ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 6.1.3. AI risk treatment
6 obligations
ISO42001-6.1.3-01
Risk Management
Define and apply AI risk treatment process
The organization must establish and implement a formal AI risk treatment process that selects appropriate risk treatment
ISO42001-6.1.3-02
Risk Management
Determine necessary controls for AI risk treatment
The organization must identify and determine all controls required to implement the chosen AI risk treatment options, wh
ISO42001-6.1.3-03
Documentation
Produce Statement of Applicability
The organization must create a Statement of Applicability documenting necessary controls, justification for their inclus
ISO42001-6.1.3-04
Risk Management
Formulate AI risk treatment plan
The organization must develop a comprehensive AI risk treatment plan as part of the risk treatment process.
ISO42001-6.1.3-05
Risk Management
Obtain risk owners' approval of treatment plan
The organization must secure formal approval from risk owners for the AI risk treatment plan before implementation.
ISO42001-6.1.3-06
Risk Management
Obtain risk owners' acceptance of residual AI risks
The organization must secure formal acceptance from risk owners for the residual AI risks that remain after treatment im
Article 6.1.4. AI system impact assessment
5 obligations
ISO42001-6.1.4-01
Requirement
Establish AI system impact assessment process
The organization must establish a formal process for assessing the potential impacts of AI systems on individuals, group
ISO42001-6.1.4-02
Requirement
Consider specific factors in impact assessment
The impact assessment must consider the intended purpose of the AI system, foreseeable misuse, the affected populations,
ISO42001-6.1.4-03
Documentation
Document AI system impact assessment results
The organization must document the results of AI system impact assessments performed.
ISO42001-6.1.4-04
Risk Management
Use impact assessments to inform risk treatment decisions
The organization must use the results of AI system impact assessments to inform AI risk treatment decisions.
ISO42001-6.1.4-05
Monitoring
Review impact assessments upon significant changes
Impact assessments must be reviewed when there are significant changes to the AI system or its operational context.
Article 6.2. AI objectives and planning to achieve them
12 obligations
ISO42001-6.2-01
Requirement
Establish AI objectives at relevant functions, levels, and processes
The organization must establish AI objectives at all relevant functions, levels, and processes that are needed for the A
ISO42001-6.2-02
Requirement
Ensure AI objectives are consistent with AI policy
AI objectives must be aligned with and consistent with the organization's established AI policy.
ISO42001-6.2-03
Requirement
Make AI objectives measurable where practicable
AI objectives must be defined in measurable terms when it is practicable to do so, allowing for quantitative or qualitat
ISO42001-6.2-04
Requirement
Account for applicable requirements in AI objectives
AI objectives must take into consideration and incorporate all applicable legal, regulatory, and other requirements rele
ISO42001-6.2-05
Monitoring
Monitor AI objectives
The organization must establish and implement monitoring processes to track progress and performance against the establi
ISO42001-6.2-06
Transparency
Communicate AI objectives
AI objectives must be communicated to relevant stakeholders within the organization to ensure awareness and alignment.
ISO42001-6.2-07
Requirement
Update AI objectives as appropriate
AI objectives must be reviewed and updated when circumstances change or when it is otherwise appropriate to ensure conti
ISO42001-6.2-08
Requirement
Determine what will be done to achieve AI objectives
When planning how to achieve AI objectives, the organization must determine and define the specific actions and activiti
ISO42001-6.2-09
Requirement
Determine required resources for achieving AI objectives
The organization must identify and determine what resources (human, financial, technological, etc.) will be required to
ISO42001-6.2-10
Requirement
Determine responsibility for achieving AI objectives
The organization must assign and determine who will be responsible for executing the plans and achieving the AI objectiv
ISO42001-6.2-11
Requirement
Determine completion timeline for AI objectives
The organization must establish and determine when the activities and objectives will be completed, setting clear timeli
ISO42001-6.2-12
Requirement
Determine evaluation method for results
The organization must determine and establish how the results of AI objective achievement will be evaluated and assessed
Article 6.3. Planning of changes
2 obligations
ISO42001-6.3-01
Requirement
Carry out AI management system changes in planned manner
When determining the need for changes to the AI management system, the organization must execute those changes following
ISO42001-6.3-02
Risk Management
Consider purpose and consequences of AI management system changes
The organization must evaluate and consider the purpose of proposed changes to the AI management system and assess their