ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 4.1. Understanding the organization and its context
6 obligations
ISO42001-4.1-01
Requirement
Determine relevant external and internal issues
The organization must identify and determine external and internal issues that are relevant to its purpose and that affe
ISO42001-4.1-02
Requirement
Consider AI-related regulatory factors
The organization must consider applicable AI-related regulations when determining relevant external and internal issues
ISO42001-4.1-03
Requirement
Consider industry standards factors
The organization must consider relevant industry standards when determining external and internal issues affecting its A
ISO42001-4.1-04
Requirement
Consider stakeholder expectations factors
The organization must consider stakeholder expectations when determining external and internal issues affecting its AI m
ISO42001-4.1-05
Requirement
Consider technological developments factors
The organization must consider technological developments when determining external and internal issues affecting its AI
ISO42001-4.1-06
Requirement
Consider ethical and societal implications
The organization must consider the ethical and societal implications of its AI activities when determining external and
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Article 10.1. Continual improvement
9 obligations
ISO42001-10.1-01
Requirement
Continually improve AI management system suitability, adequacy, and effectiveness
The organization must continuously enhance the suitability, adequacy, and effectiveness of its AI management system thro
ISO42001-10.1-02
Requirement
Consider analysis and evaluation results for improvement opportunities
The organization must take into account results from analysis and evaluation activities, including monitoring and measur
ISO42001-10.1-03
Requirement
Consider audit findings for improvement opportunities
The organization must take into account audit findings to identify opportunities for improvement of the AI management sy
ISO42001-10.1-04
Requirement
Consider management review outputs for improvement opportunities
The organization must take into account outputs from management reviews to identify opportunities for improvement of the
ISO42001-10.1-05
Requirement
Consider interested party feedback for improvement opportunities
The organization must take into account feedback from interested parties to identify opportunities for improvement of th
ISO42001-10.1-06
Requirement
Address evolving AI technologies in continual improvement
Continual improvement activities must specifically address the evolving nature of AI technologies as part of the improve
ISO42001-10.1-07
Risk Management
Address emerging risks in continual improvement
Continual improvement activities must specifically address emerging risks as part of the improvement process.
ISO42001-10.1-08
Requirement
Address changes in regulatory requirements in continual improvement
Continual improvement activities must specifically address changes in regulatory requirements as part of the improvement
ISO42001-10.1-09
Requirement
Address advances in responsible AI practices in continual improvement
Continual improvement activities must specifically address advances in responsible AI practices as part of the improveme
Article 10.2. Nonconformity and corrective action
10 obligations
ISO42001-10.2-01
Requirement
React to nonconformity immediately
When a nonconformity occurs, the organization must immediately take action to control and correct the nonconformity and
ISO42001-10.2-02
Requirement
Evaluate need for root cause elimination action
The organization must evaluate whether action is needed to eliminate the causes of nonconformity to prevent recurrence o
ISO42001-10.2-03
Requirement
Review nonconformity occurrence
The organization must review the nonconformity that occurred as part of the evaluation process.
ISO42001-10.2-04
Requirement
Determine causes of nonconformity
The organization must determine the root causes of the nonconformity that occurred.
ISO42001-10.2-05
Requirement
Assess potential similar nonconformities
The organization must determine whether similar nonconformities exist or could potentially occur elsewhere in the system
ISO42001-10.2-06
Requirement
Implement necessary corrective actions
The organization must implement any action that is determined to be needed based on the evaluation of the nonconformity.
ISO42001-10.2-07
Requirement
Review effectiveness of corrective actions
The organization must review the effectiveness of any corrective action that was taken.
ISO42001-10.2-08
Requirement
Update AI management system when necessary
The organization must make changes to the AI management system if determined necessary based on the nonconformity and co
ISO42001-10.2-09
Requirement
Ensure corrective actions are proportionate
Corrective actions must be proportionate to the effects of the nonconformities encountered.
ISO42001-10.2-10
Documentation
Retain nonconformity and corrective action documentation
The organization must retain documented information as evidence of the nature of nonconformities, any actions taken, and