A Statement of Applicability documents which controls are selected for the AIMS and why they apply, creating traceability between risks, requirements, and controls.
The Statement of Applicability (SoA) is a key implementation artifact because it explains which controls are chosen and how they align to the organization's needs. It helps connect AI risk management outcomes to specific control decisions, making the control set understandable and reviewable.
In implementation, the SoA supports structured decision-making. Once the organization's context, AIMS scope, and existing system analysis are understood, the SoA becomes the place to justify control selection and to show how requirements are addressed within the defined scope.
The SoA is also useful for audits: it provides a clear reference for what should be implemented and what evidence should exist, reducing ambiguity during internal audit and third-party certification audits.
Audits go faster when control choices are explicit. A well-maintained SoA prevents "control drift" where teams implement measures without documenting rationale or scope.
Keep the SoA aligned with risk management updates so it remains a living decision map, not a one-time document.
“The SoA is the control decision record for your AIMS.”
Expert Trainer
Prepare by ensuring scope, controls, documented information, and operational evidence are in place, then validating through internal audit and management review before the certification audit.
You scope an AIMS by defining organizational context and boundaries, then setting the AIMS scope so policies, risks, controls, and operations match what is in scope.
An auditor should look for objective evidence that AI governance processes are defined, implemented, monitored, and improved across the AI lifecycle.