GRCWatch
Sign inStart free trial

ISO 42001 A.2.1: Establish and Communicate Your AI Policy

ISO 42001 A.2.1 requires organizations to create a documented AI policy that reflects organizational purpose and context. This foundational control sets the framework for all AI governance objectives. Without a clear, communicated policy, your organization lacks the strategic foundation for responsible AI management.

What this means

A.2.1 mandates that your organization establish a formal, documented AI policy. This policy must align with your organization's purpose and operational context, demonstrate commitment to applicable legal and regulatory requirements, and serve as the baseline for setting measurable AI objectives. The policy must be documented, actively communicated throughout the organization, and available to all relevant stakeholders. It represents the strategic commitment to AI governance and responsible AI practices.

How to comply

  1. 1.Define your organization's AI governance scope and identify applicable regulatory requirements (industry-specific laws, data protection, ethical standards)
  2. 2.Draft an AI policy statement that articulates commitment to responsible AI development, deployment, and monitoring
  3. 3.Include specific commitments to risk management, transparency, accountability, and compliance with applicable requirements
  4. 4.Establish processes for setting measurable AI objectives aligned to the policy
  5. 5.Document the policy and make it accessible to all employees, contractors, and relevant stakeholders
  6. 6.Communicate the policy through onboarding, training, and internal channels
  7. 7.Review and update the policy annually or when organizational context or regulatory requirements change
  8. 8.Assign clear ownership and accountability for policy oversight and enforcement

Evidence auditors look for

  • Documented AI policy signed by senior management or board
  • Policy documentation addressing scope, objectives, compliance commitments, and stakeholder roles
  • Communication records showing policy distribution to employees (email, intranet, training materials)
  • Evidence of policy acknowledgment (signed attestations, training completion records)
  • Minutes from governance meetings discussing AI policy framework and objectives
  • Documented AI objectives derived from and aligned to the policy
  • Policy review and update records showing ongoing relevance
  • Organizational charts showing accountability for AI policy governance

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch streamlines AI policy creation and communication by providing ISO 42001 policy templates, automated stakeholder distribution tracking, and evidence management—so you document compliance without building policies from scratch.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 42001 A.3.1 — AI Objectives and PlanningISO 42001 A.4.1 — Resource AllocationISO 42001 A.5.1 — Roles and ResponsibilitiesISO 42001 A.6.1 — Risk Management Process