ISO/IEC 42001:2023 Readiness Assessment
Executive Summary
This readiness assessment evaluates your organization's current state against ISO/IEC 42001:2023, the international standard for artificial intelligence management systems (AIMS). It maps existing practices to the standard's seven requirement clauses (Clauses 4 to 10) and to the Annex A reference controls, and identifies gaps in governance, risk management, and operational controls.
Assessment Date: [__/__/____]
Organization: [________________________________]
Assessed Division/Department: [________________________________]
Assessor Name & Title: [________________________________]
Reviewed by Legal/Compliance Lead: [________________________________]
Section 1: Assessment Overview
Purpose and Scope
This assessment measures readiness for ISO/IEC 42001:2023 certification and identifies the controls and processes required to establish an effective AI management system. It applies to organizations that develop, deploy, or use AI systems in product or service offerings.
Systems and Products in Scope:
☐ Internal AI tools and models
☐ AI-powered customer-facing products/services
☐ Third-party AI systems and vendor tools
☐ AI used in decision-making (hiring, lending, content moderation, etc.)
☐ Data science and analytics platforms
☐ Generative AI applications
Out of Scope (justify if any):
[________________________________]
Stakeholder Roles
| Role | Responsible Party | Contact |
|---|---|---|
| AI Governance Lead | [________________________________] | [________________________________] |
| Legal/Compliance Officer | [________________________________] | [________________________________] |
| Chief Information Security Officer (CISO) | [________________________________] | [________________________________] |
| Chief Data Officer (CDO) | [________________________________] | [________________________________] |
| Chief AI Officer / Head of AI | [________________________________] | [________________________________] |
| External Auditor (if applicable) | [________________________________] | [________________________________] |
Section 2: Clause-by-Clause Readiness Assessment
Clause 4: Context of the Organization
Requirement: Organizations must determine the internal and external issues relevant to the AIMS (4.1), identify interested parties and their requirements (4.2), define the scope of the AIMS (4.3), and establish, implement, maintain, and continually improve the AIMS itself (4.4).
4.1 Understanding the Organization and Its Context
Gap Assessment Questions:
| Question | Status | Evidence/Notes |
|---|---|---|
| Has the organization identified internal and external issues affecting the AIMS (technology trends, regulatory landscape, market competition)? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| Are stakeholder needs documented (customers, regulators, employees, suppliers, public)? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| Does the organization understand how AI regulations (e.g., EU AI Act, state laws, industry standards) apply? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| Are ethical expectations and public trust considerations incorporated into AI strategy? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
4.3–4.4 Scope and AI Management System
| Question | Status | Evidence/Notes |
|---|---|---|
| Is the scope of the AIMS clearly documented and communicated? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| Does a documented AIMS framework exist outlining objectives, roles, and governance processes? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| Are AI governance objectives aligned with organizational strategy? | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
Readiness Score (Clause 4): ☐ 0-25% (Foundation) ☐ 26-50% (Developing) ☐ 51-75% (Progressing) ☐ 76-100% (Mature)
Remediation Actions:
- [________________________________]
- [________________________________]
- [________________________________]
Clause 5: Leadership and Commitment
Requirement: Top management must demonstrate leadership and commitment to the AIMS (5.1), establish and communicate an AI policy (5.2), and assign roles, responsibilities, and authorities for AI governance (5.3), promoting a culture of responsible and ethical AI.
5.1 Leadership Responsibility
| Question | Status | Evidence/Notes |
|---|---|---|
| Has top management formally committed to the AIMS (documented statement or board resolution)? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is ultimate accountability for the AIMS assigned to a senior executive? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Has the organization documented an AI policy reflecting ethical values and governance objectives? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are roles and responsibilities for AI governance clearly assigned across teams? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
5.2 Organizational Culture and Awareness
| Question | Status | Evidence/Notes |
|---|---|---|
| Has the organization conducted AI ethics and governance training for leadership and technical teams? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are incident reporting mechanisms in place for AI ethics or performance concerns? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Does the organization promote a "speak-up" culture for identifying AI-related risks? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 5): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Remediation Actions:
- [________________________________]
- [________________________________]
Clause 6: Planning
Requirement: Organizations must assess AI risks (6.1.2); select risk treatment options, compare the chosen controls against Annex A, and record inclusions and justified exclusions in a Statement of Applicability (6.1.3); perform an AI system impact assessment (6.1.4); set measurable AI objectives (6.2); and plan changes to the AIMS (6.3).
6.1 Risk Assessment and Controls Planning
| Question | Status | Evidence/Notes |
|---|---|---|
| Has the organization conducted a comprehensive AI risk assessment across all AI systems in scope? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are AI risks documented with likelihood, impact, and risk rating? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Have risk treatment strategies been defined (mitigate, accept, avoid, transfer)? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Has the organization compared its chosen controls against Annex A and recorded the selected controls, with justified inclusions and exclusions, in a Statement of Applicability (6.1.3)? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
6.2 AI-Related Objectives and Planning
| Question | Status | Evidence/Notes |
|---|---|---|
| Are specific, measurable AI governance and risk management objectives set? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is a roadmap for implementing AIMS controls documented? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are plans in place for managing AI-related organizational changes? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 6): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Annex A Controls Gap Analysis (nine control objectives, A.2 to A.10, covering 38 reference controls; Annex B gives implementation guidance for each):
| Annex A Control Objective | Required? | Implemented | Status | Gap |
|---|---|---|---|---|
| A.2 Policies related to AI (AI policy, alignment with other organizational policies, policy review) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.3 Internal organization (AI roles and responsibilities, reporting of concerns) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.4 Resources for AI systems (data, tooling, system and computing resources, human resources) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.5 Assessing impacts of AI systems (impact assessment process, impacts on individuals and groups, societal impacts) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.6 AI system life cycle (responsible development objectives, requirements and design, verification and validation, deployment, operation and monitoring, technical documentation, event logging) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.7 Data for AI systems (data management, acquisition, quality, provenance, preparation) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.8 Information for interested parties of AI systems (system documentation, external reporting, incident communication, information for users) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.9 Use of AI systems (responsible use, objectives for use, intended use) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
| A.10 Third-party and customer relationships (allocating responsibilities, supplier management, customer obligations) | ☐ Yes ☐ No | ☐ Yes ☐ Partial ☐ No | [________] | ☐ Critical ☐ Major ☐ Minor |
Remediation Actions:
- [________________________________]
- [________________________________]
- [________________________________]
Clause 7: Support
Requirement: Organizations must provide the resources, competence, awareness, communication, and documented information needed for the AIMS (7.1 to 7.5). Data quality and security practices are assessed here as supporting resources; the detailed reference controls sit in Annex A.4 (resources for AI systems) and A.7 (data for AI systems).
7.1 Resources and Infrastructure
| Question | Status | Evidence/Notes |
|---|---|---|
| Are adequate financial, human, and technology resources allocated to AIMS? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are AI governance roles staffed with appropriate seniority and authority? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is documentation and knowledge management infrastructure in place for AIMS? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
7.2 Competence, Training, and Awareness
| Question | Status | Evidence/Notes |
|---|---|---|
| Are AI ethics and governance competencies mapped for all relevant roles? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is annual AI governance training required for all staff working with AI systems? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are technical teams (data scientists, engineers) trained on responsible AI practices? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
7.3 Data Quality, Security, and Documentation
| Question | Status | Evidence/Notes |
|---|---|---|
| Are data quality standards defined and monitored for AI systems? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are data security and privacy controls documented and enforced? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are model development documentation and AI system documentation requirements defined? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 7): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Remediation Actions:
- [________________________________]
- [________________________________]
Clause 8: Operation
Requirement: Organizations must plan and control the processes needed to meet AIMS requirements (8.1), carry out AI risk assessments and risk treatment at planned intervals or on significant change (8.2, 8.3), and perform AI system impact assessments (8.4), so that AI systems are developed safely, deployed transparently, monitored continuously, and covered by an incident response process.
8.1 AI System Development and Deployment
| Question | Status | Evidence/Notes |
|---|---|---|
| Are AI system design and development processes documented and controlled? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is bias and fairness testing conducted before model deployment? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are AI model cards or equivalent documentation created for all systems? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are AI system impact assessments (6.1.4 / 8.4) completed and documented, with depth proportionate to the system's potential impact on individuals and society? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
8.2 Monitoring and Incident Response
| Question | Status | Evidence/Notes |
|---|---|---|
| Are performance metrics and thresholds defined for monitoring AI systems post-deployment? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is continuous monitoring infrastructure in place to detect model drift or bias? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is an incident response plan documented for AI failures, bias incidents, or ethics violations? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are investigation and remediation procedures defined for AI-related incidents? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
8.3 Transparency and Explainability
| Question | Status | Evidence/Notes |
|---|---|---|
| Are users informed when AI systems are making decisions that affect them? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are explainability mechanisms in place for high-risk or regulated use cases? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 8): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Remediation Actions:
- [________________________________]
- [________________________________]
- [________________________________]
Clause 9: Performance Evaluation
Requirement: Organizations must monitor, measure, analyse, and evaluate AIMS performance (9.1), conduct internal audits at planned intervals (9.2), and hold management reviews (9.3), using stakeholder feedback and compliance with applicable regulations and ethical guidelines as inputs.
9.1 Monitoring, Measurement, and Analysis
| Question | Status | Evidence/Notes |
|---|---|---|
| Are key performance indicators (KPIs) defined for the AIMS (e.g., audit completion rate, incident resolution time)? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is AIMS performance tracked and reported to management on a regular schedule? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are fairness, bias, and explainability metrics tracked for AI systems? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
9.2 Internal Audit
| Question | Status | Evidence/Notes |
|---|---|---|
| Is an internal audit program established for the AIMS? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are internal audits conducted at least annually covering all AIMS clauses? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are audit findings and remediation tracked to completion? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
9.3 Management Review and Stakeholder Feedback
| Question | Status | Evidence/Notes |
|---|---|---|
| Does management conduct formal reviews of the AIMS effectiveness? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is stakeholder feedback (customers, users, ethicists) systematically gathered? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is the AIMS evaluated for compliance with applicable AI regulations? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 9): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Remediation Actions:
- [________________________________]
- [________________________________]
Clause 10: Improvement
Requirement: Organizations must continually improve the suitability, adequacy, and effectiveness of the AIMS (10.1) and react to nonconformities with correction, root-cause analysis, and verified corrective action (10.2), drawing on audit findings, performance data, and regulatory changes.
10.1 Continual Improvement
| Question | Status | Evidence/Notes |
|---|---|---|
| Does a documented improvement plan exist for addressing AIMS gaps and enhancement opportunities? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are improvements evaluated and prioritized based on risk and impact? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Is the AIMS regularly updated to address emerging AI risks and regulatory changes? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
10.2 Nonconformity and Corrective Action
| Question | Status | Evidence/Notes |
|---|---|---|
| Is a process documented for handling nonconformities and deviations from AIMS requirements? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are root causes analyzed for identified issues? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
| Are corrective actions tracked and verified for effectiveness? | ☐ Yes ☐ In Progress ☐ No | [________________________________] |
Readiness Score (Clause 10): ☐ 0-25% ☐ 26-50% ☐ 51-75% ☐ 76-100%
Remediation Actions:
- [________________________________]
- [________________________________]
Section 3: Overall Readiness Summary
Clause-by-Clause Maturity Matrix
| Clause | Title | Readiness % | Status | Priority |
|---|---|---|---|---|
| 4 | Context of the Organization | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 5 | Leadership and Commitment | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 6 | Planning | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 7 | Support | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 8 | Operation | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 9 | Performance Evaluation | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
| 10 | Improvement | [____]% | ☐ Mature ☐ Progressing ☐ Developing ☐ Foundation | ☐ Critical ☐ High ☐ Medium |
Overall Organization Readiness: [____]% (Average across all clauses)
Certification Timeline Estimate:
☐ Ready to certify (within 6 months)
☐ 6–12 months
☐ 12–18 months
☐ 18+ months (major foundational work required)
Section 4: NIST AI RMF Alignment
Cross-Reference to NIST AI Risk Management Framework
ISO/IEC 42001 aligns with the NIST AI Risk Management Framework (NIST AI RMF 1.0) across governance, risk management, and operational practices. Use the following alignment to integrate both frameworks:
| ISO 42001 Clause | NIST AI RMF Function | Alignment Notes |
|---|---|---|
| Clause 4 – Context | GOVERN – Define organizations' approach and values | Establish AI governance context and stakeholder engagement |
| Clause 5 – Leadership | GOVERN – Establish AI risk governance & policy | Assign accountability and communicate AI policy |
| Clause 6 – Planning | MAP & MEASURE – Identify and assess AI risks | Conduct risk assessments and define controls |
| Clause 7 – Support | GOVERN & MAP – Resource and competency planning | Allocate resources, training, and data governance |
| Clause 8 – Operation | MANAGE – Implement controls and monitor systems | Execute development, deployment, and monitoring processes |
| Clause 9 – Performance | MEASURE – Evaluate effectiveness of controls | Track KPIs, conduct audits, and gather feedback |
| Clause 10 – Improvement | GOVERN – Improve and iterate the system | Drive continuous improvement and corrective actions |
NIST AI RMF Core Functions Assessment:
| NIST Function | Implementation Status | Evidence |
|---|---|---|
| GOVERN – Establish AI governance structure and values | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| MAP – Identify and inventory AI systems | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| MEASURE – Monitor AI system performance and risk | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
| MANAGE – Mitigate identified risks and incidents | ☐ Mature ☐ Developing ☐ Gap | [________________________________] |
Section 5: Critical Gaps and Remediation Roadmap
Top Critical Gaps (Highest Priority)
| Gap # | Clause | Description | Impact | Remediation Timeline | Owner |
|---|---|---|---|---|---|
| 1 | [____] | [________________________________] | ☐ Critical ☐ High ☐ Medium | [______] months | [________] |
| 2 | [____] | [________________________________] | ☐ Critical ☐ High ☐ Medium | [______] months | [________] |
| 3 | [____] | [________________________________] | ☐ Critical ☐ High ☐ Medium | [______] months | [________] |
90-Day Action Plan
Month 1 Priorities:
- [ ] [________________________________]
- [ ] [________________________________]
- [ ] [________________________________]
Month 2 Priorities:
- [ ] [________________________________]
- [ ] [________________________________]
Month 3 Priorities:
- [ ] [________________________________]
- [ ] [________________________________]
12-Month Implementation Roadmap
| Quarter | Clause Focus | Key Milestones | Responsible Party |
|---|---|---|---|
| Q1 | [____] | [________________________________] | [________] |
| Q2 | [____] | [________________________________] | [________] |
| Q3 | [____] | [________________________________] | [________] |
| Q4 | [____] | [________________________________] | [________] |
Section 6: Certification and Audit Readiness
Pre-Audit Checklist
- [ ] All AIMS documentation complete and accessible to auditors
- [ ] Internal audit completed with findings addressed
- [ ] Management review conducted and documented
- [ ] Evidence of risk assessments and control implementation gathered
- [ ] Personnel trained on AIMS requirements
- [ ] Incident response procedures tested
- [ ] Nonconformities identified and corrected
Recommended Certification Body and Timeline
Certification Body Candidates:
- [________________________________] (certification scope: [________])
- [________________________________] (certification scope: [________])
Proposed Audit Timeline:
- Stage 1 (Documentation Review): [__/__/____]
- Stage 2 (On-Site Audit): [__/__/____]
- Expected Certification Date: [__/__/____]
Estimated Certification Budget: $[____________]
Sources and References
- ISO/IEC 42001:2023 – Information technology – Artificial intelligence – Management system. International Organization for Standardization. https://www.iso.org/standard/81230.html
- NIST AI Risk Management Framework (AI RMF 1.0). https://airc.nist.gov/ai-risk-management-framework
- Hicomply – ISO 42001 Core Requirements Guide. https://www.hicomply.com/hub/the-core-requirements-of-iso-42001-clauses-4-10
- Barr Advisory – ISO 42001 Requirements Explained. https://www.barradvisory.com/resource/iso-42001-requirements-explained/
- EU AI Act – Regulation (EU) 2024/1689 – compliance considerations for high-risk AI systems.
- FAIR NOW – Integrating NIST AI RMF and ISO 42001: A Practical Guide. https://fairnow.ai/map-nist-ai-rmf-iso-42001/
Appendix: Glossary of Key Terms
AIMS – Artificial Intelligence Management System
Clause 6.1.3 – AI risk treatment: requires selecting controls to treat the assessed AI risks, comparing them against Annex A to confirm no necessary control has been omitted, and producing a Statement of Applicability that lists the selected controls and justifies each inclusion and exclusion
Annex A Controls – The 38 reference controls of ISO/IEC 42001:2023, grouped under nine control objectives (A.2 to A.10): policies related to AI, internal organization, resources for AI systems, assessing impacts of AI systems, AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships. Annex B provides implementation guidance for each control
High-Risk AI System – An AI system that can significantly affect the health, safety, or fundamental rights of individuals. The term and its classification rules come from the EU AI Act (Article 6 and Annex III); ISO/IEC 42001 does not define a high-risk tier but requires an AI system impact assessment (6.1.4) whose depth should be proportionate to the system's potential impact
Model Card – Documentation of an AI model's performance, intended use, limitations, and bias testing results
Fairness and Bias Assessment – Evaluation of whether an AI system produces discriminatory outcomes across protected classes or populations
Stakeholder Engagement – Process of involving customers, regulators, employees, and affected individuals in AI governance decisions
Assessment Completion Date: [__/__/____]
Authorized by: [________________________________] (Title: [____________])
Next Assessment Scheduled: [__/__/____]
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: May 2026