Preparing for ISO 42001 AI Management System Audit
Advanced13 min readUpdated 2026-03-15
Advanced walkthrough for preparing organizations for ISO 42001 AI management system audits, covering control assessment, evidence preparation, gap remediation, and audit readiness.
ISO/IEC 42001:2023 is the first international standard for AI management systems (AIMS). It provides a framework for organizations to manage AI responsibly, covering governance, risk, development, operations, and continuous improvement. Unlike the EU AI Act (regulatory) or NIST AI RMF (voluntary framework), ISO 42001 is a certifiable standard: organizations can achieve independent third-party certification.
Red team assessments provide critical evidence for ISO 42001 audits, particularly for controls related to AI system security, robustness, and risk management. This walkthrough guides you through preparing that evidence and identifying gaps that must be remediated before an audit.
Step 1: Understand ISO 42001 Structure
Management System Requirements (Clauses 4-10)
ISO 42001 follows the ISO Harmonized Structure (same as ISO 27001):
| Clause | Topic | Red Team Relevance |
|---|---|---|
| 4 | Context of the organization | Understanding AI risk landscape |
| 5 | Leadership | AI security governance commitment |
| 6 | Planning | AI risk assessment and treatment |
| 7 | Support | Resources, competence, awareness |
| 8 | Operation | AI system lifecycle management |
| 9 | Performance evaluation | Monitoring, measurement, audit |
| 10 | Improvement | Corrective actions, continual improvement |
Annex B: AI-Specific Controls
Annex B provides AI-specific controls that organizations must implement (or justify exclusion). These are the primary targets for red team evidence.
# Annex B Control Categories Relevant to Red Teaming
## B.3: AI System Development
- B.3.2: Data quality for AI systems
- B.3.3: AI system development approach
- B.3.4: AI system testing and validation
- B.3.5: AI system documentation
## B.4: AI System Operations
- B.4.1: Monitoring of AI systems
- B.4.2: AI system change management
- B.4.3: Third-party AI components
## B.6: AI System Security
- B.6.1: Security of AI systems
- B.6.2: Adversarial robustness
- B.6.3: Data security in AI systems
- B.6.4: AI system access control
## B.7: AI Risk Management
- B.7.1: AI risk assessment
- B.7.2: AI risk treatment
- B.7.3: Residual risk communicationStep 2: Assess Annex B Controls
Control Assessment Template
For each relevant Annex B control, assess the current state and map red team evidence.
# Annex B Control Assessment
## B.6.1: Security of AI Systems
### Control Objective
The organization shall implement security measures to protect AI systems
against unauthorized access, manipulation, and adversarial attacks.
### Assessment Criteria
| Criterion | Evidence Required | Red Team Contribution |
|-----------|------------------|----------------------|
| Security measures are documented | Security architecture document | Validate accuracy of documentation |
| Measures protect against unauthorized access | Access control testing results | API auth testing (TC-API-001-005) |
| Measures protect against input manipulation | Adversarial testing results | Prompt injection testing (TC-PI-001-025) |
| Measures protect against data exfiltration | Data security testing results | Exfiltration testing (TC-DE-001-012) |
| Measures are regularly tested | Testing schedule and results | Red team assessment report |
### Current State Assessment
| Criterion | Status | Evidence | Gap |
|-----------|--------|---------|-----|
| Security measures documented | Partial | Architecture doc exists but incomplete | Missing adversarial attack coverage |
| Unauthorized access protection | Compliant | Auth testing passed | None |
| Input manipulation protection | Non-compliant | F-001: Prompt injection bypass | Remediation required |
| Data exfiltration protection | Non-compliant | F-003: Cross-tenant leakage | Remediation required |
| Regular testing | Non-compliant | First red team assessment | Testing program needed |
### Auditor Questions to Expect
1. "Show me your security testing methodology for AI-specific attacks."
2. "How often do you conduct adversarial testing?"
3. "What were the results of the most recent security assessment?"
4. "How do you verify that remediations are effective?"
5. "What is your process for staying current with new AI attack techniques?"
## B.6.2: Adversarial Robustness
### Control Objective
The organization shall implement measures to ensure AI systems maintain
intended behavior under adversarial conditions.
### Assessment Criteria
| Criterion | Evidence Required | Red Team Contribution |
|-----------|------------------|----------------------|
| Adversarial risks identified | Threat model document | AI threat model assessment |
| Robustness measures implemented | Defense architecture | Test effectiveness of defenses |
| Robustness regularly tested | Adversarial test results | Red team findings and coverage |
| Known vulnerabilities tracked | Vulnerability register | Finding list and remediation status |
### Current State Assessment
| Criterion | Status | Evidence | Gap |
|-----------|--------|---------|-----|
| Adversarial risks identified | Partial | General risk assessment exists | AI-specific threat model needed |
| Robustness measures implemented | Partial | Content filter present | Multi-layer defense needed |
| Regular robustness testing | Non-compliant | No prior adversarial testing | Testing program needed |
| Vulnerability tracking | Non-compliant | No AI vulnerability register | Register needed |
## B.6.3: Data Security in AI Systems
### Control Objective
The organization shall protect data used by, generated by, and stored
within AI systems.
### Assessment Criteria
| Criterion | Status | Gap |
|-----------|--------|-----|
| Training data protected | N/A (third-party model) | Document in scope exclusion |
| Knowledge base data classified | Partial | Classification incomplete |
| User data protected in AI context | Non-compliant | F-003: Cross-tenant access |
| System prompts protected | Non-compliant | F-004: Prompt extraction |
| Data retention policies for AI | Compliant | Policy documented and enforced |
## B.6.4: AI System Access Control
### Assessment Criteria
| Criterion | Status | Gap |
|-----------|--------|-----|
| Role-based access to AI functions | Partial | F-005: Function calling abuse |
| API access controls | Compliant | Authentication verified |
| Admin access restricted | Compliant | Admin controls verified |
| Access logging and monitoring | Partial | Logging exists, monitoring insufficient |Step 3: Prepare Audit Evidence Packages
For each control, prepare an evidence package that an auditor can review.
Evidence Package Structure
# Evidence Package: B.6.1 Security of AI Systems
## 1. Policy Evidence
- AI security policy document (version, date, approver)
- Security architecture document for AI systems
- AI-specific risk assessment
## 2. Implementation Evidence
- Content filtering configuration and rules
- Authentication and authorization configuration
- Rate limiting configuration
- Monitoring dashboard screenshots
## 3. Testing Evidence
- Red team assessment report (executive summary + findings)
- Test coverage matrix showing AI-specific test categories
- Automated scan results (Garak, Promptfoo)
- Finding remediation tracker
## 4. Operational Evidence
- Security monitoring alerts and response examples
- Incident response records (if any AI incidents occurred)
- Change management records for AI system updates
- Vulnerability management records
## 5. Continuous Improvement Evidence
- Post-assessment remediation plan
- Scheduled retest dates
- Testing program roadmapEvidence Quality Criteria
Auditors evaluate evidence against these criteria:
| Quality Factor | Poor Evidence | Good Evidence |
|---|---|---|
| Relevance | Generic security policy | AI-specific security policy |
| Currency | Assessment from 2 years ago | Assessment from within 6 months |
| Completeness | Test results without methodology | Full report with methodology, results, remediation |
| Traceability | "We test regularly" | Dated test records with coverage documentation |
| Authority | Informal document | Approved policy with designated owner |
Step 4: Conduct Gap Analysis
Gap Analysis Summary
# ISO 42001 Gap Analysis Summary
## Overall Readiness
| Category | Total Controls | Compliant | Partially | Non-Compliant | N/A |
|----------|---------------|-----------|-----------|---------------|-----|
| B.3: Development | 5 | 2 | 2 | 1 | 0 |
| B.4: Operations | 3 | 1 | 1 | 1 | 0 |
| B.6: Security | 4 | 1 | 1 | 2 | 0 |
| B.7: Risk Management | 3 | 0 | 2 | 1 | 0 |
| **Total** | **15** | **4 (27%)** | **6 (40%)** | **5 (33%)** | **0** |
## Critical Gaps (Must Fix Before Audit)
| Gap | Control | Impact | Remediation |
|-----|---------|--------|-------------|
| No adversarial testing program | B.6.2 | Major non-conformity | Establish testing program |
| AI vulnerabilities not tracked | B.6.2 | Major non-conformity | Create AI vulnerability register |
| Cross-tenant data access | B.6.3 | Major non-conformity | Fix isolation, verify with retest |
| No AI threat model | B.7.1 | Major non-conformity | Conduct AI-specific threat modeling |
| No AI security monitoring | B.4.1 | Major non-conformity | Implement AI-specific monitoring |
## Minor Gaps (Should Fix, Not Audit Blockers)
| Gap | Control | Impact | Remediation |
|-----|---------|--------|-------------|
| Security documentation incomplete | B.3.5 | Minor non-conformity | Update documentation |
| Partial data classification | B.6.3 | Minor non-conformity | Complete classification |
| No formal retest schedule | B.6.2 | Minor non-conformity | Add to testing program |Step 5: Create Remediation Roadmap
Pre-Audit Remediation Plan
# Pre-Audit Remediation Roadmap
## Phase 1: Critical Gap Remediation (Weeks 1-4)
### Week 1-2
| Action | Owner | Deliverable | Status |
|--------|-------|------------|--------|
| Fix cross-tenant data isolation | Engineering | Verified fix (retest passed) | |
| Remediate prompt injection findings | Engineering | Updated defense controls | |
| Create AI vulnerability register | Security | Populated register with findings | |
### Week 3-4
| Action | Owner | Deliverable | Status |
|--------|-------|------------|--------|
| Conduct AI threat model | Security + ML | Threat model document | |
| Implement AI security monitoring | Security | Monitoring dashboard + alerts | |
| Establish adversarial testing program | Security | Program charter + schedule | |
## Phase 2: Documentation and Process (Weeks 5-6)
| Action | Owner | Deliverable | Status |
|--------|-------|------------|--------|
| Update AI security policy | CISO | Approved policy document | |
| Complete data classification | Data team | Classification inventory | |
| Update system documentation | Engineering | Accurate architecture docs | |
| Document risk assessment process | Security | Risk management procedure | |
## Phase 3: Evidence Collection and Dry Run (Weeks 7-8)
| Action | Owner | Deliverable | Status |
|--------|-------|------------|--------|
| Compile evidence packages | Security | Evidence per control | |
| Conduct remediation verification | Red team | Retest report | |
| Internal audit dry run | Quality | Internal audit report | |
| Address dry run findings | All | Corrective actions | |Step 6: Prepare for Auditor Interactions
Common Auditor Questions and Preparation
# Auditor Question Preparation Guide
## B.6 Security Controls
Q: "How do you test your AI systems against adversarial attacks?"
Prepared Response: "We conduct regular adversarial testing using a
combination of automated scanning tools (Garak, Promptfoo) and manual
expert testing. Our most recent assessment was conducted on [date]
using [N] test cases across [N] attack categories. Results are
documented in our red team assessment report [reference]."
Q: "Show me evidence that your security controls are effective."
Evidence: Red team report → findings section → show controls that
held up under testing + show remediated findings with retest results.
Q: "How do you handle new AI-specific vulnerabilities?"
Evidence: AI vulnerability register → show process for triaging
new vulnerabilities → show recent example of response.
Q: "What is your process when a security finding is identified?"
Evidence: Remediation workflow → finding → severity classification →
remediation → retest → closure in vulnerability register.
## B.7 Risk Management
Q: "Show me your AI risk assessment."
Evidence: AI threat model → risk scoring matrix → treatment decisions.
Q: "How do you determine acceptable residual risk?"
Evidence: Risk acceptance criteria → specific examples of accepted
risks with rationale and senior management approval.Common ISO 42001 Audit Preparation Mistakes
-
Preparing only technical evidence. ISO 42001 is a management system standard. Auditors assess policies, processes, roles, and continuous improvement alongside technical controls. Ensure governance documentation is as prepared as technical evidence.
-
Treating red team findings as audit failures. Red team findings demonstrate that the organization actively tests its AI systems. The audit evaluates the process: test, find, fix, verify. Unmitigated findings are the problem, not the fact that findings exist.
-
Not addressing non-applicable controls. If a control does not apply (e.g., training data controls for a system using a third-party model), document the exclusion with justification. Unexplained gaps in the Statement of Applicability raise auditor concerns.
-
Conducting a single assessment before the audit. Auditors want to see a pattern of continuous improvement, not a one-time exercise. Establish a regular testing cadence well before the audit date.
-
Over-preparing technical staff, under-preparing management. Auditors interview people at all levels. Ensure management can articulate the AI risk management approach, not just the technical team.
Knowledge Check
During an ISO 42001 audit, the auditor asks about your adversarial testing program. Your organization conducted one red team assessment six months ago. What is the most likely auditor concern?
Related Topics
- NIST AI RMF Assessment -- Risk framework aligned with ISO 42001 risk management
- EU AI Act Compliance Testing -- Regulatory requirements that ISO 42001 can support
- Continuous Assessment Program -- Building the ongoing assessment program auditors expect
- Red Team Maturity Model -- Assessing maturity of testing program for audit readiness