Cheat sheet

ISO 42001 Lead Implementer Cheat Sheet

AI & AIMS Fundamentals

21%of exam

AIMS Requirements (Clauses)

6%of exam

Clause 4-10 StructureAnnex A-D RolesAnnex SL Format42001 Scope

Planning AIMS Implementation

25%of exam

Risk & Impact AssessmentStatement of ApplicabilityGap AnalysisAI PolicyPlanning Inputs

Implementing the AIMS

22-23%of exam

Monitoring & Measurement

12-13%of exam

Monitoring & MeasurementInternal AuditManagement ReviewAIMS Metrics

Improvement & Certification Audit

12-13%of exam

Quick Facts

Exam
ISO 42001 LI
Credential
AIMS Lead Implementer
Questions
80 MCQ
Time
3 hours
Pass
70%
Format
Open-book, 3 options
Level
Advanced
Handbook
v1.5 (2026)

Credential Ladder

Provisional -> Implementer -> Lead -> Senior Lead

0yr: provisional1-2yr: implementer2-5yr: lead7-10yr: senior lead

42001 vs 27001

ISO 42001

  • AI management system
  • Annex A: AI controls
  • AI risk + impact

ISO 27001

  • Info security system
  • Annex A: security controls
  • Info security risk

AI vs security scope

AI Standards Family

42001
AIMS requirements
22989
AI concepts/terminology
23053
ML framework
23894
AI risk management
5338
AI system lifecycle
38507
Board AI governance
42005
AI impact assessment

Provisional vs Lead Implementer

Provisional

  • No experience
  • Exam only

Lead Implementer

  • 2yr AIMS work
  • 300 project hours

Exam vs credentialed

EU AI Act Risk Tiers

Unacceptable
Banned practices (Art 5)
High-risk
Annex III systems
Limited-risk
Transparency duties
Minimal-risk
No specific obligation
GPAI
General-purpose AI rules

EU AI Act vs NIST RMF

EU AI Act

  • Binding EU law
  • Risk-tier obligations

NIST AI RMF

  • Voluntary US framework
  • Govern/Map/Measure/Manage

Law vs framework

AI Subfields & Concepts

Machine learning
Learn from data
Deep learning
Neural network layers
Neural network
Node-layer model
Cognitive computing
Mimic human reasoning
Semantic computing
Meaning-based processing
Soft computing
Tolerates imprecision

PECB Credential Levels

Provisional
No experience needed
Implementer
1yr AIMS + 200hrs
Lead Implementer
2yr AIMS + 300hrs
Senior Lead
7yr AIMS + 1000hrs

Exam Mechanics

3 options
1 correct, 2 distractors
Scenario sets
5 Qs per scenario
Open-book
Standard + notes allowed
Cognitive split
40% comprehension/analysis, 60% evaluation

Clause 4-10 Flow

Context -> Leadership -> Operate -> Improve

4: Context5: Leadership6-8: Plan-Operate9-10: Evaluate-Improve

Annex A vs Annex B

Annex A

  • Normative controls
  • Must implement

Annex B

  • Implementation guidance
  • Informative only

Requirement vs how-to

Clause 4-10 Structure

Clause 4
Context of organization
Clause 5
Leadership
Clause 6
Planning
Clause 7
Support
Clause 8
Operation
Clause 9
Performance evaluation
Clause 10
Improvement

Annex A-D Roles

Annex A
38 normative controls
Annex B
Control implementation guidance
Annex C
AI objectives/risk sources
Annex D
Sector-specific tailoring

Risk vs Impact Assessment

Risk assessment

  • Threats to org
  • 23894 methodology
  • Likelihood x severity

Impact assessment

  • Effect on people/society
  • 42005 methodology
  • Individuals + groups

Org risk vs societal effect

Risk & Impact Response Picker

  1. New AI system plannedAI impact assessment
  2. Identify AI-specific riskISO/IEC 23894 method
  3. Control excludedJustify in SoA
  4. Gap vs 42001 foundGap analysis report
  5. Risk unacceptableRisk treatment plan

AI Risk & Impact Assessment

Risk assessment
Identify/analyze/evaluate risk
Impact assessment
Effect on individuals/society
SoA
Statement of Applicability
Gap analysis
Current vs required state
AI policy
Top-level AI commitment
Risk treatment
Select risk options

Planning Inputs

Internal context
Org culture/resources
External context
Regulatory/market factors
Interested parties
Stakeholder needs
AIMS objectives
Measurable targets
Project plan
Implementation roadmap

Annex A 9 Objectives

Policy Org Resource Impact Lifecycle Data Info Use Third-party

A.2-A.4: policy/org/resourcesA.5-A.6: impact/lifecycleA.7-A.8: data/infoA.9-A.10: use/third-party

Annex A Control Picker

  1. Need AI policyA.2(Top-level commitment)
  2. Define AI rolesA.3(Internal organization)
  3. Need resources/computeA.4(Resource allocation)
  4. Assess AI impactA.5(Impact assessment)
  5. Control model lifecycleA.6(AI system lifecycle)
  6. Govern training dataA.7(Data controls)
  7. Inform stakeholdersA.8(Transparency info)
  8. Ensure responsible useA.9(Use of AI)
  9. Manage vendor AIA.10(Third-party controls)

Annex A: 9 Objectives

A.2
AI policies
A.3
Internal organization
A.4
Resources for AI
A.5
Impact assessment
A.6
AI system lifecycle
A.7
Data for AI
A.8
Info for interested parties
A.9
Responsible use of AI
A.10
Third-party relationships

Bias Mitigation Stages

Pre -> In -> Post processing

Pre: reweigh dataIn: adversarial debiasPost: adjust threshold

Bias Mitigation Methods

Pre-processing
Reweigh/resample data
In-processing
Adversarial debiasing
Post-processing
Threshold adjustment
Reweighing
Adjust sample weights

Explainability Methods

LIME
Local approximation
SHAP
Shapley value attribution
Model card
Model documentation
Datasheet
Dataset documentation

AIMS Implementation Tasks

AI landscape
Inventory AI systems
Documentation
Records + control evidence
Training program
Awareness + skills
Communication plan
Stakeholder engagement
Change management
Control AI updates

Major vs Minor NC

Major NC

  • Systemic failure
  • Certification blocked

Minor NC

  • Isolated lapse
  • Corrective plan ok

System vs isolated

Monitoring & Measurement

AIMS metrics
Performance indicators
Drift monitoring
Detect data/model shift
Internal audit
ISO 19011 based
Management review
Top mgmt evaluation
Suitability review
Policy still fits

PDCA Improvement Cycle

Plan -> Do -> Check -> Act

Plan: set objectivesDo: implement AIMSCheck: monitor/auditAct: correct/improve

Stage 1 vs Stage 2 Audit

Stage 1

  • Review documents
  • Readiness check
  • Off-site often

Stage 2

  • Test implementation
  • Evidence of operation
  • On-site typical

Paper vs practice

Certification Audit Stage Picker

  1. Docs not yet reviewedStage 1 audit
  2. Ready to test controlsStage 2 audit
  3. One year post-certSurveillance audit
  4. Three years post-certRecertification audit

Continual Improvement Cycle

Nonconformity
Requirement not met
Root cause
Underlying failure source
Corrective action
Fix + prevent recurrence
PDCA
Plan-Do-Check-Act
Lessons learned
Incident-based insight

Certification Audit Stages

Stage 1
Documentation readiness review
Stage 2
Implementation effectiveness audit
Surveillance audit
Annual follow-up check
Recertification
3-year renewal audit
CB selection
Choose certification body

Common Traps

42001 vs 27001 scope

42001 = AI mgmt 27001 = info security

Risk vs impact assessment

Risk: harm to org Impact: harm to society

Annex A vs Annex B

A: what to do B: how to do it

3 options not 4

Only 1 correct answer 2 distractors always

Open-book but timed

Standard + notes ok No internet lookup

Stage 1 vs Stage 2

1: review documents 2: test operation

Major vs minor NC

Major: systemic failure Minor: isolated lapse

Last Minute

  1. 1.Weights 21-6-25-22-13-13%
  2. 2.80 MCQ, 3 options each
  3. 3.Pass score is 70%
  4. 4.Open-book: standard + notes only
  5. 5.Clauses 4-10 = harmonized structure
  6. 6.Annex A = 38 controls
  7. 7.9 Annex A objectives: A.2-A.10
  8. 8.Impact assessment differs from risk assessment
  9. 9.Stage 1 = docs, Stage 2 = practice
  10. 10.PDCA drives continual improvement clause
Same family resources

Explore More PECB Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.