Statement of Applicability
1. Purpose
This Statement of Applicability (SOA) defines which ISO 42001:2023 Annex A controls are applicable to Rygen’s AI Management System (AIMS). It provides:
- A complete listing of all Annex A controls
- The applicability determination for each control (Included/Excluded)
- Implementation status for included controls
- Justification for any excluded controls
- Evidence references demonstrating control implementation
This document fulfils the requirements of ISO 42001:2023 clause 6.1.3f and serves as the formal controlled record for audit purposes.
2. Scope
This SOA covers the AIMS scope as defined in AI-003 (AIMS Scope), which includes:
- All AI systems developed and operated by Rygen
- AI systems provided to clients through Rygen’s products and services
- Third-party AI services integrated into Rygen’s offerings
3. SOA Methodology
Applicability decisions are made using a risk-based approach aligned with the AI-008 Risk Management Framework:
- Risk Assessment: Each control is evaluated against identified AI risks
- Business Context: Operational requirements and regulatory obligations are considered
- Proportionality: Control implementation is proportionate to the risk level
- Evidence Requirements: Each included control requires documented evidence of implementation
Controls may only be excluded where:
- The control addresses risks not present in Rygen’s context
- Alternative controls adequately address the underlying risk
- Regulatory requirements do not mandate the control
All exclusion decisions are documented with explicit justification and are reviewed during the annual management review per AI-012.
Note: Treatment measures that implement these controls are documented in the Risk Treatment Register (treatments.yaml) within the AIMS Governance repository and in individual risk reports. These are operational measures, not additional control objectives.
4. Annex A Controls
4.1 Policies Related to AI (A.2)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.2.2 | AI policy | Yes | Active | AI Policy document (AI-001), version-controlled in GitLab. |
| A.2.3 | Alignment with other organizational policies | Yes | Active | AI Policy document, Section 4, which explicitly maps to Security, Risk, and Compliance policies. |
| A.2.4 | Review of the AI policy | Yes | Active | AIMS Charter document defining the quarterly review schedule; GitLab history showing review approvals. |
4.2 Internal Organization (A.3)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.3.2 | AI roles and responsibilities | Yes | Active | Roles, Responsibilities, and Authorities document (AI-005) in GitLab, defining specific AIMS roles. |
| A.3.3 | Reporting of concerns | Yes | Active | Concerns are reported and tracked via multiple channels. A ‘Concern’ issue type in Jira is used for internal reporting. Client-facing concerns are tracked via Zendesk tickets, which are escalated to the AIMS owner. The AI System Impact Assessment process also serves as a formal channel for raising concerns during development. |
4.3 Resources for AI Systems (A.4)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.4.2 | Resource documentation | Yes | Active | System Design Specifications contain per-system resource sections covering personnel, technical, and infrastructure requirements; AI-005 defines AIMS-level roles and responsibilities. |
| A.4.3 | Data resources | Yes | Active | AI Data Management Process (AI-011); Data Quality Reports for systems with training data; system design specs document data handling for API-based systems. |
| A.4.4 | Tooling resources | Yes | Active | AI System Design Specifications with System Resources sections detailing AI/ML, infrastructure, and development tooling per system. |
| A.4.5 | System and computing resources | Yes | Active | System Design Specifications with infrastructure sections; GCP monitoring dashboards, alerting, and high-availability in GKE. |
| A.4.6 | Human resources | Yes | Active | System Design Specifications with human resources sections; AI role job descriptions in content/competence/; training records in Leapsome. |
4.4 Assessing Impacts of AI Systems (A.5)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.5.2 | AI system impact assessment process | Yes | Active | AI System Impact Assessment Process document (AI-009), version-controlled in GitLab. |
| A.5.3 | Documentation of AI system impact assessments | Yes | Active | Completed AI System Impact Assessment reports for each system, using the standard template. |
| A.5.4 | Assessing AI system impact on individuals or groups of individuals | Yes | Active | AI System Impact Assessment Process, Section 4.1; completed assessments with analysis of individual impacts. |
| A.5.5 | Assessing societal impacts of AI systems | Yes | Active | Risk Report R27; completed AI System Impact Assessments, Section 4.3, with analysis of environmental footprint and safety impacts for intended use and foreseeable misuse. |
4.5 AI System Life Cycle - Management Guidance (A.6.1)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.6.1.2 | Objectives for responsible development of AI system | Yes | Active | AIMS Objectives document (AI-002), defining six measurable objectives and their KPIs. |
| A.6.1.3 | Processes for responsible AI system design and development | Yes | Active | AI System Development Process document (AI-013), detailing the 7-phase lifecycle. |
4.6 AI System Life Cycle - Implementation (A.6.2)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.6.2.2 | AI system requirements and specification | Yes | Active | AI System Design Specifications created during Phase 1 of the development process. |
| A.6.2.3 | Documentation of AI system design and development | Yes | Active | Deliverables specified in the AI System Development Process, including design docs, risk assessments, and evaluation reports. |
| A.6.2.4 | AI system verification and validation | Yes | Active | Completed Evaluation Reports from Phase 4 of the development process, including UAT results and performance metrics. |
| A.6.2.5 | AI system deployment | Yes | Active | Deployment checklists, user training materials, and monitoring configurations from Phase 5 of the development process. |
| A.6.2.6 | AI system operation and monitoring | Yes | Active | Performance dashboards (GCP, Vertex AI); incident reports; AIMS Objectives KPI tracking records. |
| A.6.2.7 | AI system technical documentation | Yes | Active | Comprehensive technical documentation for each AI system, stored in GitLab as required by the development process. |
| A.6.2.8 | AI system recording of event logs | Yes | Active | System logs stored in Google Cloud Logging; DevOps runbooks defining logging requirements. |
4.7 Data for AI Systems (A.7)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.7.2 | Data for development and enhancement of AI system | Yes | Active | AI Data Management Process (AI-011); System Design Specifications with Data Management sections for API-based systems; standalone Data Quality Reports for custom model systems. |
| A.7.3 | Acquisition of data | Yes | Active | System Design Specifications document data sources, acquisition methods, and integration points per AI-011. |
| A.7.4 | Quality of data for AI systems | Yes | Active | System Design Specifications include data quality assessments for API-based systems per AI-011; standalone Data Quality Reports for custom model systems. |
| A.7.5 | Data provenance | Yes | Active | System Design Specifications document data flows, transformation pipelines, and audit trails per AI-011; pipeline code in application source repositories. |
| A.7.6 | Data preparation | Yes | Active | System Design Specifications document data transformation and preparation pipelines per AI-011; preparation code in application source repositories. |
4.8 Information for Interested Parties (A.8)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.8.2 | System documentation and information for users | Yes | Active | User guides, training materials, and in-app notifications created during the development and deployment phases. |
| A.8.3 | External reporting | Yes | Active | AI-007 Communication Policy, External Communications (Auditors/Compliance) and Communication Triggers (AI Incidents) sections. The policy establishes formal protocols for communicating AIMS documentation, audit evidence, incident reports, and compliance status to external parties including auditors, clients, and regulatory bodies. |
| A.8.4 | Communication of incidents | Yes | Active | Incident Response Plan; post-mortem reports and stakeholder communication records for past incidents. |
| A.8.5 | Information for interested parties | Yes | Active | Impact assessment communication plans within individual system impact assessments (Section 8); AI-007 Communication Policy stakeholder framework; records of communications with clients, auditors, and partners. |
4.9 Use of AI Systems (A.9)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.9.2 | Processes for responsible use of AI systems | Yes | Active | AI Policy (AI-001), Section 3; AI System Development Process document which embeds responsible use controls. |
| A.9.3 | Objectives for responsible use of AI system | Yes | Active | AIMS Objectives document (AI-002), specifically objectives for Trustworthy Delivery (explainability, human oversight). |
| A.9.4 | Intended use of the AI system | Yes | Active | Completed AI System Impact Assessments and AI System Design Specifications which document intended use. |
4.10 Third-party and Customer Relationships (A.10)
| Control ID | Control Name | Applicable | Status | Justification/Evidence |
|---|---|---|---|---|
| A.10.2 | Allocating responsibilities | Yes | Active | Supplier management procedures; contracts and service agreements with API providers (e.g., OpenAI) defining responsibilities. |
| A.10.3 | Suppliers | Yes | Active | Interested Parties analysis; records of supplier due diligence and performance reviews. |
| A.10.4 | Customers | Yes | Active | Interested Parties analysis; client requirements documented in project plans and impact assessments. |
5. Exclusions Summary
No controls are currently excluded from the scope of Rygen’s AIMS.
All 38 ISO 42001:2023 Annex A controls have been determined to be applicable based on Rygen’s risk profile, operational context, and commitment to comprehensive AI governance.
Exclusion Review History
| Date | Control | Decision | Rationale |
|---|---|---|---|
| 2026-01-13 | A.8.3 (External reporting) | Changed to Included | Previously excluded due to no regulatory reporting obligations. Re-assessed following pre-registration audit; AI-007 Communication Policy provides adequate implementation evidence for external reporting to auditors, clients, and compliance stakeholders. |
6. Summary Statistics
| Category | Count |
|---|---|
| Total Annex A Controls | 38 |
| Included Controls | 38 |
| Excluded Controls | 0 |
| Active Controls | 38 |
| Planned Controls | 0 |
7. Referenced Documents
- AI-001: AI Policy
- AI-002: AIMS Objectives
- AI-003: AIMS Scope
- AI-005: Roles, Responsibilities, and Authorities
- AI-007: Communication Policy
- AI-008: Risk Management Framework
- AI-009: AI System Impact Assessment Process
- AI-011: AI Data Management Procedure
- AI-013: AI System Development Lifecycle
8. Revision History
| Version | Date | Author | Summary of Change |
|---|---|---|---|
| 1.0 | 2026-01-13 | Field Bradley | Initial controlled document created following pre-registration audit findings. Control A.8.3 included with AI-007 as evidence. |
| 1.1 | 2026-01-13 | Field Bradley | Updated A.5.5 evidence to reflect safety impact assessment per ISO 42001 clauses 6.1.4 and A.5.5. |
| 1.2 | 2026-02-04 | Field Bradley | Added clarifying note in Section 3 about Risk Treatment Register relationship to SoA controls (AI-1216) |
| 1.3 | 2026-02-17 | Field Bradley | Updated evidence statements for A.2.3, A.4.2–A.4.6, A.7.2–A.7.6, and A.10.2 to reflect actual implementation evidence (design spec sections, AI-011 v1.2 applicability by system type) |