Does ISO 42001 require specific templates?

No. The standard defines required outputs (documented information) but not their format. The minimum set in this guide reflects what accredited auditors look for in practice.

Can we use a single AI + security policy?

Yes if AI commitments are clearly marked and the document is reviewed against both standards. A separate AI policy is more common because it makes AI-specific commitments visible during the audit.

What is the most over-templated document?

The AI policy. Auditors recognise generic wording immediately. Adapt every section to the organisation's actual AI portfolio, governance model and risk posture.

Do we need an environmental impact statement?

Annex A.5 covers environmental impact as one of the dimensions the impact assessment should consider. A standalone environmental document is not required but the assessment should explicitly cover it.

Where can I get free ISO 42001 templates?

ISO Annex B provides implementation guidance for every Annex A control and is the most authoritative free reference. Compliance automation platforms ship more polished templates but require a paid subscription.

Last reviewed: May 2026 · 10 min read

ISO 42001 Policies and Templates: The Minimum Document Set

The minimum document set

Scope statement and stakeholder register (clause 4).
AI policy (clause 5, Annex A.2.2).
AI roles and responsibilities matrix (Annex A.3.2).
AI risk methodology and AI risk register (clause 6).
AI system impact assessment methodology and per-system assessments (clause 8.4, Annex A.5).
AI system inventory (operational).
Statement of Applicability (clause 6.1.3 d).
Competence matrix and training records (clause 7.2, 7.3).
Internal audit programme and audit reports (clause 9.2).
Management review minutes (clause 9.3).
CAPA log (clause 10.2).
Third-party AI register and due diligence evidence (Annex A.10).

AI policy — structure outline

Purpose and scope.
Commitment to responsible AI and to comply with applicable requirements.
AI objectives (linked to organisational strategy).
Principles (e.g. fairness, transparency, safety, human oversight, accountability).
Roles and responsibilities (high-level; detail in the matrix).
Cross-references to supporting policies (security, privacy, HR, procurement).
Approval, version, review cycle.

Length: 2-4 pages. Avoid generic statements that could apply to any organisation — auditors recognise template wording. The single most common nonconformity on AI policies is missing organisation-specific commitments around third-party AI use.

Statement of Applicability — structure

One row per Annex A control. Columns:

Control reference (e.g. A.5.2).
Control title.
Applied / Excluded / Not applicable.
Justification.
Implementation reference (link or document name).
Owner.
Last review date.

AI system inventory — fields

System ID and name.
Business owner, technical owner, governance owner.
Intended purpose and intended users.
Type (in-house developed / configured third-party / embedded vendor AI).
Risk classification (organisation's own + EU AI Act category if applicable).
Status (in development / production / retired).
Link to the impact assessment.
Link to the technical documentation.
Last review date.

Impact assessment template

See our impact assessment guide for the full method. The template should at minimum capture: system description; intended purpose and foreseeable misuse; affected individuals and groups; impacts across fairness, safety, privacy, security, environment; inherent and residual risk; mitigations; decision; approver; refresh schedule.

Internal audit programme

Audit scope per cycle (which clauses and Annex A controls).
Auditor competence and impartiality criteria.
Schedule across the certification cycle.
Report template with finding categorisation (major / minor / observation).
CAPA workflow tied to findings.

Management review minutes

Inputs (audit results, performance, changes, opportunities, stakeholder feedback) and outputs (decisions, actions, owners, dates). The single most common gap is AI items merged into a generic security review without distinct discussion — make AI a dedicated agenda item with its own minutes section.

Third-party AI register

Vendor name and AI component description.
Use case in the organisation.
Risk classification.
Evidence of vendor due diligence (security review, AI documentation, contract clauses).
Link to the impact assessment that includes this third-party AI.
Review schedule.

Common template pitfalls

Generic boilerplate. If the policy could belong to any company, it fails the "appropriate to the organisation" requirement.
SoA missing exclusion justifications. Every "excluded" row needs reasoning, not just a tick.
Inventory in a separate spreadsheet from the impact assessments. Auditors trace across; broken links are findings.
One template for every system. Risk-tier the template so a low-risk system gets a focused 2-page assessment and a high-risk system gets a longer one.

Where to get pre-built templates

Compliance automation platforms (Vanta, Drata, Sprinto, Secureframe, Thoropass) ship ISO 42001 framework templates that include the policy, SoA structure and impact assessment workflow. For organisations not using a platform, ISO publishes Annex B which contains implementation guidance for every Annex A control — this is the most authoritative free reference.