Statement of Applicability according to section 6.1.3 of ISO/IEC 42001:2023

MD, AI and Cybersecurity

Statement of Applicability according to ISO/IEC 42001:2023

Section 6.1.3 (AI risk treatment) of ISO/IEC 42001:2023 requires that, taking the risk assessment results into account, the organization define an AI risk treatment process and produce a Statement of Applicability that contains the necessary controls, together with the justification for including and excluding controls. Justification for exclusion can include cases where the controls are not deemed necessary by the risk assessment and where they are not required by (or are subject to exceptions under) applicable external requirements. The controls determined from the risk assessment are also to be compared with those in Annex A to verify that no necessary control has been overlooked; Annex A is a reference list, not an exhaustive one, so controls from other sources can be included as well.

NOTE: The organization can provide documented justifications for excluding any control objectives in general or for specific AI systems, whether those listed in Annex A or established by the organization itself.

Risks according to the AI Act

As a medical device manufacturer, you should also consider the AI Act. Under its Article 6(1), an AI system that is a safety component of a product covered by the Union harmonisation legislation listed in Annex I (which includes the MDR and the IVDR), or that is itself such a product, and that is subject to third-party conformity assessment under that legislation, is classified as high-risk. The risk management obligations of Article 9 therefore apply.

Article 9 of the AI Act: Risk management system

Here are some extracts:

1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.

2. The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating.

5. High-risk AI systems shall be tested for the purposes of identifying the most appropriate and targeted risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter.

9. For providers of high-risk AI systems that are subject to requirements regarding internal risk management processes under relevant sectorial Union law, the aspects described in paragraphs 1 to 8 may be part of or combined with the risk management procedures established pursuant to that law.

Note that the paragraph numbers above follow a draft of the regulation. In the adopted text, Regulation (EU) 2024/1689, the testing requirement is Article 9(6) and the provision on combining with sectoral risk management is Article 9(10), which refers to paragraphs 1 to 9 and to the requirements of Section 2 of Chapter III. Article 9(8) additionally requires testing to be carried out against prior defined metrics and probabilistic thresholds appropriate to the intended purpose, which gives a concrete acceptance criterion to record in the risk file.

Your risk management system

Taken together, ISO/IEC 42001:2023 and the AI Act make a structured AI risk management framework more than a recommendation for a medical device manufacturer: the AI Act imposes it as a legal obligation for high-risk AI systems, and ISO/IEC 42001:2023 provides a certifiable management-system structure for meeting it. Both require an iterative approach to risk management that evolves with the AI system it governs.

The Statement of Applicability required by ISO/IEC 42001:2023 is pivotal in this context. It is a living document that records which controls are necessary and which are not, based on the risk assessment, and it should be revised whenever the risk assessment changes, for instance after a model update, a change of intended purpose or new post-market monitoring data. The AI Act's demand for a continuous, iterative risk management process reflects the same point: the risks of an AI system change over its lifecycle, so the documentation that controls them must be kept current.

Article 9(10) of the adopted text (paragraph 9 in the draft quoted above) lets a provider fold the AI Act risk management requirements into the risk management procedures already required by sectoral law. For a medical device this means the ISO 14971 risk management process that the MDR and IVDR expect, so a single risk file can serve both regimes, provided the AI-specific aspects are covered and traceable to the Article 9 requirements. Together, these requirements give a framework for managing AI risks, ensuring that high-risk AI systems are not only compliant but also safe and reliable throughout their lifecycle.

Our free Statement of Applicability template is a practical response to these requirements. Designed with ISO/IEC 42001:2023 and the AI Act in mind, it gives a structured way to document the necessary controls and the justification for each inclusion and exclusion, so that the documentation effort goes into the decisions rather than the format. It is a starting point, not a finished compliance file: the controls and justifications must come from your own risk assessment.

The regulatory landscape for AI is demanding, and with ISO/IEC 42001:2023 and the AI Act both setting requirements for risk management, organizations need a methodical, structured approach. As AI evolves, so will the risks and the rules that govern them; tools and practices that support ongoing compliance and risk management keep AI systems safe and effective and turn compliance work into a source of improvement rather than a one-off exercise.

