ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 4.1. Understanding the organization and its context
2 obligations
ISO42001-4.1-07
Monitoring
Monitor issues at planned intervals
The organization must monitor the identified external and internal issues at planned intervals to ensure the AI manageme
ISO42001-4.1-08
Monitoring
Review issues at planned intervals
The organization must review the identified external and internal issues at planned intervals to ensure the AI managemen
Article 4.2. Understanding the needs and expectations of interested parties
4 obligations
ISO42001-4.2-01
Requirement
Determine relevant interested parties for AI management system
The organization must identify and determine which interested parties are relevant to their AI management system, specif
ISO42001-4.2-02
Requirement
Determine requirements of interested parties
The organization must identify and determine the relevant requirements of the interested parties, including legal, regul
ISO42001-4.2-03
Monitoring
Monitor interested party requirements
The organization must establish ongoing monitoring of the requirements from interested parties to ensure they remain cur
ISO42001-4.2-04
Requirement
Review interested party requirements
The organization must conduct regular reviews of interested party requirements to ensure they maintain continued relevan
Article 4.3. Determining the scope of the AI management system
9 obligations
ISO42001-4.3-01
Requirement
Determine AI management system boundaries and applicability
The organization must determine the boundaries and applicability of the AI management system to establish its scope.
ISO42001-4.3-02
Requirement
Consider external and internal issues in scope determination
When determining the scope, the organization must consider the external and internal issues referred to in clause 4.1.
ISO42001-4.3-03
Requirement
Consider interested parties requirements in scope determination
When determining the scope, the organization must consider the requirements of interested parties referred to in clause
ISO42001-4.3-04
Requirement
Consider AI systems in scope determination
When determining the scope, the organization must consider the AI systems developed, provided, or used by the organizati
ISO42001-4.3-05
Documentation
Make scope available as documented information
The organization must ensure the scope is available as documented information.
ISO42001-4.3-06
Transparency
Clearly identify covered AI systems in scope
The scope must clearly identify which AI systems are covered by the management system.
ISO42001-4.3-07
Transparency
Clearly identify covered processes in scope
The scope must clearly identify which processes are covered by the management system.
ISO42001-4.3-08
Transparency
Clearly identify covered organizational units in scope
The scope must clearly identify which organizational units are covered by the management system.
ISO42001-4.3-09
Transparency
Clearly identify covered locations in scope
The scope must clearly identify which locations are covered by the management system.
Article 4.4. AI management system
10 obligations
ISO42001-4.4-01
Requirement
Establish AI management system
The organization must establish an AI management system that includes all necessary processes and their interactions, in
ISO42001-4.4-02
Requirement
Implement AI management system
The organization must implement the established AI management system with all necessary processes and their interactions
ISO42001-4.4-03
Requirement
Maintain AI management system
The organization must maintain the AI management system and all its constituent processes and interactions on an ongoing
ISO42001-4.4-04
Requirement
Continually improve AI management system
The organization must continually improve the AI management system, including ongoing enhancement of processes and their
ISO42001-4.4-05
Requirement
Address responsible AI development throughout lifecycle
The AI management system must specifically address the responsible development of AI systems throughout their entire lif
ISO42001-4.4-06
Requirement
Address responsible AI provision throughout lifecycle
The AI management system must specifically address the responsible provision of AI systems throughout their entire lifec
ISO42001-4.4-07
Requirement
Address responsible AI use throughout lifecycle
The AI management system must specifically address the responsible use of AI systems throughout their entire lifecycle.
ISO42001-4.4-08
Requirement
Determine needed processes for AI management system
The organization must determine and identify all processes that are needed for the AI management system.
ISO42001-4.4-09
Requirement
Determine process sequence and interaction
The organization must determine the sequence and interaction of all processes within the AI management system.
ISO42001-4.4-10
Requirement
Determine criteria and methods for effective operation and control
The organization must determine the criteria and methods needed to ensure effective operation and control of AI manageme