ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 6.3. Planning of changes
5 obligations
ISO42001-6.3-03
Risk Management
Consider integrity of AI management system during changes
The organization must evaluate and ensure that proposed changes do not compromise the overall integrity of the AI manage
ISO42001-6.3-04
Requirement
Consider resource availability for AI management system changes
The organization must assess and consider the availability of necessary resources before implementing changes to the AI
ISO42001-6.3-05
Requirement
Consider allocation of responsibilities and authorities for changes
The organization must evaluate and plan the allocation or reallocation of responsibilities and authorities when implemen
ISO42001-6.3-06
Documentation
Document changes to AI management system
The organization must create and maintain documentation of all changes made to the AI management system.
ISO42001-6.3-07
Monitoring
Verify changes achieve intended effect without adverse impact
The organization must verify that implemented changes to the AI management system accomplish their intended purpose and
Chapter II — Support and Operation (Clauses 7-8)
Article 7.1. Resources
9 obligations
ISO42001-7.1-01
Requirement
Determine Required Resources for AI Management System
The organization must identify and assess all resources needed for establishing, implementing, maintaining, and continua
ISO42001-7.1-02
Requirement
Provide Required Resources for AI Management System
The organization must allocate and make available all identified resources necessary for the AI management system across
ISO42001-7.1-03
Requirement
Consider Internal Resource Capabilities and Constraints
The organization must evaluate the capabilities and limitations of existing internal resources when planning for AI mana
ISO42001-7.1-04
Requirement
Identify External Resource Requirements
The organization must determine what resources need to be obtained from external providers to meet AI management system
ISO42001-7.1-05
Requirement
Provide Personnel Resources
The organization must ensure adequate personnel resources are available, appropriate to the scale and complexity of the
ISO42001-7.1-06
Requirement
Provide Infrastructure Resources
The organization must ensure adequate infrastructure resources, including computing resources, are available appropriate
ISO42001-7.1-07
Requirement
Provide Technology Resources
The organization must ensure adequate technology resources are available appropriate to the scale and complexity of the
ISO42001-7.1-08
Data Governance
Provide Data Resources
The organization must ensure adequate data resources are available appropriate to the scale and complexity of the organi
ISO42001-7.1-09
Requirement
Provide Financial Resources
The organization must ensure adequate financial resources are available appropriate to the scale and complexity of the o
Article 7.2. Competence
5 obligations
ISO42001-7.2-01
Requirement
Determine necessary competence for AI management system personnel
The organization must identify and determine the necessary competence of all persons doing work under its control that a
ISO42001-7.2-02
Requirement
Ensure personnel competence through education, training, or experience
The organization must ensure that persons doing work under its control that affects the AI management system are compete
ISO42001-7.2-03
Requirement
Take actions to acquire necessary competence when applicable
Where applicable, the organization must take actions to acquire the necessary competence for personnel affecting the AI
ISO42001-7.2-04
Monitoring
Evaluate effectiveness of competence acquisition actions
The organization must evaluate the effectiveness of actions taken to acquire necessary competence for personnel affectin
ISO42001-7.2-05
Documentation
Retain documented information as evidence of competence
The organization must retain appropriate documented information that serves as evidence of competence for persons doing
Article 7.3. Awareness
6 obligations
ISO42001-7.3-01
Requirement
AI Policy Awareness Requirement
Organizations must ensure that persons working under their control are aware of the AI policy
ISO42001-7.3-02
Requirement
AI Management System Contribution Awareness
Organizations must ensure that persons working under their control are aware of their contribution to the effectiveness
ISO42001-7.3-03
Requirement
Non-Conformance Implications Awareness
Organizations must ensure that persons working under their control are aware of the implications of not conforming with
ISO42001-7.3-04
Requirement
AI System Impact Awareness on Individuals and Society
Organizations must ensure that persons working under their control are aware of the potential impacts of AI systems on i
ISO42001-7.3-05
Requirement
Ethical Considerations Awareness Extension
Organizations must extend awareness to ethical considerations relevant to the organization's AI activities
ISO42001-7.3-06
Requirement
Responsible Use Principles Awareness Extension
Organizations must extend awareness to responsible use principles relevant to the organization's AI activities