ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Article A.4.5. Consultation
1 obligation
Article A.4.6. Communication About the AI System
6 obligations
ISO42001-A.4.6-01
Requirement
Establish AI system communication processes
The organization must establish formal processes for communicating relevant information about its AI systems to interest
ISO42001-A.4.6-02
Requirement
Ensure timely AI system communication
Communication about AI systems must be delivered in a timely manner to interested parties.
ISO42001-A.4.6-03
Requirement
Ensure accurate AI system communication
Communication about AI systems must be accurate and factually correct.
ISO42001-A.4.6-04
Requirement
Ensure audience-appropriate AI system communication
Communication about AI systems must be appropriate to the specific audience receiving the information.
ISO42001-A.4.6-05
Transparency
Support transparency and accountability objectives through communication
AI system communication must support the transparency and accountability objectives established in the organization's AI
ISO42001-A.4.6-06
Requirement
Consider stakeholder information needs
The organization must consider the specific information needs of different stakeholder groups, including end users, affe
Article A.5.2. AI System Risk Assessment
5 obligations
ISO42001-A.5.2-01
Risk Management
Conduct AI System Risk Assessments
The organization must perform risk assessments for each AI system, taking into account the system's specific characteris
ISO42001-A.5.2-02
Risk Management
Identify and Evaluate Multi-Domain AI System Risks
Risk assessments must identify and evaluate risks across multiple domains including accuracy, reliability, fairness, pri
ISO42001-A.5.2-03
Risk Management
Conduct Lifecycle-Wide Risk Assessment
The organization must consider risks across the entire AI system lifecycle, covering all phases from design and developm
ISO42001-A.5.2-04
Documentation
Document Risk Assessment Results
Risk assessment results must be properly documented and maintained.
ISO42001-A.5.2-05
Risk Management
Use Risk Assessment Results for Control Determination
Risk assessment results must be used to determine appropriate controls and risk treatment measures for the AI system.
Article A.5.3. AI System Impact Assessment
8 obligations
ISO42001-A.5.3-01
Risk Management
Conduct AI System Impact Assessments
The organization must conduct impact assessments to evaluate the potential effects of AI systems on individuals, groups,
ISO42001-A.5.3-02
Risk Management
Consider Direct and Indirect Impacts in Assessment
Impact assessments must consider both direct and indirect impacts, including effects on human rights, fundamental freedo
ISO42001-A.5.3-03
Risk Management
Ensure Proportionate Assessment to System Complexity
The impact assessment must be proportionate to the complexity and potential impact of the AI system being evaluated.
ISO42001-A.5.3-04
Risk Management
Consider Affected Stakeholder Perspectives
The impact assessment must consider the perspectives of affected stakeholders in the evaluation process.
ISO42001-A.5.3-05
Documentation
Document Impact Assessment Results
The results of impact assessments must be documented.
ISO42001-A.5.3-06
Risk Management
Use Results to Inform Risk Treatment Decisions
Impact assessment results must inform risk treatment decisions within the organization.
ISO42001-A.5.3-07
Risk Management
Use Results to Inform System Design Choices
Impact assessment results must inform system design choices and decisions.
ISO42001-A.5.3-08
Transparency
Use Results to Inform Stakeholder Communications
Impact assessment results must inform stakeholder communications and engagement activities.
Article A.5.4. Impact of AI System Documentation
4 obligations
ISO42001-A.5.4-01
Documentation
Document AI system impact assessment results
The organization must document the complete results of AI system impact assessments, including methodology used, impacts
ISO42001-A.5.4-02
Transparency
Ensure documentation supports transparency and accountability
Documentation of impact assessments must be sufficiently detailed to support transparency, accountability, and traceabil
ISO42001-A.5.4-03
Documentation
Maintain impact assessment documentation throughout AI system lifecycle
The organization must maintain impact assessment documentation continuously throughout the entire AI system lifecycle fr
ISO42001-A.5.4-04
Documentation
Update impact assessment documentation when significant changes occur
The organization must update impact assessment documentation whenever significant changes occur to the AI system or its
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.10. Defined Use and Misuse of AI System
1 obligation