ISO 42001 checklist

ISO 42001 checklist for small teams

How small teams can evaluate AI management-system gaps before deeper ISO 42001 certification or assurance work.

Buyer

AI governance owners, SaaS companies, operations teams, and risk managers

Problem

Companies interested in AI management systems often jump to certification conversations before knowing which policy, role, risk, and evidence gaps exist.

What to look for

  • Checklist items for AI policy, roles, inventory, risk assessment, vendor review, monitoring, incident response, and management review.
  • Evidence readiness prompts that show whether controls are documented or merely intended.
  • Prioritization guidance for closing gaps before formal assurance work.

Red flags

  • The company has no AI inventory but wants a certification timeline.
  • Management review receives no AI risk, incident, exception, or training information.
  • Policies exist but no operating records show use, approval, monitoring, or improvement.

FAQ

Does a checklist make us ISO 42001 ready?

No. It helps identify gaps before certification, consulting, or formal assurance.

Is ISO 42001 only for AI product companies?

No. It can apply to organizations that provide or use AI systems, depending on scope and objectives.