ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Article A.3.3. Reporting of AI Concerns
1 obligation
Article A.3.4. Impact of Organizational Changes
6 obligations
ISO42001-A.3.4-01
Risk Management
Assess Impact of Organizational Changes on AI Systems
The organization must evaluate how organizational changes (strategy, structure, processes, personnel, technology, or bus
ISO42001-A.3.4-02
Risk Management
Review and Update AI Risk Assessments When Changes Affect Performance
When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must
ISO42001-A.3.4-03
Risk Management
Review and Update Impact Assessments When Changes Affect Systems
When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must
ISO42001-A.3.4-04
Risk Management
Review and Update Associated Controls When Changes Affect Systems
When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must
ISO42001-A.3.4-05
Requirement
Ensure Continuity of AI Management During Organizational Change
The organization must maintain continuity of AI management during periods of organizational change.
ISO42001-A.3.4-06
Requirement
Ensure Integrity of AI Management During Organizational Change
The organization must maintain integrity of AI management during periods of organizational change.
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Article A.4.2. Resources Related to AI Systems
5 obligations
ISO42001-A.4.2-01
Requirement
Identify Resources for AI System Lifecycle
The organization must identify all resources needed for the AI system lifecycle, including computing infrastructure, dat
ISO42001-A.4.2-02
Requirement
Provide Resources for AI System Lifecycle
The organization must provide all identified resources needed for the AI system lifecycle, including computing infrastru
ISO42001-A.4.2-03
Requirement
Maintain Resources for AI System Lifecycle
The organization must maintain all resources needed for the AI system lifecycle, including computing infrastructure, dat
ISO42001-A.4.2-04
Requirement
Conduct Resource Planning for Current and Anticipated AI System Needs
The organization must conduct resource planning that considers both current and anticipated needs of AI systems, includi
ISO42001-A.4.2-05
Requirement
Ensure Resource Sufficiency for Responsible AI System Lifecycle
The organization must ensure that resources are sufficient to support the responsible development, deployment, operation
Article A.4.3. Competencies Related to AI Systems
4 obligations
ISO42001-A.4.3-01
Requirement
Identify AI-related competencies for all relevant roles
The organization must identify the specific competencies needed for all roles involved in AI system development, deploym
ISO42001-A.4.3-02
Requirement
Ensure personnel possess required AI competencies
The organization must ensure that all personnel performing roles related to AI systems actually possess the competencies
ISO42001-A.4.3-03
Requirement
Provide training to address competency gaps
The organization must provide training or other means to address any identified gaps between the required competencies f
ISO42001-A.4.3-04
Monitoring
Review and update competency requirements as AI evolves
The organization must regularly review and update the identified competency requirements to ensure they remain current a
Article A.4.4. Awareness of Responsible Use of AI Systems
4 obligations
ISO42001-A.4.4-01
Requirement
Ensure AI Awareness for All Personnel
The organization must ensure that all personnel involved in or affected by AI systems are aware of the organization's AI
ISO42001-A.4.4-02
Requirement
Role-Appropriate Awareness Activities
Awareness activities must be designed and delivered to be appropriate to the specific roles and responsibilities of the
ISO42001-A.4.4-03
Requirement
Comprehensive Topic Coverage in Awareness
Awareness activities must cover specific topics including bias, fairness, transparency, data protection, and ethical con
ISO42001-A.4.4-04
Requirement
Ongoing Awareness Reinforcement
The organization must reinforce awareness through continuous training and communication activities, not just one-time ac
Article A.4.5. Consultation
5 obligations
ISO42001-A.4.5-01
Requirement
Establish consultation processes for AI systems
The organization must establish formal processes for consulting with relevant interested parties about its AI systems, i
ISO42001-A.4.5-02
Requirement
Conduct consultation at appropriate AI system lifecycle stages
The organization must conduct consultation at appropriate stages of the AI system lifecycle, with mandatory consultation
ISO42001-A.4.5-03
Documentation
Document consultation processes and procedures
The organization must document its consultation process, including the established procedures, methodologies, and framew
ISO42001-A.4.5-04
Documentation
Document parties consulted in AI system consultations
The organization must maintain documentation identifying all parties that were consulted regarding its AI systems, inclu
ISO42001-A.4.5-05
Documentation
Document input received from consultations
The organization must document all input, feedback, recommendations, and concerns received from consulted parties regard