ISO 42001 LI / Free Practice

ISO 42001 Lead Implementer Free Practice Questions.

Ten free questions from the ISO 42001 Lead Implementer bank, each tagged with the trap pattern it tests. Reveal the answer to see the cited clause and a plain-English rationale.

No card needed to read the answers below. Trial only required to access the full adaptive bank.

Q01 T-01 Annex A treated as mandatory

ISO/IEC 42001:2023 Annex A is labelled normative. An auditor reviewing the SoA finds the implementer has selected 23 of the listed Annex A controls. Per the standard, this is:

  1. A. A nonconformity - 'normative' means all listed controls must be implemented in conformant AIMSes
  2. B. A nonconformity - the standard requires at least 30 of the Annex A controls to be in scope
  3. C. Acceptable only if the certification body has approved the selection
  4. D. Acceptable - Annex A is a reference list; selection is driven by the AI risk and impact assessments under Clause 6.1.3, with exclusions justified in the SoA
Show my answer

Correct answer: D

ISO/IEC 42001:2023 Annex A is normative as a reference list, meaning the controls listed are the canonical set the organisation considers - not the set it must implement universally. Clause 6.1.3 drives selection from Annex A based on risk and impact assessment outcomes, with exclusions justified in the SoA. Option B is the textbook T-01 trap: 'normative' misread as 'mandatory in entirety'. Option C invents a quorum. Option D invents an approval gate the standard does not assign to the certification body.

ISO/IEC 42001:2023, Clause 6.1.3 (with Annex A)

Q02 T-02 Software lifecycle vs AIMS lifecycle

An implementer is mapping the organisation's MLOps practices onto the ISO/IEC 42001 AIMS. The MLOps team operates in two-week sprints with continuous deployment. Per the standard, the implementer should:

  1. A. Map MLOps activities onto the AIMS AI lifecycle phases (design, development, deployment, operation); the sprint cadence is an internal practice, not an AIMS lifecycle phase
  2. B. Adopt the two-week sprint as the formal AIMS lifecycle cycle, since 42001 inherits whatever delivery cadence the implementing team uses
  3. C. Document MLOps separately from the AIMS - they are not compatible
  4. D. Replace MLOps with a waterfall AI lifecycle to align with the standard
Show my answer

Correct answer: A

ISO/IEC 42001:2023 with ISO/IEC 23894:2023 guidance frames the AIMS AI lifecycle as design, development, deployment, and operation - a governance framework, not a delivery cadence. MLOps and sprint cycles are internal delivery practices that operate within those phases. Option A maps the team's practices onto the standard's phases. Option B is the T-02 trap: confusing delivery cadence with the AIMS lifecycle. Option C wrongly forces a waterfall model. Option D severs MLOps from governance, which is precisely what 42001 prevents.

ISO/IEC 42001:2023 with ISO/IEC 23894:2023 (AI lifecycle guidance)

Q03 T-03 AI ethics policy vs AI management policy

An organisation has two policy documents: an 'AI Ethics Policy' (board-approved, sets the organisation's ethical principles for AI use) and an 'AI Management Policy' (top-management-approved, operationalises Clause 5.2). Per ISO/IEC 42001:2023, the auditor should treat these as:

  1. A. Distinct documents with different scope, signatories, and review cadence; verify both are governed and that the Clause 5.2 AI policy commitments are explicitly addressed in at least one
  2. B. Only the AI Ethics Policy matters for audit, since 42001 inherits ethics framing from ISO/IEC 23894
  3. C. The same document with two titles; raise a finding if both exist
  4. D. Only the AI Management Policy matters; ethics policies are out of audit scope
Show my answer

Correct answer: A

ISO/IEC 42001:2023 Clause 5.2 requires the organisation to establish an AI policy at the management-system level (top-management-approved, addressing the AIMS commitments). Many organisations also publish AI ethics principles - these are distinct artefacts, with different scope and signatory. Option A keeps them distinct, which is correct. Option B collapses them - the T-03 trap. Option C bypasses the Clause 5.2 obligation. Option D removes the ethics document from scope when it sits within the AIMS.

ISO/IEC 42001:2023, Clause 5.2

Q04 T-01 Annex A treated as mandatory

An organisation has excluded three Annex A controls from its 42001 implementation because they are not relevant to the AI systems in scope. Per the standard, the exclusions:

  1. A. Are not permitted - Annex A is normative, so all listed controls must be included
  2. B. Must be approved by the certification body in advance
  3. C. Are only permitted for AI systems with no consumer-facing outputs
  4. D. Must be justified in the SoA with reasons referencing the risk and impact assessment outcomes
Show my answer

Correct answer: D

Annex A is a normative reference list, not a blanket-mandatory set. Clause 6.1.3 d) requires the SoA to justify both inclusions AND exclusions of Annex A controls, with reasons tied to the risk and impact outcomes. Option A captures this. Option B is the T-01 trap: 'normative' misread as 'all controls mandatory'. Option C invents a certification-body approval gate. Option D introduces a consumer-output carve-out the standard does not contain.

ISO/IEC 42001:2023, Clause 6.1.3 d)

Q05 T-02 Software lifecycle vs AIMS lifecycle

An implementer is placing a specific activity into a lifecycle phase. The activity is 'monitoring of model performance against agreed thresholds, with retraining triggered when thresholds are breached'. Per ISO/IEC 42001:2023 (with ISO/IEC 23894:2023 guidance), this activity belongs to the:

  1. A. Deployment phase - monitoring is a deployment-time concern
  2. B. Operation phase - the AI system is deployed and monitored against operational criteria
  3. C. Design phase - thresholds are set in the design specification
  4. D. Development phase - retraining is part of model development
Show my answer

Correct answer: B

ISO/IEC 42001:2023 with ISO/IEC 23894:2023 guidance frames operation as the phase covering deployed-system monitoring, performance evaluation, and the trigger logic for further action. Retraining triggered by performance breach is an operational control loop. Option B is the T-02 trap: placing an operational monitoring activity into development because retraining 'feels like' a development task. Option C misplaces threshold-evaluation into design (where thresholds are set, but not where they are evaluated in production). Option D treats deployment as a phase that includes ongoing monitoring, conflating deployment-the-event with operation-the-phase.

ISO/IEC 42001:2023 with ISO/IEC 23894:2023

Q06 T-03 AI ethics policy vs AI management policy

Per ISO/IEC 42001:2023 Clause 5.2, the AI policy shall:

  1. A. Be appropriate to the organisation's purpose, provide a framework for AI objectives, include a commitment to satisfy applicable requirements, and include a commitment to continual improvement of the AIMS
  2. B. Whatever the organisation chooses - Clause 5.2 leaves AI policy content to the organisation's discretion
  3. C. Define the organisation's ethical principles for AI use, including fairness, accountability, transparency, and explainability
  4. D. Both - the AI policy must combine management-system commitments and ethical principles in a single document
Show my answer

Correct answer: A

Clause 5.2 lists specific content requirements for the AI policy (alignment to organisational purpose, framework for AI objectives, commitment to applicable requirements, continual improvement). Option A captures these. Option B describes ethical principles, which may sit in a separate AI Ethics document with different scope - the T-03 trap. Option C forces a combined document, which is not what the standard requires. Option D under-specifies the standard's actual requirements.

ISO/IEC 42001:2023, Clause 5.2

Q07 T-01 Annex A treated as mandatory

An implementer is reviewing the structure of ISO/IEC 42001:2023. Which statement correctly describes Annex A and Annex B?

  1. A. Annex A is normative; Annex B is normative, and B items must appear in the SoA with the same inclusion/exclusion justification as Annex A
  2. B. Annex A is normative (reference controls); Annex B is normative implementation guidance, and Clause B.1 specifies that B items do not require SoA justification
  3. C. Both Annex A and Annex B are informative; the SoA covers only Clause 6 selections
  4. D. Annex A is normative; Annex B is informative implementation guidance
Show my answer

Correct answer: B

ISO/IEC 42001:2023 labels both Annex A and Annex B as normative. Annex A is the reference control catalogue (selection driven by risk and impact). Annex B is implementation guidance; Clause B.1 specifies that B items do not need SoA justification because they are guidance, not selectable controls. Option B is the common error - mislabelling B as informative because B.1 waives SoA justification (the waiver is a property of B.1's content, not a status change on Annex B). Option C wrongly demotes both. Option D wrongly extends SoA justification to B items.

ISO/IEC 42001:2023, Annexes A and B (with Clause B.1)

Q08 T-02 Software lifecycle vs AIMS lifecycle

An implementer is documenting how the organisation handles training-data collection. Per ISO/IEC 23894:2023 lifecycle guidance referenced by ISO/IEC 42001:2023, training-data collection belongs primarily to the:

  1. A. Deployment phase - data is loaded when the system is deployed
  2. B. Operation phase - data is collected continuously during system use
  3. C. Design phase - data sources are specified in the design
  4. D. Development phase - data collection is part of building the AI system
Show my answer

Correct answer: D

ISO/IEC 23894:2023 AI lifecycle guidance, referenced by ISO/IEC 42001:2023, places training-data collection in the development phase - the phase where the model and its training corpus are built. Option B confuses inference-time data flow with training-data collection. Option C confuses specifying data sources (a design activity) with collecting them (a development activity). Option D conflates loading-into-production with collection. The T-02 trap is candidates mapping AI lifecycle phases onto whatever delivery-pipeline phase happens to touch the data at a given moment, rather than to the governance lifecycle the standard defines.

ISO/IEC 42001:2023 with ISO/IEC 23894:2023

Q09 T-03 AI ethics policy vs AI management policy

An organisation has both an AI Policy (top-management-approved, Clause 5.2) and an AI Ethics Policy (board-approved, sets the organisation's ethical commitments). The AI Policy commits the AIMS to operate in accordance with the AI Ethics Policy. Per ISO/IEC 42001:2023, this arrangement is:

  1. A. Out of scope - the AI Ethics Policy is voluntary and the auditor should ignore it
  2. B. Non-conformant - the AI Ethics Policy must be top-management-approved, not board-approved
  3. C. Non-conformant - 42001 requires a single AI Policy, so the Ethics Policy should be merged into it
  4. D. Acceptable - the two documents are distinct and the cross-reference makes the relationship explicit; the auditor should verify both are governed
Show my answer

Correct answer: D

Clause 5.2 requires the organisation to establish an AI policy at the management-system level. The standard does not prevent the organisation from having additional policies (such as a board-approved Ethics Policy) - it requires the AIMS policy to exist and to meet the Clause 5.2 content requirements. A cross-reference where the AI Policy commits the AIMS to operate in accordance with the Ethics Policy is good governance. Option B is the T-03 trap: collapsing two distinct documents because both contain 'AI'. Option C invents an approval-level rule. Option D removes a referenced document from audit scope.

ISO/IEC 42001:2023, Clause 5.2

Q10 T-01 Annex A treated as mandatory

An implementer has selected an Annex A control into the SoA but has not yet implemented it. The auditor sees this during a Stage 2 audit. Per ISO/IEC 42001:2023, the correct framing is:

  1. A. Each Annex A control included in the SoA must show its implementation status under Clause 6.1.3 d); 'selected but not implemented' is permitted only with a documented plan for implementation - otherwise it is a nonconformity
  2. B. Acceptable in all cases - Annex A controls are guidance, not requirements, so non-implementation is not a finding
  3. C. Acceptable - the SoA is a planning document, so implementation status is reviewed in surveillance audits only
  4. D. Always non-conformant - any Annex A control in the SoA must be fully implemented by the time of certification audit
Show my answer

Correct answer: A

Clause 6.1.3 d) requires the SoA to record implementation status for each selected control. A 'selected but not implemented' entry must have a documented implementation plan; otherwise it is a nonconformity because the organisation has identified the control as necessary but is not operating it. Option B mis-frames Annex A as guidance (the inverse of the T-01 trap). Option C is too absolute - the standard permits planned implementation. Option D removes implementation review from the initial audit, which contradicts Clause 9.2.

ISO/IEC 42001:2023, Clause 6.1.3 d)

You've seen ten. The bank holds 200+ questions.

Each one tagged with the trap pattern it tests, scheduled by an adaptive engine that targets only your weak clauses. 3-day free trial, card upfront, one-click cancel.

Start 3-day free trial