Unorma

ISO 42001

ISO 42001 Documentation Templates You Actually Need (And How Software Generates Them)

The specific documentation templates ISO 42001 requires, what good ones look like, and how software should generate first drafts without replacing human review.

Zofia Kubiak
Zofia Kubiak

May 11, 2026 · 7 min read

ISO 42001

Not every ISO 42001 document needs to be written from scratch. Here are the specific templates you actually need, what a good one looks like, and how software should generate the first draft of each without replacing the human review that makes it real evidence.

TL;DR

  • The core templates you need: AI policy, risk assessment, Statement of Applicability, internal audit checklist, and management review agenda.
  • A good template is structured to the specific clause it satisfies, not a generic document with ISO 42001 branding added.
  • Software should draft these pre-filled with your organization's actual data — software drafts, a qualified person reviews and approves.
  • The Statement of Applicability template is the one that needs the most ongoing maintenance as your AI systems change.
  • Templates alone don't satisfy an audit — the evidence of them being used and followed is what auditors actually check.

Software Drafts, Humans Approve

Software draftsPre-filled with your dataHuman reviewsApproves before use
Software drafts; a qualified person reviews and approves — the split that keeps generated documents usable as real evidence.

The Core Templates You Need

TemplateSatisfies
AI policyClause 5 — leadership commitment and direction
Risk assessmentClause 6 — planning and risk treatment
Statement of ApplicabilityClause 6.1.3 — control selection and justification
Internal audit checklistClause 9.2 — internal audit
Management review agendaClause 9.3 — management review

What Makes a Template Good vs. Generic

  • Structured to the specific clause or control it satisfies, not a generic policy document
  • Pre-filled with placeholders that map directly to fields you'd otherwise fill in manually
  • Versioned, so you can show which version applied at any point in time

The Statement of Applicability Needs the Most Upkeep

Unlike the policy or audit checklist, which change infrequently, the Statement of Applicability needs to update every time you add, change or retire an AI system. This is the template most likely to drift out of sync with reality if it isn't actively maintained.

Templates Alone Don't Pass an Audit

A perfectly structured template that nobody actually uses is worse than a rougher one that's genuinely followed — auditors check for evidence the documented process is actually happening, not just that the document exists in a polished form.

Who Should Own Each Template

TemplateTypical owner
AI policyExecutive sponsor, drafted by compliance lead
Risk assessmentCompliance/risk team, per AI system
Statement of ApplicabilityCompliance lead, kept in sync with the AI inventory
Internal audit checklistIndependent internal auditor
Management review agendaExecutive sponsor, prepared by compliance lead

Version Control That Actually Matters to Auditors

Auditors don't just want the current version of a document — they sometimes want to know which version applied at a specific point in time, especially when investigating a nonconformity. At minimum, keep a version number, a change date, and who approved each revision, for the AI policy and the Statement of Applicability in particular, since those two change most often as your AI systems evolve.

Primary Sources

Secondary Documents Worth Templating Too

Beyond the five core documents, a handful of secondary templates save real time once your AIMS is operating, even though they're not always the first thing teams think to template.

Secondary templateWhen it's used
Nonconformity and corrective action logEvery time an internal or external audit finding needs tracking to closure
Training completion trackerOngoing, as new hires and role changes require fresh AI literacy training
Third-party AI risk assessmentWhenever a new vendor or embedded model is introduced
Change log for the AI inventoryAny time a system is added, materially changed, or retired

Where Unorma Fits

Drafts you actually use

Unorma’s document generation drafts each of these templates pre-filled with your registered AI systems, ready for review. Read what ISO 42001 certification software automates for the broader picture.

Frequently asked questions

What are the core ISO 42001 documents we need?

At minimum: an AI policy, risk assessment, Statement of Applicability, internal audit checklist, and management review agenda — each mapped to a specific clause.

Can software fully generate these documents without human review?

No — software should draft them pre-filled with your data, but a qualified person always needs to review and approve before they're used as real evidence.

Which document needs the most ongoing maintenance?

The Statement of Applicability — it needs updating every time an AI system is added, changed or retired, unlike the policy or audit checklist which change less frequently.

Is having good templates enough to pass an audit?

No — auditors check for evidence the documented processes are actually being followed, not just that well-structured templates exist.

What secondary templates matter beyond the five core documents?

A nonconformity/corrective action log, a training completion tracker, a third-party AI risk assessment template, and a change log for the AI inventory all save real time once the AIMS is operating.

When should we create a third-party AI risk assessment template?

Before the first new vendor or embedded model is introduced, so the assessment process is consistent from the start rather than improvised each time.

Should templates be reused across multiple AI systems unchanged?

The structure should stay consistent, but the content — risk categories, intended use, affected stakeholders — needs to reflect each specific system rather than being copied verbatim from a previous one.

Who should approve changes to a template itself?

Whoever owns the underlying document — for example, the compliance lead for the AI policy template — should approve structural changes, so templates don't quietly drift between different owners' versions.

Do templates need legal review before first use?

For the AI policy and any document referencing specific legal obligations, yes — a quick legal review catches wording that could create commitments the organization isn't actually prepared to meet.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile