ISO 42001 Statement of Applicability
Overview
Build and validate the SoA for ISO/IEC 42001:2023 Annex A with justification and implementation evidence.
Getting Started
Add your source materials to the project workspace, then activate the ISO 42001 Statement of Applicability skill. The agent will guide you through the process step by step.
Example conversation
You: We need a Statement of Applicability for Annex A. We’ve done our risk assessment—can you draft the SoA with applicable/not applicable and justification for each control theme, and then validate it?
Agent: I’ll use the Annex A control list (A.1–A.11) from the skill reference. For each theme I’ll set applicable or not applicable with a specific justification and, for applicable controls, a reference to our policy or procedure. I’ll avoid generic “N/A” for exclusions. Then I’ll run soa_justification_audit on the SoA and fix any missing justifications or evidence links until the audit passes.
Output excerpt
SoA excerpt (Annex A control themes)
| Control | Status | Justification | Implementation evidence |
|---|---|---|---|
| A.1 AI governance and leadership | Applicable | Governance and policy review defined; top management approval of AI policy. | AI policy; AIMS scope; roles document. |
| A.2 AI risk management | Applicable | Risk methodology and register in place; ethical evaluation in methodology. | Risk assessment methodology; risk register. |
| A.5 Data governance and data quality | Applicable | Data governance procedure covers acquisition, quality, provenance, security. | Data governance procedure. |
| A.10 AI incident management | Applicable | Incident response procedure and log; escalation and corrective action. | Incident response procedure. |
| A.9 Technical robustness and AI safety | Not applicable | No high-criticality or safety-related AI in scope; recommendation system only. Organization does not operate safety-critical AI. | — |
Extension and validation
The skill includes soa_justification_audit, which validates the SoA against Annex A (A.1–A.11). It checks that every control theme is addressed; that each excluded control has a specific, non-generic justification; and that each applicable control has both a justification and a reference to implementation evidence (a policy, procedure, or other document). Optionally, when given a workspace root, it also verifies that the referenced evidence files exist. Run it after drafting and fix any reported errors before the certification audit.
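To make the audit rules concrete, here is an added example (not the skill's own soa_justification_audit implementation) of a validator that applies the same four checks to the rows from the excerpt table above. The row data is constructed from that table plus one deliberately bad exclusion row; the generic-justification heuristic (a short stoplist and a minimum word count) and the evidence lookup (matching a document reference against file names under the workspace root by a normalised slug) are assumptions made for this example, not behaviour the page documents.

```python
import os
import re
from dataclasses import dataclass

# All Annex A control themes the audit expects to see addressed (A.1 to A.11).
ANNEX_A_THEMES = [f"A.{i}" for i in range(1, 12)]

# Assumption for this example: these strings, or anything under four words,
# count as a generic justification and are rejected.
GENERIC_JUSTIFICATIONS = {"", "n/a", "na", "not applicable", "none", "-", "\u2014", "tbd"}
MIN_JUSTIFICATION_WORDS = 4


@dataclass
class SoARow:
    control: str        # e.g. "A.1 AI governance and leadership"
    status: str         # "Applicable" or "Not applicable"
    justification: str
    evidence: str       # semicolon-separated document references; "\u2014" when none

    @property
    def theme_id(self) -> str:
        return self.control.split()[0]   # "A.1"


def is_generic(text: str) -> bool:
    """True when a justification is empty, a stock phrase, or too short to be specific."""
    t = (text or "").strip().rstrip(".").lower()
    return t in GENERIC_JUSTIFICATIONS or len(t.split()) < MIN_JUSTIFICATION_WORDS


def parse_evidence(cell: str) -> list:
    """Split an evidence cell into document references, dropping dash placeholders."""
    refs = [part.strip().rstrip(".") for part in (cell or "").split(";")]
    return [r for r in refs if r and r not in {"-", "\u2014"}]


def slug(text: str) -> str:
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def evidence_exists(workspace_root: str, ref: str) -> bool:
    """Assumption: a reference is satisfied by any file whose stem slugifies to the same value."""
    want = slug(ref)
    for _dirpath, _dirs, files in os.walk(workspace_root):
        if any(slug(os.path.splitext(f)[0]) == want for f in files):
            return True
    return False


def audit_soa(rows: list, workspace_root: str = None) -> list:
    """Return a list of human-readable errors; an empty list means the SoA passes."""
    errors = []
    # 1. Every Annex A theme must be addressed.
    seen = {r.theme_id for r in rows}
    for theme in ANNEX_A_THEMES:
        if theme not in seen:
            errors.append(f"{theme}: control theme not addressed")
    for r in rows:
        status = r.status.strip().lower()
        if status not in ("applicable", "not applicable"):
            errors.append(f"{r.theme_id}: status must be Applicable or Not applicable, got {r.status!r}")
            continue
        # 2. Both applicable and excluded controls need a specific justification.
        if is_generic(r.justification):
            errors.append(f"{r.theme_id}: justification is missing or generic")
        if status == "applicable":
            # 3. Applicable controls must reference implementation evidence.
            refs = parse_evidence(r.evidence)
            if not refs:
                errors.append(f"{r.theme_id}: applicable control has no implementation evidence reference")
            elif workspace_root is not None:
                # 4. Optional: referenced evidence must exist under the workspace root.
                for ref in refs:
                    if not evidence_exists(workspace_root, ref):
                        errors.append(f"{r.theme_id}: evidence {ref!r} not found under workspace")
    return errors


# Constructed sample: the five rows from the excerpt table, plus one bad exclusion (A.11)
# whose justification is the generic "N/A" the agent says it will avoid.
SAMPLE_ROWS = [
    SoARow("A.1 AI governance and leadership", "Applicable",
           "Governance and policy review defined; top management approval of AI policy.",
           "AI policy; AIMS scope; roles document."),
    SoARow("A.2 AI risk management", "Applicable",
           "Risk methodology and register in place; ethical evaluation in methodology.",
           "Risk assessment methodology; risk register."),
    SoARow("A.5 Data governance and data quality", "Applicable",
           "Data governance procedure covers acquisition, quality, provenance, security.",
           "Data governance procedure."),
    SoARow("A.10 AI incident management", "Applicable",
           "Incident response procedure and log; escalation and corrective action.",
           "Incident response procedure."),
    SoARow("A.9 Technical robustness and AI safety", "Not applicable",
           "No high-criticality or safety-related AI in scope; recommendation system only.", "\u2014"),
    SoARow("A.11 (constructed bad row)", "Not applicable", "N/A", "\u2014"),
]

if __name__ == "__main__":
    for err in audit_soa(SAMPLE_ROWS):
        print(err)
```

Running the block without a workspace root reports the six themes missing from the excerpt (A.3, A.4, A.6, A.7, A.8 are absent; A.11 is present but rejected for its generic justification); passing a workspace root additionally flags every evidence reference that has no matching file, which is the state a fresh project is in until the policies and procedures are actually added.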