ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.9.2. Objectives for Responsible Use of AI System
6 obligations
ISO42001-A.9.2-01
Requirement
Establish objectives for responsible use of each AI system
The organization must establish specific objectives for the responsible use of each AI system that align with the AI pol
ISO42001-A.9.2-02
Requirement
Ensure objectives are specific and measurable
Objectives for responsible use of AI systems must be specific and measurable where practicable.
ISO42001-A.9.2-03
Requirement
Address responsible AI aspects in objectives
Objectives must address aspects such as fairness, accuracy, transparency, privacy, safety, and accountability.
ISO42001-A.9.2-04
Monitoring
Monitor progress toward achieving objectives
The organization must monitor progress toward achieving the established objectives for responsible use of AI systems.
ISO42001-A.9.2-05
Requirement
Take corrective action when objectives are not met
The organization must take action when objectives for responsible use of AI systems are not being met.
ISO42001-A.9.2-06
Requirement
Update objectives based on changes
The organization must update objectives as the AI system, its operational context, or stakeholder expectations change.
Article A.9.3. Intended Use of AI System
4 obligations
ISO42001-A.9.3-01
Documentation
Define and Document Intended Use of AI Systems
The organization must clearly define and document the intended use of each AI system, including the specific tasks the s
ISO42001-A.9.3-02
Transparency
Communicate Intended Use Definition to Stakeholders
The organization must communicate the intended use definition to all relevant stakeholders, including developers, operat
ISO42001-A.9.3-03
Requirement
Ensure AI Systems Used Only for Intended Purposes
The organization must ensure that AI systems are used only for their intended purposes and not for any other application
ISO42001-A.9.3-04
Monitoring
Implement Controls to Detect and Prevent Misuse
The organization must implement controls to detect and prevent use of AI systems outside the defined scope of their inte
Article A.9.4. Processes for Responsible Use of AI System
7 obligations
ISO42001-A.9.4-01
Requirement
Establish processes for responsible AI system use
The organization must establish processes to ensure the responsible use of AI systems throughout their lifecycle, includ
ISO42001-A.9.4-02
Requirement
Implement processes for responsible AI system use
The organization must implement the established processes for responsible use of AI systems throughout their lifecycle,
ISO42001-A.9.4-03
Requirement
Integrate AI processes into existing business processes
The organization must integrate the processes for responsible AI use into the organization's existing business processes
ISO42001-A.9.4-04
Risk Management
Ensure processes are proportionate to AI system risk and impact
The organization must ensure that the processes for responsible AI use are proportionate to the risk level and impact of
ISO42001-A.9.4-05
Documentation
Document responsible AI use processes
The organization must document the processes established for responsible use of AI systems.
ISO42001-A.9.4-06
Requirement
Assign responsibilities for process execution
The organization must assign responsibilities for the execution of the processes for responsible AI use.
ISO42001-A.9.4-07
Monitoring
Monitor effectiveness of responsible AI processes
The organization must monitor the effectiveness of the processes for responsible AI use.
Article A.9.5. Human Oversight Aspects
8 obligations
ISO42001-A.9.5-01
Human Oversight
Determine and implement human oversight measures
The organization must identify and put in place appropriate human oversight measures for its AI systems that are proport
ISO42001-A.9.5-02
Human Oversight
Enable qualified individuals to understand AI system capabilities and limitations
Human oversight measures must enable qualified individuals to understand the AI system's capabilities and limitations.
ISO42001-A.9.5-03
Monitoring
Enable monitoring of AI system operation
Human oversight measures must enable qualified individuals to monitor the AI system's operation.
ISO42001-A.9.5-04
Human Oversight
Enable interpretation of AI system outputs
Human oversight measures must enable qualified individuals to interpret the AI system's outputs.
ISO42001-A.9.5-05
Human Oversight
Enable intervention when necessary
Human oversight measures must enable qualified individuals to intervene when necessary in AI system operations.
ISO42001-A.9.5-06
Human Oversight
Enable override or halt of AI system to prevent harm
Human oversight measures must enable qualified individuals to override or halt the AI system in situations where continu
ISO42001-A.9.5-07
Human Oversight
Ensure oversight personnel have appropriate authority
The organization must ensure that individuals performing oversight roles have the authority needed to exercise effective
ISO42001-A.9.5-08
Human Oversight
Ensure oversight personnel have appropriate competence
The organization must ensure that individuals performing oversight roles have the competence needed to exercise effectiv