GRCWatch
Sign inStart free trial

ISO 42001 A.5.4: Documentation of AI Risk Assessments

ISO 42001 A.5.4 requires organizations to document and retain comprehensive AI risk assessments, including identified risks, analysis, evaluation, and treatment decisions. As AI systems evolve and their context changes, this documentation must be maintained and updated—a critical foundation for demonstrating AI governance maturity to auditors and stakeholders.

What this means

Organizations must create and maintain documented records of all AI risk assessment activities. This includes: identifying potential risks in AI systems, analyzing their likelihood and impact, evaluating their significance to the organization, and documenting decisions about how those risks will be treated (mitigated, accepted, transferred, or avoided). When an AI system is modified or its operational context changes—such as expanded data sources, new use cases, or updated regulatory requirements—the assessment documentation must be revised to reflect current risk posture.

How to comply

  1. 1.Establish an AI risk assessment methodology that aligns with ISO 42001 requirements and your organization's risk appetite
  2. 2.Conduct structured risk assessments for each AI system, documenting identified risks with clear descriptions and context
  3. 3.Document the analysis phase: assess likelihood and potential impact of each identified risk using a consistent framework
  4. 4.Record evaluation results and risk prioritization decisions with supporting rationale
  5. 5.Document all risk treatment decisions—including mitigation actions, acceptance justifications, or transfer arrangements—with ownership and timelines
  6. 6.Create a version control process to track assessment updates when systems or contexts change
  7. 7.Implement a repository or management system to organize, store, and retrieve assessment documentation efficiently
  8. 8.Establish a periodic review schedule to validate assessment accuracy and update documentation as needed
  9. 9.Ensure clear audit trails showing who conducted assessments, when, and what changes were made over time

Evidence auditors look for

  • Completed AI risk assessment templates or forms with identified risks listed and ranked by severity
  • Risk analysis worksheets showing likelihood ratings, impact assessments, and calculated risk scores
  • Risk treatment plans documenting decisions (mitigate/accept/transfer/avoid) with assigned owners and target dates
  • Assessment update logs showing changes triggered by system modifications, new data inputs, or regulatory updates
  • Signed or approved assessment documents with evidence of stakeholder review and sign-off
  • Version history records demonstrating updates to assessments over time with timestamps and change summaries
  • Risk register or central inventory linking AI systems to their corresponding assessments
  • Audit reports or compliance reviews confirming assessment documentation is complete and current

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the creation, versioning, and maintenance of AI risk assessment documentation, ensuring assessments are updated in real-time when system changes occur and keeping audit-ready records always current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 42001 A.5.3 — Risk Assessment ProcessISO 42001 A.5.5 — Risk Treatment OptionsISO 42001 A.5.6 — Information Security Risk AssessmentISO 42001 A.4 — Risk Management