Self-assessed · sample · ISO/IEC 42001:2023
Initech: ISO/IEC 42001 readiness from one AICM run
Assess on CSA AICM once. Report ISO/IEC 42001 as a lens: the same answers, CSA’s authoritative crosswalk, a board-facing climb list. Compare with the ISMS (27001) and privacy (27701) reads from the same run.
Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s AICM→ISO/IEC 42001 crosswalk. Readiness for conversation and planning, not an ISO certification, audit opinion, or measured result.
Executive summary
Initech: 17 controls map to ISO/IEC 42001 but are absent in the function attestation. Close those first for this lens. Self-assessed, not certification.
Controls in this slice
26
Priority (mapped, absent)
17
Attested implemented
1
CSA matrix mapped
247
Full CSA sheet: 145 no gap · 97 partial · 5 full gap across 18 domains. This sample is a function slice, not the whole matrix.
Control register
Each row is one AICM control from the GRA diagnostic, with CSA’s ISO/IEC 42001 gap and clause refs, plus Initech’s illustrative posture.
| AICM | Title | Gap | Clause refs | Posture | Board line |
|---|---|---|---|---|---|
| GRC-01 | Governance Program Policy and Procedures | No Gap | 42001: B.2.2 (AI policy) 42001; B.2.4 (Review of the AI policy) · 42001: A.2.2 (AI policy) · 42001: A.2.4 (Review of the AI policy) · 42001: 5.2 (Assessing impacts of AI systems) | Implemented | Self-attested in place; CSA maps to ISO/IEC 42001. |
| GRC-02 | Risk Management Program | No Gap | 42001: B.5.2 (AI system impact assessment process) 42001 A.5.3 (Documentation of AI system impact assessments) 42001 A.5.4 (Assessing AI system impact on individuals or groups of individuals) 42001 B.5.3 (Documentation of AI system impact assessments) 42001 B.5.4 (Assessing AI system impact on individuals or groups of individuals) | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| GRC-03Priority | Organizational Policy Reviews | No Gap | 42001: A.2.4 (Review of the AI policy) · 42001: B.2.4 (Review of the AI policy) · 42001: 7.5.2 (Creating and updating documented information) | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| HRS-15 | AI Acceptable Use | No Gap | 42001: 5.3 Roles responsibilities and authorities · 42001: 7.3 Awareness · 42001: A.3.2 AI Roles and responsibilities · 42001: A.9.2 Processes for responsible use of AI systems · 42001: A.9.3 Objectives for responsible use of AI systems | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| GRC-15Priority | Human supervision | No Gap | 42001: B.5.1 AI system risk assessment and treatment · 42001: B.5.3 (Documentation of AI system impact assessments) · 42001: B.6.1.3 (Processes for responsible design and development of AI systems) · 42001: B.5.3 Documentation of AI system impact assessments · 42001: B.6.1.4 Accountability and human oversight mechanisms · 42001: B.6.2.1 Technical robustness and security · 42001: B.7.1.1 Monitoring and review of AI system behavior · 42001: B.7.1.2 Incident management for AI systems · 42001: B.8.2.1 Compliance with legal and regulatory requirements | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| AIS-01 | Application and Interface Security Policy and Procedures | Partial Gap | 42001: B.6.1.3 · 42001: A.6.2.1 · 42001: Clause A.6 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| AIS-04Priority | Secure Application Development Lifecycle | Partial Gap | 42001: B.6.1.3 · 42001: B.6.2.3 · 42001: A.6.2.4 · 42001: A.6.2.5 · 42001: A.6.2.6 | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| AIS-07Priority | Application Vulnerability Remediation | Partial Gap | 42001: B.6.2.4 · 42001: A.6.2.6 · 42001: A.8.4 | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| TVM-01 | Threat and Vulnerability Management Policy and Procedures | No Gap | n/a | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| TVM-03Priority | Vulnerability Identification | No Gap | 42001: 6.1.2 AI risk assessment · 42001: 8.1 Operational planning and control · 42001: 9.1 Monitoring measure. | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| TVM-08Priority | Vulnerability Remediation Schedule | No Gap | n/a | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| A&A-01 | Audit and Assurance Policy and Procedures | No Gap | 42001: 9.2.1 General - Internal audit · 42001: 9.2.2 Internal audit program · 42001: 9.3 Management Review · 42001: A.2.2 AI policy · 42001: A.2.3 Alignment with other organizational policies · 42001: A.2.4 Review of the AI policy | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| A&A-02Priority | Independent Assessments | No Gap | 42001: 9.2.1 General - Internal audit · 42001: 9.2.2 Internal audit program | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| A&A-05Priority | Audit Management Process | No Gap | 42001: 9.2.1 General · 42001: 9.2.2 Internal Audit Programme · 42001: 10.1 Non-Conformity and Corrective Action · 42001: 10.2 Continual Improvement | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| A&A-06Priority | Remediation | No Gap | 42001: 9.2.1 General · 42001: 9.2.2 Internal audit programme · 42001: 9.3.2 Management Review Inputs · 42001: 9.3.3 Management Review Results · 42001: 10.2: Non-conformity and Corrective action | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| STA-01 | Supply Chain Risk Management Policies and Procedures | No Gap | 42001: D.2 - Integration of AI management system with other management system standards · 42001: B.10.3 - Suppliers | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| STA-08 | Supply Chain Inventory | No Gap | 42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 Suppliers | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| STA-10Priority | Supply Chain Risk Management | No Gap | 42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 Suppliers | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| STA-13Priority | Supply Chain Compliance Assessment | No Gap | 42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 Suppliers | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| BCR-01Priority | Business Continuity Management Policy and Procedures | No Gap | 42001: A.2.2 · 42001: A.2.3 · 42001: A.2.4 | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| BCR-02Priority | Risk Assessment and Impact Analysis | Partial Gap | 42001: All A.10 (to ensure feedback of stakeholders on risks) · 42001: A.2.2 AI policy · 42001: A.2.3 Alignment with other organizational policies · 42001: A.2.4 Review of the AI policy · 42001: 5.1 Leadership and commitment · 42001: 7.1 Resources · 42001: 8.2 AI risk assessment | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| BCR-08 | Backup | No Gap | 42001: A.4.3 (Data resources) | Partial | Partially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready. |
| BCR-06Priority | Business Continuity Exercises | Partial Gap | n/a | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| IPY-01Priority | Interoperability and Portability Policy and Procedures | No Gap | 42001: B.8.2 | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| IPY-03Priority | Secure Interoperability and Portability Management | Partial Gap | 42001: Annex A · 42001: A.7 · 42001: B.7.3 | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |
| IPY-04Priority | Data Portability Contractual Obligations | Partial Gap | 42001: A.10.2 - Allocating responsibilities · 42001: B.10.2 - Allocating responsibilities · 42001: A.10.4 - customers · 42001: B.10.4 - customers | Absent | CSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens. |