Framework · 016
May 17, 2026 · 18 min · Sebastián Ocampo

The ISO 42001 Control Map

Eight clauses. Three documents. One audit. The mapping between ISO/IEC 42001 clauses and the artifacts that satisfy them.

ISO/IEC 42001 (published in 2023) is the first management-system standard for AI, and it follows the same Annex SL spine as ISO 27001: seven requirement clauses (context, leadership, planning, support, operation, performance evaluation, improvement) plus a reference set of controls in Annex A. The clauses are not the hard part. The hard part is that most teams treat the standard as a document to author rather than a system to operate, and an auditor can tell the difference in the first interview.

The mapping that matters is clause-to-artifact, not clause-to-paragraph. The planning clauses are satisfied by an AI risk assessment and an AI impact assessment that name real systems, not hypothetical ones. The operation clause is satisfied by the deployment-review record — the evidence that controls were applied before a model went live, not after. The performance-evaluation clause is satisfied by the evaluation and monitoring logs the team already runs, if they run them.

Three documents carry most of the weight. The AIMS scope and policy, which define what the system governs and who owns it. The risk and impact assessment, which is the standard's center of gravity. And the Statement of Applicability, the control register that says which Annex A controls apply, which do not, why, and whether each applicable control is actually implemented. An auditor reads these three first and infers the rest of the program from them.

What the auditor rejects is predictable. A policy with no owner. A risk assessment written once and never revisited. A control register that lists controls no one can demonstrate. The rejection is rarely about the clause text; it is about whether the artifact is a live record or a one-time deliverable. A management system that does not move is a finding.

Read this map alongside the 90-Day Diagnostic and the vendor exit assessment. ISO 42001 is the grammar; the operating system is the language. The clauses tell you what must exist. The operating system is what makes the artifacts true between audits, which is the only state in which they are worth anything.

Sebastián Ocampo · Group Director of Growth and AI, Abilene Group