Statement of Applicability
ISO/IEC 42001 Annex A control applicability and implementation status
SoA Entries
38 controls in the Statement of Applicability
| Control Ref | Control Name | Applicable | Justification | Implementation Status | Evidence |
|---|---|---|---|---|---|
| A.10.2 | Responsible Use of AI | Yes | — | Implemented | System documentation maintained for all 8 AI systems. Model cards created. |
| A.10.3 | User Transparency | Yes | — | Partially Implemented | Transparency notices published for SYS-002, SYS-004, SYS-006. Others in progress. |
| A.10.4 | Human Oversight of AI Systems | Yes | — | Implemented | Accountability framework documented. System owners designated with clear escalation paths. |
| A.2.2 | AI Policy | Yes | — | Implemented | AI Governance Policy v2.0 approved by board on 2025-12-01 |
| A.2.3 | Internal AI Policy Review | Yes | — | Implemented | Policy review schedule established. Last review 2025-12-01, next scheduled 2026-06-01 |
| A.2.4 | AI Policy Alignment with Other Policies | Yes | — | Partially Implemented | Alignment review with ISO 27001 and GDPR policies completed. EU AI Act alignment in progress |
| A.3.2 | AI Roles and Responsibilities | Yes | — | Implemented | RACI matrix for AI governance documented. AI Officer appointed. |
| A.3.3 | Reporting of Concerns | Yes | — | Partially Implemented | Incident reporting channel established via ServiceNow. Escalation procedures drafted. |
| A.3.4 | Multi-disciplinary Approach | Yes | — | Planned | AI Committee charter drafted. Member nominations in progress. |
| A.4.2 | Resources for AI Systems | Yes | — | Implemented | Budget allocated for AI governance program. FTE resources assigned. |
| A.4.3 | AI Competency | Yes | — | Partially Implemented | Competence framework drafted. Training needs assessment for 3 of 8 system owners completed. |
| A.4.4 | Awareness | Yes | — | Partially Implemented | Awareness training launched. 45% completion rate across organization. |
| A.4.5 | Communication | Yes | — | Planned | Communication plan template created. Stakeholder mapping completed. |
| A.4.6 | Documented Information | Yes | — | Implemented | AI development and monitoring infrastructure provisioned on AWS. MLflow deployed. |
| A.4.7 | Tools and Infrastructure | Yes | — | Partially Implemented | Key stakeholder registry created. Engagement plan for regulators and clients in progress. |
| A.5.2 | AI Impact Assessment Process | Yes | — | Partially Implemented | Impact assessment methodology defined. Completed for SYS-001 and SYS-003. |
| A.5.3 | Impact Assessment Documentation | Yes | — | Partially Implemented | Documentation template created. 2 of 8 assessments documented. |
| A.5.4 | Impact Assessment Review | Yes | — | Planned | Review schedule to be established after initial assessments complete. |
| A.5.5 | Stakeholder Engagement in Assessment | Yes | — | Planned | Mitigation tracking process designed but not yet operational. |
| A.6.2 | AI System Life Cycle Management | Yes | — | Implemented | AI system lifecycle framework documented in AIMS Manual v0.9, Chapter 6. |
38 row(s) total
Page 1 of 2