ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 5.3. Roles, responsibilities and authorities
5 obligations
ISO42001-5.3-06
Risk Management
Include AI risk management roles
Roles must include those responsible for AI risk management within the organization

ISO42001-5.3-07
Requirement
Include AI system impact assessment roles
Roles must include those responsible for AI system impact assessment within the organization

ISO42001-5.3-08
Data Governance
Include data governance roles
Roles must include those responsible for data governance within the organization

ISO42001-5.3-09
Requirement
Include AI system lifecycle management roles
Roles must include those responsible for AI system lifecycle management within the organization

ISO42001-5.3-10
Conformity
Include compliance and ethical requirements roles
Roles must include those responsible for compliance with applicable AI-related regulations and ethical requirements

Article 6.1.1. General (actions to address risks and opportunities)
7 obligations
ISO42001-6.1.1-01
Requirement
Consider Context Issues and Requirements in AI Management System Planning
When planning for the AI management system, the organization must consider the issues referred to in clause 4.1 (underst

ISO42001-6.1.1-02
Risk Management
Determine Risks and Opportunities for AI Management System
The organization must identify and determine the risks and opportunities that need to be addressed in relation to the AI

ISO42001-6.1.1-03
Risk Management
Plan Actions to Address Risks and Opportunities
The organization must develop and plan specific actions to address the identified risks and opportunities related to the

ISO42001-6.1.1-04
Requirement
Integrate Actions into AI Management System Processes
The organization must integrate the planned actions for addressing risks and opportunities into its AI management system

ISO42001-6.1.1-05
Requirement
Implement Actions for Risks and Opportunities
The organization must implement the planned actions to address risks and opportunities within its AI management system p

ISO42001-6.1.1-06
Monitoring
Evaluate Effectiveness of Risk and Opportunity Actions
The organization must evaluate the effectiveness of the actions taken to address risks and opportunities in the AI manag

ISO42001-6.1.1-07
Requirement
Ensure Actions Are Proportionate to Potential Impact
Actions taken to address risks and opportunities must be proportionate to the potential impact on the conformity and int

Article 6.1.2. AI risk assessment
13 obligations
ISO42001-6.1.2-01
Risk Management
Define and apply AI risk assessment process
The organization must establish and implement a formal AI risk assessment process that includes defined methodologies an

ISO42001-6.1.2-02
Risk Management
Establish and maintain AI risk criteria
The organization must define, document, and keep current the criteria used to evaluate AI risks, including what constitu

ISO42001-6.1.2-03
Risk Management
Establish criteria for performing AI risk assessments
The organization must define the specific criteria and parameters that govern how AI risk assessments are to be conducte

ISO42001-6.1.2-04
Risk Management
Ensure consistent, valid, and comparable risk assessment results
The organization must implement controls and procedures to guarantee that repeated AI risk assessments produce results t

ISO42001-6.1.2-05
Risk Management
Identify AI system development risks
The organization must systematically identify and catalog risks associated with the development phase of AI systems, inc

ISO42001-6.1.2-06
Risk Management
Identify AI system provision risks
The organization must systematically identify and catalog risks associated with the provision or deployment of AI system

ISO42001-6.1.2-07
Risk Management
Identify AI system use risks
The organization must systematically identify and catalog risks associated with the use or operation of AI systems, incl

ISO42001-6.1.2-08
Risk Management
Analyze and evaluate identified AI risks
The organization must conduct detailed analysis and evaluation of all identified AI risks, systematically examining thei

ISO42001-6.1.2-09
Risk Management
Consider likelihood in AI risk evaluation
The organization must assess and factor in the probability or likelihood of identified AI risks materializing as part of

ISO42001-6.1.2-10
Risk Management
Consider severity in AI risk evaluation
The organization must assess and factor in the potential severity or magnitude of impact of identified AI risks as part

ISO42001-6.1.2-11
Risk Management
Consider nature of potential impacts in AI risk evaluation
The organization must assess and factor in the qualitative characteristics and nature of potential impacts from identifi

ISO42001-6.1.2-12
Risk Management
Compare risk evaluation results with established criteria
The organization must systematically compare the results of AI risk analysis and evaluation against the previously estab

ISO42001-6.1.2-13
Risk Management
Determine which risks require treatment
The organization must make explicit determinations about which identified and evaluated AI risks exceed acceptable thres