A practical, open-source implementation toolkit for ISO/IEC 42001:2023 — the international standard for AI Management Systems (AIMS).
Built by an ISO 42001 Lead Auditor. Covers all 10 clauses, all 38 Annex A controls across 9 domains, every mandatory document required by the standard, plus Annex B/C reference guides, AI Ethics Framework, Legal Register, and GRC automation scripts.
Work through folders in numbered order. Each clause folder has a README.md listing its files in the correct reading order.
Start here: Gap Assessment > Implementation Roadmap > Clause 4 > 5 > 6 > 7 > 8 > 9 > 10 > Annex A > Controls Mapping > Annex B > Annex C
| # | File | Purpose |
|---|---|---|
| - | 00-README.md | Detailed implementation guide (read this first) |
| 01 | 01-GAP-ASSESSMENT.md | Baseline gap assessment checklist (128 requirements) |
| 02 | 02-IMPLEMENTATION-ROADMAP.md | 12-month phased implementation roadmap |
| 10 | 10-ANNEX-A-CONTROLS.md | All 38 Annex A controls — implementation and audit guide |
| 11 | 11-CONTROLS-MAPPING.md | Cross-mapping to EU AI Act, NIST AI RMF, ISO 27001 |
| 12 | 12-ANNEX-B-AI-CONCEPTS.md | Annex B — AI concepts, terminology, and risk classification guide |
| 13 | 13-ANNEX-C-AI-DEVELOPERS.md | Annex C — Guidance for organisations developing AI for others |
| 14 | 14-WORKED-EXAMPLE/ | Worked examples — Nexus Financial Services fictional AIMS implementation |
Folder: 03-CLAUSE4-CONTEXT/
| # | File | Purpose |
|---|---|---|
| 1 | CONTEXT-REGISTER.md | Internal and external issues register (PESTLE) |
| 2 | AI-SYSTEMS-INVENTORY.md | Register of all AI systems in scope |
| 3 | INTERESTED-PARTIES-REGISTER.md | Stakeholder needs and binding requirements |
| 4 | LEGAL-REGULATORY-REQUIREMENTS-REGISTER.md | All legal, regulatory, and contractual AI obligations |
| 5 | AIMS-SCOPE-STATEMENT.md | Formal AIMS scope definition |
| 6 | AIMS-PROCESS-MAP.md | All AIMS processes, owners and connections |
Folder: 04-CLAUSE5-LEADERSHIP/
| # | File | Purpose |
|---|---|---|
| 1 | AIMS-POLICY-TEMPLATE.md | AI Management System Policy |
| 2 | LEADERSHIP-COMMITMENT-STATEMENT.md | Top management commitment statement |
| 3 | AI-ETHICS-FRAMEWORK.md | 8-principle AI Ethics Framework with governance structure |
| 4 | RACI-MATRIX.md | Roles and responsibilities across all AIMS activities |
| 5 | AI-SYSTEM-OWNERSHIP-REGISTER.md | Named accountable owner per AI system |
Folder: 05-CLAUSE6-PLANNING/
| # | File | Purpose |
|---|---|---|
| 1 | AI-RISK-ASSESSMENT-PROCESS.md | Documented AI risk assessment process |
| 2 | AI-RISK-REGISTER.md | Live AI risk register with scores |
| 3 | RISK-TREATMENT-PLAN.md | Controls and treatment options per risk |
| 4 | STATEMENT-OF-APPLICABILITY.md | Full SoA — all 38 Annex A controls with status and evidence |
| 5 | AI-OBJECTIVES-REGISTER.md | AIMS objectives, KPIs, owners, achievement plans |
| 6 | AIMS-CHANGE-LOG.md | Log of all planned AIMS changes |
Folder: 06-CLAUSE7-SUPPORT/
| # | File | Purpose |
|---|---|---|
| 1 | AIMS-RESOURCE-PLAN.md | Human, financial and infrastructure resources |
| 2 | COMPETENCE-REQUIREMENTS-MATRIX.md | Required competences per role and gap analysis |
| 3 | TRAINING-PLAN.md | Training catalogue, schedules and records |
| 4 | AWARENESS-COMMUNICATION-PLAN.md | Internal awareness and external AI disclosure |
| 5 | MASTER-DOCUMENT-LIST.md | Master list of all AIMS documented information |
| 6 | DOCUMENT-CONTROL-PROCEDURE.md | Document creation, approval and update process |
| 7 | RECORDS-RETENTION-SCHEDULE.md | Retention periods for all AIMS records |
Folder: 07-CLAUSE8-OPERATION/
| # | File | Purpose |
|---|---|---|
| 1 | OPERATIONAL-CONTROLS-REGISTER.md | All controls across the AI lifecycle |
| 2 | AI-LIFECYCLE-MANAGEMENT-PROCEDURE.md | End-to-end AI system lifecycle process |
| 3 | AI-SYSTEM-IMPACT-ASSESSMENT.md | Risk and impact assessment for AI systems |
| 4 | AI-DEPLOYMENT-CHECKLIST.md | Pre-deployment gate checks |
| 5 | AI-CHANGE-CONTROL-PROCEDURE.md | AI system change classification and approval |
| 6 | AI-MODEL-CARD-TEMPLATE.md | Model documentation card per AI system |
| 7 | AI-SUPPLIER-ASSESSMENT.md | Vendor/supplier assessment questionnaire |
| 8 | AI-SUPPLIER-RISK-REGISTER.md | Tiered register of AI suppliers with risk ratings |
| 9 | AI-SUPPLIER-CONTRACT-CLAUSES.md | Standard AI governance clauses for supplier contracts |
Folder: 08-CLAUSE9-PERFORMANCE/
| # | File | Purpose |
|---|---|---|
| 1 | AI-PERFORMANCE-MONITORING-PLAN.md | What to monitor, how, how often, who reviews |
| 2 | ISO42001-INTERNAL-AUDIT-GUIDE.md | Comprehensive AIMS audit methodology guide |
| 3 | INTERNAL-AUDIT-PROCEDURE.md | Procedure for planning and executing audits |
| 4 | ANNUAL-AUDIT-PROGRAMME.md | 12-month rolling audit schedule |
| 5 | INDIVIDUAL-AUDIT-PLAN-TEMPLATE.md | Per-audit plan (scope, criteria, team, schedule) |
| 6 | MANAGEMENT-REVIEW-TEMPLATE.md | Structured management review agenda and record |
Folder: 09-CLAUSE10-IMPROVEMENT/
| # | File | Purpose |
|---|---|---|
| 1 | NCR-REGISTER.md | Nonconformity and Corrective Action Register |
| 2 | CONTINUAL-IMPROVEMENT-LOG.md | Improvement initiatives with PDCA tracking |
| 3 | AI-INCIDENT-RESPONSE-PROCEDURE.md | AI system incident response procedure |
Folder: 12-SCRIPTS/
| File | Purpose |
|---|---|
| ai_assessment_checker.py | Automated AIMS gap assessment checker |
| aims_soa_tracker.py | SoA implementation tracker — all 38 controls with progress reporting |
| sample_ai_systems.csv | Sample AI systems inventory CSV |
Folder: 14-WORKED-EXAMPLE/
Fictional implementation reference — completed templates for educational use only.
| # | File | What It Shows |
|---|---|---|
| 1 | README.md | Folder overview and NFS organisation profile |
| 2 | NFS-AIMS-SCOPE-STATEMENT.md | Completed AIMS Scope Statement (Clause 4.3) |
| 3 | NFS-AI-SYSTEM-MODEL-CARD.md | Completed Model Card for CreditIQ v2.1 (Clause 8.4) |
| 4 | NFS-RISK-REGISTER-ENTRY.md | Three populated AI risk register entries (Clause 6.1) |
| 5 | NFS-INCIDENT-LOG-ENTRY.md | Completed AI incident log entries (Clause 10.1) |
- All 10 ISO 42001 clauses with implementation templates
- All 38 Annex A controls across 9 domains
- Every mandatory document required by the standard
- Full Statement of Applicability with pre-populated control mapping
- AI Ethics Framework (8 principles + governance structure)
- Legal and Regulatory Requirements Register (EU AI Act, GDPR, UK, US)
- Annex B — AI concepts and risk classification reference
- Annex C — Guidance for AI developers/suppliers
- AI Supplier Contract Clauses template
- Cross-mapping to EU AI Act, NIST AI RMF, and ISO 27001
- GRC automation scripts (Python)
Ankit Uniyal — ISO 42001 Lead Auditor | GRC Lead
See 00-README.md for the full implementation guide.