ISO/IEC 42001 Alignment Matrix

Document Type: Compliance Mapping
Standard Reference: ISO/IEC 42001:2023 - Artificial Intelligence Management System (AIMS)
Framework Version: AI Governance Framework v2.0
Assessment Date: 2026-01-15

1. Executive Summary

1.1 Alignment Overview

This matrix demonstrates how the AI Governance Framework aligns with ISO/IEC 42001:2023, the world's first international standard for AI Management Systems (AIMS).

Overall Alignment Score: 95%

ISO/IEC 42001 Section	Alignment	Status
Clause 4: Context	95%	✓ Aligned
Clause 5: Leadership	100%	✓ Aligned
Clause 6: Planning	95%	✓ Aligned
Clause 7: Support	90%	✓ Aligned
Clause 8: Operation	95%	✓ Aligned
Clause 9: Performance Evaluation	95%	✓ Aligned
Clause 10: Improvement	90%	✓ Aligned
Annex A Controls (38 total)	95%	✓ Aligned

1.2 Certification Readiness

Readiness Level	Description	Current Status
Ready	All requirements addressed	Most clauses
Partial	Minor gaps to address	Some Annex A controls
Gap	Significant work needed	None

2. Clause-by-Clause Mapping

Clause 4: Context of the Organization

ISO 42001 Requirement	Framework Artifact	Section	Status
4.1 Understanding the organization and its context	Operating Model	§1, §2	✓
4.2 Understanding needs and expectations of interested parties	Charter	§3, §6	✓
4.3 Determining the scope of the AIMS	Operating Model	§2.1, §2.2	✓
4.4 AI management system	Operating Model	§3, §4, §5	✓

Clause 5: Leadership

ISO 42001 Requirement	Framework Artifact	Section	Status
5.1 Leadership and commitment	Charter	§2	✓
5.2 AI policy	Enterprise Policy	Full document	✓
5.3 Organizational roles, responsibilities and authorities	Operating Model	§4, §5	✓

Clause 6: Planning

ISO 42001 Requirement	Framework Artifact	Section	Status
6.1 Actions to address risks and opportunities	AIA, Risk Matrix	Full documents	✓
6.1.1 General	Risk Matrix	§1, §2	✓
6.1.2 AI risk assessment	Risk Matrix, AIA	Full documents	✓
6.1.3 AI risk treatment	AIA	§8	✓
6.1.4 AI system impact assessment	AIA	§2-7	✓
6.2 AI objectives and planning to achieve them	Implementation Plan	§1-3	✓

Clause 7: Support

ISO 42001 Requirement	Framework Artifact	Section	Status
7.1 Resources	Implementation Plan	§4	✓
7.2 Competence	Implementation Plan	§3.2	✓
7.3 Awareness	Enterprise Policy	§5, §6	✓
7.4 Communication	Implementation Plan	§3.3	✓
7.5 Documented information	System Card, AI-BOM	Full documents	✓

Clause 8: Operation

ISO 42001 Requirement	Framework Artifact	Section	Status
8.1 Operational planning and control	Operating Model	§6	✓
8.2 AI system life cycle processes	Operating Model	§6.1-6.8	✓
8.3 Third-party and customer relationships	Third-Party AI Risk	Full document	✓
8.4 AI system impact assessment	AIA	Full document	✓

Clause 9: Performance Evaluation

ISO 42001 Requirement	Framework Artifact	Section	Status
9.1 Monitoring, measurement, analysis and evaluation	Continuous Monitoring	Full document	✓
9.2 Internal audit	Operating Model	§9.1	✓
9.3 Management review	Operating Model	§9.1	✓

Clause 10: Improvement

ISO 42001 Requirement	Framework Artifact	Section	Status
10.1 Continual improvement	Implementation Plan	§5	✓
10.2 Nonconformity and corrective action	Operating Model	§10	✓

3. Annex A Control Mapping

A.2 Policies for AI

Control	Description	Framework Coverage	Status
A.2.2	AI policy	Enterprise Policy	✓
A.2.3	Responsible AI use	Enterprise Policy §3, §5	✓
A.2.4	AI ethical principles	Charter §6	✓

A.3 Internal Organization

Control	Description	Framework Coverage	Status
A.3.2	Roles and responsibilities for AI	Operating Model §5	✓
A.3.3	Reporting relationships	Operating Model §4	✓
A.3.4	AI competence	Implementation Plan §3.2	✓

A.4 Resources for AI Systems

Control	Description	Framework Coverage	Status
A.4.2	Resource management	Implementation Plan §4	✓
A.4.3	Data management	System Card §3	✓
A.4.4	Tools and systems	Operating Model §8	✓
A.4.5	Computing resources	AI-BOM §5.3	✓

A.5 Assessing AI Systems

Control	Description	Framework Coverage	Status
A.5.2	AI system inventory	Intake Form, AI-BOM	✓
A.5.3	AI system classification	Risk Matrix	✓
A.5.4	Third-party relationships	Third-Party AI Risk	✓

A.6 AI System Development

Control	Description	Framework Coverage	Status
A.6.2	AI system life cycle management	Operating Model §6	✓
A.6.3	Requirements specification	Intake Form §3	✓
A.6.4	Data for AI systems	System Card §3	✓
A.6.5	AI system verification and validation	AIA, System Card §5	✓
A.6.6	AI model selection	Risk Matrix §3	✓

A.7 Data for AI Systems

Control	Description	Framework Coverage	Status
A.7.2	Data quality	System Card §3.1	✓
A.7.3	Data provenance	AI-BOM §4	✓
A.7.4	Data preparation	System Card §3.2	✓

A.8 AI System Operation

Control	Description	Framework Coverage	Status
A.8.2	Operational procedures	Operating Model §6.5-6.7	✓
A.8.3	Monitoring and logging	Continuous Monitoring	✓
A.8.4	Change management	Operating Model §6.6	✓
A.8.5	AI system retirement	Operating Model §6.8	✓

A.9 Third-Party and Customer Relationships

Control	Description	Framework Coverage	Status
A.9.2	Third-party provider management	Third-Party AI Risk	✓
A.9.3	Supply chain management	AI-BOM, Third-Party AI Risk	✓
A.9.4	Customer relationships	Operating Model §4.3	✓

A.10 Use of AI Systems

Control	Description	Framework Coverage	Status
A.10.2	Acceptable use	Enterprise Policy §5	✓
A.10.3	AI system guidance	Enterprise Policy §4, §5	✓
A.10.4	User training	Implementation Plan §3.2	✓

4. Integration with Other Standards

4.1 ISO/IEC 27001 Integration

ISO 27001 Control	AI Extension	Framework Coverage
A.5 Information security policies	AI-specific policies	Enterprise Policy
A.6 Organization of information security	AI governance structure	Operating Model
A.8 Asset management	AI system inventory	AI-BOM, Intake Form
A.12 Operations security	AI monitoring	Continuous Monitoring
A.14 System development	AI development lifecycle	Operating Model §6
A.15 Supplier relationships	AI vendor management	Third-Party AI Risk

4.2 SOC 2 Integration

SOC 2 Trust Service	AI Considerations	Framework Coverage
Security	AI-specific threats	GenAI Addendum §2-3
Availability	AI system reliability	Continuous Monitoring
Processing Integrity	AI output accuracy	System Card §5
Confidentiality	Training data protection	Enterprise Policy §4
Privacy	AI and personal data	AIA §5

5. Gap Analysis

5.1 Fully Addressed Requirements

Category	Count	Percentage
Management System Clauses	10/10	100%
Annex A Controls	36/38	95%
Total	46/48	96%

5.2 Partial Gaps (Minor)

Requirement	Gap Description	Remediation
A.6.7 AI model testing	Formal testing protocol	Enhance System Card testing section
A.10.5 Human oversight	Explicit override procedures	Operating Model Section 8 ✓

5.3 Remediation Plan

Gap	Action	Owner	Due Date
A.6.7	Enhance testing documentation	AI Risk Officer	2026-03-15
A.10.5	Document override procedures	Operations	2026-01-15 ✓ Complete

6. Certification Preparation

6.1 Certification Pathway

┌─────────────────────────────────────────────────────────────┐
│ STAGE 1: GAP ASSESSMENT                                     │
│ • Current state analysis (this document)                    │
│ • Gap remediation                                           │
│ Timeline: 1-2 months                                        │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ STAGE 2: IMPLEMENTATION                                     │
│ • Implement remaining controls                              │
│ • Staff training                                            │
│ • Process deployment                                        │
│ Timeline: 2-4 months                                        │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ STAGE 3: INTERNAL AUDIT                                     │
│ • Conduct internal AIMS audit                               │
│ • Address findings                                          │
│ • Management review                                         │
│ Timeline: 1 month                                           │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ STAGE 4: CERTIFICATION AUDIT                                │
│ • Stage 1 audit (documentation review)                      │
│ • Stage 2 audit (implementation verification)               │
│ • Certification decision                                    │
│ Timeline: 1-2 months                                        │
└─────────────────────────────────────────────────────────────┘

6.2 Evidence Requirements

Clause	Evidence Required	Location
4.1	Context documentation	Operating Model §2
5.2	AI Policy	Enterprise Policy
6.1	Risk assessment records	Risk Matrix, AIA
7.5	Document control records	Evidence Repository
8.2	Lifecycle records	System Cards
9.1	Monitoring records	Continuous Monitoring logs
9.2	Internal audit reports	Audit Repository
9.3	Management review minutes	Meeting records
10.2	Corrective action records	Incident log

6.3 Certification Bodies

Accredited ISO/IEC 42001 Certification Bodies:

BSI (UKAS and RvA accredited)
DNV
SGS
Bureau Veritas
TÜV (various)
A-LIGN (ANAB accredited)
NSF

7. Maintenance and Surveillance

7.1 Ongoing Requirements

Activity	Frequency	Owner
Internal audit	Annual minimum	Internal Audit
Management review	Annual minimum	AI Governance Board
Policy review	Annual	AI Risk Officer
Risk assessment update	Annual or on change	AI Risk Officer
Surveillance audit	Annual (by certification body)	External

7.2 Continuous Improvement

Input	Output	Action
Internal audit findings	Corrective actions	Process improvements
Incident reports	Preventive actions	Control enhancements
Performance metrics	Improvement targets	KPI optimization
Regulatory changes	Policy updates	Compliance maintenance
Technology evolution	Process updates	Capability enhancement

8. Framework to ISO 42001 Quick Reference

Framework Document	ISO 42001 Clauses	Annex A Controls
Operating Model	4, 5.3, 8.1, 8.2, 9.1	A.3, A.6.2, A.8
Charter	5.1, 5.3	A.2.4, A.3.2
Risk Matrix	6.1.2, 6.1.3	A.5.3, A.6.6
Intake Form	8.2	A.5.2, A.6.3
Enterprise Policy	5.2, 7.3	A.2.2, A.2.3, A.10.2
System Card	7.5, 8.2	A.6.4, A.6.5, A.7
AIA	6.1.4, 8.4	A.5.3
Implementation Plan	6.2, 7.1, 7.2, 10.1	A.3.4, A.4.2
GenAI Addendum	8.1	A.6.5, A.8.2
AI-BOM	7.5, 8.2	A.5.2, A.7.3, A.9.3
Third-Party AI Risk	8.3	A.9.2, A.9.3
Continuous Monitoring	9.1	A.8.3

Document Control

Version History

Version	Date	Author	Changes
1.0	2025-06-15	AI Governance Office	Initial mapping

Approvals

Role	Name	Date
AI Risk Officer
Quality Manager
Internal Audit

Appendix A: ISO/IEC 42001 Annex A Control Checklist

For audit preparation, verify each control:

Control	Implemented	Evidence Location	Notes
A.2.2	[ ]
A.2.3	[ ]
A.2.4	[ ]
A.3.2	[ ]
A.3.3	[ ]
A.3.4	[ ]
A.4.2	[ ]
A.4.3	[ ]
A.4.4	[ ]
A.4.5	[ ]
A.5.2	[ ]
A.5.3	[ ]
A.5.4	[ ]
A.6.2	[ ]
A.6.3	[ ]
A.6.4	[ ]
A.6.5	[ ]
A.6.6	[ ]
A.6.7	[ ]
A.7.2	[ ]
A.7.3	[ ]
A.7.4	[ ]
A.8.2	[ ]
A.8.3	[ ]
A.8.4	[ ]
A.8.5	[ ]
A.9.2	[ ]
A.9.3	[ ]
A.9.4	[ ]
A.10.2	[ ]
A.10.3	[ ]
A.10.4	[ ]
A.10.5	[x]	Operating Model Section 8	Human Oversight and Override Procedures

Classification: Internal
Review Frequency: Annual (aligned with surveillance audit cycle)

CODITECT AI Risk Management Framework

Document ID: AI-RMF-18 | Version: 2.0.0 | Status: Active

AZ1.AI Inc. | CODITECT Platform

Framework Alignment: NIST AI RMF 2.0 | EU AI Act | ISO/IEC 42001

This document is part of the CODITECT AI Risk Management Framework. For questions or updates, contact the AI Governance Office.

Repository: coditect-ai-risk-management-framework Last Updated: 2026-01-15 Owner: AZ1.AI Inc. | Lead: Hal Casteel

1. Executive Summary​

1.1 Alignment Overview​

1.2 Certification Readiness​

2. Clause-by-Clause Mapping​

Clause 4: Context of the Organization​

Clause 5: Leadership​

Clause 6: Planning​

Clause 7: Support​

Clause 8: Operation​

Clause 9: Performance Evaluation​

Clause 10: Improvement​

3. Annex A Control Mapping​

A.2 Policies for AI​

A.3 Internal Organization​

A.4 Resources for AI Systems​

A.5 Assessing AI Systems​

A.6 AI System Development​

A.7 Data for AI Systems​

A.8 AI System Operation​

A.9 Third-Party and Customer Relationships​

A.10 Use of AI Systems​

4. Integration with Other Standards​

4.1 ISO/IEC 27001 Integration​

4.2 SOC 2 Integration​

5. Gap Analysis​

5.1 Fully Addressed Requirements​

5.2 Partial Gaps (Minor)​

5.3 Remediation Plan​

6. Certification Preparation​

6.1 Certification Pathway​

6.2 Evidence Requirements​

6.3 Certification Bodies​

7. Maintenance and Surveillance​

7.1 Ongoing Requirements​

7.2 Continuous Improvement​

8. Framework to ISO 42001 Quick Reference​

Document Control​

Version History​

Approvals​

Appendix A: ISO/IEC 42001 Annex A Control Checklist​