regulation10.ae
Audit readiness

Arrive at your Reg 10 audit already audit-ready.

A DIFC Regulation 10 assessment is a review of evidence. The job before the audit is to build that evidence and keep it current. regulation10.ae produces the full Reg 10 evidence canon — register, DPIA, transparency notice, RoPA, ASO file, Statement of Applicability and an audit-grade evidence pack — and exports it to whichever Approved Certification Body or consultancy you engage.

What an assessment looks for

The auditor reads evidence, not intentions.

An Approved Certification Body or consultancy — for example White Label Consultancy, though the platform is deliberately ACB-agnostic — does not grade your ambitions. They check that each in-scope AI system has a documented purpose, a risk classification, a Data Protection Impact Assessment, a clear accountable owner and a record that the controls you claim are actually running.

Most of the work in passing that review is preparation: pulling the artefacts together, making sure they agree with one another, and proving they have not drifted out of date. That is the work regulation10.ae does for you — so the assessment becomes a confirmation, not a scramble.

You stay in control of who sees the evidence. Export a signed pack, or open a read-only evidence-room for your assessor. The platform never locks you to one body — your evidence is yours to take to any DIFC ACB.

Evidence-first

What the platform hands the assessor

  • Register entry per system, linked to every artefact
  • DPIA, transparency notice and RoPA generated from real facts
  • ASO appointment letter + competence file
  • ISO 42001 Statement of Applicability with justifications
  • Bias, threat-model and drift evidence, dated and attributable
  • WORM audit trail with SHA-256 content hashes
  • One signed evidence-pack ZIP, exportable to any ACB

Audit-readiness facilities

Every artefact an ACB asks for, produced and kept current.

Each facility below maps to a specific Regulation 10, DPL 2020 or ISO control. They are generated from your system facts, hash-pinned into the audit trail, and bundled into an evidence pack you can hand to any Approved Certification Body.

AI System Register

A live inventory of every in-scope AI system: purpose, data categories, risk class, owners and lifecycle stage. This is the spine an auditor reads first — every other artefact links back to a register entry.

DIFC Reg 10

Data Protection Impact Assessment

A structured DPIA per system — necessity, proportionality, risks to data subjects and the mitigations applied. Generated against the system facts in the register, not a blank template.

DPL Art 20

Transparency Notice

A plain-English notice that explains automated processing to the people it affects — what the system does, the legal basis, and how to exercise data-subject rights. Satisfies the DPL transparency duty.

DPL Art 13–14

ASO appointment + competence file

Reg 10 names one accountable human — the Appointed Senior Officer. The platform produces the appointment letter and a competence file (role, qualifications, training log) so the auditor has a single signature and an evidence trail behind it.

DIFC Reg 10

Record of Processing Activities (RoPA)

The Article 15 processing record — purposes, categories of data and recipients, retention and cross-border transfers — kept in step with the register so it is never a stale spreadsheet.

DPL Art 15

Statement of Applicability

An ISO/IEC 42001 Annex A Statement of Applicability — each control marked applicable or not, with justification and a link to the evidence that satisfies it. The document a Stage-1 reviewer works through line by line.

ISO 42001 Annex A

Bias, threat & drift evidence

Quantified evidence from the assurance modules: bias and fairness testing, an adversarial threat model, and drift monitoring over time. Each run is dated and attributable, so the auditor sees an ongoing control, not a one-off screenshot.

DIFC Reg 10

WORM audit trail

Every artefact, decision and approval is written to a write-once, read-many audit trail with content hashes. Tamper-evidence is built in: an auditor can confirm nothing was edited after the fact.

DIFC Reg 10

Evidence-pack export (ZIP)

One signed ZIP that bundles the register entry, DPIA, transparency notice, RoPA, Statement of Applicability, ASO file and assurance evidence — each with a SHA-256 hash and a manifest. Hand it to any ACB; the platform stays ACB-agnostic.

Exportable to any ACB

Auditor evidence-room

A read-only room where your chosen ACB or consultancy reviews the live evidence in place, organised the way an assessor expects. The structure aligns to ISO/IEC 42006:2025 so the review process is familiar from the first click.

ISO/IEC 42006:2025

Gap analysis & readiness scoring

Before you book the audit, the platform scores each system against the Reg 10 evidence canon and surfaces the gaps — missing artefacts, stale runs, unsigned approvals — as a ranked, fixable to-do list.

Readiness score

ISO 42001 / 27001 cross-map

A cross-map that shows where your Reg 10 evidence already satisfies ISO/IEC 42001 (AI management) and ISO/IEC 27001 (information security) controls — so a single body of work stands up against more than one framework.

ISO 42001 / 27001

Standards alignment

One body of evidence, mapped to the frameworks your assessor already knows.

Reg 10 is the primary obligation, but the same evidence is structured to stand up under the international AI and security standards. That cross-mapping is why a single readiness programme can serve more than one audit.

ISO/IEC 42001

AI management system

The Statement of Applicability and evidence pack are sized to feed a Stage-1 readiness review against the AI management standard.

ISO/IEC 42006:2025

Bodies certifying AI

The auditor evidence-room is organised to align with the requirements placed on bodies that audit and certify AI management systems.

ISO/IEC 27001

Information security

The cross-map shows where your Reg 10 controls already satisfy information-security controls, avoiding duplicate work.

DPL 2020

DIFC Data Protection Law

Transparency notices, the RoPA (Art 15) and the DPIA (Art 20) are anchored directly to the data-protection law that Reg 10 sits within.

The path to audit-ready

Audit-ready in about five weeks.

The timeline below is a working guide for a typical portfolio of a handful of systems. Larger estates take longer; a single system can be audit-ready sooner. The readiness score tells you exactly where you stand at every step.

  1. Week 1

    Register your systems

    Walk each in-scope AI system through the onboarding wizard. The platform builds the AI System Register and runs the first readiness score, so you can see the size of the job on day one.

  2. Weeks 2–3

    Generate the evidence

    The modules produce the DPIA, transparency notice, RoPA and Statement of Applicability against your real system facts, and run the bias, threat and drift checks. Every output lands in the WORM audit trail.

  3. Week 4

    Close the gaps

    Work the ranked gap list to zero: missing artefacts, stale runs, unsigned approvals. Confirm the ASO appointment and competence file. Re-score until the readiness number is where you want it.

  4. Week 5+

    Hand off to your ACB

    Export the evidence-pack ZIP, or open the read-only auditor evidence-room, for your chosen Approved Certification Body or consultancy. The platform stays ACB-agnostic — your evidence goes wherever your assessor is.

See exactly how audit-ready you are.

Run your AI systems through the readiness assessment. You will get a register, a readiness score and a ranked gap list in the first session — and a clear, ACB-agnostic path to an evidence pack you can hand to any assessor. Audit-ready means evidence for assessment, not a certification claim we cannot make for you.