Which Modulos templates implement ISO/IEC 42001:2023?

Two framework template pairs record and link ISO 42001 requirements in modulos_platform: OFF-7 (org) + MFF-7 (app) — the legacy template with paraphrased requirement names and a Clauses 4–10 + Annex A control mix; and OFF-10 (org) + MFF-10 (app) — the clause-aligned template that follows the OBP clause titles directly. Both reference the same standard. Pick the template pair that matches your tenant's framework configuration; the substantive obligations are identical.

How should I structure projects for an ISO 42001 AIMS?

Use two layers. (1) One organisation project for the AIMS itself — AI policy, scope statement, AI risk-management process, internal audit, management review, corrective action. Apply OFF-7 or OFF-10. (2) One AI-system project per AI system in scope — AI impact assessment, lifecycle controls, data controls, monitoring evidence. Apply MFF-7 or MFF-10. The organisation project carries the management-system spine; AI-system projects carry per-system execution. Where an organisation already runs ISO 27001 / 27701, the AIMS shares Clauses 4–10 with the existing ISMS / PIMS — only the AI-specific clauses and Annex A controls are AIMS-only.

Where does the Statement of Applicability live in Modulos?

The Statement of Applicability is owner-authored documentation stored as control-level evidence on the Annex A area requirements (on OFF-10: ORF-191 A.2, ORF-192 A.3, ORF-193 A.4, ORF-194 A.5; on MFF-10: MRF-216 A.6.2, MRF-217 A.7, MRF-218 A.8, MRF-219 A.9, MRF-220 A.10). Modulos does not provide a dedicated SoA workflow surface — the SoA is a versioned document attached as evidence.

How does Modulos handle the AI impact assessment (Clause 6.1.4)?

The AI impact assessment lives on the AI-system MFF-10 requirement MRF-215 (or its equivalent MRF-74 on MFF-7 legacy). The assessment document, the supporting evidence (categories of natural persons affected, foreseeable risks of harm, mitigation), and the cadence for re-assessment are stored as control-level evidence on this requirement. The AI impact assessment is the AIMS analogue of the EU AI Act Article 27 FRIA — sharing evidence between the two is common.

How does Modulos help with internal audit and management review?

OFF-10 ORF-184 / ORF-185 (or OFF-7 ORF-88) record internal-audit requirements; ORF-186 / ORF-187 / ORF-188 (or OFF-7 ORF-87) record management-review requirements. The audit programme, audit reports, finding records, review minutes, follow-up actions and approvals are owner-authored artefacts stored as control-level evidence on these requirements.

What is the typical evidence pattern for Annex A.6 AI system lifecycle?

On OFF-7 / MFF-7 the lifecycle controls are granular: MRF-93 development objectives, MRF-94 system requirements, MRF-95 design documentation, MRF-96 verification and validation, MRF-97 deployment, MRF-98 operation and monitoring, MRF-99 technical documentation, MRF-100 event logs. On OFF-10 / MFF-10 the lifecycle is consolidated under MRF-216 with the granular controls treated as evidence components. Either way, lifecycle evidence is captured at the smallest meaningful claim and linked to the control.

Operationalizing ISO/IEC 42001:2023 in Modulos

ISO 42001 becomes manageable when the AIMS is treated as a living operating model: governance work is executed continuously and evidence is produced as a byproduct. This page is the implementation playbook for running the AIMS on Modulos using the OFF-7 / MFF-7 (legacy) or OFF-10 / MFF-10 (clause-aligned) framework templates.

Quick decision

You are starting a fresh AIMS rollout → one organisation project with OFF-7 or OFF-10, plus one AI-application project per AI system with MFF-7 or MFF-10.
You already operate ISO 27001 or 27701 → add the ISO 42001 OFF template to the existing organisation project; reuse the shared Annex SL management-system processes; only stand up AI-specific clauses and Annex A controls.
You are building the Statement of Applicability → record control selection as evidence on the Annex A area requirements (ORF-191–ORF-194 org-side; MRF-216–MRF-220 app-side on OFF-10 / MFF-10).
You are choosing between OFF-7 / MFF-7 and OFF-10 / MFF-10 → both record and link ISO/IEC 42001:2023 requirements. OFF-7 / MFF-7 has more granular Annex A control coverage; OFF-10 / MFF-10 has clause-aligned requirement names matching the OBP. Use what your tenant has configured.

TL;DR

Two framework template pairs record and link ISO 42001 requirements: OFF-7 + MFF-7 (legacy, more granular) and OFF-10 + MFF-10 (clause-aligned).
Two project layers: organisation project for the AIMS spine; AI-system projects for per-system execution.
AIMS spine on the org project: scope statement, AI policy, AI risk-management process, internal audit, management review, corrective action.
AI-system execution on the app project: AI impact assessment, lifecycle controls, data controls, monitoring evidence.
Statement of Applicability is owner-authored documentation stored as evidence on Annex A area requirements.
IMS integration with ISO 27001 / 27701: share Clauses 4–10 processes; keep AI-specific Clauses 5.2 / 6.1.2 / 6.1.3 / 6.1.4 and Annex A controls explicit.

Primary source

ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. Modulos framework templates: OFF-7 / MFF-7 (legacy) and OFF-10 / MFF-10 (clause-aligned) in modulos_platform/content/templates/frameworks/. Available via the ISO Online Browsing Platform. © ISO.

Recommended project structure

Project	Template	When to use
One organisation project	OFF-7 or OFF-10 (add to existing org project if you already run ISO 27001 / 27701)	Scope statement, AI policy, Annex SL management-system processes, internal audit, management review, corrective action
One AI-application project per AI system	MFF-7 or MFF-10	AI impact assessment, lifecycle controls (Annex A.6), data controls (Annex A.7), monitoring evidence, supplier evidence

The split mirrors the standard's own structure: organisation-wide management-system layer on one side; per-AI-system operational layer on the other.

Set up: a sequence that works

Add OFF-7 or OFF-10 to your org project

Apply the AIMS template — clause-aligned (OFF-10) or legacy (OFF-7).

Create one app project per AI system

Apply MFF-7 or MFF-10. Each AI system gets its own evidence trail.

Define the AIMS scope

Clause 4.3 scope statement: AI systems, processing activities, boundaries.

Run AI risk + impact assessments

Clause 6.1.2 risk and 6.1.4 impact assessment, with cadence and approvals.

Record Annex A control selection

SoA-equivalent record under Clause 6.1.3 — Annex A remains informative.

Operate, audit, review, improve

Controls, internal audit, management review, corrective action.

How to operationalise ISO 42001 in Modulos

OFF-10 / MFF-10 mapping:

AIMS element	OFF-10 / MFF-10 requirement	Clause
Organisational context	`ORF-162`	4.1
Interested parties	`ORF-163`	4.2
AIMS scope statement	`ORF-164`	4.3
AIMS itself	`ORF-165`	4.4
Leadership commitment	`ORF-166`	5.1
AI policy	`ORF-167`	5.2
Roles and responsibilities	`ORF-168`	5.3
AI risk-management general	`ORF-169`	6.1.1
AI risk assessment	`ORF-170`	6.1.2
AI risk treatment + Statement of Applicability	`ORF-171`	6.1.3
AI impact assessment (org-level scoping)	`ORF-172`	6.1.4
AI objectives	`ORF-173`	6.2
Planning of changes	`ORF-174`	6.3
Resources / competence / awareness / communication	`ORF-175`–`ORF-178`	7.1–7.4
Documented information	`ORF-179` / `ORF-180` / `ORF-181`	7.5.1–7.5.3
Operational planning + control	`ORF-182`	8.1
Monitoring + measurement	`ORF-183`	9.1
Internal audit + audit programme	`ORF-184` / `ORF-185`	9.2.1 / 9.2.2
Management review (process / inputs / outputs)	`ORF-186` / `ORF-187` / `ORF-188`	9.3.1 / 9.3.2 / 9.3.3
Continual improvement	`ORF-189`	10.1
Nonconformity + corrective action	`ORF-190`	10.2
Annex A.2 Policies related to AI	`ORF-191`	A.2
Annex A.3 Internal organization	`ORF-192`	A.3
Annex A.4 Resources for AI systems	`ORF-193`	A.4
Annex A.5 Assessing impacts of AI systems	`ORF-194`	A.5
AI risk assessment (operational)	`MRF-213`	8.2
AI risk treatment (operational)	`MRF-214`	8.3
AI system impact assessment (operational)	`MRF-215`	8.4
Annex A.6 AI system life cycle	`MRF-216`	A.6.2
Annex A.7 Data for AI systems	`MRF-217`	A.7
Annex A.8 Information for interested parties	`MRF-218`	A.8
Annex A.9 Use of AI systems	`MRF-219`	A.9
Annex A.10 Third-party and customer relationships	`MRF-220`	A.10

OFF-7 / MFF-7 mapping (legacy, more granular Annex A coverage):

AIMS element	OFF-7 / MFF-7 requirement	Clause
Organisational context	`ORF-65`	4.1
Stakeholder needs	`ORF-66`	4.2
AIMS scope	`ORF-67`	4.3
AIMS itself	`ORF-68`	4.4
AI policy	`ORF-69`	5.2
Roles and responsibilities	`ORF-70`	5.3
AI risk-management general	`ORF-71`	6.1.1
AI risk assessment	`ORF-72`	6.1.2
AI risk treatment	`ORF-73`	6.1.3
AI impact assessment (operational)	`MRF-74`	6.1.4
Annex A.6 lifecycle controls (granular)	`MRF-93`…`MRF-100`	A.6.x
Annex A.7 data controls (granular)	`MRF-101`…`MRF-104`	A.7.x
Annex A.10 supplier management	`MRF-84`	A.10.3
Internal audit	`ORF-88`	9.2
Management review	`ORF-87`	9.3
Continual improvement	`ORF-85`	10

What is first-class UI vs evidence-attached

First-class — Modulos exposes the framework template ID on the project (Settings → Frameworks) and the requirement readiness signal on each ORF / MRF requirement.
Evidence-attached (no dedicated UI) — the Statement of Applicability, the AI risk-assessment method document, the AI impact-assessment artefact, internal-audit reports, management-review minutes, corrective-action records, supplier assessments. Each is owner-authored documentation stored as control-level evidence on the relevant requirement.

This is deliberate. ISO 42001 expects the organisation to own the form of its AIMS artefacts; locking them into a prescribed workflow would defeat the standard's risk-driven, context-specific intent.

IMS integration — ISO 42001 + 27001 + 27701

ISO management-system standards share the Annex SL backbone, which makes IMS integration realistic. The shared layer:

document control (Clause 7.5)
internal audit (Clause 9.2)
management review (Clause 9.3)
corrective action (Clause 10.2)
competence (Clause 7.2)

What stays standard-specific:

ISO 27001: information-security risk and Annex A (normative) information-security controls.
ISO 42001: AI policy (5.2), AI risk + impact (6.1.2 / 6.1.3 / 6.1.4), Annex A (informative) AI lifecycle and data controls.
ISO 27701: privacy risk, PII processor / controller distinctions, Annex A and B privacy controls.

Practical pattern in Modulos: add the relevant OFF templates to the same organisation project; share evidence across them where a single control satisfies multiple obligations (e.g., a single internal-audit programme that covers ISMS + AIMS).

Cross-framework mapping (preview)

ISO 42001 element	Adjacent framework
Clause 4.3 AIMS scope	EU AI Act Articles 6 + 25 system classification; ISO 27001 Clause 4.3 ISMS scope
Clause 6.1.2 AI risk assessment	EU AI Act Article 9 risk-management system; NIST AI RMF MAP / MEASURE / MANAGE
Clause 6.1.3 AI risk treatment + SoA	EU AI Act Article 9 mitigation; ISO 27001 Clause 6.1.3
Clause 6.1.4 / 8.4 AI impact assessment	EU AI Act Article 27 FRIA; NIST AI RMF MAP
Annex A.6 AI system lifecycle	EU AI Act Articles 8–15 substantive obligations
Annex A.7 Data for AI systems	EU AI Act Article 10 data governance; GDPR Articles 5, 6, 9; ISO/IEC 27701 PIMS
Annex A.8 Information for interested parties	EU AI Act Article 13 transparency; Article 50 transparency
Annex A.10 Third-party / customer relationships	EU AI Act Article 25 value chain; ISO 27001 Annex A supplier controls
Clauses 9.1 / 9.2 / 9.3 monitoring + audit + review	EU AI Act Article 72 post-market monitoring; ISO 27001 / 27701 Clauses 9
Clause 10.2 corrective action	EU AI Act Article 73 incident reporting; ISO 27001 / 27701 Clause 10.2

Common pitfalls

Copying Annex A control text into a spreadsheet and calling it an implementation. The SoA is the output of the risk-driven selection, not the input.
Treating the AI risk assessment as a one-time gap analysis. Clause 6.1.2 expects a continuous lifecycle mechanism — the risk register should change as systems, suppliers and the threat environment change.
Confusing the AI risk assessment with the AI impact assessment. 6.1.2 = organisational risk; 6.1.4 = consequences for individuals, groups, society.
Internal audit as a documentation review. Auditors expect operational sampling — control execution records, decisions, evidence — not just policy completeness.
Mixing AIMS work with product execution. The org project holds the management-system spine; per-system MFF projects hold the operational evidence. Keeping them separate keeps review queues legible.

ISO 42001 overview

Hub: AIMS structure, Annex SL backbone, certification path

Scope and certification

AIMS scope, Statement of Applicability, Stage 1 / Stage 2 / surveillance / recertification

Clauses 4–10 (implementation guide)

Annex SL backbone with AIMS-specific additions

Annex A and informative annexes

How to use the Annex A reference controls and informative Annexes B / C / D

ISO 27001 integration with AI governance

How an existing ISMS supports the AIMS

Source attribution

ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system, Clauses 4–10 + Annex A. © ISO/IEC. Available via the ISO Online Browsing Platform. Modulos framework templates OFF-7, MFF-7, OFF-10, MFF-10 in modulos_platform/content/templates/frameworks/.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

Operationalizing ISO/IEC 42001:2023 in Modulos

Quick decision

TL;DR

Recommended project structure

Set up: a sequence that works

Add OFF-7 or OFF-10 to your org project

Create one app project per AI system

Define the AIMS scope

Run AI risk + impact assessments

Record Annex A control selection

Operate, audit, review, improve

How to operationalise ISO 42001 in Modulos

What is first-class UI vs evidence-attached

IMS integration — ISO 42001 + 27001 + 27701

Cross-framework mapping (preview)

Common pitfalls

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

Operationalizing ISO/IEC 42001:2023 in Modulos ​

Quick decision ​

TL;DR ​

Recommended project structure ​

Set up: a sequence that works ​

Add OFF-7 or OFF-10 to your org project

Create one app project per AI system

Define the AIMS scope

Run AI risk + impact assessments

Record Annex A control selection

Operate, audit, review, improve

How to operationalise ISO 42001 in Modulos ​

What is first-class UI vs evidence-attached ​

IMS integration — ISO 42001 + 27001 + 27701 ​

Cross-framework mapping (preview) ​

Common pitfalls ​

Related pages ​

Source attribution ​

Operationalizing ISO/IEC 42001:2023 in Modulos

Quick decision

TL;DR

Recommended project structure

Set up: a sequence that works

How to operationalise ISO 42001 in Modulos

What is first-class UI vs evidence-attached

IMS integration — ISO 42001 + 27001 + 27701

Cross-framework mapping (preview)

Common pitfalls

Related pages

Source attribution