ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.7.6. Data Provenance
3 obligations
ISO42001-A.7.6-05
Conformity
Use provenance information to verify legal and contractual compliance
The organization must utilize provenance information to verify compliance with applicable legal and contractual requirem
ISO42001-A.7.6-06
Monitoring
Use provenance information for incident investigation
The organization must utilize provenance information to support incident investigation activities related to AI systems.
ISO42001-A.7.6-07
Monitoring
Use provenance information for audit activities
The organization must utilize provenance information to support audit activities related to AI systems.
Article A.8.2. Informing Interested Parties About AI System Interaction
6 obligations
ISO42001-A.8.2-01
Transparency
Inform interested parties about AI system interaction
Organizations must notify interested parties when they are interacting with an AI system. This notification must be prov
ISO42001-A.8.2-02
Transparency
Inform interested parties when AI assists in decisions affecting them
Organizations must notify interested parties when an AI system is being used to make or assist in decisions that affect
ISO42001-A.8.2-03
Requirement
Provide notifications in clear, timely, and accessible manner
Organizations must ensure that AI system notifications are delivered in a manner that is clear, timely, and accessible,
ISO42001-A.8.2-04
Transparency
Disclose nature and purpose of AI system interaction
Organizations must disclose the nature and purpose of the AI system interaction to interested parties, unless an excepti
ISO42001-A.8.2-05
Transparency
Disclose type of AI technology being used
Organizations must disclose the type of AI technology being used to interested parties, unless an exception applies unde
ISO42001-A.8.2-06
Transparency
Disclose meaningful information about logic involved
Organizations must disclose any meaningful information about the logic involved in the AI system to interested parties,
Article A.8.3. Informing Interested Parties About AI Outcomes
4 obligations
ISO42001-A.8.3-01
Transparency
Inform interested parties about AI outcomes that affect them
Organizations must inform interested parties about outcomes produced by AI systems that affect them, including decisions
ISO42001-A.8.3-02
Transparency
Provide basis and factors for AI outcomes
Organizations must provide information about the basis for AI outcomes, including the data and factors considered in pro
ISO42001-A.8.3-03
Transparency
Provide review and correction mechanisms for AI outcomes
Organizations must inform interested parties about any available means for individuals to seek review, clarification, or
ISO42001-A.8.3-04
Requirement
Ensure understandable and actionable communication of AI outcomes
Organizations must ensure that information about AI outcomes is communicated in a manner that is understandable and acti
Article A.8.4. Access to Information About AI System Interaction
5 obligations
ISO42001-A.8.4-01
Transparency
Provide mechanisms for AI system interaction information access
The organization must establish and maintain mechanisms that enable interested parties to access information about their
ISO42001-A.8.4-02
Risk Management
Ensure access mechanisms are proportionate to system sensitivity and impact
The organization must design access mechanisms that are proportionate to the sensitivity and impact level of the AI syst
ISO42001-A.8.4-03
Data Governance
Comply with privacy and data protection requirements in access mechanisms
The organization must ensure that all access mechanisms for AI system interaction information comply with applicable pri
ISO42001-A.8.4-04
Requirement
Establish processes for timely handling of access requests
The organization must create and implement processes that handle access requests from interested parties in a timely man
ISO42001-A.8.4-05
Documentation
Document available access mechanisms and procedures
The organization must document both the access mechanisms that are available to interested parties and the procedures fo
Article A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs
7 obligations
ISO42001-A.8.5-01
Requirement
Design AI systems to enable appropriate human response actions
The organization must ensure that AI systems are designed in a manner that enables appropriate human actions in response
ISO42001-A.8.5-02
Requirement
Deploy AI systems to enable appropriate human response actions
The organization must ensure that AI systems are deployed in a manner that enables appropriate human actions in response
ISO42001-A.8.5-03
Risk Management
Consider appropriate level of human oversight based on risk and impact
The organization must consider the level of human oversight appropriate to the risk level and impact of the AI system wh
ISO42001-A.8.5-04
Transparency
Provide sufficient information for effective human oversight
The organization must provide users with sufficient information to exercise effective oversight of AI systems.
ISO42001-A.8.5-05
Requirement
Provide sufficient training for effective human oversight
The organization must provide users with sufficient training to exercise effective oversight of AI systems.
ISO42001-A.8.5-06
Requirement
Provide sufficient tools for effective human oversight
The organization must provide users with sufficient tools to exercise effective oversight of AI systems.
ISO42001-A.8.5-07
Human Oversight
Design systems to support human judgment in high-stakes contexts
Systems must be designed to support, rather than replace, human judgment in high-stakes decision-making contexts.