ISO 42001 Readiness Checklist

42 items covering every clause and Annex A control in ISO/IEC 42001:2023. Find out where your AI management system stands before you engage auditors.
📄 42 items ⏱ 10-15 min 🔒 No data collected ✅ Instant results
Covers Clauses 4–10 + Annex A (A.2–A.10)

Assess Your ISO 42001 Readiness

For each requirement, select Yes (fully implemented), Partial (in progress or partially met), or No (not implemented). All 42 items must be answered to generate your results.

Clause 4: Context of the Organization

Your organization has identified external and internal issues relevant to AI that affect its ability to achieve the intended outcomes of the AI management system.
Ref: Clause 4.1
You have identified interested parties (regulators, customers, employees, partners) and their requirements relevant to AI.
Ref: Clause 4.2
The scope of your AI management system is defined and documented, including which AI systems and activities are covered.
Ref: Clause 4.3
An AI management system (AIMS) has been established with defined processes, interactions, and documented procedures.
Ref: Clause 4.4
Your organization has determined how AI-specific considerations (such as ethical principles and responsible AI practices) are integrated into the AIMS.
Ref: Clause 4.4

Clause 5: Leadership

Top management demonstrates leadership and commitment to the AIMS, including ensuring the AI policy and objectives are established.
Ref: Clause 5.1
An AI policy has been established that is appropriate to the organization's purpose, provides a framework for setting AI objectives, and includes a commitment to responsible AI.
Ref: Clause 5.2
Roles, responsibilities, and authorities for AI governance are defined and communicated within the organization.
Ref: Clause 5.3
Top management ensures adequate resources are provided for the AIMS and promotes continual improvement.
Ref: Clause 5.1
The AI policy is communicated, understood, and available to relevant interested parties as appropriate.
Ref: Clause 5.2

Clause 6: Planning

Risks and opportunities related to AI have been identified, considering the context and interested parties.
Ref: Clause 6.1.1
An AI risk assessment process is defined with risk criteria, and AI-specific risks have been systematically identified and evaluated.
Ref: Clause 6.1.2
An AI risk treatment plan has been developed, selecting appropriate controls and documenting the rationale.
Ref: Clause 6.1.3
AI objectives have been established at relevant functions and levels, are measurable and consistent with the AI policy.
Ref: Clause 6.2
Plans to achieve AI objectives are documented, including resources required, responsibilities, timelines, and how results will be evaluated.
Ref: Clause 6.2
When changes to the AIMS are needed, they are planned and carried out in a controlled manner.
Ref: Clause 6.3

Clause 7: Support

The organization has determined and provided the resources needed for the establishment, implementation, maintenance, and continual improvement of the AIMS.
Ref: Clause 7.1
Competence requirements for persons doing work affecting AI performance have been determined, and persons are competent on the basis of education, training, or experience.
Ref: Clause 7.2
Persons doing work under the organization's control are aware of the AI policy, their contribution to the AIMS, and the implications of not conforming.
Ref: Clause 7.3
Internal and external communication needs relevant to the AIMS have been determined, including what, when, with whom, and how to communicate.
Ref: Clause 7.4
Documented information required by the AIMS and by ISO 42001 is created, updated, and controlled (including version control, access, and retention).
Ref: Clause 7.5
Where applicable, actions have been taken to acquire necessary AI competence and records of competence are retained.
Ref: Clause 7.2

Clause 8: Operation

The organization plans, implements, and controls the processes needed to meet AIMS requirements, including establishing criteria for processes and implementing controls.
Ref: Clause 8.1
AI risk assessments are performed at planned intervals or when significant changes occur, and results are documented.
Ref: Clause 8.2
The AI risk treatment plan is implemented and results of risk treatment are documented.
Ref: Clause 8.3
AI system impact assessments are conducted for AI systems within scope, evaluating potential impacts on individuals, groups, and society.
Ref: Clause 8.4
Externally provided processes, products, or services relevant to the AIMS are controlled, including outsourced AI development or deployment.
Ref: Clause 8.1

Clause 9: Performance Evaluation

The organization has determined what needs to be monitored and measured regarding AI performance and the AIMS, including methods, timing, and responsibilities.
Ref: Clause 9.1
An internal audit program is planned, established, and implemented, covering the frequency, methods, responsibilities, and reporting of audits.
Ref: Clause 9.2
Internal audits confirm the AIMS conforms to the organization's own requirements and to ISO 42001, and is effectively implemented and maintained.
Ref: Clause 9.2
Top management reviews the AIMS at planned intervals, considering audit results, AI performance metrics, and the status of corrective actions.
Ref: Clause 9.3
Results of monitoring, measurement, analysis, and evaluation are retained as documented information.
Ref: Clause 9.1

Clause 10: Improvement

When nonconformities occur, the organization takes action to control and correct them, and evaluates the need for action to eliminate root causes.
Ref: Clause 10.1
Corrective actions are implemented and their effectiveness is reviewed, with documented information retained as evidence.
Ref: Clause 10.1
The organization continually improves the suitability, adequacy, and effectiveness of the AIMS.
Ref: Clause 10.2

Annex A: AI Controls (A.2–A.10)

AI policies addressing responsible development, deployment, and use of AI are documented and aligned with organizational objectives.
Ref: Annex A.2 (AI Policies)
Resources for AI (including human expertise, computational infrastructure, and tools) are identified, provided, and maintained.
Ref: Annex A.3 (Internal Organization / Resources)
An AI system impact assessment process is established to evaluate potential impacts of AI systems on individuals, groups, and society before deployment.
Ref: Annex A.4 (AI System Impact Assessment)
AI system lifecycle processes (design, development, testing, deployment, operation, retirement) are defined with appropriate controls at each stage.
Ref: Annex A.5 (AI System Lifecycle)
Data governance for AI is established, covering data quality, data provenance, privacy, and the management of data used for training, testing, and operating AI systems.
Ref: Annex A.6, A.7, A.8 (Data for AI Systems)
Third-party and supplier relationships involving AI are managed, including due diligence, contractual requirements, and ongoing monitoring of AI-related services.
Ref: Annex A.9 (Third-Party and Customer Relationships)
Documentation and records related to AI systems (including decisions, risk assessments, impact assessments, and performance data) are maintained and accessible.
Ref: Annex A.10 (Documentation and Record Keeping)
✅ What it checks
  • All 7 mandatory clauses (4–10)
  • Annex A controls A.2–A.10
  • 42 plain-language requirements
  • Yes / Partial / No scoring
❌ What it won't do
  • Map to NIST AI RMF or Colorado
  • Provide evidence requirements
  • Cross-framework crosswalk
  • Remediation guidance
  • Replace a certification audit
💡 Operating stance

This is a self-assessment, not a compliance determination. Use it to identify gaps before engaging certification auditors. No data leaves your browser.

This checklist covers ISO 42001 only.

The Colorado AI Act safe harbor requires demonstrating compliance with ISO 42001 or NIST AI RMF. The unified controls matrix maps 120+ controls across both frameworks plus Colorado statutory obligations with evidence requirements and implementation priorities.

Need a deeper assessment?

The free AI governance readiness assessment covers five governance domains (not just ISO 42001) and takes about 15 minutes. It scores governance ownership, AI inventory, risk workflow, policy baseline, and evidence readiness.

Gaps are opportunities, not failures

Most organizations score below 50% on their first assessment. The value is knowing exactly where you stand so you can prioritize implementation efforts before certification auditors arrive.

ISO 42001 is the certification framework

Unlike NIST AI RMF (voluntary), ISO 42001 is certifiable. Certification provides demonstrable AI governance evidence that satisfies customers, regulators, and the Colorado AI Act safe harbor provision.

Start with the biggest gaps

Focus on clause groups scoring below 25% first. Foundational controls (Clause 4 scope, Clause 5 policy, Clause 6 risk assessment) must be in place before operational and evaluation controls can function.

Frequently Asked Questions

What does this ISO 42001 readiness checklist assess?

The checklist assesses organizational readiness against all requirements of ISO/IEC 42001:2023, the international standard for AI management systems. It covers Clauses 4 through 10 (Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement) plus Annex A controls (A.2 through A.10). Each of the 42 items maps to a specific clause or control requirement.

Is this checklist sufficient for ISO 42001 certification?

No. This is a readiness self-assessment, not a certification audit. It identifies gaps in your AI management system against ISO 42001 requirements. Certification requires a formal audit by an accredited certification body. The checklist helps you understand where you stand before engaging auditors, which can save significant time and cost.

How is the readiness score calculated?

Each item is scored as Yes (2 points), Partial (1 point), or No (0 points). The overall readiness percentage is total points earned divided by the maximum possible (84). Results fall into four maturity bands: Critical (0–25%), Developing (26–50%), Established (51–75%), and Advanced (76–100%). Per-clause scores show which areas need the most attention.

Does this checklist cover NIST AI RMF or the Colorado AI Act?

No. This checklist is ISO 42001 only. It does not map to NIST AI RMF functions, Colorado AI Act statutory obligations, or any other framework. If you need cross-framework coverage, the AI Compliance Toolkit (ACT) Tier 1 provides a unified controls matrix mapping 120+ controls across ISO 42001, NIST AI RMF, and the Colorado AI Act.

How long does the checklist take to complete?

Most compliance officers complete it in 10–15 minutes. You don't need the ISO 42001 standard in front of you; each item is written in plain language. However, familiarity with your organization's current AI governance practices will help you answer more accurately.

Can I save or share my results?

Results are displayed on-screen immediately after completing the checklist. Your responses stay in your browser only; no data is collected or stored on any server. You can take a screenshot or print the results page for your records.