ISO 42001 AI System Readiness Tracker

Map ISO 42001 clauses to practical AI system controls, lifecycle gates, and evidence requirements before pilot or production.

The tracker includes a how-to guide, 28 control rows with working columns for status, owner, evidence links, and gap tracking, and a worked example for an internal RAG assistant showing realistic partial and missing controls.

  • 28 controls
  • 14 ISO 42001 clauses
  • 3 lifecycle gates
  • 4 cross-framework refs

Free spreadsheet

Excel · .xlsx · 3 sheets

Three tabs: how-to guide, tracker with working columns, and a worked example. Opens in Excel, Google Sheets, or any spreadsheet tool.

Who it's for

Security architects, AI governance leads, DPOs, and AppSec teams preparing an AI system for pilot or production review.

Designed to be used per system — one copy per AI system under review — not as an organisation-wide compliance register.

How teams use it

  • Scope a single AI system under review and identify which controls apply at the current lifecycle stage.
  • Surface missing evidence before a pilot or production gate — so gaps are found in review, not in an audit.
  • Prepare a structured AI security review pack or governance committee submission.
  • Align ISO 42001 requirements with EU AI Act, NIST AI RMF, OWASP Agentic Top 10, and internal governance.

How to use it

  1. Pick one AI system.
  2. Identify the current lifecycle stage: before pilot, before production, or ongoing.
  3. Filter by the Lifecycle Gate column.
  4. Mark each row: Covered / Partial / Missing / Not applicable / Unknown.
  5. Add evidence links where available.
  6. Treat Missing rows at the relevant gate as review blockers.
  7. Use the output to prepare a review pack.

What's in the file

Three sections: a how-to guide tab, the main tracker with 16 columns per row, and a worked example for an internal RAG assistant.

Reference columns

| Column | Contents |
| --- | --- |
| ISO 42001 clause | 4.1 through 10.2 — all normative clauses |
| Clause title | Official clause name from the standard |
| Control area | Governance / Risk / Technical / Operational / Audit |
| Required control | Specific, actionable — not a paraphrase of the clause |
| Lifecycle gate | Before pilot / Before production / Ongoing |
| Evidence required | What you show an auditor to prove the control is working |
| Cross-framework tags | EU AI Act article / NIST AI RMF function / GDPR article |

Working columns

| Column | Contents |
| --- | --- |
| Applicable? | Yes / No / TBD |
| Status | Covered / Partial / Missing / Not applicable / Unknown |
| Owner | Name or role responsible for this control |
| Evidence link | URL or document reference to the evidence artefact |
| Gap / Issue | What is missing or incomplete |
| Priority | High / Medium / Low |
| Target date | Date by which the gap should be closed |
| Drel review section | Maps to the corresponding section in a Drel review pack |
| Notes | Free text |

Sample row — clause 6.1.2

| Clause | Title | Required control | Lifecycle gate | Status | Gap |
| --- | --- | --- | --- | --- | --- |
| 6.1.2 | AI risk assessment | Document treatment decision with rationale and residual risk | Before pilot | Missing | Risk assessment not completed. No treatment decisions documented. |

From tracker to review pack

Spreadsheets are the starting point.

This tracker helps structure the evidence gap analysis. Drel turns that analysis into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready dossier your AI Committee can actually approve or reject.

Frequently asked questions

Does this tracker certify my system under ISO 42001?

No. The tracker is a working spreadsheet that helps you map clauses to controls and evidence. ISO 42001 certification requires audit by an accredited certification body. The tracker produces evidence that supports the audit; it does not perform the audit.

Which ISO 42001 clauses are covered?

The tracker covers all normative clauses (4.1 through 10.2). Clauses 6 (planning and risk) and 8 (operation) — the operational core — have the most detailed rows with lifecycle gates and evidence types.

What is a lifecycle gate?

A lifecycle gate is a point in an AI system's lifecycle where a specific control or evidence item should be in place. The tracker uses three gates: before pilot, before production, and ongoing. Each control row names the gate at which it applies.

Is there a worked example?

Yes. The 'Example' sheet shows the tracker filled in for an internal RAG assistant — each clause mapped to specific controls and evidence for that system, including which gates have been passed and which evidence items are still gaps.

How do I use the status columns?

Each row has a status column (covered / partial / missing / N/A / unknown) and an owner column. Use it as a working tracker for your readiness: fill in current status, identify gaps, assign owners, and re-review on a cadence. The tracker is designed to be a live artefact, not a one-time deliverable.

Can I share this with my auditor?

The tracker is yours to use however you wish, including sharing the populated version with an internal or external auditor. Your auditor will likely want the evidence artefacts themselves alongside the tracker — the tracker is the index; the evidence is the substance.