SIS Certifications Pvt. Ltd.

Documentation required for ISO/IEC 42001:2023 certifications

Issue: 01 Rev. ‘00’ Date of initial issue- Date of Last Date of latest
01/04/2024 Revision:- N/A Issue:- 01/04/2024 Doc No.
SIS/D.Check/01/AIMS

S.No. Document name Clause number

1 AIMS Manual -
2 Identification of the role of the organization 4.0 (4.1, 4.2, 4.3, 4.4)
3 Internal and external issues
4 List of Interested parties (Internal and external)
5 Needs and expectations of the interested parties
6 Documentation of the scope of the certifications keeping
the role of the organization in consideration.
7 Process interaction document

8 Document with commitment statement of the top 5 (5.1,5.2, 5.3, 5.4)

management
9 Roles, responsibilities and authorities of the people in the
organization
10 Communication of roles, responsibilities and authorities
of the people in the organization and their contribution in
the development in the AIMS.
11 Identification of the key personals in the organization and
making sure that they are promoted as a leader for their
team.
12 AI Policy
13 Communication evidence of the policy (to the relevant
interested parties)

14 Procedure to calculate risk and opportunities in the 6 (6.1(6.1.1, 6.1.2,

organization. 6.1.3,6.1.4), 6.2, 6.3)
15 AI Risk criteria (can be mentioned in the procedure)
16 Plan to address the risk and opportunities in the
organization
17 Procedure for risk assessment (include risk analysis, risk
criteria, risk treatment)
18 Statement of applicability as per Annex A.
19 Procedure for AI system impact assessment.
20 AI Objectives and plan to achieve the objectives
21 Procedure for planning and control of changes.

22 Comprehensive list of resource required and availability of 7 (7.1, 7.2, 7.3, 7.4, 7.5
the resources for establishment, Implementation , (7.5.1, 7.5.2, 7.5.3, ))
maintenance and continual improvement of the AIMS.
23 Organization chart depicting point number 22.
24 Competence criteria (required v/s Available)
25 Procedure to acquire the necessary competence and
evaluation of the effectiveness.
 26 Records of training (training calendar, training need
Identification, Training record, training effectiveness
evaluation)
27 Skill matrix v/s skills required
28 Record of improvement in the awareness of Policy, the
contribution of the people in AIMS, objectives, etc.
29 Communication matrix and record of communications
30 Procedure of control of documents
31 Procedure of control of records
32 List of forms and formats (Along with unique identification
of each forms/formats)
33 List of documents (Along with unique identification of
each document)

34 Procedure of control of organizational processes 8 (8.1, 8.2, 8.3, 8.4)

35 List of all processes and their inclusion in the procedure
36 AI Risk Assessment
37 AI Risk Treatment
38 AI System Impact Assessment

39 Procedure of internal audit 9 (9.1, 9.2 (9.2.1, 9.2.2),

40 Procedure of Management review meeting 9.3 (9.3.1, 9.3.2, 9.3.3))
41 Internal audit record (Audit plan, audit monitoring, list of
trained internal auditors, Internal audit report, Closure
report of gaps identified in the Internal audit)
42 Communication of agenda of management review meeting
to the concerned persons
43 Minutes of meeting
44 Outcome of the meeting

45 Closure evidences of all the complaints, analysis of the 10 (10.1, 10.2)

feedback, closure evidences of the gaps identified in the
Internal audit, planning and execution of the points
raised in the Management review meeting and
implementation record all other points raised through
various sources for the development of AIMS.
45 Process, procedure and records as deemed importance Annexure A.
and applicable as per Annex A (reference control
objectives and controls)

Note:-
a) The above list of documents is a list prepared on the understanding of the individual.
b) There can be few more documents as per the size and type of the organization
c) Kindly refer to the standard for complete understanding of the standard and documentation &
Implementation of the standard in your organization.
d) This document is to be used only as a reference document and not the exact interpretation of the
standard.
e) All the documents that shall be prepared by the organization shall depict the relevance of AIMS in
the context and content of the documents.
 Annex A
(normative)
Reference control objectives and controls
A.1
General
The controls detailed in Table A.1 provide the organization with a reference for meeting
organizational
objectives and addressing risks related to the design and operation of AI systems. Not all the
control
objectives and controls listed in Table A.1 are required to be used, and the organization can
design and
implement their own controls (see 6.1.3).

Annex B provides implementation guidance for all the controls listed in Table A.1.

Table A.1 — Control objectives and controls

A.2 Policies related to AI
Objective: To provide management direction and support for AI systems according to business
requirements.
Topic Control

The organization shall document a policy for the

A.2.2 AI policy development
or use of AI systems.

Alignment with other The organization shall determine where other policies can
A.2.3 organizational be affected by or apply to, the organization’s objectives
policies with respect to AI systems

The AI policy shall be reviewed at planned intervals or

A.2.4 Review of the AI policy additionally as needed to ensure its continuing suitability,
adequacy and effectiveness.

A.3 Internal organization

Objective: To establish accountability within the organization to uphold its responsible approach for
the implementation,
operation and management of AI systems.

Topic Control

Roles and responsibilities for AI shall be defined and

AI roles and
A.3.2 allocated
responsibilities
according to the needs of the organization.
 The organization shall define and put in place a process to
A.3.3 Reporting of concerns report concerns about the organization’s role with respect
to an AI system throughout its life cycle.

A.4 Resources for AI systems

Objective: To ensure that the organization accounts for the resources (including AI system components
and
assets) of the AI system in order to fully understand and address risks and impacts.

Topic Control

The organization shall identify and document relevant

resources required for the activities at given AI system life
A.4.2 Resource documentation
cycle stages and other AI-related activities relevant for the
organization.

As part of resource identification, the organization shall

A.4.3 Data resources document information about the data resources utilized
for the AI system.

As part of resource identification, the organization shall

A.4.4 Tooling resources document information about the tooling resources utilized
for the AI system.

As part of resource identification, the organization shall

System and computing
A.4.5 document information about the system and computing
resources
resources utilized for the AI system.

As part of resource identification, the organization shall

document information about the human resources and
their competences utilized for the development,
A.4.6 Human resources deployment,
operation, change management, maintenance,
transfer and decommissioning, as well as verification and
integration of the AI system.

A.5 Assessing impacts of AI systems

Objective: To assess AI system impacts to individuals or groups of individuals, or

both, and societies affected by the AI system throughout its life cycle.

Topic Control
The organization shall establish a process to assess the
AI system impact potential consequences for individuals or groups of
A.5.2 assessment individuals,
process or both, and societies that can result from the AI
system throughout its life cycle.
 Documentation of AI
The organization shall document the results of AI system
A.5.3 system impact
impact assessments and retain results for a defined period.
assessments

Assessing AI system The organization shall assess and document the potential
A.5.4 impact on individuals impacts of AI systems to individuals or groups of individuals
or groups of individuals throughout the system’s life cycle.

The organization shall assess and document the potential

Assessing societal impacts
A.5.5 societal impacts of their AI systems throughout their life
of AI systems
cycle.

A.6 AI system life cycle

A.6.1 Management guidance for AI system development

Objective: To ensure that the organization identifies and documents objectives
and implements processes for the responsible design and development of AI
systems.
Topic Control

The organization shall identify and document objectives

Objectives for responsible
to guide the responsible development AI systems, and take
A.6.1.2 development of AI
those objectives into account and integrate measures to
system
achieve them in the development life cycle.
Processes for responsible The organization shall define and document the specific
A.6.1.3 AI system design and processes for the responsible design and development of
development the AI system.

A.6.2 AI system life cycle

Objective: To define the criteria and requirements for each stage of the AI
system life cycle.
Topic Control

The organization shall specify and document requirements

AI system requirements
A.6.2.2 for new AI systems or material enhancements to
and specification
existing systems.

The organization shall document the AI system design and

Documentation of AI
development based on organizational objectives,
A.6.2.3 system design
documented requirements and specification criteria
and development
.
 The organization shall define and document verification
AI system verification and
A.6.2.4 and validation measures for the AI system and specify
validation
criteria for their use.

The organization shall document a deployment plan and

A.6.2.5 AI system deployment ensure that appropriate requirements are met prior to
deployment.

The organization shall define and document the necessary

AI system operation and elements for the ongoing operation of the AI system. At the
A.6.2.6
monitoring minimum, this should include system and performance
monitoring, repairs, updates and support.

The organization shall determine what AI system technical

documentation is needed for each relevant category of
AI system technical
A.6.2.7 interested parties, such as users, partners, supervisory
documentation
authorities, and provide the technical documentation to
them in the appropriate form.

The organization shall determine at which phases of the

AI system recording of
A.6.2.8 AI system life cycle, record keeping of event logs should be
event logs
enabled, but at the minimum when the AI system is in use.

A.7 Data for AI systems

Objective: To ensure that the organization understands the role and impacts of data in AI systems in the
application
and development, provision or use of AI systems throughout their life cycles.

Topic Control

Data for development The organization shall define, document and implement
A.7.2 and enhancement data management processes related to the development of
of AI system AI systems

The organization shall determine and document details

A.7.3 Acquisition of data about the acquisition and selection of the data used in AI
systems.

The organization shall define and document requirements

Quality of data for AI
A.7.4 for data quality and ensure that data used to develop and
systems
operate the AI system meet those requirements

The organization shall define and document a process for

A.7.5 Data provenance recording the provenance of data used in its AI systems
over the life cycles of the data and the AI system.
 The organization shall define and document its criteria
A.7.6 Data preparation for selecting data preparations and the data preparation
methods to be used.

A.8 Information for interested parties of AI systems

Objective: To ensure that relevant interested parties have the necessary information to understand and
assess
the risks and their impacts (both positive and negative).

Topic Control

System documentation
The organization shall determine and provide the necessary
A.8.2 and information
information to users of the AI system
for users

The organization shall provide capabilities for interested

A.8.3 External reporting
parties to report adverse impacts of the AI system.

Communication of The organization shall determine and document a plan for

A.8.4
incidents communicating incidents to users of the AI system.

The organization shall determine and document their

Information for
A.8.5 obligations to reporting information about the AI system
interested parties
to interested parties.

A.9 Use of AI systems

Objective: To ensure that the organization uses AI systems responsibly and per organizational policies.

Topic Control

Processes for responsible

The organization shall define and document the processes
A.9.2 use of AI
for the responsible use of AI systems.
systems
Objectives for responsible
The organization shall identify and document objectives to
A.9.3 use of AI
guide the responsible use of AI systems.
system
The organization shall ensure that the AI system is used
Intended use of the AI
A.9.4 according to the intended uses of the AI system and its
system
accompanying documentation.

A.10 Third-party and customer relationships

Objective: To ensure that the organization understands its responsibilities and remains accountable, and
risks
are appropriately apportioned when third parties are involved at any stage of the AI system life cycle.
 Topic Control

The organization shall ensure that responsibilities within

their AI system life cycle are allocated between the
A.10.2 Allocating responsibilities
organization,
its partners, suppliers, customers and third parties.
The organization shall establish a process to ensure that
its usage of services, products or materials provided by
A.10.2 Suppliers
suppliers aligns with the organization’s approach to the
responsible development and use of AI systems.

The organization shall ensure that its responsible approach

A.10.4 Customers to the development and use of AI systems considers
their customer expectations and needs.