ISO 42001 · 4 min read · by Lars Zimmermann

Annex A & Statement of Applicability Explained

What Annex A of ISO 42001 delivers, what a Statement of Applicability is, and why this document becomes your most important guide in the audit.

In short

Annex A of ISO 42001 is a catalogue of controls, concrete measures an organization uses to get its AI risks under control. The Statement of Applicability records for each control whether it applies, why, and its implementation status. Controls are selected risk-based, not all adopted by default; a justified exclusion is permitted.


Anyone opening ISO 42001 (or 27001) for the first time runs into two terms: Annex A and the Statement of Applicability. The two are connected, and they are among the most important tools in any audit.

What is Annex A?

Annex A is a catalogue of controls, that is, concrete measures an organization uses to get its risks under control. In ISO 42001 these are organizational and governance controls around AI, grouped by area: AI policy, roles and resources, impact assessment of AI systems (effects on individuals and on society), the AI lifecycle, data for AI systems (quality and provenance), transparency and information for interested parties, responsible use, and the handling of third parties and suppliers.

Important: Annex A is deliberately generic and organizational. Model-specific technical tests, such as for bias, robustness, or adversarial attacks, must be planned in addition; the annex does not replace them.

What is the Statement of Applicability (SoA)?

The Statement of Applicability is the document that records, for each control: Does it apply to us? Why (or why not)? And what is its implementation status? It is the bridge between your risk assessment and the concrete measures.

  • Which controls are applicable, derived from the risk assessment?
  • Justification for the inclusion or exclusion of each control.
  • Implementation status: planned, implemented, effective?

Why the SoA is the heart of the audit

For the auditor, the Statement of Applicability is the map through the entire system: it shows what you have declared relevant, and that is exactly what gets sampled for effectiveness. A well-considered, honest SoA is therefore half the battle; an empty or whitewashed one stands out immediately.

The SoA is not a bureaucratic form but the map of your management system, for yourself just as much as for the auditor.

Risk-based, not a tick-box list

The decisive point: controls are not adopted as "all implemented" across the board but selected risk-based. An exclusion is entirely legitimate, as long as it is justified. It is precisely this traceable logic from risk to measure that an audit wants to see.


Frequently asked questions

Do I have to implement all the controls from Annex A?

No. The controls are selected risk-based. A justified exclusion is permitted, documented in the Statement of Applicability.

What is the difference between Annex A and the SoA?

Annex A is the catalogue of possible controls. The Statement of Applicability records which of them apply to you, why, and at what implementation status.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
