ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.6. Operation and Monitoring of AI System
6 obligations
ISO42001-A.6.2.6-05
Monitoring
Observe System Behavior in Production
Organizations must implement monitoring to observe AI system behavior while the system is operating in production enviro
ISO42001-A.6.2.6-06
Monitoring
Collect Feedback from Users and Affected Parties
Organizations must implement processes to collect feedback from users and affected parties as part of their AI system mo
ISO42001-A.6.2.6-07
Requirement
Define Thresholds and Triggers for Corrective Action
Organizations must define specific thresholds and triggers that will initiate corrective action when monitoring detects
ISO42001-A.6.2.6-08
Requirement
Define Thresholds and Triggers for Escalation
Organizations must define specific thresholds and triggers that will initiate escalation procedures when monitoring dete
ISO42001-A.6.2.6-09
Requirement
Define Thresholds and Triggers for System Review
Organizations must define specific thresholds and triggers that will initiate system review when monitoring detects issu
ISO42001-A.6.2.6-10
Documentation
Retain Records of Monitoring Activities and Outcomes
Organizations must maintain and retain comprehensive records of all monitoring activities and their outcomes for AI syst
Article A.6.2.7. Retirement of AI System
10 obligations
ISO42001-A.6.2.7-01
Requirement
Establish AI System Retirement Processes
The organization must establish comprehensive processes for the retirement of AI systems to ensure safe, responsible, an
ISO42001-A.6.2.7-02
Data Governance
Address Data Preservation or Secure Disposal in Retirement
Retirement processes must include procedures for the preservation or secure disposal of data associated with the AI syst
ISO42001-A.6.2.7-03
Data Governance
Address Model Preservation or Secure Disposal in Retirement
Retirement processes must include procedures for the preservation or secure disposal of models associated with the AI sy
ISO42001-A.6.2.7-04
Documentation
Address Documentation Preservation or Secure Disposal in Retirement
Retirement processes must include procedures for the preservation or secure disposal of documentation associated with th
ISO42001-A.6.2.7-05
Transparency
Notify Affected Stakeholders of AI System Retirement
Retirement processes must include procedures for notifying all affected stakeholders about the retirement of the AI syst
ISO42001-A.6.2.7-06
Requirement
Address Functionality Migration in AI System Retirement
Where applicable, retirement processes must address the migration of functionality to replacement systems during AI syst
ISO42001-A.6.2.7-07
Risk Management
Manage Residual Risks During AI System Retirement
Retirement processes must include procedures for the management of residual risks that remain after AI system retirement
ISO42001-A.6.2.7-08
Documentation
Document AI System Retirement Decisions
The organization must document all decisions related to the retirement of AI systems.
ISO42001-A.6.2.7-09
Documentation
Document AI System Retirement Activities
The organization must document all activities performed during the retirement of AI systems.
ISO42001-A.6.2.7-10
Documentation
Document Ongoing Obligations Related to Retired AI Systems
The organization must document any ongoing obligations that remain after the AI system has been retired.
Article A.6.2.8. Responsible AI System Integration
9 obligations
ISO42001-A.6.2.8-01
Requirement
Ensure Responsible AI System Integration
The organization must ensure that AI systems are integrated responsibly into broader systems, processes, and organizatio
ISO42001-A.6.2.8-02
Requirement
Consider AI-System Component Interactions
Integration activities must consider the interactions between the AI system and other system components.
ISO42001-A.6.2.8-03
Requirement
Consider AI System Impact on Workflows and Decision Processes
Integration activities must consider the impact of the AI system on existing workflows and decision processes.
ISO42001-A.6.2.8-04
Human Oversight
Consider Adequacy of Human Oversight Mechanisms
Integration activities must consider the adequacy of human oversight mechanisms.
ISO42001-A.6.2.8-05
Risk Management
Consider Potential for Unintended Consequences from System Interactions
Integration activities must consider the potential for unintended consequences arising from system interactions.
ISO42001-A.6.2.8-06
Risk Management
Assess and Manage Integration Context Risks
The organization must assess and manage risks specific to the integration context.
ISO42001-A.6.2.8-07
Conformity
Verify Integrated System Performance Requirements
The organization must verify that the integrated system meets its overall performance requirements.
ISO42001-A.6.2.8-08
Conformity
Verify Integrated System Safety Requirements
The organization must verify that the integrated system meets its overall safety requirements.
ISO42001-A.6.2.8-09
Conformity
Verify Integrated System Compliance Requirements
The organization must verify that the integrated system meets its overall compliance requirements.