ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.9. AI System Documentation
7 obligations
ISO42001-A.6.2.9-01
Documentation
Maintain comprehensive AI system documentation throughout lifecycle
The organization must maintain comprehensive documentation for each AI system covering its purpose, design, data sources
ISO42001-A.6.2.9-02
Documentation
Ensure documentation enables system behavior understanding
Documentation must be sufficient to enable understanding of the AI system's behavior by relevant stakeholders.
ISO42001-A.6.2.9-03
Documentation
Ensure documentation supports troubleshooting and incident investigation
Documentation must be adequate to support troubleshooting activities and investigation of incidents involving the AI sys
ISO42001-A.6.2.9-04
Documentation
Ensure documentation facilitates audits
Documentation must be designed and maintained to facilitate audit processes of the AI system.
ISO42001-A.6.2.9-05
Transparency
Provide transparency to interested parties through documentation
Documentation must provide transparency to interested parties regarding the AI system.
ISO42001-A.6.2.9-06
Documentation
Keep AI system documentation current
The organization must ensure that AI system documentation remains current and up-to-date.
ISO42001-A.6.2.9-07
Documentation
Update documentation when significant system changes occur
The organization must update AI system documentation whenever significant changes are made to the system.
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.7.2. Data for Development and Enhancement of AI System
11 obligations
ISO42001-A.7.2-01
Requirement
Establish data identification, acquisition, and management processes
The organization must establish formal processes for identifying, acquiring, and managing data used for the development
ISO42001-A.7.2-02
Data Governance
Ensure data appropriateness for intended AI system purpose
The organization must verify and ensure that data used for training, testing, validation, and enhancement is appropriate
ISO42001-A.7.2-03
Data Governance
Ensure sufficient data quality for AI system development
The organization must ensure that data used for training, testing, validation, and enhancement meets sufficient quality
ISO42001-A.7.2-04
Data Governance
Ensure sufficient data quantity for AI system development
The organization must ensure that data used for training, testing, validation, and enhancement is available in sufficien
ISO42001-A.7.2-05
Data Governance
Ensure data representativeness for AI system development
The organization must ensure that data used for training, testing, validation, and enhancement is sufficiently represent
ISO42001-A.7.2-06
Requirement
Consider legal requirements applicable to data
The organization must identify, evaluate, and consider all legal requirements that apply to the data used in AI system d
ISO42001-A.7.2-07
Requirement
Consider ethical requirements applicable to data
The organization must identify, evaluate, and consider all ethical requirements and principles that apply to the data us
ISO42001-A.7.2-08
Requirement
Consider contractual requirements applicable to data
The organization must identify, evaluate, and consider all contractual requirements and obligations that apply to the da
ISO42001-A.7.2-09
Requirement
Consider intellectual property requirements for data
The organization must specifically identify, evaluate, and consider intellectual property rights and requirements that a
ISO42001-A.7.2-10
Requirement
Consider consent requirements for data
The organization must specifically identify, evaluate, and consider consent requirements that apply to the data used in
ISO42001-A.7.2-11
Documentation
Document data management activities throughout AI system lifecycle
The organization must maintain comprehensive documentation of all data management activities across the entire lifecycle
Article A.7.3. Data Quality for ML and Data for AI System
7 obligations
ISO42001-A.7.3-01
Data Governance
Establish Data Quality Criteria for ML and AI Systems
The organization must establish data quality criteria for data used in machine learning and AI systems, specifically inc
ISO42001-A.7.3-02
Data Governance
Apply Data Quality Criteria for ML and AI Systems
The organization must apply the established data quality criteria to data used in machine learning and AI systems.
ISO42001-A.7.3-03
Monitoring
Implement Data Quality Measurement Processes
The organization must implement processes to measure data quality for ML and AI systems.
ISO42001-A.7.3-04
Monitoring
Implement Data Quality Monitoring Processes
The organization must implement processes to monitor data quality for ML and AI systems on an ongoing basis.
ISO42001-A.7.3-05
Data Governance
Implement Data Quality Improvement Processes
The organization must implement processes to improve data quality for ML and AI systems.
ISO42001-A.7.3-06
Requirement
Address Data Quality Issues Before Use
The organization must address identified data quality issues before data is used in AI system development or operation.
ISO42001-A.7.3-07
Risk Management
Align Data Quality Requirements with Risk Level
The organization must ensure that data quality requirements are appropriate to the risk level of the AI system.