ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.7.3. Data Quality for ML and Data for AI System
4 obligations
ISO42001-A.7.3-08
Requirement
Align Data Quality Requirements with Intended Use
The organization must ensure that data quality requirements are appropriate to the intended use of the AI system.
ISO42001-A.7.3-09
Documentation
Document Data Quality Processes
The organization must document its data quality processes for ML and AI systems.
ISO42001-A.7.3-10
Documentation
Document Data Quality Metrics
The organization must document its data quality metrics for ML and AI systems.
ISO42001-A.7.3-11
Documentation
Document Data Quality Results
The organization must document its data quality results for ML and AI systems.
Article A.7.4. Data Preparation
11 obligations
ISO42001-A.7.4-01
Requirement
Establish Data Preparation Processes
The organization must establish formal processes for preparing data used in AI systems, covering data cleaning, transfor
ISO42001-A.7.4-02
Documentation
Document Data Preparation Processes
Data preparation processes must be documented to ensure they can be understood, reviewed, and audited by relevant stakeh
ISO42001-A.7.4-03
Requirement
Ensure Data Preparation Process Reproducibility
Data preparation processes must be designed and implemented in a way that allows them to be repeated with consistent res
ISO42001-A.7.4-04
Requirement
Ensure Data Preparation Process Traceability
Data preparation processes must maintain traceability, allowing the organization to track and record all steps and trans
ISO42001-A.7.4-05
Data Governance
Preserve Data Integrity During Preparation
The organization must ensure that data preparation activities maintain the integrity of the data, preventing corruption,
ISO42001-A.7.4-06
Data Governance
Preserve Data Quality During Preparation
The organization must ensure that data preparation activities maintain and do not degrade the quality of the data used i
ISO42001-A.7.4-07
Requirement
Prevent Introduction of Bias in Data Preparation
The organization must ensure that data preparation activities do not introduce new biases into the dataset that could ne
ISO42001-A.7.4-08
Requirement
Prevent Amplification of Existing Bias in Data Preparation
The organization must ensure that data preparation activities do not amplify or worsen existing biases present in the so
ISO42001-A.7.4-09
Requirement
Validate Prepared Data Quality Criteria Compliance
The organization must validate that data prepared for use in AI systems meets the specific quality criteria that have be
ISO42001-A.7.4-10
Documentation
Record Data Preparation Methodologies
The organization must record the specific methodologies and approaches used for data preparation to support transparency
ISO42001-A.7.4-11
Transparency
Record Data Preparation Methodology Rationale
The organization must record and document the rationale behind the choice of specific data preparation methodologies, ex
Article A.7.5. Data Acquisition and Collection
6 obligations
ISO42001-A.7.5-01
Requirement
Establish Data Acquisition and Collection Processes
The organization must establish formal processes for the acquisition and collection of data for AI systems that comply w
ISO42001-A.7.5-02
Data Governance
Obtain Data Through Lawful and Ethical Means
The organization must ensure that all data is obtained through lawful and ethical means, adhering to applicable legal an
ISO42001-A.7.5-03
Data Governance
Respect Privacy Rights and Consent Requirements
The organization must respect privacy rights and meet all applicable consent requirements when acquiring and collecting
ISO42001-A.7.5-04
Requirement
Ensure Proportionate Data Acquisition Activities
The organization must ensure that data acquisition activities are proportionate to the intended purpose of the AI system
ISO42001-A.7.5-05
Documentation
Document Data Acquisition Sources, Methods, and Conditions
The organization must document the sources, methods, and conditions of data acquisition for AI systems.
ISO42001-A.7.5-06
Risk Management
Assess Data Acquisition Risks
The organization must assess the risks associated with data acquisition activities, including risks related to bias, rep
Article A.7.6. Data Provenance
4 obligations
ISO42001-A.7.6-01
Documentation
Establish and maintain data provenance records
The organization must establish and maintain comprehensive records of data provenance for all data used in AI systems, d
ISO42001-A.7.6-02
Transparency
Ensure provenance records support traceability
Provenance records must be sufficient to trace data from its source through all processing steps to its use in the AI sy
ISO42001-A.7.6-03
Data Governance
Use provenance information for data quality assessment
The organization must utilize provenance information to assess the quality of data used in AI systems.
ISO42001-A.7.6-04
Risk Management
Use provenance information to identify potential biases
The organization must utilize provenance information to identify potential biases in data used in AI systems.