ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.3. Training and Testing AI Model
4 obligations
ISO42001-A.6.2.3-11
Documentation
Document training and testing methodologies
The organization must document the methodologies used for training and testing AI models as part of their compliance req
ISO42001-A.6.2.3-12
Documentation
Document datasets used in training and testing
The organization must document all datasets used in the training and testing of AI models, including their characteristi
ISO42001-A.6.2.3-13
Documentation
Document training and testing results obtained
The organization must document all results obtained from training and testing processes, including performance metrics a
ISO42001-A.6.2.3-14
Documentation
Document decisions made based on training and testing results
The organization must document all decisions made based on training and testing results, including rationale and justifi
Article A.6.2.4. Verification and Validation of AI System
7 obligations
ISO42001-A.6.2.4-01
Requirement
Establish AI System Verification and Validation Processes
The organization must establish formal processes for verification and validation of AI systems to confirm the system mee
ISO42001-A.6.2.4-02
Requirement
Conduct System Verification Against Design Specifications
The organization must perform verification activities to confirm that the AI system has been built correctly according t
ISO42001-A.6.2.4-03
Requirement
Conduct System Validation in Operational Environment
The organization must perform validation activities to confirm that the AI system meets the needs and expectations of in
ISO42001-A.6.2.4-04
Requirement
Define Acceptance Criteria for AI Systems
The organization must establish and define clear acceptance criteria for AI systems as part of the verification and vali
ISO42001-A.6.2.4-05
Requirement
Conduct Verification and Validation Activities
The organization must actively perform appropriate verification and validation activities for AI systems.
ISO42001-A.6.2.4-06
Documentation
Document Verification and Validation Results
The organization must document all results from verification and validation activities performed on AI systems.
ISO42001-A.6.2.4-07
Requirement
Address Deficiencies Before Deployment
The organization must identify and address any deficiencies found during verification and validation before the AI syste
Article A.6.2.5. Deployment of AI System
10 obligations
ISO42001-A.6.2.5-01
Requirement
Establish AI system deployment processes
The organization must establish formal processes for the deployment of AI systems that ensure the system is ready for op
ISO42001-A.6.2.5-02
Requirement
Conduct pre-deployment reviews
The organization must include pre-deployment reviews as part of their deployment processes before making AI systems oper
ISO42001-A.6.2.5-03
Risk Management
Confirm risk treatment implementation
The organization must confirm that risk treatments have been implemented as part of the deployment process.
ISO42001-A.6.2.5-04
Monitoring
Verify monitoring mechanisms are operational
The organization must verify that monitoring mechanisms are operational before deployment of AI systems.
ISO42001-A.6.2.5-05
Transparency
Communicate to affected stakeholders during deployment
The organization must communicate with affected stakeholders as part of the AI system deployment process.
ISO42001-A.6.2.5-06
Requirement
Establish feedback channels during deployment
The organization must establish feedback channels as part of the AI system deployment process to enable ongoing communic
ISO42001-A.6.2.5-07
Requirement
Define deployment criteria
The organization must define specific criteria that must be met before AI systems can be deployed into operational use.
ISO42001-A.6.2.5-08
Requirement
Conduct deployment activities in controlled manner
The organization must conduct deployment activities for AI systems in a controlled manner to ensure proper oversight and
ISO42001-A.6.2.5-09
Documentation
Document the deployment process
The organization must document the AI system deployment process to maintain records of deployment activities and decisio
ISO42001-A.6.2.5-10
Documentation
Document deviations from planned deployment activities and their resolution
The organization must document any deviations from planned deployment activities and how these deviations were resolved.
Article A.6.2.6. Operation and Monitoring of AI System
4 obligations
ISO42001-A.6.2.6-01
Requirement
Establish AI System Operation and Monitoring Processes
Organizations must establish formal processes for the ongoing operation and monitoring of AI systems to ensure continued
ISO42001-A.6.2.6-02
Monitoring
Monitor System Performance Metrics
Organizations must implement monitoring that includes tracking of system performance metrics as part of their ongoing AI
ISO42001-A.6.2.6-03
Monitoring
Detect Data Drift and Model Degradation
Organizations must implement monitoring capabilities to detect data drift and model degradation in their AI systems.
ISO42001-A.6.2.6-04
Risk Management
Identify Emerging Risks
Organizations must implement monitoring to identify emerging risks associated with their AI systems during operation.