
# ISO/IEC 42001:2023 AI Governance Toolkit

A practical, open-source implementation toolkit for ISO/IEC 42001:2023 — the international standard for AI Management Systems (AIMS).

Built by an ISO 42001 Lead Auditor. Covers all 10 clauses, all 38 Annex A controls across 9 domains, every mandatory document required by the standard, plus Annex B/C reference guides, AI Ethics Framework, Legal Register, and GRC automation scripts.


## How to Navigate This Toolkit

Work through folders in numbered order. Each clause folder has a README.md listing its files in the correct reading order.

Start here: Gap Assessment > Implementation Roadmap > Clause 4 > 5 > 6 > 7 > 8 > 9 > 10 > Annex A > Controls Mapping > Annex B > Annex C


## Full Toolkit Index

### Top-Level Files

| # | File | Purpose |
|---|------|---------|
| - | 00-README.md | Detailed implementation guide (read this first) |
| 01 | 01-GAP-ASSESSMENT.md | Baseline gap assessment checklist (128 requirements) |
| 02 | 02-IMPLEMENTATION-ROADMAP.md | 12-month phased implementation roadmap |
| 10 | 10-ANNEX-A-CONTROLS.md | All 38 Annex A controls — implementation and audit guide |
| 11 | 11-CONTROLS-MAPPING.md | Cross-mapping to EU AI Act, NIST AI RMF, ISO 27001 |
| 12 | 12-ANNEX-B-AI-CONCEPTS.md | Annex B — AI concepts, terminology, and risk classification guide |
| 13 | 13-ANNEX-C-AI-DEVELOPERS.md | Annex C — Guidance for organisations developing AI for others |
| 14 | 14-WORKED-EXAMPLE/ | Worked examples — Nexus Financial Services fictional AIMS implementation |

### Clause 4 — Context of the Organisation

Folder: `03-CLAUSE4-CONTEXT/`

| # | File | Purpose |
|---|------|---------|
| 1 | CONTEXT-REGISTER.md | Internal and external issues register (PESTLE) |
| 2 | AI-SYSTEMS-INVENTORY.md | Register of all AI systems in scope |
| 3 | INTERESTED-PARTIES-REGISTER.md | Stakeholder needs and binding requirements |
| 4 | LEGAL-REGULATORY-REQUIREMENTS-REGISTER.md | All legal, regulatory, and contractual AI obligations |
| 5 | AIMS-SCOPE-STATEMENT.md | Formal AIMS scope definition |
| 6 | AIMS-PROCESS-MAP.md | All AIMS processes, owners and connections |

### Clause 5 — Leadership

Folder: `04-CLAUSE5-LEADERSHIP/`

| # | File | Purpose |
|---|------|---------|
| 1 | AIMS-POLICY-TEMPLATE.md | AI Management System Policy |
| 2 | LEADERSHIP-COMMITMENT-STATEMENT.md | Top management commitment statement |
| 3 | AI-ETHICS-FRAMEWORK.md | 8-principle AI Ethics Framework with governance structure |
| 4 | RACI-MATRIX.md | Roles and responsibilities across all AIMS activities |
| 5 | AI-SYSTEM-OWNERSHIP-REGISTER.md | Named accountable owner per AI system |

### Clause 6 — Planning

Folder: `05-CLAUSE6-PLANNING/`

| # | File | Purpose |
|---|------|---------|
| 1 | AI-RISK-ASSESSMENT-PROCESS.md | Documented AI risk assessment process |
| 2 | AI-RISK-REGISTER.md | Live AI risk register with scores |
| 3 | RISK-TREATMENT-PLAN.md | Controls and treatment options per risk |
| 4 | STATEMENT-OF-APPLICABILITY.md | Full SoA — all 38 Annex A controls with status and evidence |
| 5 | AI-OBJECTIVES-REGISTER.md | AIMS objectives, KPIs, owners, achievement plans |
| 6 | AIMS-CHANGE-LOG.md | Log of all planned AIMS changes |

### Clause 7 — Support

Folder: `06-CLAUSE7-SUPPORT/`

| # | File | Purpose |
|---|------|---------|
| 1 | AIMS-RESOURCE-PLAN.md | Human, financial and infrastructure resources |
| 2 | COMPETENCE-REQUIREMENTS-MATRIX.md | Required competences per role and gap analysis |
| 3 | TRAINING-PLAN.md | Training catalogue, schedules and records |
| 4 | AWARENESS-COMMUNICATION-PLAN.md | Internal awareness and external AI disclosure |
| 5 | MASTER-DOCUMENT-LIST.md | Master list of all AIMS documented information |
| 6 | DOCUMENT-CONTROL-PROCEDURE.md | Document creation, approval and update process |
| 7 | RECORDS-RETENTION-SCHEDULE.md | Retention periods for all AIMS records |

### Clause 8 — Operation

Folder: `07-CLAUSE8-OPERATION/`

| # | File | Purpose |
|---|------|---------|
| 1 | OPERATIONAL-CONTROLS-REGISTER.md | All controls across the AI lifecycle |
| 2 | AI-LIFECYCLE-MANAGEMENT-PROCEDURE.md | End-to-end AI system lifecycle process |
| 3 | AI-SYSTEM-IMPACT-ASSESSMENT.md | Risk and impact assessment for AI systems |
| 4 | AI-DEPLOYMENT-CHECKLIST.md | Pre-deployment gate checks |
| 5 | AI-CHANGE-CONTROL-PROCEDURE.md | AI system change classification and approval |
| 6 | AI-MODEL-CARD-TEMPLATE.md | Model documentation card per AI system |
| 7 | AI-SUPPLIER-ASSESSMENT.md | Vendor/supplier assessment questionnaire |
| 8 | AI-SUPPLIER-RISK-REGISTER.md | Tiered register of AI suppliers with risk ratings |
| 9 | AI-SUPPLIER-CONTRACT-CLAUSES.md | Standard AI governance clauses for supplier contracts |

### Clause 9 — Performance Evaluation

Folder: `08-CLAUSE9-PERFORMANCE/`

| # | File | Purpose |
|---|------|---------|
| 1 | AI-PERFORMANCE-MONITORING-PLAN.md | What to monitor, how, how often, who reviews |
| 2 | ISO42001-INTERNAL-AUDIT-GUIDE.md | Comprehensive AIMS audit methodology guide |
| 3 | INTERNAL-AUDIT-PROCEDURE.md | Procedure for planning and executing audits |
| 4 | ANNUAL-AUDIT-PROGRAMME.md | 12-month rolling audit schedule |
| 5 | INDIVIDUAL-AUDIT-PLAN-TEMPLATE.md | Per-audit plan (scope, criteria, team, schedule) |
| 6 | MANAGEMENT-REVIEW-TEMPLATE.md | Structured management review agenda and record |

### Clause 10 — Improvement

Folder: `09-CLAUSE10-IMPROVEMENT/`

| # | File | Purpose |
|---|------|---------|
| 1 | NCR-REGISTER.md | Nonconformity and Corrective Action Register |
| 2 | CONTINUAL-IMPROVEMENT-LOG.md | Improvement initiatives with PDCA tracking |
| 3 | AI-INCIDENT-RESPONSE-PROCEDURE.md | AI system incident response procedure |

### Scripts and Automation

Folder: `12-SCRIPTS/`

| File | Purpose |
|------|---------|
| ai_assessment_checker.py | Automated AIMS gap assessment checker |
| aims_soa_tracker.py | SoA implementation tracker — all 38 controls with progress reporting |
| sample_ai_systems.csv | Sample AI systems inventory CSV |

### Worked Example — Nexus Financial Services

Folder: `14-WORKED-EXAMPLE/`

Fictional implementation reference — completed templates for educational use only.

| # | File | What It Shows |
|---|------|---------------|
| 1 | README.md | Folder overview and NFS organisation profile |
| 2 | NFS-AIMS-SCOPE-STATEMENT.md | Completed AIMS Scope Statement (Clause 4.3) |
| 3 | NFS-AI-SYSTEM-MODEL-CARD.md | Completed Model Card for CreditIQ v2.1 (Clause 8.4) |
| 4 | NFS-RISK-REGISTER-ENTRY.md | Three populated AI risk register entries (Clause 6.1) |
| 5 | NFS-INCIDENT-LOG-ENTRY.md | Completed AI incident log entries (Clause 10.1) |

## What's Covered

- All 10 ISO 42001 clauses with implementation templates
- All 38 Annex A controls across 9 domains
- Every mandatory document required by the standard
- Full Statement of Applicability with pre-populated control mapping
- AI Ethics Framework (8 principles + governance structure)
- Legal and Regulatory Requirements Register (EU AI Act, GDPR, UK, US)
- Annex B — AI concepts and risk classification reference
- Annex C — Guidance for AI developers/suppliers
- AI Supplier Contract Clauses template
- Cross-mapping to EU AI Act, NIST AI RMF, and ISO 27001
- GRC automation scripts (Python)

## Maintained by

Ankit Uniyal — ISO 42001 Lead Auditor | GRC Lead

See 00-README.md for the full implementation guide.