ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
  - Ch. I — Context, Leadership, and Planning (Clauses 4-6)
    - Art. 4.1. Understanding the organization and its context (8)
    - Art. 4.2. Understanding the needs and expectations of interested parties (4)
    - Art. 4.3. Determining the scope of the AI management system (9)
    - Art. 4.4. AI management system (12)
    - Art. 5.1. Leadership and commitment (10)
    - Art. 5.2. AI policy (8)
    - Art. 5.3. Roles, responsibilities and authorities (10)
    - Art. 6.1.1. General (actions to address risks and opportunities) (7)
    - Art. 6.1.2. AI risk assessment (13)
    - Art. 6.1.3. AI risk treatment (6)
    - Art. 6.1.4. AI system impact assessment (5)
    - Art. 6.2. AI objectives and planning to achieve them (12)
    - Art. 6.3. Planning of changes (7)
  - Ch. II — Support and Operation (Clauses 7-8)
    - Art. 7.1. Resources (9)
    - Art. 7.2. Competence (5)
    - Art. 7.3. Awareness (6)
    - Art. 7.4. Communication (3)
    - Art. 7.5. Documented information (9)
    - Art. 8.1. Operational planning and control (10)
    - Art. 8.2. AI risk assessment (operational) (6)
    - Art. 8.3. AI risk treatment (operational) (6)
    - Art. 8.4. AI system impact assessment (operational) (13)
  - Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
    - Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
    - Art. 9.2. Internal audit (10)
    - Art. 9.3. Management review (10)
    - Art. 10.1. Continual improvement (9)
    - Art. 10.2. Nonconformity and corrective action (10)
  - Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
    - Art. A.2.2. AI Policy (9)
    - Art. A.2.3. Responsible AI Topics in AI Policy (4)
    - Art. A.3.2. Roles and Responsibilities for AI (6)
    - Art. A.3.3. Reporting of AI Concerns (9)
    - Art. A.3.4. Impact of Organizational Changes (6)
  - Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
    - Art. A.4.2. Resources Related to AI Systems (5)
    - Art. A.4.3. Competencies Related to AI Systems (4)
    - Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
    - Art. A.4.5. Consultation (6)
    - Art. A.4.6. Communication About the AI System (6)
    - Art. A.5.2. AI System Risk Assessment (5)
    - Art. A.5.3. AI System Impact Assessment (8)
    - Art. A.5.4. Impact of AI System Documentation (4)
  - Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
    - Art. A.6.2.2. Design and Development of AI System (5)
    - Art. A.6.2.3. Training and Testing AI Model (14)
    - Art. A.6.2.4. Verification and Validation of AI System (7)
    - Art. A.6.2.5. Deployment of AI System (10)
    - Art. A.6.2.6. Operation and Monitoring of AI System (10)
    - Art. A.6.2.7. Retirement of AI System (10)
    - Art. A.6.2.8. Responsible AI System Integration (9)
    - Art. A.6.2.9. AI System Documentation (7)
    - Art. A.6.2.10. Defined Use and Misuse of AI System (5)
    - Art. A.6.2.11. Management of Third-Party AI System Components (6)
  - Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
    - Art. A.7.2. Data for Development and Enhancement of AI System (11)
    - Art. A.7.3. Data Quality for ML and Data for AI System (11)
    - Art. A.7.4. Data Preparation (11)
    - Art. A.7.5. Data Acquisition and Collection (6)
    - Art. A.7.6. Data Provenance (7)
    - Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
    - Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
    - Art. A.8.4. Access to Information About AI System Interaction (5)
    - Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
    - Art. A.9.2. Objectives for Responsible Use of AI System (6)
    - Art. A.9.3. Intended Use of AI System (4)
    - Art. A.9.4. Processes for Responsible Use of AI System (7)
    - Art. A.9.5. Human Oversight Aspects (11)
    - Art. A.10.2. Suppliers of AI System Components (8)
    - Art. A.10.3. Shared ML Models (14)
    - Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Article A.2.2. AI Policy
7 obligations
ISO42001-A.2.2-03
Requirement
Address AI Governance in Policy
The AI policy must address the organization's approach to AI governance.
ISO42001-A.2.2-04
Risk Management
Address Risk Management in Policy
The AI policy must address the organization's approach to risk management.
ISO42001-A.2.2-05
Requirement
Address Ethical Considerations in Policy
The AI policy must address the organization's approach to ethical considerations.
ISO42001-A.2.2-06
Conformity
Address Legal Compliance in Policy
The AI policy must address the organization's approach to compliance with applicable laws and regulations.
ISO42001-A.2.2-07
Requirement
Top Management Approval of AI Policy
The AI policy must be approved by top management.
ISO42001-A.2.2-08
Transparency
Communicate AI Policy to Personnel
The AI policy must be communicated to all relevant personnel.
ISO42001-A.2.2-09
Transparency
Make AI Policy Available to Interested Parties
The AI policy must be made available to interested parties as appropriate.
Article A.2.3. Responsible AI Topics in AI Policy
4 obligations
ISO42001-A.2.3-01
Requirement
Address Responsible AI Topics in AI Policy
The organization must include responsible AI topics in its AI policy, covering fairness, transparency, explainability, a
ISO42001-A.2.3-02
Risk Management
Determine Applicable Responsible AI Topics
The organization must assess and determine which responsible AI topics are applicable based on the nature of its AI syst
ISO42001-A.2.3-03
Documentation
Provide Lifecycle Guidance for Responsible AI Topics
The policy must provide guidance on how responsible AI topics are to be considered throughout the AI system lifecycle.
ISO42001-A.2.3-04
Monitoring
Periodically Review AI Policy for Continued Relevance
The organization must review the AI policy periodically to ensure continued relevance as AI technologies and societal ex
Article A.3.2. Roles and Responsibilities for AI
6 obligations
ISO42001-A.3.2-01
Requirement
Define and assign roles and responsibilities for AI-related activities
The organization must define and assign specific roles and responsibilities for all AI-related activities including AI s
ISO42001-A.3.2-02
Requirement
Assign responsibilities to individuals or teams with appropriate authority and competence
The organization must ensure that AI-related responsibilities are assigned only to individuals or teams who possess the
ISO42001-A.3.2-03
Requirement
Ensure clear accountability for AI system decisions and outcomes
The organization must establish and maintain clear accountability mechanisms for AI system decisions and outcomes, ensur
ISO42001-A.3.2-04
Documentation
Document roles and responsibilities
The organization must create and maintain documentation of all AI-related roles and responsibilities that have been defi
ISO42001-A.3.2-05
Transparency
Communicate roles and responsibilities to all relevant parties
The organization must communicate the defined and assigned AI-related roles and responsibilities to all relevant interna
ISO42001-A.3.2-06
Transparency
Communicate roles and responsibilities to third-party providers and partners
The organization must specifically communicate AI-related roles and responsibilities to third-party providers and partne
Article A.3.3. Reporting of AI Concerns
8 obligations
ISO42001-A.3.3-01
Requirement
Establish AI concerns reporting mechanism
The organization must establish a formal mechanism that enables personnel and other interested parties to report concern
ISO42001-A.3.3-02
Transparency
Communicate AI concerns reporting mechanism
The organization must communicate the established reporting mechanism to personnel and other interested parties to ensur
ISO42001-A.3.3-03
Requirement
Enable reporting without fear of reprisal
The reporting mechanism must be designed and implemented to allow concerns to be raised without fear of reprisal, ensuri
ISO42001-A.3.3-04
Requirement
Investigate reported AI concerns
The organization must ensure that all reported concerns about AI systems are properly investigated in a timely manner.
ISO42001-A.3.3-05
Requirement
Address reported AI concerns
The organization must ensure that reported concerns about AI systems are properly addressed in a timely manner, taking a
ISO42001-A.3.3-06
Documentation
Document AI concerns handling
The organization must document the investigation and resolution of reported AI concerns in a timely manner, maintaining
ISO42001-A.3.3-07
Monitoring
Track reported AI concerns
The organization must maintain a tracking system for all reported concerns related to AI systems to monitor patterns and
ISO42001-A.3.3-08
Risk Management
Use findings to inform AI risk management
The organization must use findings from reported concerns to inform and improve their AI risk management processes and a