Organisations building their first ISO/IEC 42001:2023 AI Management System are importing assumptions from ISO 27001 that do not transfer. Two structural errors reach Stage 2 audit preparation uncorrected: Annex B implementation guidance listed as independent Statement of Applicability rows, and a Clause 6.1.4 impact assessment scoped to organisational risk with no coverage of the individual and societal dimensions the clause requires. Both errors come from the same place: applying familiar management system logic to a standard built on a different clause architecture. Understanding how the ISO 42001 Statement of Applicability actually works is the first step to closing both gaps.
What Clause 6.1.3(f) and the Annexes Actually Require
The SoA mechanism in ISO/IEC 42001:2023 operates through Clause 6.1.3(f), which requires a documented Statement of Applicability addressing Annex A control objectives. Each Annex A control needs a justified inclusion or exclusion decision and an implementation status statement.
Annex A is normative. It provides the reference control objectives and controls that the SoA must cover. So far, this mirrors ISO 27001:2022, where all 93 Annex A controls require applicability determination.
Annex B is where the standards diverge. Annex B is also normative, but its function is different: it provides implementation guidance for Annex A controls. It does not introduce additional control objectives. Annex B items do not require independent SoA applicability rows because they are not control objectives under Clause 6.1.3(f). They tell you how to implement the Annex A controls that appear in your SoA.
Clause 6.1.4 sits alongside the Clause 6.1.2 risk assessment but serves a structurally different purpose. Clause 6.1.2 addresses risks and opportunities related to the AI management system. Clause 6.1.4 requires the organisation to assess the potential consequences for individuals or groups of individuals, or both, and societies that can result from the development, provision or use of AI systems. Three dimensions are mandated: individuals, groups of individuals, and societies. Organisational risk does not appear in the clause.

Where ISO 42001 SoA and Impact Assessment Errors Occur
SoA Annex B bloat is the first pattern. Organisations with ISO 27001 certification replicate their 27001 SoA structure for ISO 42001. In 27001 practice, every Annex A control gets an applicability row; the SoA is the Annex A applicability table. Apply that logic to 42001 and you generate rows for both Annex A control objectives and Annex B implementation guidance items. The result is an SoA with far more line items than the standard requires, where control applicability decisions and implementation guidance references sit in the same table. Auditors receiving this document cannot tell which rows need substantive control evidence and which are guidance notes. Stage 2 evidence planning breaks down before it starts.
No published certification body or accreditation body guidance currently provides explicit audit criteria distinguishing permissible Annex B omissions from non-compliant Annex A control gaps in an ISO 42001 Statement of Applicability. This gap is structural: the boundary is defined by the standard’s architecture but has not been operationalised in CB or AB audit documentation as of early 2026.
The Clause 6.1.4 scope failure is more consequential. Organisations route the AI impact assessment through their existing enterprise risk management framework. ERM measures impact to the organisation (operational disruption, financial loss, reputational damage). Clause 6.1.4 requires the opposite orientation: consequences for people and society, namely individual harm from AI system outputs, group-level discrimination or bias effects, and broader societal consequences from deployment at scale.
When an auditor requests the 6.1.4 documentation and receives a document structured around organisational risk categories, the three-dimensional scope is not met. That is a Stage 2 nonconformity.
What a Correct SoA and Impact Assessment Look Like
An SoA restricted to Annex A. The Statement of Applicability contains applicability decisions for Annex A control objectives only. Each row addresses one Annex A control with a justified inclusion or exclusion and an implementation status. Annex B references appear in implementation documentation, linked to their parent Annex A control, not as independent SoA line items.
A dedicated Clause 6.1.4 impact assessment. This is a separate document from the Clause 6.1.2 risk assessment. It covers each in-scope AI system across three dimensions: consequences for individual users and affected persons, consequences for identifiable groups including bias and discrimination potential, and broader societal consequences. The assessment considers the specific technical and societal context of each AI system. Results feed into the Clause 6.1.2 risk assessment as the standard requires, but the 6.1.4 document stands alone as externally oriented evidence.
EU AI Act cross-mapping for high-risk systems. Where the organisation operates AI systems classified as high-risk under EU AI Act Annex III, the Clause 6.1.4 assessment also serves as foundational documentation for Article 9 compliance. Article 9(1)(a) requires identification and analysis of risks to health, safety, and fundamental rights; the fundamental rights element maps directly to Clause 6.1.4’s individual and societal dimensions. A properly scoped 6.1.4 assessment addresses both the ISO requirement and the regulatory obligation from a single documentation architecture. The Article 9 high-risk enforcement deadline is August 2, 2026.

Practical Steps to Fix Your ISO 42001 SoA and Clause 6.1.4
First, audit your current SoA structure. Identify any Annex B items listed as independent applicability rows. Remove them. Confirm that every remaining row corresponds to an Annex A control objective under Clause 6.1.3(f). For organisations pursuing ISO 42001 certification, this structural correction is a prerequisite for Stage 2 readiness. A gap assessment against the standard’s actual clause architecture will surface these errors before your auditor does.
Second, refile Annex B references. Document Annex B implementation guidance as notes against their parent Annex A control entries in your control register, not as SoA line items.
Third, create a dedicated Clause 6.1.4 impact assessment. Separate this document from your Clause 6.1.2 risk assessment. Structure it around the three mandatory dimensions: individuals, groups of individuals, and societies. For each in-scope AI system, document consequences across all three dimensions with consideration of the specific technical and societal context.
Fourth, cross-map to EU AI Act Article 9. For high-risk AI systems under Annex III, verify that your 6.1.4 assessment satisfies Article 9(1)(a) fundamental rights risk identification. Map the individual and societal dimensions to the health, safety, and fundamental rights categories Article 9 requires.
Fifth, maintain two separate risk documents. Clause 6.1.2 covers organisational risk orientation. Clause 6.1.4 covers individual and societal impact orientation. They serve different functions and require different evidence structures. Do not merge them into a single risk register.

Key Takeaway
The ISO 27001 SoA is a single-annex applicability table. The ISO 42001 Statement of Applicability operates on the same Annex A mechanism but sits alongside Annex B implementation guidance that does not belong in the applicability table. Clause 6.1.4 is not an organisational risk clause: it requires an externally oriented assessment of consequences for people and society. Correct both structures before Stage 2. You eliminate a nonconformity path and, for high-risk AI systems in scope, close a parallel EU AI Act Article 9 gap ahead of the August 2026 enforcement deadline.
Clause references for Clause 6.1.3(f) and Annex B functional role reflect mapped standard requirements. Verify against current edition before audit use.
About AEC International
AEC International provides ISO certification, training, and consultancy services at the intersection of AI governance, information security, and management system design. We support organisations across industries in achieving and maintaining ISO certification, from gap analysis and implementation through audit preparation and continual improvement.
Learn more: www.aec.llc