ISO 42001
ISO 42001 Documentation Templates You Actually Need (And How Software Generates Them)
The specific documentation templates ISO 42001 requires, what good ones look like, and how software should generate first drafts without replacing human review.
May 11, 2026 · 7 min read
ISO 42001
Not every ISO 42001 document needs to be written from scratch. Here are the specific templates you actually need, what a good one looks like, and how software should generate the first draft of each without replacing the human review that makes it real evidence.
TL;DR
- The core templates you need: AI policy, risk assessment, Statement of Applicability, internal audit checklist, and management review agenda.
- A good template is structured to the specific clause it satisfies, not a generic document with ISO 42001 branding added.
- Software should draft these pre-filled with your organization's actual data — software drafts, a qualified person reviews and approves.
- The Statement of Applicability template is the one that needs the most ongoing maintenance as your AI systems change.
- Templates alone don't satisfy an audit — the evidence of them being used and followed is what auditors actually check.
Software Drafts, Humans Approve
The Core Templates You Need
| Template | Satisfies |
|---|---|
| AI policy | Clause 5 — leadership commitment and direction |
| Risk assessment | Clause 6 — planning and risk treatment |
| Statement of Applicability | Clause 6.1.3 — control selection and justification |
| Internal audit checklist | Clause 9.2 — internal audit |
| Management review agenda | Clause 9.3 — management review |
What Makes a Template Good vs. Generic
- Structured to the specific clause or control it satisfies, not a generic policy document
- Pre-filled with placeholders that map directly to fields you'd otherwise fill in manually
- Versioned, so you can show which version applied at any point in time
The Statement of Applicability Needs the Most Upkeep
Unlike the policy or audit checklist, which change infrequently, the Statement of Applicability needs to update every time you add, change or retire an AI system. This is the template most likely to drift out of sync with reality if it isn't actively maintained.
Templates Alone Don't Pass an Audit
A perfectly structured template that nobody actually uses is worse than a rougher one that's genuinely followed — auditors check for evidence the documented process is actually happening, not just that the document exists in a polished form.
Who Should Own Each Template
| Template | Typical owner |
|---|---|
| AI policy | Executive sponsor, drafted by compliance lead |
| Risk assessment | Compliance/risk team, per AI system |
| Statement of Applicability | Compliance lead, kept in sync with the AI inventory |
| Internal audit checklist | Independent internal auditor |
| Management review agenda | Executive sponsor, prepared by compliance lead |
Version Control That Actually Matters to Auditors
Auditors don't just want the current version of a document — they sometimes want to know which version applied at a specific point in time, especially when investigating a nonconformity. At minimum, keep a version number, a change date, and who approved each revision, for the AI policy and the Statement of Applicability in particular, since those two change most often as your AI systems evolve.
Primary Sources
- ISO — ISO/IEC 42001:2023
- NIST — AI Risk Management Framework
Secondary Documents Worth Templating Too
Beyond the five core documents, a handful of secondary templates save real time once your AIMS is operating, even though they're not always the first thing teams think to template.
| Secondary template | When it's used |
|---|---|
| Nonconformity and corrective action log | Every time an internal or external audit finding needs tracking to closure |
| Training completion tracker | Ongoing, as new hires and role changes require fresh AI literacy training |
| Third-party AI risk assessment | Whenever a new vendor or embedded model is introduced |
| Change log for the AI inventory | Any time a system is added, materially changed, or retired |
Where Unorma Fits
Drafts you actually use
Frequently asked questions
What are the core ISO 42001 documents we need?
At minimum: an AI policy, risk assessment, Statement of Applicability, internal audit checklist, and management review agenda — each mapped to a specific clause.
Can software fully generate these documents without human review?
No — software should draft them pre-filled with your data, but a qualified person always needs to review and approve before they're used as real evidence.
Which document needs the most ongoing maintenance?
The Statement of Applicability — it needs updating every time an AI system is added, changed or retired, unlike the policy or audit checklist which change less frequently.
Is having good templates enough to pass an audit?
No — auditors check for evidence the documented processes are actually being followed, not just that well-structured templates exist.
What secondary templates matter beyond the five core documents?
A nonconformity/corrective action log, a training completion tracker, a third-party AI risk assessment template, and a change log for the AI inventory all save real time once the AIMS is operating.
When should we create a third-party AI risk assessment template?
Before the first new vendor or embedded model is introduced, so the assessment process is consistent from the start rather than improvised each time.
Should templates be reused across multiple AI systems unchanged?
The structure should stay consistent, but the content — risk categories, intended use, affected stakeholders — needs to reflect each specific system rather than being copied verbatim from a previous one.
Who should approve changes to a template itself?
Whoever owns the underlying document — for example, the compliance lead for the AI policy template — should approve structural changes, so templates don't quietly drift between different owners' versions.
Do templates need legal review before first use?
For the AI policy and any document referencing specific legal obligations, yes — a quick legal review catches wording that could create commitments the organization isn't actually prepared to meet.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.