ISO/IEC 42001:2023 — Extended Clauses 5, 6, 7
This mapping extends the Clause 8 baseline with the leadership, planning, support, and documentation clauses that complete the ISO/IEC 42001 AI Management System requirements. Ledgix evidences each clause via policy snapshots, human-principal attributions, the framework mapping document, and signed training-data lineage records.
Status: Full — every control resolves to an artifact Ledgix produces today, now that the Phase 9 training-data lineage work has shipped.
Scope
Clauses 5, 6, and 7 address leadership and commitment, the AI policy, roles and responsibilities, planning of actions to address risks and opportunities, risk treatment, competence, communication, documented information, and data quality/provenance. Ledgix's policy lifecycle, per-decision accountability metadata, and the signed evidence pack satisfy each clause.
Controls covered
| Control | Evidence type | Clause | How Ledgix evidences it |
|---|---|---|---|
| ISO42001-5.1 | policy_snapshots | Leadership and Commitment | Signed and versioned policies demonstrate documented top-management commitment. |
| ISO42001-5.2 | policy_snapshots | AI Policy | AI policy versions preserved with content hashes. |
| ISO42001-5.3 | events_jsonl | Roles, Responsibilities, and Authorities | Per-action accountable-actor identification (agent_id, human_principal). |
| ISO42001-6.1.1 | policy_snapshots / events_jsonl | Actions to Address Risks and Opportunities — General | Risk-driven policy rules as planned actions; denial decisions instantiate the planned response. |
| ISO42001-6.1.3 | policy_snapshots | AI Risk Treatment | Policy-encoded risk treatments; structured impact assessments available for deeper coverage. |
| ISO42001-7.2 | events_jsonl | Competence | Human-principal attributions across HITL decisions support competence records. |
| ISO42001-7.4 | framework_mapping / signatures | Communication | Exportable, human-readable mapping plus signed evidence pack supports external communication. |
| ISO42001-7.5 | policy_snapshots / framework_mapping / checkpoint_chain | Documented Information | Versioned policies, the framework mapping, and the operational log constitute documented information. |
| ISO42001-7.6 | training_data_lineage / dataset_sheets / model_cards | Data Quality and Provenance for AI Systems | Signed lineage records, dataset sheets, and model cards covering every model reference. |
Evidence types referenced
- policy_snapshots — signed and versioned AI policies.
- events_jsonl — per-action accountable-actor identification.
- framework_mapping — human-readable control-to-evidence map.
- signatures — signed evidence pack supporting authenticated communication.
- checkpoint_chain — operational log as documented information.
- training_data_lineage — signed lineage per model_ref disclosing source, consent basis, retention, quality checks.
- dataset_sheets — dataset composition, sampling, and known limitations.
- model_cards — model cards cross-referencing lineage declarations.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Clause 6.1.3 risk-treatment coverage is richer for tenants that have authored structured impact assessments from the Phase 4 module.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting ISO/IEC 42001:2023 — Extended Clauses 5, 6, 7 and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
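One way to check an exported pack before it goes to an auditor is to confirm that every locator actually resolves. The script below is an added example, not Ledgix code: it opens the ZIP, reads framework_mapping.json and reports each control whose evidence_locators[] entries are missing from the archive. The JSON shape (a controls list carrying control_id and evidence_locators) and all file names are assumptions, since this page does not document them.

```python
"""Verify that every evidence locator in an exported audit pack resolves to a file in the ZIP."""
import io
import json
import zipfile

# Assumed shape of framework_mapping.json (not documented on this page):
# {"controls": [{"control_id": "ISO42001-5.2", "evidence_locators": ["path/in/zip", ...]}, ...]}


def check_audit_pack(zip_bytes: bytes) -> dict:
    """Return {control_id: [unresolved locators]} for every control with missing evidence.

    A control with an empty evidence_locators[] is reported too, since it has no artifact at all.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = set(zf.namelist())
        mapping = json.loads(zf.read("framework_mapping.json"))
    gaps = {}
    for control in mapping["controls"]:
        locators = control.get("evidence_locators", [])
        missing = [loc for loc in locators if loc not in members]
        if not locators:
            gaps[control["control_id"]] = ["<no evidence_locators>"]
        elif missing:
            gaps[control["control_id"]] = missing
    return gaps


def build_sample_pack() -> bytes:
    """Constructed sample export: one locator deliberately points at a file absent from the ZIP."""
    mapping = {
        "framework": "ISO/IEC 42001:2023 - Extended Clauses 5, 6, 7",
        "controls": [
            {"control_id": "ISO42001-5.2", "evidence_locators": ["policy_snapshots/ai-policy-v3.json"]},
            {"control_id": "ISO42001-7.6", "evidence_locators": [
                "training_data_lineage/model-ref-1.json", "model_cards/model-ref-1.md"]},
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("framework_mapping.json", json.dumps(mapping))
        zf.writestr("policy_snapshots/ai-policy-v3.json", "{}")
        zf.writestr("training_data_lineage/model-ref-1.json", "{}")
        # model_cards/model-ref-1.md is intentionally omitted to show a dangling locator
    return buf.getvalue()


if __name__ == "__main__":
    print(check_audit_pack(build_sample_pack()))  # {'ISO42001-7.6': ['model_cards/model-ref-1.md']}
```

An empty result means every control in the mapping is backed by a file in the pack; a non-empty one should block the export from being sent out.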
References
- Framework mapping JSON: vault/internal/compliance/frameworks/iso_42001_extended.json
- Canonical source: ISO/IEC 42001:2023 — iso.org