The ISO 42001/42005 AI Management Starter Kit

Purpose: Establishes the organization's AI governance rules, roles, approval gates, records, monitoring expectations, and incident reporting requirements.

The Policy Template helps provide:

• A documented policy structure that assigns ownership.

• Defined approval gates and escalation paths for new AI systems, material changes, and high-impact use cases.

• Monitoring and incident reporting requirements.

Example Use Case: An organization rolling out its first AI governance program needs a policy that goes beyond a values statement. This template gives the AI Governance Committee a documented rulebook to point to when a business unit asks, "who approves this, and what do we need before launch?"

Simple Artifacts to Produce: (1) an approved AI governance policy with named role owners; (2) an approval-gate map by project stage; and (3) an incident reporting and monitoring procedure.

Purpose: Helps assess organization level readiness and identify improvement actions across AI governance, risk, controls, evidence, and oversight.

The Gap Analysis Workbook helps provide:

• A structured readiness review mapped to ISO 42001 requirements, with current-state, target-state, and gap fields for each area.

• A prioritized action list with owners, target dates, and status tracking.

Example Use Case: Before committing to a certification timeline, an organization needs an honest picture of where it stands. The Gap Analysis Workbook gives the AI Governance Committee a defensible starting point instead of a guess.

Simple Artifacts to Produce: (1) a documented readiness baseline against ISO 42001 requirements; (2) a prioritized remediation action list with owners and dates; and (3) a certification-readiness summary for leadership.

Purpose: Records applicable control areas, ownership, status, rationale, and evidence references.

This Statement of Applicability Workbook helps provide:

• A control-by-control record of what applies, what doesn't, and why.

• Ownership fields so each control has a named accountable party, not a shared assumption.

• Evidence references that link each control back to the documentation that supports it.

Example Use Case: When an external auditor asks "show me your Statement of Applicability," the AI Owner and Information Security team need more than a verbal answer. This workbook turns that conversation into a documented, evidence-backed record.

Simple Artifacts to Produce: (1) a complete Statement of Applicability with ownership assigned per control; (2) an evidence reference log; and (3) an audit-ready export for certification bodies or customer due diligence.

Purpose: Defines how AI impact assessments are triggered, performed, approved, evidenced, and reviewed.

This Impact Assessment Workbook helps provide:

• Trigger criteria for when an AI impact assessment is required.

• A defined approval workflow connecting the AI Owner, Technology/Data team, Privacy/Legal/Compliance, and the AI Governance Committee.

• Review cadence and reassessment triggers so impact assessments don't go stale.

Example Use Case: A compliance lead is frequently asked, "does this AI tool need an assessment, and if so, by whom?" This workbook answers that question consistently, instead of leaving it to be decided every time a new system shows up.

Simple Artifacts to Produce: (1) a documented trigger and intake process for impact assessments; (2) an approval workflow with named roles; and (3) a review and reassessment schedule.

Purpose: Supports a direct assessment of one AI system, tool, vendor solution, pilot, or material change.

This System Impact Assessment Template helps provide:

• A structured assessment covering intended use, affected individuals, data flows, risk factors, and safeguards for a specific AI system.

• Fields for findings, mitigations, and an approval or risk-acceptance decision.

• A documentation trail that links back to the Process Workbook so each assessment follows the same defined process.

Example Use Case: A vendor pitches a new AI-enabled tool. Instead of a fragmented email thread between Legal, Security, and Procurement, this template gives the AI Owner one document that captures what the system does, what was found, and what was decided.

Simple Artifacts to Produce: (1) a completed system-level impact assessment covering purpose, data, risk factors, and safeguards; (2) a findings and mitigation record with an action tracker; and (3) a readiness dashboard and documented approval or risk-acceptance decision.