AITP M2.6-Art14 v1.0 Reviewed 2026-04-06 Open Access
M2.6 Industry Applications and Case Study Analysis
AITP · Practitioner

ISO 42001 Implementation Using COMPEL

Article 14 of 20

COMPEL Certification Body of Knowledge — Module 2.6: Industry-Specific Applications Article 14 of 15


ISO/IEC 42001:2023 is the first international standard for AI Management Systems (AIMS). It provides a structured framework for organizations to establish, implement, maintain, and continually improve an AI management system. For organizations seeking external validation of their AI governance maturity, ISO/IEC 42001 certification is the most widely recognized credential.

This article provides a practical guide to implementing ISO/IEC 42001 using the COMPEL methodology. Rather than treating ISO 42001 as a standalone implementation project, we show how organizations already running or adopting the COMPEL lifecycle can achieve ISO 42001 certification with incremental effort — because the COMPEL lifecycle already addresses the majority of ISO 42001 requirements.

ISO/IEC 42001 Structure

ISO/IEC 42001 follows the Harmonized Structure (HS) common to all ISO management system standards (ISO 9001, ISO 27001, ISO 14001, etc.). This makes it familiar to organizations that have implemented other ISO management systems.

The standard has two main components:

Main body (Clauses 4-10): Defines the management system requirements — context analysis, leadership, planning, support, operation, performance evaluation, and improvement. These are mandatory for certification.

Annex A: Provides 39 AI-specific controls organized into nine groups (A.2 through A.10). Organizations select applicable controls based on their AI risk assessment results. Annex A is normative — organizations must justify any exclusions.

The nine Annex A control groups are:

  • A.2 — Policies for AI (2 controls)
  • A.3 — Internal Organization (2 controls)
  • A.4 — Resources for AI Systems (4 controls)
  • A.5 — AI System Impact Assessment (3 controls)
  • A.6 — Lifecycle of AI Systems (8 controls)
  • A.7 — Data for AI Systems (4 controls)
  • A.8 — AI System Use (4 controls)
  • A.9 — Third-Party and Customer Relationships (3 controls)
  • A.10 — AI System Development (5 controls)

Mapping ISO 42001 to COMPEL

The alignment between ISO 42001 and the COMPEL lifecycle is natural and comprehensive. Each COMPEL stage addresses a cluster of ISO 42001 requirements:

Calibrate Stage → Clauses 4.1, 4.2, 6.1, and Annex A.5, A.9.4, A.10.2

The Calibrate stage is where an organization establishes the foundation for its AI management system. This maps directly to ISO 42001’s context and planning requirements:

  • Clause 4.1 (Understanding the organization and its context): COMPEL’s Calibrate stage begins with environmental scanning — identifying the internal and external factors that affect AI governance. This includes technological landscape assessment, regulatory environment mapping, organizational capability evaluation, and stakeholder landscape analysis. Document these as ISO 42001 context analysis outputs.

  • Clause 4.2 (Understanding needs and expectations of interested parties): COMPEL’s stakeholder mapping during Calibrate identifies who has a stake in the organization’s AI systems and what they expect. Translate this into the ISO 42001 interested party register.

  • Clause 6.1 (Actions to address risks and opportunities): COMPEL’s initial risk identification during Calibrate feeds directly into the ISO 42001 risk assessment process. The COMPEL risk taxonomy classifies AI risks by category (technical, ethical, legal, operational, reputational) and severity, which satisfies the “AI risk assessment process” requirement of Clause 6.1.2.

  • Annex A.5.2 (Assessing the impacts of AI systems): COMPEL’s impact screening during Calibrate evaluates potential impacts on individuals, groups, and society — directly satisfying this control.

  • Annex A.9.4 (Suppliers of AI systems): COMPEL’s Calibrate stage includes assessment of third-party AI components and suppliers, mapping to this control.

  • Annex A.10.2 (AI system requirements): Requirements definition during Calibrate, including functional, ethical, and regulatory requirements, satisfies this control.

Organize Stage → Clauses 5.1-5.3, 7.1-7.5, and Annex A.2, A.3, A.4

The Organize stage builds the governance structures and support systems that ISO 42001 requires:

  • Clause 5.1 (Leadership and commitment): COMPEL’s Organize stage establishes executive sponsorship and governance committee structures. Document management commitment through the governance charter, resource allocation decisions, and participation in governance reviews.

  • Clause 5.2 (AI policy): The COMPEL Organize stage produces the AI policy — the overarching document that states the organization’s commitment to responsible AI, its risk appetite, and the governance framework it will follow. Ensure the policy meets all five ISO 42001 requirements: it is appropriate to the organization’s purpose, provides a framework for setting objectives, commits to satisfying applicable requirements, commits to continual improvement, and is available to interested parties.

  • Clause 5.3 (Organizational roles, responsibilities and authorities): COMPEL’s RACI matrix and governance structure definition during Organize directly satisfy this requirement. Ensure documentation covers model owners, data stewards, risk owners, ethics reviewers, and governance committee members.

  • Clauses 7.1-7.4 (Support — Resources, Competence, Awareness, Communication): COMPEL’s Organize stage addresses workforce planning, training programs, awareness initiatives, and communication plans — mapping directly to these four support clauses.

  • Clause 7.5 (Documented information): Establish the document management system during Organize, including document creation, review, approval, distribution, and retention procedures.

  • Annex A.2.2-A.2.3 (AI policy and review): Covered by COMPEL’s policy development and review cycle.

  • Annex A.3.2-A.3.3 (Roles and reporting of concerns): Covered by COMPEL’s organizational structure and concern reporting channel setup.

  • Annex A.4.2-A.4.5 (Resources, competence, awareness, communication): Directly mapped to COMPEL’s support activities during Organize.

Model Stage → Clause 6.2, 8.1, and Annex A.5.3-A.5.4, A.6.2.2-A.6.2.3, A.7, A.8.4, A.10.3-A.10.4

The Model stage is where AI systems are designed and developed with governance built in:

  • Clause 6.2 (AI objectives and planning to achieve them): COMPEL’s Model stage defines specific AI system objectives, including performance targets, fairness criteria, and compliance requirements. Document these as ISO 42001 AI objectives.

  • Clause 8.1 (Operational planning and control): COMPEL’s Model stage establishes the development processes, standards, and controls that govern AI system creation. This is the operational heart of ISO 42001.

  • Annex A.5.3 (Treatment of AI system impacts): Impact mitigation planning during Model, including design decisions that reduce identified risks.

  • Annex A.5.4 (Documenting impact assessments): Documentation of impact assessment methodology, findings, and treatment decisions.

  • Annex A.6.2.2 (AI system design and development): COMPEL’s design and development activities during Model, including architecture decisions, algorithm selection, and design-for-governance practices.

  • Annex A.6.2.3 (Data for AI systems): Data preparation, quality assurance, and bias assessment during Model.

  • Annex A.7 (Data management, provenance, labelling): COMPEL’s comprehensive data governance activities during Model, including lineage tracking, quality metrics, and labelling standards.

  • Annex A.8.4 (Explainability and interpretability): Selection and documentation of explainability approaches during Model.

  • Annex A.10.3-A.10.4 (Sourcing data, developing components): Data sourcing decisions and component development practices during Model.

Produce Stage → Clause 8.1 (cont.), and Annex A.6.2.4-A.6.2.7, A.7.3, A.8.2-A.8.3, A.9.2-A.9.3, A.10.6

The Produce stage deploys AI systems into operation with appropriate controls:

  • Annex A.6.2.4 (AI system documentation): Technical documentation production, model cards, and data cards.

  • Annex A.6.2.5 (Recording AI system activity): Implementation of logging, audit trails, and activity recording systems.

  • Annex A.6.2.7 (Deployment): Controlled deployment with pre-deployment checklists, staged rollouts, and rollback procedures.

  • Annex A.7.3 (Reporting AI system use): Implementation of transparency notices and disclosure mechanisms.

  • Annex A.8.2 (Responsible use): Enforcement of acceptable use policies and operator training.

  • Annex A.8.3 (Human oversight): Implementation of human oversight mechanisms appropriate to each system’s risk tier.

  • Annex A.9.2-A.9.3 (Third parties and customers): Management of third-party usage and customer information provision.

  • Annex A.10.6 (AI system release): Formal release approval processes.

Evaluate Stage → Clauses 9.1-9.3, and Annex A.6.2.6, A.8.5, A.10.5

The Evaluate stage validates AI system performance and governance effectiveness:

  • Clause 9.1 (Monitoring, measurement, analysis and evaluation): COMPEL’s Evaluate stage defines what to monitor, how to measure, and how to evaluate results — directly satisfying this clause.

  • Clause 9.2 (Internal audit): COMPEL’s evaluation activities include internal audits conducted at planned intervals. The COMPEL Evaluate stage provides the natural trigger for comprehensive audit cycles.

  • Clause 9.3 (Management review): The Evaluate stage culminates in management review of governance effectiveness, AI system performance, and improvement opportunities.

  • Annex A.6.2.6 (Verification and validation): COMPEL’s testing and validation activities during Evaluate.

  • Annex A.8.5 (Bias in AI systems): Comprehensive bias assessment during Evaluate, including testing across protected characteristics.

  • Annex A.10.5 (Testing): Functional, performance, fairness, and robustness testing during Evaluate.

Learn Stage → Clauses 10.1-10.2, and Annex A.6.2.8-A.6.2.9

The Learn stage drives continuous improvement:

  • Clause 10.1 (Continual improvement): COMPEL’s Learn stage is explicitly designed around continuous improvement — feeding monitoring outputs, audit findings, and stakeholder feedback into governance and system improvements.

  • Clause 10.2 (Nonconformity and corrective action): COMPEL’s incident and nonconformity management during Learn, including root cause analysis, corrective action implementation, and effectiveness verification.

  • Annex A.6.2.8 (Operation and monitoring): Ongoing operational monitoring and model maintenance.

  • Annex A.6.2.9 (Retirement): Controlled decommissioning of AI systems when they are no longer fit for purpose.

Implementation Sequence for Certification

Organizations pursuing ISO/IEC 42001 certification through COMPEL should follow this sequence:

Phase 1: Gap Assessment (4-6 weeks)

Conduct a gap assessment comparing your current COMPEL implementation against ISO 42001 requirements. For organizations already running the COMPEL lifecycle, typical gaps are:

  • Formal document control procedures (Clause 7.5) — COMPEL implementations often have good documentation but lack formal version control and approval workflows
  • Internal audit program (Clause 9.2) — COMPEL evaluations may not follow the structured audit methodology required by ISO
  • Management review formality (Clause 9.3) — governance reviews may not produce the specific outputs ISO 42001 mandates (review of audit results, interested party feedback, risk assessment changes)
  • Statement of Applicability — ISO 42001 requires a formal statement identifying which Annex A controls apply and justifying any exclusions

Phase 2: AIMS Documentation (6-8 weeks)

Formalize the AI Management System documentation:

  • AI policy (Clause 5.2) — may need to be rewritten to explicitly address all five ISO requirements
  • Scope statement (Clause 4.3) — define the boundaries of the AIMS
  • Statement of Applicability — select applicable Annex A controls based on risk assessment
  • Risk assessment methodology (Clause 6.1.2) — formalize the COMPEL risk assessment approach
  • Objectives document (Clause 6.2) — define measurable AI objectives
  • Mandatory procedures: document control, internal audit, corrective action, management review

Phase 3: Implementation and Evidence (8-12 weeks)

Execute the COMPEL lifecycle with ISO 42001 evidence generation as an explicit objective:

  • Run at least one complete COMPEL cycle for each in-scope AI system
  • Generate evidence for every applicable Annex A control
  • Conduct the initial internal audit
  • Conduct the initial management review
  • Close any nonconformities identified during internal audit

Phase 4: Pre-Certification Audit (2-4 weeks)

Engage an ISO-accredited certification body for a Stage 1 audit:

  • The certification body reviews AIMS documentation for completeness
  • It identifies any documentation gaps before the Stage 2 (on-site) audit
  • It confirms the organization is ready for full certification assessment

Phase 5: Certification Audit (1-2 weeks)

The Stage 2 audit assesses implementation effectiveness:

  • Auditors verify that documented processes are actually implemented
  • They interview governance team members, model owners, and data stewards
  • They review evidence for selected Annex A controls
  • They assess the effectiveness of the internal audit and management review processes

Phase 6: Ongoing Surveillance (continuous)

After certification, the COMPEL lifecycle supports ongoing compliance:

  • Annual surveillance audits by the certification body
  • Continuous COMPEL cycle execution generating updated evidence
  • Regular internal audits at planned intervals
  • Management reviews at least annually

Preparing for Certification Audit

Certification auditors assess three things: documentation, implementation, and effectiveness. Here is what they look for in each COMPEL stage:

Calibrate: Auditors verify that context analysis is thorough and current, that interested parties are identified with their requirements, and that risk assessment methodology produces consistent, repeatable results. They will sample AI system risk assessments and check that classification is justified.

Organize: Auditors verify that the AI policy exists, is approved by top management, is communicated, and is available. They check that roles are defined and understood. They interview personnel to verify awareness. They review competency records.

Model: Auditors verify that development processes follow documented standards. They sample data governance records, checking for lineage documentation, quality assessments, and bias analyses. They review explainability approach selections.

Produce: Auditors verify that deployment followed documented procedures, that logging is implemented and retention policies are enforced, that human oversight mechanisms function, and that third-party relationships include appropriate controls.

Evaluate: Auditors assess the internal audit program — is it planned, are auditors competent and independent, are findings documented, are corrective actions tracked? They review management review records for completeness (all required inputs and outputs documented).

Learn: Auditors verify that nonconformities result in root cause analysis and corrective action, that corrective actions are verified for effectiveness, and that continual improvement is demonstrable (not just aspirational).

Common Certification Pitfalls

Pitfall 1: Treating ISO 42001 as a Documentation Exercise

The most common certification failure is having comprehensive documentation with thin implementation. Auditors will interview personnel, observe processes, and sample evidence. If the documentation describes processes that people do not actually follow, the audit will identify major nonconformities.

The COMPEL approach avoids this pitfall by embedding governance into operational activities. COMPEL governance is not a separate compliance layer — it is how the organization builds, deploys, and operates AI systems.

Pitfall 2: Incomplete Risk Assessment

ISO 42001 requires that the risk assessment process identifies risks “associated with the development and use of AI” and considers impacts on “individuals, groups of individuals and societies.” Organizations that limit their risk assessment to technical risks (model accuracy, system availability) without addressing ethical, social, and rights-based risks will face audit findings.

COMPEL’s risk taxonomy covers technical, ethical, legal, operational, and reputational risk categories, ensuring comprehensive coverage.

Pitfall 3: Missing the Statement of Applicability

The Statement of Applicability (SoA) is a mandatory document that lists all Annex A controls, states whether each is applicable or not, and justifies any exclusions. Organizations sometimes overlook this requirement or produce a superficial SoA without genuine justification.

The COMPEL harmonization matrix provides a natural basis for the SoA. Each Annex A control maps to specific COMPEL activities, making it straightforward to document applicability and evidence.

Pitfall 4: Insufficient Internal Audit

ISO 42001 requires internal audits to be planned, conducted by competent and objective auditors, and to produce documented findings. Organizations new to ISO management systems sometimes conduct informal reviews and call them audits. Certification auditors will assess the rigor of your internal audit program.

Ensure internal auditors are trained (ISO 19011 awareness is recommended), that they are independent of the areas they audit, and that audit findings are formally documented with corrective action tracking.

Key Takeaways

ISO/IEC 42001 certification is achievable for organizations running the COMPEL lifecycle because the framework already addresses the majority of the standard’s requirements. The primary additional effort involves formalizing documentation and processes to meet ISO’s structural expectations — particularly around document control, internal audit, management review, and the Statement of Applicability.

The COMPEL-to-ISO 42001 mapping provides a clear implementation path: use the Calibrate stage for context and risk assessment, the Organize stage for leadership and support, the Model stage for planning and development, the Produce stage for operational controls, the Evaluate stage for performance evaluation, and the Learn stage for improvement. Each COMPEL activity generates evidence that directly satisfies one or more ISO 42001 requirements.

For organizations already aligned with the EU AI Act or NIST AI RMF through COMPEL, the incremental effort for ISO 42001 certification is modest. The harmonization matrix shows that ISO 42001 shares 35 of its 40 requirements with the EU AI Act and 38 with the NIST AI RMF. An organization already compliant with those frameworks through COMPEL needs only to address the ISO-specific structural requirements (management system formality, internal audit program, certification body engagement) to achieve certification.