ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.2. Design and Development of AI System
5 obligations
ISO42001-A.6.2.2-01
Requirement
Establish AI System Design and Development Processes
The organization must establish formal processes for the design and development of AI systems that incorporate responsib
ISO42001-A.6.2.2-02
Requirement
Consider Multiple Factors in Design and Development Processes
Design and development processes must consider the intended purpose of the system, requirements of interested parties, a
ISO42001-A.6.2.2-03
Requirement
Apply Appropriate Engineering Practices
The organization must apply appropriate engineering practices including requirements specification, architectural design
ISO42001-A.6.2.2-04
Requirement
Consider Fairness, Transparency, and Explainability Requirements
During design and development, the organization must specifically consider and address fairness, transparency, and expla
ISO42001-A.6.2.2-05
Documentation
Document Design Decisions with Rationale and Traceability
All design decisions must be documented with clear rationale and maintain traceability to the original requirements that
Article A.6.2.3. Training and Testing AI Model
10 obligations
ISO42001-A.6.2.3-01
Requirement
Establish AI model training and testing processes
The organization must establish formal processes for training and testing AI models to ensure they meet specified requir
ISO42001-A.6.2.3-02
Data Governance
Address data selection in training processes
Training processes must specifically address data selection as part of the AI model development methodology.
ISO42001-A.6.2.3-03
Data Governance
Address data quality in training processes
Training processes must specifically address data quality requirements and controls as part of the AI model development
ISO42001-A.6.2.3-04
Requirement
Address model architecture selection in training processes
Training processes must specifically address model architecture selection as part of the AI model development methodolog
ISO42001-A.6.2.3-05
Requirement
Address hyperparameter tuning in training processes
Training processes must specifically address hyperparameter tuning methodologies as part of the AI model development pro
ISO42001-A.6.2.3-06
Requirement
Prevent overfitting and underfitting in training processes
Training processes must specifically address the prevention of overfitting and underfitting to ensure model generalizabi
ISO42001-A.6.2.3-07
Requirement
Include validation against defined performance metrics in testing
Testing processes must include validation of AI models against defined performance metrics to verify they meet specified
ISO42001-A.6.2.3-08
Requirement
Include bias and fairness testing in testing processes
Testing processes must include specific testing for bias and fairness to ensure equitable AI model performance across di
ISO42001-A.6.2.3-09
Requirement
Include robustness testing in testing processes
Testing processes must include robustness testing to verify AI model stability and reliability under various conditions
ISO42001-A.6.2.3-10
Requirement
Include boundary condition analysis in testing processes
Testing processes must include boundary condition analysis to evaluate AI model behavior at the limits of its operationa
Article A.6.2.10. Defined Use and Misuse of AI System
4 obligations
ISO42001-A.6.2.10-02
Risk Management
Identify and Document Foreseeable Misuse Scenarios
The organization must identify and document reasonably foreseeable misuse scenarios and analyze the potential consequenc
ISO42001-A.6.2.10-03
Requirement
Implement Controls to Prevent or Mitigate Foreseeable Misuse
The organization must implement technical, procedural, or administrative controls to prevent or mitigate the identified
ISO42001-A.6.2.10-04
Transparency
Communicate Use and Misuse Information to Stakeholders
The organization must communicate information about proper use and potential misuse of the AI system to relevant stakeho
ISO42001-A.6.2.10-05
Monitoring
Monitor for Actual Instances of Misuse During Operation
The organization must establish and maintain monitoring processes to detect actual instances of AI system misuse during
Article A.6.2.11. Management of Third-Party AI System Components
6 obligations
ISO42001-A.6.2.11-01
Requirement
Establish Third-Party AI Component Management Processes
The organization must establish formal processes for the evaluation, selection, and management of third-party AI system
ISO42001-A.6.2.11-02
Risk Management
Assess Third-Party Component Risks
The organization must conduct risk assessments of third-party AI components covering quality, reliability, bias, securit
ISO42001-A.6.2.11-03
Requirement
Define Third-Party Component Requirements
The organization must define and document specific requirements for third-party AI components before procurement or impl
ISO42001-A.6.2.11-04
Requirement
Establish Supplier Agreements
The organization must establish formal agreements with suppliers of third-party AI components that govern the use and ma
ISO42001-A.6.2.11-05
Monitoring
Monitor Third-Party Component Performance and Compliance
The organization must continuously monitor the performance and compliance of third-party AI components during their oper
ISO42001-A.6.2.11-06
Documentation
Maintain Third-Party Component Documentation
The organization must maintain comprehensive documented information about the provenance and characteristics of all thir