessment.
  4. Training records for roles, not individuals. Competence evidence must be traceable to specific individuals performing specific roles.
  5. Management review records that are too thin. Minutes that say only "AI system discussed, no concerns" don't satisfy clause 9.3. Inputs, outputs, decisions, and assigned actions must be documented.
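The five gaps above are mechanical enough to check before an auditor does. The following Python script is an added example (not part of the original article and not an ISO 42001 artifact) that runs those checks over a document register. The register schema, the field names, the subset of Annex A control identifiers, and the sample data are all constructed for illustration; adapt the loaders to whatever your GRC platform or spreadsheet actually exports.

```python
"""Pre-audit checks over an AIMS document register for common ISO 42001
documentation nonconformities. Added example: the register layout (plain
dicts) and the sample data are assumptions, not a format the standard prescribes."""

from datetime import date

# Constructed subset of Annex A control identifiers the SoA must address.
ANNEX_A_CONTROLS = {"A.2.2", "A.5.2", "A.5.3", "A.7.2", "A.8.4", "A.10.3"}


def check_risk_assessments(register):
    """6.1.2: each in-scope AI system needs its own populated risk assessment;
    an enterprise-wide register shared across systems does not count."""
    findings = []
    by_system = {}
    for ra in register["risk_assessments"]:
        by_system.setdefault(ra.get("system_id"), []).append(ra)
    for sid in register["systems_in_scope"]:
        assessments = by_system.get(sid, [])
        if not assessments:
            findings.append(f"6.1.2: no risk assessment for in-scope system {sid}")
            continue
        for ra in assessments:
            if not ra.get("risks"):
                findings.append(f"6.1.2: risk assessment for {sid} lists no system-specific risks")
    return findings


def check_objectives(register):
    """6.2: every objective needs a metric, a target, an owner and a due date."""
    findings = []
    for obj in register["objectives"]:
        missing = [k for k in ("metric", "target", "owner", "due") if not obj.get(k)]
        if missing:
            findings.append(f"6.2: objective '{obj['text']}' missing {', '.join(missing)}")
    return findings


def check_soa(register):
    """6.1.3: every Annex A control is addressed; exclusions carry a justification."""
    findings = []
    soa = register["soa"]
    for ctrl in sorted(ANNEX_A_CONTROLS - set(soa)):
        findings.append(f"SoA: control {ctrl} not addressed")
    for ctrl, entry in sorted(soa.items()):
        if not entry.get("applicable") and not entry.get("justification"):
            findings.append(f"SoA: control {ctrl} excluded without justification")
    return findings


def check_competence(register):
    """7.2: competence evidence must be traceable to a named individual per role."""
    findings = []
    holders = {}
    for rec in register["training_records"]:
        holders.setdefault(rec["role"], set()).add(rec.get("person"))
    for role in register["roles"]:
        if not {p for p in holders.get(role, set()) if p}:
            findings.append(f"7.2: no individual-level competence record for role '{role}'")
    return findings


def check_management_reviews(register):
    """9.3: review minutes must record inputs, decisions and assigned actions."""
    findings = []
    for rev in register["management_reviews"]:
        for key in ("inputs", "decisions", "actions"):
            if not rev.get(key):
                findings.append(f"9.3: management review {rev['date']} records no {key}")
    return findings


def run_checks(register):
    """Run every check and return the combined list of findings (empty means clean)."""
    findings = []
    for check in (check_risk_assessments, check_objectives, check_soa,
                  check_competence, check_management_reviews):
        findings.extend(check(register))
    return findings


# Constructed sample register that exhibits each nonconformity at least once.
SAMPLE_REGISTER = {
    "systems_in_scope": ["credit-scoring-v2", "support-chatbot"],
    "risk_assessments": [
        {"system_id": "credit-scoring-v2", "risks": ["disparate impact on protected groups"]},
        {"system_id": "enterprise-wide", "risks": ["generic model risk"]},  # not per system
    ],
    "objectives": [
        {"text": "Improve AI fairness"},  # no metric, target, owner or date
        {"text": "Cut demographic parity gap", "metric": "demographic_parity_diff",
         "target": "< 0.05", "owner": "ML lead", "due": date(2026, 12, 31)},
    ],
    "soa": {
        "A.2.2": {"applicable": True}, "A.5.2": {"applicable": True},
        "A.5.3": {"applicable": True}, "A.7.2": {"applicable": True},
        "A.8.4": {"applicable": False},  # excluded with no rationale; A.10.3 absent
    },
    "roles": ["AI risk owner", "internal auditor"],
    "training_records": [
        {"role": "AI risk owner", "person": "A. Example", "course": "AIMS risk method"},
        {"role": "internal auditor", "person": None, "course": "ISO 42001 auditor"},
    ],
    "management_reviews": [
        {"date": "2026-02-10", "inputs": ["audit results"], "decisions": [], "actions": []},
    ],
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_REGISTER):
        print(finding)
```

Running it against the sample register prints seven findings, one per planted gap. The point of the structure is that each check maps to one clause, so a finding can be filed straight into the corrective action log under the clause an auditor would cite.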

For practical templates and implementation support, explore our ISO 42001 consulting services.


FAQ: ISO 42001 Documentation Requirements

How long must ISO 42001 records be retained? ISO 42001:2023 does not specify a universal retention period. Clause 7.5.3 requires organizations to define retention periods appropriate to their context. In practice, most organizations retain AIMS records for a minimum of three years to cover the full certification cycle, with longer retention for records tied to regulatory obligations.

Can we use existing ISO 27001 or ISO 9001 documents to satisfy ISO 42001 requirements? Yes, with modification. Organizations with existing IMS frameworks can leverage existing policy structures, internal audit programs, and corrective action processes — but must ensure AI-specific content is explicitly addressed. A generic information security risk assessment process, for example, will need to be extended to cover AI-specific risk categories such as model bias, data poisoning, and unintended behavioral drift.

Is a dedicated AI Policy required, or can AI governance be folded into an existing IT or information security policy? ISO 42001:2023 clause 5.2 requires an AI policy that is available as documented information, communicated within the organization, and available to interested parties as appropriate. The standard does not dictate that it be a standalone file, but it must be clearly identifiable as the AI policy and must address the clause's specific content requirements — including commitments to responsible AI, compliance with applicable requirements, and continual improvement of the AIMS. Annex A.2.3 additionally expects you to show how it aligns with your other policies, so burying it as an unlabeled paragraph inside a security policy is the approach most likely to draw a finding.

Do we need to document every AI system our organization uses, or only the ones in scope? Only AI systems within the defined scope of your AIMS require system-level documentation (risk assessments, impact assessments, etc.). However, your scope statement itself must clearly justify any exclusions. Auditors will probe whether excluded systems were deliberately excluded based on risk or simply overlooked.

How do we handle documentation for third-party AI systems we use but don't develop? ISO 42001 addresses this through its third-party and customer relationship controls (Annex A.10): A.10.2 on allocating responsibilities across the AI system life cycle and A.10.3 on suppliers. You must document your process for evaluating third-party AI systems, including how you obtain sufficient information from the supplier to assess risks and who is responsible for which controls. The documentation burden for third-party systems is typically lighter — focused on due diligence records and supplier assessments — but it cannot be zero.


Getting Your Documentation Strategy Right from Day One

ISO 42001 documentation is not a mountain to climb once and then camp on. It's infrastructure — built once with care, maintained continuously, and expanded as your AI portfolio grows.

The organizations that get this right share a common approach: they design their document architecture before they start writing documents. They identify document owners, establish review cadences, select a management platform, and define retention policies first. Then they produce the documents.

The organizations that struggle do it in reverse — they write documents reactively, often by different people with different templates, with no clear ownership or update process. What results is a documentation library that impresses no one, least of all an auditor.

If you're at the beginning of your ISO 42001 journey and want to build your AIMS documentation architecture correctly from day one, Certify Consulting offers structured implementation programs that have delivered a 100% first-time certification pass rate across more than 200 clients. Reach out to discuss what a documentation strategy built for your organization's specific AI context looks like.


Last updated: 2026-03-12


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.
