Which documents does ISO 42001 need? The ~20 documents at a glance
ISO/IEC 42001 does not require a mountain of paper but around 20 real documents, grouped into policies, procedures and records and mapped to the relevant clause. The complete, audit-ready overview.
In short
ISO/IEC 42001 requires around 20 real documents in three categories: policies (how you govern AI), procedures (how you operate the system) and records (evidence that it actually ran). They come from two sources, clauses 4 to 10 of the standard and Annex A (38 controls in 9 objectives). Policies and procedures are maintained; records are retained.
Auf Deutsch lesen: deutsche Fassung
"Do we now have to write hundreds of pages?" is the most common worry before an ISO 42001 implementation. The answer: no. The standard does not require a mountain of paper but around 20 real documents, and they follow logically from two sources and sort into three categories. Once you see that, the fear of documentation disappears.
Two sources, three categories
The documents come from clauses 4 to 10 of the standard (the management-system requirements) and from Annex A (38 controls in 9 objectives). Bundled, that is around 20 real documents, and each is either a policy, a procedure or a record:
- Policies, how you govern AI (maintained, i.e. kept current).
- Procedures, how you operate the system step by step (maintained).
- Records, evidence that the system actually ran (retained).
Category 1, Policies
| Clause | Document |
|---|---|
| 5.2 / A.2 | AI policy, the top-level governance document |
| 6.2 | AI objectives |
| A.6 | AI development policy |
| A.9 | Acceptable use policy |
| A.7 | Data management policy |
| A.8 / A.10 | Supplier & customer policy |
Category 2, Procedures
| Clause | Document |
|---|---|
| 4.3 | Defining the AIMS scope |
| 6.1 | AI risk assessment methodology |
| 6.1 | AI risk treatment plan |
| A.5 | AI impact assessment procedure |
| A.6 | AI life-cycle procedure |
| A.4 | Management of AI resources |
| 7.5 | Control of documents & records |
Category 3, Records
| Clause | Document |
|---|---|
| 6.1.3 | Statement of Applicability (SoA) |
| 7.2 | Competence records |
| 8.2 | AI risk assessment results |
| 8.3 | Risk treatment results |
| 8.4 | Impact assessment results |
| 9.1 | Monitoring & measurement results |
| 9.2 | Internal audit, programme & results |
| 9.3 | Management review minutes |
| 10.2 | Nonconformity & corrective actions |
The simple logic: maintain or retain?
If you are unsure which category a document belongs to, ask one question: does it state HOW we do something, or does it prove THAT we did it? The first is a policy or procedure and is maintained (kept current, versioned). The second is a record and is retained (logs, minutes, audit reports, assessment and impact-assessment results).
Good documentation is not the thickest, but the one actually used in operations, and findable in minutes during the audit.
How we approach it
You do not have to invent these ~20 documents from scratch. I bring proven templates mapped to the standard's clauses and adapt them to your real operation, lean, audit-ready and without duplication where an ISO 27001 or 9001 already exists. The result is a document set that passes the audit and holds up in day-to-day work.
Frequently asked questions
How many documents does ISO 42001 require?+
Around 20 real documents, bundled from clauses 4 to 10 of the standard and Annex A (38 controls in 9 objectives). They group into policies (how you govern AI), procedures (how you operate the system) and records (evidence that it ran).
What is the difference between a policy, a procedure and a record?+
Policies and procedures state HOW you do something, they are maintained and kept current. Records prove THAT something happened (logs, minutes, audit reports), they are retained. Keeping the two apart keeps the documentation lean.
Do I need a separate document for every Annex A control?+
No. Annex A has 38 controls, but many bundle into a few policies and procedures. The Statement of Applicability documents which controls apply to you and how they are implemented, which keeps the document count around 20.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 14 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.