4 key considerations for scoping your ISO 42001 audit
Avoid the pain of an unclear AI governance project.
Scoping can make or break your ISO/IEC 42001:2023 audit. Here are 4 key aspects for security and compliance teams to think about:
1. Roles
ISO/IEC 22989:2022 lays out six high-level AI roles:
Provider
Producer
Customer
Partner
Subject
Relevant authority
If you are trying to get ISO 42001 certified, you'll almost certainly include one or more of the first three.
And these appear on your certificate, which customers will ask to see. You can also include some of the sub-roles described in ISO 22989 if desired.
2. Systems
Are you:
Limiting the certification to one product?
Trying to cover all your services?
Including third-party AI tools?
Excluding systems in test?
Excluding certain personnel?
For example, Amazon Web Services (AWS) announced their ISO 42001 certification in November 2024. But if you look closely, it only covers 4 services:
Q (Business)
Transcribe
Bedrock
Textract
How broad you are going for the audit (and certification) is a key question to consider ahead of time. This will determine how expansive the review is, as well as what you can claim.
3. Locations
Virtual audits are possible for ISO 42001 (unlike ISO 27001) because there aren't any physical controls in the former's Annex A.
But you still need to list in-scope locations.
Do you have multiple offices where AI work happens?
How does this impact your regulatory footprint?
What are each jurisdiction's rules on AI?
4. Controls
None of the controls in Annex A of ISO 42001 are technically required (although certain ones like A.2.2 [AI Policy] functionally are because Clauses 4-10 also mandate them). With that said, you’ll need to document your rationale for both including and excluding certain controls. This post highlights some you might consider leaving out.
Your certificate and scoping statement will include a reference to the version of your Statement of Applicability, which notes which controls you implemented.
A note on describing your scope
I track StackAware’s ISO 42001 scope in a structured database because that’s how I think. This format includes all of the above elements. With that said, auditors will generally want a “prose” statement rather than a list of bullet points. To give you an example, here is our scope statement:
The scope of the ISO/IEC 42001:2023 certification includes the artificial intelligence management system (AIMS) supporting the StackAware AI governance platform, StackAware AI risk assessment and governance services, and third-party AI systems used by the organization in the role of an AI product provider and AI producer, as an AI governance and oversight professional, in accordance with the statement of applicability, version 2, dated June 12, 2024, operates in compliance with the requirements of ISO/IEC 42001.
Think hard about how to abstract the specific in-scope items into a concise statement.
Need help scoping your ISO 42001 audit?
StackAware was the first AI governance company in the world to get ISO 42001 certified. And we are already helping several other AI-powered firms achieve the same. So if you are in:
Financial services
Healthcare
B2B SaaS
and want to:
Build customer trust
Manage AI-related risks
Comply with emerging AI regulations