Customizing ISO 42001 ISMS Templates
ISO 42001 certification requires a collection of documents. There are a number of templates available for purchase online. We use our own ISO 42001 templates so that we can create an individual AI management concept faster and cheaper. The ISO/IEC 42001 standard has an extensive catalogue of mandatory and optional documents that must be presented during the audit. The ISO 42001 standard is modernized every few years. Documents are eliminated, others are expanded or supplemented with additional documents. Watch our short video on the topic of the ISO 42001 template here:
What must an ISO 42001 template contain in 2025?
As you could already see from the video, an ISO 42001 template requires a wealth of documents. With the switch from the ISO 42001 draft standard to the ISO 42001:2023, a few significant changes have occurred:
| What needs to be documented? | ISO 27001 Chapters | Included in following documents |
| Scope of AIMS | Section 4.3 | AIMS Project Document |
| AI Policies | Section 5.2 | AI policies and objectives |
| Methods for risk evaluation and treatment | Section 6.1.2 | Methods for risk evaluation and treatment |
| Statement of Applicability | Section 6.1.3 d) | Statement of Applicability |
| Risk Treatment Plan | Section 6.1.3 e, 6.2, and 8.3 | Risk Management Plan |
| Security objectives | Section 6.2 | List of AI objectives |
| Risk assessment and treatment | Section 8.2 and 8.3 | Risk assessment and treatment report |
| Inventory of Assets | Control A.5.9* | Inventory of Assets |
| Permitted usage of Assets | Control A.5.10* | AI Policy |
| Handling security incidents | Control A.5.26* | Incident Management Vorgehensweise |
| Legal, regulatory and contractual requirements | Control A.5.31* | List of legal, regulatory and contractual requirements |
| Security policies in AI Management | Control A.5.37* | Security policies in AI Management |
| Definition of security roles and responsibilities | Control A.6.2 and A.6.6* | Contracts, Agreements, NDA and other responsibilities |
| Definition of AI guidelines | Control A.8.9* | Security policies in the AI department |
| Security policies in R&D | Control A.8.27* | AI policies in R&D |
The list must be continually updated and adapted to the respective industry. We therefore regularly update our industry-specific templatesof the AIMS management system to the ISO 42001 standard. Consequently, it does not make sense to have to go through another expensive round of certification because of outdated or incomplete templatesbecause the auditor has rejected all documents. We want to provide our customers with a high-quality set of rules in a time-saving manner at affordable costsby continuously improving the templates and checklists.
How do you customize the ISO 42001 AIMS?
In addition to the general documents, the ISO 42001:2023 standard requires that certain company-specific documents also provide evidence of the active implementation of the AIMS requirements in everyday operations. A thick folder full of documents is not enough to prove that information security is actually being implemented. The following documents are often requested or expected as active evidence:
| Required documentation | ISO 27001 Sections | here to be included |
| competence certificates | Section 7.2 | CV, Training and education certificates |
| Monitoring results | Section 9.1 | Monitoring report |
| Internal Audit Programm | Section 9.2 | Internal Audit Program |
| Results of internal audits | Section 9.2 | Internal Audit Report |
| Results of management review | Section9.3 | Protocol of management review |
| Results of corrective actions | Section10.2 | Document on corrective actions |
| Log on events and user behaviour | Control A.8.15* | Automatic System Protocols |
Do free ISO 42001 sample templates help?
You are probably asking whether you can create an AIMS using “ISO 42001 free sample templates”. These sample templates represent only a small fraction of all relevant documents. They will certainly help to get a better idea of what the ISO IEC 42001 standard expects from certified companies.
Without a truly functioning AI management system (AIMS), a certification will not comply with the compliance guidelines of the accreditation bodies. What most business owners and managers overlook is that 80% represents a standardized set of policies. However, the remaining 20% require explicit IT specialist knowledge. Based on the lack of IT expertise in the regulations, an auditor can recognize that the organization being certified has not met the necessary requirements. IEC ISO IEC 42001 does not expect small companies(SMEs) to employ AI experts. Many companies have specific AI topics looked after by a trusted AI consultants. Simple tasks are usually carried out by an employee with computer skills. To ensure that the documentation for the company audit costs as little as possible, we also work together with a trusted AI system provider.
Due to our expertise in SMEs, holding companies and corporate landscapes, we can also help service providers meet regulatory requirements for more complex issues. This also creates new potential for new business for AI service providers. The operational AI landscape is increasingly changing due to the digital transformation in retail and authorities. As part of our partner program, we are already helping AI system houses to implement the ISO 42001 standard in their customers’ companies.
In this way, we relieve the companies being certified of a lot of the workload that would otherwise have to be done by reformulating free sample templates, which usually do not fully correspond to the current standard. We do not expect our business customers to undergo ISO 42001 basic training for 6 months in order to adapt the AIMS documentation. Our experts will take care of the adjustment for you at a significantly lower cost. This means you can even acquire an ISO 42001 certificate within 4 weeks. A free template will only waste your time and budget.