ai · security · skills

Self-assessed · sample · ISO/IEC 42001:2023

Initech: ISO/IEC 42001 readiness from one AICM run

Assess on CSA AICM once. Report ISO/IEC 42001 as a lens: the same answers, CSA’s authoritative crosswalk, a board-facing climb list. Compare with the ISMS (27001) and privacy (27701) reads from the same run.

Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s AICM→ISO/IEC 42001 crosswalk. Readiness for conversation and planning, not an ISO certification, audit opinion, or measured result.

Executive summary

Initech: 17 controls map to ISO/IEC 42001 but are absent in the function attestation. Close those first for this lens. Self-assessed, not certification.

Controls in this slice

26

Priority (mapped, absent)

17

Attested implemented

1

CSA matrix mapped

247

Full CSA sheet: 145 no gap · 97 partial · 5 full gap across 18 domains. This sample is a function slice, not the whole matrix.

Control register

Each row is one AICM control from the GRA diagnostic, with CSA’s ISO/IEC 42001 gap and clause refs, plus Initech’s illustrative posture.

AICMTitleGapClause refsPostureBoard line
GRC-01Governance Program Policy and ProceduresNo Gap42001: B.2.2 (AI policy) 42001; B.2.4 (Review of the AI policy) · 42001: A.2.2 (AI policy) · 42001: A.2.4 (Review of the AI policy) · 42001: 5.2 (Assessing impacts of AI systems)ImplementedSelf-attested in place; CSA maps to ISO/IEC 42001.
GRC-02Risk Management ProgramNo Gap42001: B.5.2 (AI system impact assessment process) 42001 A.5.3 (Documentation of AI system impact assessments) 42001 A.5.4 (Assessing AI system impact on individuals or groups of individuals) 42001 B.5.3 (Documentation of AI system impact assessments) 42001 B.5.4 (Assessing AI system impact on individuals or groups of individuals)PartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
GRC-03PriorityOrganizational Policy ReviewsNo Gap42001: A.2.4 (Review of the AI policy) · 42001: B.2.4 (Review of the AI policy) · 42001: 7.5.2 (Creating and updating documented information)AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
HRS-15AI Acceptable UseNo Gap42001: 5.3 Roles responsibilities and authorities · 42001: 7.3 Awareness · 42001: A.3.2 AI Roles and responsibilities · 42001: A.9.2 Processes for responsible use of AI systems · 42001: A.9.3 Objectives for responsible use of AI systemsPartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
GRC-15PriorityHuman supervisionNo Gap42001: B.5.1 AI system risk assessment and treatment · 42001: B.5.3 (Documentation of AI system impact assessments) · 42001: B.6.1.3 (Processes for responsible design and development of AI systems) · 42001: B.5.3 Documentation of AI system impact assessments · 42001: B.6.1.4 Accountability and human oversight mechanisms · 42001: B.6.2.1 Technical robustness and security · 42001: B.7.1.1 Monitoring and review of AI system behavior · 42001: B.7.1.2 Incident management for AI systems · 42001: B.8.2.1 Compliance with legal and regulatory requirementsAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
AIS-01Application and Interface Security Policy and ProceduresPartial Gap42001: B.6.1.3 · 42001: A.6.2.1 · 42001: Clause A.6PartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
AIS-04PrioritySecure Application Development LifecyclePartial Gap42001: B.6.1.3 · 42001: B.6.2.3 · 42001: A.6.2.4 · 42001: A.6.2.5 · 42001: A.6.2.6AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
AIS-07PriorityApplication Vulnerability RemediationPartial Gap42001: B.6.2.4 · 42001: A.6.2.6 · 42001: A.8.4AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
TVM-01Threat and Vulnerability Management Policy and ProceduresNo Gapn/aPartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
TVM-03PriorityVulnerability IdentificationNo Gap42001: 6.1.2 AI risk assessment · 42001: 8.1 Operational planning and control · 42001: 9.1 Monitoring measure.AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
TVM-08PriorityVulnerability Remediation ScheduleNo Gapn/aAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
A&A-01Audit and Assurance Policy and ProceduresNo Gap42001: 9.2.1 General - Internal audit · 42001: 9.2.2 Internal audit program · 42001: 9.3 Management Review · 42001: A.2.2 AI policy · 42001: A.2.3 Alignment with other organizational policies · 42001: A.2.4 Review of the AI policyPartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
A&A-02PriorityIndependent AssessmentsNo Gap42001: 9.2.1 General - Internal audit · 42001: 9.2.2 Internal audit programAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
A&A-05PriorityAudit Management ProcessNo Gap42001: 9.2.1 General · 42001: 9.2.2 Internal Audit Programme · 42001: 10.1 Non-Conformity and Corrective Action · 42001: 10.2 Continual ImprovementAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
A&A-06PriorityRemediationNo Gap42001: 9.2.1 General · 42001: 9.2.2 Internal audit programme · 42001: 9.3.2 Management Review Inputs · 42001: 9.3.3 Management Review Results · 42001: 10.2: Non-conformity and Corrective actionAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
STA-01Supply Chain Risk Management Policies and ProceduresNo Gap42001: D.2 - Integration of AI management system with other management system standards · 42001: B.10.3 - SuppliersPartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
STA-08Supply Chain InventoryNo Gap42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 SuppliersPartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
STA-10PrioritySupply Chain Risk ManagementNo Gap42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 SuppliersAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
STA-13PrioritySupply Chain Compliance AssessmentNo Gap42001: A.2.3 Alignment with other organizational policies · 42001: A.10.3 SuppliersAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
BCR-01PriorityBusiness Continuity Management Policy and ProceduresNo Gap42001: A.2.2 · 42001: A.2.3 · 42001: A.2.4AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
BCR-02PriorityRisk Assessment and Impact AnalysisPartial Gap42001: All A.10 (to ensure feedback of stakeholders on risks) · 42001: A.2.2 AI policy · 42001: A.2.3 Alignment with other organizational policies · 42001: A.2.4 Review of the AI policy · 42001: 5.1 Leadership and commitment · 42001: 7.1 Resources · 42001: 8.2 AI risk assessmentAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
BCR-08BackupNo Gap42001: A.4.3 (Data resources)PartialPartially attested; close the practice gap before treating the ISO/IEC 42001 mapping as ready.
BCR-06PriorityBusiness Continuity ExercisesPartial Gapn/aAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
IPY-01PriorityInteroperability and Portability Policy and ProceduresNo Gap42001: B.8.2AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
IPY-03PrioritySecure Interoperability and Portability ManagementPartial Gap42001: Annex A · 42001: A.7 · 42001: B.7.3AbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.
IPY-04PriorityData Portability Contractual ObligationsPartial Gap42001: A.10.2 - Allocating responsibilities · 42001: B.10.2 - Allocating responsibilities · 42001: A.10.4 - customers · 42001: B.10.4 - customersAbsentCSA maps to ISO/IEC 42001, but practice is not attested. Priority for this lens.