
ISO/IEC 42001:2023

Artificial intelligence management system standard. Specifies requirements for establishing, implementing, maintaining and improving an AI management system, including responsible AI development, deployment and use.

Controls: 128
Total Mappings: 180
Publisher: ISO/IEC
Version: 2023

AC Access Control

Control | Name | ISO 42001:2023 References
AC-01 | Access Control Policies And Procedures | A.2.2, A.2.3, A.9.2
AC-02 | Account Management | A.3.2
AC-03 | Access Enforcement | A.9.2, A.9.4
AC-04 | Information Flow Enforcement | A.9.4
AC-05 | Separation Of Duties | A.3.2
AC-06 | Least Privilege | A.3.2, A.9.2
AC-13 | Supervision And Review -- Access Control | A.6.2.6
AC-15 | Automated Marking | A.7.4
AC-16 | Automated Labeling | A.7.4, A.7.5
AC-20 | Use Of External Information Systems | A.10.2

AT Awareness and Training

Control | Name | ISO 42001:2023 References
AT-01 | Security Awareness And Training Policy And Procedures | A.4.6
AT-02 | Security Awareness | A.4.6, A.9.2
AT-03 | Security Training | A.4.6
AT-04 | Security Training Records | A.4.6
AT-05 | Contacts With Security Groups And Associations | A.3.3
AT-06 | Training Feedback | A.4.6

AU Audit and Accountability

Control | Name | ISO 42001:2023 References
AU-01 | Audit And Accountability Policy And Procedures | A.6.2.8
AU-02 | Auditable Events | A.6.2.8
AU-03 | Content Of Audit Records | A.6.2.8
AU-06 | Audit Monitoring, Analysis, And Reporting | A.6.2.6, A.6.2.8
AU-07 | Audit Reduction And Report Generation | A.6.2.8
AU-09 | Protection Of Audit Information | A.6.2.8
AU-10 | Non-Repudiation | A.7.5
AU-11 | Audit Record Retention | A.6.2.8

CA Security Assessment and Authorization

Control | Name | ISO 42001:2023 References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | A.5.2
CA-02 | Security Assessments | A.5.2, A.5.3, A.6.2.4
CA-03 | Information System Connections | A.10.2
CA-05 | Plan Of Action And Milestones | A.5.3
CA-06 | Security Accreditation | A.5.2
CA-07 | Continuous Monitoring | A.2.4, A.6.2.6

CM Configuration Management

Control | Name | ISO 42001:2023 References
CM-01 | Configuration Management Policy And Procedures | A.4.2
CM-02 | Baseline Configuration | A.4.2, A.6.2.3
CM-03 | Configuration Change Control | A.6.2.5
CM-04 | Monitoring Configuration Changes | A.6.2.6
CM-05 | Access Restrictions For Change | A.6.2.5
CM-06 | Configuration Settings | A.4.2, A.6.2.3
CM-07 | Least Functionality | A.9.4
CM-08 | Information System Component Inventory | A.4.2, A.4.4
CM-12 | Information Location | A.4.2, A.7.3
CM-13 | Data Action Mapping | A.4.3, A.6.2.8, A.7.3
CM-14 | Signed Components | A.7.5

CP Contingency Planning

Control | Name | ISO 42001:2023 References
CP-01 | Contingency Planning Policy And Procedures | A.4.5
CP-02 | Contingency Plan | A.4.5
CP-07 | Alternate Processing Site | A.4.5
CP-09 | Information System Backup | A.4.3
CP-10 | Information System Recovery And Reconstitution | A.4.5

IR Incident Response

Control | Name | ISO 42001:2023 References
IR-01 | Incident Response Policy And Procedures | A.8.4
IR-02 | Incident Response Training | A.8.4
IR-03 | Incident Response Testing And Exercises | A.8.4
IR-04 | Incident Handling | A.3.3, A.8.4
IR-05 | Incident Monitoring | A.8.4
IR-06 | Incident Reporting | A.3.3, A.8.3, A.8.4
IR-07 | Incident Response Assistance | A.8.4
IR-09 | Information Spillage Response | A.3.3, A.8.4

MA Maintenance

Control | Name | ISO 42001:2023 References
MA-02 | Controlled Maintenance | A.6.2.6
MA-03 | Maintenance Tools | A.4.4
MA-06 | Timely Maintenance | A.6.2.6

MP Media Protection

Control | Name | ISO 42001:2023 References
MP-01 | Media Protection Policy And Procedures | A.4.3
MP-02 | Media Access | A.4.3
MP-03 | Media Labeling | A.7.4
MP-04 | Media Storage | A.4.3
MP-05 | Media Transport | A.4.3
MP-06 | Media Sanitization And Disposal | A.4.3

PE Physical and Environmental Protection

Control | Name | ISO 42001:2023 References
PE-18 | Location Of Information System Components | A.4.5

PL Planning

Control | Name | ISO 42001:2023 References
PL-01 | Security Planning Policy And Procedures | A.2.2, A.2.3, A.9.3
PL-02 | System Security Plan | A.2.2, A.6.2.7
PL-03 | System Security Plan Update | A.2.4
PL-04 | Rules Of Behavior | A.9.2, A.9.4
PL-05 | Privacy Impact Assessment | A.5.2, A.5.3, A.5.4, A.5.5
PL-06 | Security-Related Activity Planning | A.6.1.2
PL-09 | Central Management | A.2.2

PS Personnel Security

Control | Name | ISO 42001:2023 References
PS-01 | Personnel Security Policy And Procedures | A.3.2, A.4.6
PS-02 | Position Categorization | A.3.2
PS-03 | Personnel Screening | A.4.6
PS-04 | Personnel Termination | A.3.2
PS-05 | Personnel Transfer | A.3.2
PS-06 | Access Agreements | A.9.2
PS-07 | Third-Party Personnel Security | A.10.2
PS-08 | Personnel Sanctions | A.3.3
PS-09 | Position Descriptions | A.2.3, A.3.2

PT Personally Identifiable Information Processing and Transparency

Control | Name | ISO 42001:2023 References
PT-01 | Policy and Procedures | A.5.4
PT-02 | Authority to Process Personally Identifiable Information | A.5.4, A.7.3
PT-03 | Personally Identifiable Information Processing Purposes | A.5.4, A.9.4
PT-04 | Consent | A.7.3
PT-05 | Privacy Notice | A.8.2, A.8.5
PT-06 | System of Records Notice | A.8.5
PT-07 | Specific Categories of Personally Identifiable Information | A.5.4, A.7.3
PT-08 | Computer Matching Requirements | A.5.4

RA Risk Assessment

Control | Name | ISO 42001:2023 References
RA-01 | Risk Assessment Policy And Procedures | A.5.2
RA-02 | Security Categorization | A.5.2
RA-03 | Risk Assessment | A.5.2, A.5.3, A.5.4, A.5.5
RA-04 | Risk Assessment Update | A.2.4, A.5.2
RA-05 | Vulnerability Scanning | A.6.2.4
RA-07 | Risk Response | A.5.2, A.5.3
RA-08 | Privacy Impact Assessments | A.5.2, A.5.4
RA-09 | Criticality Analysis | A.5.2

SA System and Services Acquisition

Control | Name | ISO 42001:2023 References
SA-01 | System And Services Acquisition Policy And Procedures | A.6.1.2
SA-02 | Allocation Of Resources | A.4.5
SA-03 | Life Cycle Support | A.6.1.2, A.6.1.3
SA-04 | Acquisitions | A.10.3, A.6.2.2
SA-05 | Information System Documentation | A.6.2.3, A.6.2.7, A.8.2
SA-06 | Software Usage Restrictions | A.4.4
SA-07 | User Installed Software | A.4.4, A.9.4
SA-08 | Security Engineering Principles | A.6.1.2, A.6.1.3
SA-09 | External Information System Services | A.10.2, A.10.4
SA-10 | Developer Configuration Management | A.6.1.3, A.6.2.3
SA-11 | Developer Security Testing | A.6.2.4

SC System and Communications Protection

Control | Name | ISO 42001:2023 References
SC-06 | Resource Priority | A.4.5
SC-24 | Fail in Known State | A.4.5

SI System and Information Integrity

Control | Name | ISO 42001:2023 References
SI-01 | System And Information Integrity Policy And Procedures | A.6.2.6
SI-02 | Flaw Remediation | A.6.2.6
SI-04 | Information System Monitoring Tools And Techniques | A.6.2.6
SI-05 | Security Alerts And Advisories | A.3.3
SI-06 | Security Functionality Verification | A.6.2.4
SI-07 | Software And Information Integrity | A.6.2.4, A.6.2.6
SI-09 | Information Input Restrictions | A.7.4
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | A.7.2, A.7.4
SI-12 | Information Output Handling And Retention | A.8.5

SR Supply Chain Risk Management

Control | Name | ISO 42001:2023 References
SR-01 | Policy and Procedures | A.10.2, A.10.3
SR-02 | Supply Chain Risk Management Plan | A.10.2, A.10.3
SR-03 | Supply Chain Controls and Processes | A.10.3
SR-04 | Provenance | A.7.5
SR-05 | Acquisition Strategies, Tools, and Methods | A.10.3
SR-06 | Supplier Assessments and Reviews | A.10.3
SR-07 | Supply Chain Operations Security | A.10.3
SR-08 | Notification Agreements | A.10.3, A.8.4
SR-10 | Inspection of Systems or Components | A.6.2.4
SR-11 | Component Authenticity | A.7.5