Customizing ISO 42001 ISMS Templates

ISO 42001 certification requires a collection of documents. There are a number of templates available for purchase online. We use our own ISO 42001 templates so that we can create an individual AI management concept faster and cheaper. The ISO/IEC 42001 standard has an extensive catalogue of mandatory and optional documents that must be presented during the audit. The ISO 42001 standard is modernized every few years. Documents are eliminated, others are expanded or supplemented with additional documents. Watch our short video on the topic of the ISO 42001 template here:

What must an ISO 42001 template contain in 2025?

As you could already see from the video, an ISO 42001 template requires a wealth of documents. With the switch from the ISO 42001 draft standard to the ISO 42001:2023, a few significant changes have occurred:

What needs to be documented?ISO 27001 ChaptersIncluded in following documents
Scope of AIMSSection 4.3AIMS Project Document
AI PoliciesSection 5.2AI policies and objectives
Methods for risk evaluation and treatmentSection 6.1.2Methods for risk evaluation and treatment
Statement of ApplicabilitySection 6.1.3 d)Statement of Applicability
Risk Treatment PlanSection 6.1.3 e, 6.2, and 8.3Risk Management Plan
Security objectivesSection 6.2List of AI objectives
Risk assessment and treatmentSection 8.2 and 8.3Risk assessment and treatment report
Inventory of AssetsControl A.5.9*Inventory of Assets
Permitted usage of AssetsControl A.5.10*AI Policy
Handling security incidentsControl A.5.26*Incident Management Vorgehensweise
Legal, regulatory and contractual requirementsControl A.5.31*List of legal, regulatory and contractual requirements
Security policies in  AI ManagementControl A.5.37*Security policies in  AI Management
Definition of security roles and responsibilitiesControl A.6.2 and A.6.6*Contracts, Agreements, NDA and other responsibilities
Definition of AI guidelinesControl A.8.9*Security policies in the AI department
Security policies in R&DControl A.8.27*AI policies in R&D
Woman in a library holding books and a binder, engaged in reading, symbolizing the importance of documentation and training for ISO 9001 certification.

The list must be continually updated and adapted to the respective industry. We therefore regularly update our industry-specific templatesof the AIMS management system to the ISO 42001 standard. Consequently, it does not make sense to have to go through another expensive round of certification because of outdated or incomplete templatesbecause the auditor has rejected all documentsWe want to provide our customers with a high-quality set of rules in a time-saving manner at affordable costsby continuously improving the templates and checklists.

How do you customize the ISO 42001 AIMS?​

In addition to the general documents, the ISO 42001:2023 standard requires that certain company-specific documents also provide evidence of the active implementation of the AIMS requirements in everyday operations. A thick folder full of documents is not enough to prove that information security is actually being implemented. The following documents are often requested or expected as active evidence:

Required documentationISO 27001 Sectionshere to be included
competence certificatesSection 7.2CV, Training and education certificates
Monitoring resultsSection 9.1Monitoring report
Internal Audit ProgrammSection 9.2Internal Audit Program
Results of internal auditsSection 9.2Internal Audit Report
Results of management reviewSection9.3Protocol of management review
Results of corrective actionsSection10.2Document on corrective actions
Log on events and user behaviourControl A.8.15*Automatic System Protocols

Do free ISO 42001 sample templates help?

You are probably asking whether you can create an AIMS using “ISO 42001 free sample templates”. These sample templates represent only a small fraction of all relevant documents. They will certainly help to get a better idea of what the ISO IEC 42001 standard expects from certified companies.

Without a truly functioning AI management system (AIMS), a certification will not comply with the compliance guidelines of the accreditation bodies. What most business owners and managers overlook is that 80% represents a standardized set of policies. However, the remaining 20% require explicit IT specialist knowledge. Based on the lack of IT expertise in the regulations, an auditor can recognize that the organization being certified has not met the necessary requirementsIEC ISO IEC 42001 does not expect small companies(SMEs) to employ AI experts. Many companies have specific AI topics looked after by a trusted AI consultants. Simple tasks are usually carried out by an employee with computer skills. To ensure that the documentation for the company audit costs as little as possible, we also work together with a trusted AI system provider.

Due to our expertise in SMEs, holding companies and corporate landscapes, we can also help service providers meet regulatory requirements for more complex issues. This also creates new potential for new business for AI service providers. The operational AI landscape is increasingly changing due to the digital transformation in retail and authorities. As part of our partner program, we are already helping AI system houses to implement the ISO 42001 standard in their customers’ companies.

In this way, we relieve the companies being certified of a lot of the workload that would otherwise have to be done by reformulating free sample templates, which usually do not fully correspond to the current standard. We do not expect our business customers to undergo ISO 42001 basic training for 6 months in order to adapt the AIMS documentation. Our experts will take care of the adjustment for you at a significantly lower cost. This means you can even acquire an ISO 42001 certificate within 4 weeks. A free template will only waste your time and budget.