Resources | Insights | Defining Your ISO/IEC 42001 Audit Scope

Defining Your ISO/IEC 42001 Audit Scope

Feb 28, 2025 | Scott Dritz
Two people looking at a laptop while one points at the screen.

Defining the scope of an ISO/IEC 42001 compliance audit is an important early step in aligning the audit with the standard’s requirements, organizational risk, and stakeholder expectations.

In creating the audit scope, organizations need to define their Artificial Intelligence Management System (AIMS) and the associated roles, develop a governance structure, and identify important AI-related risks and controls.

Throughout the scope determination process, organizations should keep risk management and responsible AI use in mind. This should include assessing the organization’s processes for identifying and managing AI-related risks, as well as evaluating different types of exposures (such as risks inherent to AI development and use, control risk, and detection risk).

Identify Roles and Systems

An important starting point in determining your scope is identifying the AI roles your organization performs. These will typically include being an AI provider, producer, or user (or a combination of these roles). Different AI roles have varying requirements and controls within the ISO/IEC 42001 standard. In addition, understanding these roles will provide valuable organizational context that will influence how the organization approaches AI risk assessment and management.

Once roles have been clarified, the next step is determining which AI systems will be included in the audit scope. Depending on the organization and the roles it performs, this may include specific AI products or services, third-party AI tools the organization uses, or systems or tools in development or testing phases.

Organizational Boundaries and Influences

After outlining the AI systems that will be reviewed during the audit, it’s time to consider the organizational boundaries of your AIMS. These can include:

  • Departments or teams developing or using AI
  • Relevant processes or activities
  • Physical and virtual locations where AI work takes place.

You’ll next consider the inside and outside factors that can influence your AIMS. This list may include organizational objectives and strategies, regulatory requirements, or technology and industry trends affecting your AI use or plans.

Next up, consider anyone who could be interested in the responsible governance of your AI tools and systems. This may include, for instance, your internal users or customers, regulators, business partners, or suppliers.

The next phase of the audit scope definition process is ensuring your proposed audit scope aligns with your organization’s AI policies and objectives. Key steps in this phase include:

  • Reviewing your AI governance framework
  • Considering ethical guidelines and principles
  • Assessing the impact of AI systems on individuals and society.

Drafting Your Scope Statement

After reviewing the items discussed above, it’s time to draft a clear and concise scope statement that:

  • Describes the AI roles, systems, and activities to be reviewed
  • Specifies relevant departments and locations
  • Lists the factors that influenced the audit’s scope. 

Understand the Statement

The ISO/IEC 42001 standard’s organizational structure can provide important insights in developing an effective audit scope. The standard includes 10 clauses outlining key requirements, such as:

  • Understanding the standard’s purpose
  • Related standards and documents
  • Key terms and definitions
  • Company-specific information such as leadership, planning, support, and other important considerations.

The standard, and the specific controls outlined in the standard’s Annex A, will influence the type of evidence auditors seek to assess how well the organization’s AIMS aligns with the standard’s core requirements.

For example, the standard outlines methodologies for effective audit planning such as gap analyses to identify discrepancies between current practices and the standard’s requirements, as well as evidence collection through interviews, system testing, and document reviews.

Sample Scope Statements

The following examples illustrate the types of information outlined in ISO/IEC 42001 audit scope statements:

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing ABC Corp’s role as an AI Service/Product Provider, delivering solutions through the Debra AI Agent solution. This includes the deployment, monitoring, and continuous enhancement of AI models to deliver advanced analytics and decision-support capabilities for clients across diverse industries

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing the organization’s role as an AI provider, delivering cutting-edge solutions through the ABC Corp Platform (SaaS). This includes the deployment, monitoring, and continuous improvement of AI models to provide advanced analytics and decision-support capabilities for clients across various sectors. The organization is headquartered in Pleasanton, California, United States, with remote employees located globally. This certification aligns with ISO 42001 standards and is based on the SoA version 2.0 dated October 19, 2024.

Learn More About Responsible AI

By taking time to review the standard and plan an appropriate audit scope, organizations can ensure a comprehensive evaluation of their AIMS that in turn promotes more effective and responsible AI system, development, management, and usage.

To learn more about ISO/IEC 42001 and strategies for responsible AI governance and use, contact us.

Related Resources

Insight

Two medical workers looking at a computer.

Comparing HIPAA and HITRUST

Learn More

Insight

Someone showing charts to someone else.

Understanding Annual Recurring Revenue and GAAP Recognition

Learn More

Insight

Person looking at mobile device while leaning on desk.

Improve Your Technology Startup’s Financial and Operational Controls

Learn More

Insight

Two people working together with mobile devices at a desk.

What Is Penetration Testing?

Learn More

Insight

Four people talking about something sitting around a table.

5 of the Most Common Accounting Challenges We See With Tech Startups

Learn More

Insight

Two people looking at a computer and collaborating.

Preparing for Your Technology Company’s First Audit: 5 Tips to Ensure Success

Learn More

Insight

Four people looking at a screen.

A Guide to R&D Tax Credits for Tech Companies

Learn More

Insight

Two people looking at a laptop and collaborating.

Creating an Effective Back Office for Your Tech Startup

Learn More

Insight

Someone typing on a laptop.

What Is HITRUST?

Learn More

Insight

One one looking at a laptop.

What Is ISO/IEC 42001?

Learn More

Insight

Two people looking at a projection of reports.

Determining In-Scope Headcount for Your ISO 27001 Audit 

Learn More

Insight

World map overlayed on nature background.

ISO/IEC 27001 Updated for Climate Change Risks

Learn More

Insight

A person looking at a tablet.

ISO/IEC 27701 vs. 27018: Privacy Data Protection Standards

Learn More

Insight

Person writing on a document with laptop open.

Understanding AI Roles to Promote ISO 42001 Compliance

Learn More

Insight

Person typing on laptop with ISO graphic overlay.

How to Define Your ISO 27001 Scope (and Write Your Scope Statement)

Learn More

Insight

A person typing on a laptop

How Penetration Testing Improves Industry Standards Compliance

Learn More