Regulatory Guide
ISO 42001 Documentation Requirements
What the ISO 42001 AI Management System standard requires from organisations in terms of documentation, risk assessment, and ongoing governance.
ISO 42001, published in December 2023, is the first international standard for AI management systems. It provides a framework for organisations to establish, implement, maintain, and continually improve responsible AI development and deployment practices. For regulated financial services firms, ISO 42001 certification provides independent evidence of systematic AI governance that complements FCA supervisory requirements under SS1/23 and satisfies EU AI Act Article 9 risk management obligations.
ISO 42001 requires organisations to maintain documented information demonstrating conformance with the standard throughout the AI system lifecycle. This includes an AI policy, an AI risk assessment and treatment process, objectives and plans to achieve them, and records of competence for individuals involved in AI governance. Crucially, the standard requires that changes to AI systems are carried out in a planned manner, with documented impact assessments and approval records retained as objective evidence for certification audits.
Audital maps directly to ISO 42001’s documentation requirements, maintaining a real-time model register, per-model risk assessments, governance action logs, and competency records in a cryptographically protected audit trail. Evidence packages aligned to ISO 42001 clause requirements can be generated for external auditors and certification bodies, substantially reducing the preparation burden for initial certification and annual surveillance audits.
ISO 42001 Core Documentation Requirements
- AI policy approved by top management and communicated throughout the organisation
- AI risk assessment procedure with documented risk acceptance criteria
- Statement of Applicability referencing applicable controls
- AI system impact assessments with documented conclusions
- Competence records for individuals with AI governance responsibilities
- Monitoring and measurement results demonstrating ongoing performance
- Internal audit programme results and management review records
ISO 42001 and Financial Services
For FCA-regulated firms already subject to SS1/23 and SMCR obligations, pursuing ISO 42001 certification is an efficient way to demonstrate AI governance maturity to clients, counterparties, and regulators simultaneously. The standard’s documentation requirements closely mirror FCA expectations, meaning firms with robust internal AI governance infrastructure can achieve certification without significant incremental effort. Audital was designed with ISO 42001 clause mapping built in, so every governance action recorded automatically contributes to certification evidence.