ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
  - Ch. I — Context, Leadership, and Planning (Clauses 4-6)
    - Art. 4.1. Understanding the organization and its context (8)
    - Art. 4.2. Understanding the needs and expectations of interested parties (4)
    - Art. 4.3. Determining the scope of the AI management system (9)
    - Art. 4.4. AI management system (12)
    - Art. 5.1. Leadership and commitment (10)
    - Art. 5.2. AI policy (8)
    - Art. 5.3. Roles, responsibilities and authorities (10)
    - Art. 6.1.1. General (actions to address risks and opportunities) (7)
    - Art. 6.1.2. AI risk assessment (13)
    - Art. 6.1.3. AI risk treatment (6)
    - Art. 6.1.4. AI system impact assessment (5)
    - Art. 6.2. AI objectives and planning to achieve them (12)
    - Art. 6.3. Planning of changes (7)
  - Ch. II — Support and Operation (Clauses 7-8)
    - Art. 7.1. Resources (9)
    - Art. 7.2. Competence (5)
    - Art. 7.3. Awareness (6)
    - Art. 7.4. Communication (3)
    - Art. 7.5. Documented information (9)
    - Art. 8.1. Operational planning and control (10)
    - Art. 8.2. AI risk assessment (operational) (6)
    - Art. 8.3. AI risk treatment (operational) (6)
    - Art. 8.4. AI system impact assessment (operational) (13)
  - Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
    - Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
    - Art. 9.2. Internal audit (10)
    - Art. 9.3. Management review (10)
    - Art. 10.1. Continual improvement (9)
    - Art. 10.2. Nonconformity and corrective action (10)
  - Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
    - Art. A.2.2. AI Policy (9)
    - Art. A.2.3. Responsible AI Topics in AI Policy (4)
    - Art. A.3.2. Roles and Responsibilities for AI (6)
    - Art. A.3.3. Reporting of AI Concerns (9)
    - Art. A.3.4. Impact of Organizational Changes (6)
  - Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
    - Art. A.4.2. Resources Related to AI Systems (5)
    - Art. A.4.3. Competencies Related to AI Systems (4)
    - Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
    - Art. A.4.5. Consultation (6)
    - Art. A.4.6. Communication About the AI System (6)
    - Art. A.5.2. AI System Risk Assessment (5)
    - Art. A.5.3. AI System Impact Assessment (8)
    - Art. A.5.4. Impact of AI System Documentation (4)
  - Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
    - Art. A.6.2.2. Design and Development of AI System (5)
    - Art. A.6.2.3. Training and Testing AI Model (14)
    - Art. A.6.2.4. Verification and Validation of AI System (7)
    - Art. A.6.2.5. Deployment of AI System (10)
    - Art. A.6.2.6. Operation and Monitoring of AI System (10)
    - Art. A.6.2.7. Retirement of AI System (10)
    - Art. A.6.2.8. Responsible AI System Integration (9)
    - Art. A.6.2.9. AI System Documentation (7)
    - Art. A.6.2.10. Defined Use and Misuse of AI System (5)
    - Art. A.6.2.11. Management of Third-Party AI System Components (6)
  - Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
    - Art. A.7.2. Data for Development and Enhancement of AI System (11)
    - Art. A.7.3. Data Quality for ML and Data for AI System (11)
    - Art. A.7.4. Data Preparation (11)
    - Art. A.7.5. Data Acquisition and Collection (6)
    - Art. A.7.6. Data Provenance (7)
    - Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
    - Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
    - Art. A.8.4. Access to Information About AI System Interaction (5)
    - Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
    - Art. A.9.2. Objectives for Responsible Use of AI System (6)
    - Art. A.9.3. Intended Use of AI System (4)
    - Art. A.9.4. Processes for Responsible Use of AI System (7)
    - Art. A.9.5. Human Oversight Aspects (11)
    - Art. A.10.2. Suppliers of AI System Components (8)
    - Art. A.10.3. Shared ML Models (14)
    - Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Article 7.4. Communication
3 obligations
ISO42001-7.4-01
Requirement
Determine internal and external communications for AI management system
The organization must identify and define all internal and external communications that are relevant to the AI managemen
ISO42001-7.4-02
Transparency
Address transparency requirements in AI system communications
All communications must specifically address and fulfill the transparency requirements that are associated with the orga
ISO42001-7.4-03
Transparency
Ensure interested parties receive appropriate AI system information
The organization must ensure that relevant interested parties, including affected individuals and groups, receive approp
Article 7.5. Documented information
9 obligations
ISO42001-7.5-01
Documentation
Include required documented information in AI management system
The organization must include in its AI management system all documented information required by the ISO/IEC 42001:2023
ISO42001-7.5-02
Documentation
Include specific AI management documents
The organization must include specific documented information in the AI management system: AI policy, AI objectives, AI
ISO42001-7.5-03
Documentation
Ensure proper identification of documented information
When creating and updating documented information, the organization must ensure appropriate identification of the docume
ISO42001-7.5-04
Documentation
Ensure proper format of documented information
When creating and updating documented information, the organization must ensure appropriate format of the documents.
ISO42001-7.5-05
Documentation
Ensure review and approval of documented information
When creating and updating documented information, the organization must ensure appropriate review and approval processe
ISO42001-7.5-06
Documentation
Control documented information availability
The organization must control documented information to ensure it is available and suitable for use where and when neede
ISO42001-7.5-07
Data Governance
Protect documented information from loss of confidentiality
The organization must adequately protect documented information from loss of confidentiality.
ISO42001-7.5-08
Data Governance
Protect documented information from improper use
The organization must adequately protect documented information from improper use.
ISO42001-7.5-09
Data Governance
Protect documented information from loss of integrity
The organization must adequately protect documented information from loss of integrity.
Article 8.1. Operational planning and control
10 obligations
ISO42001-8.1-01
Requirement
Plan processes for AI management system requirements
The organization must plan the processes needed to meet AI management system requirements and to implement the actions d
ISO42001-8.1-02
Requirement
Implement processes for AI management system requirements
The organization must implement the processes needed to meet AI management system requirements and to implement the acti
ISO42001-8.1-03
Requirement
Control processes for AI management system requirements
The organization must control the processes needed to meet AI management system requirements and to implement the action
ISO42001-8.1-04
Requirement
Establish criteria for processes
The organization must establish criteria for the processes used in the AI management system.
ISO42001-8.1-05
Requirement
Implement control of processes according to established criteria
The organization must implement control of the processes in accordance with the criteria that have been established.
ISO42001-8.1-06
Documentation
Maintain documented information for process confidence
The organization must keep documented information to the extent necessary to have confidence that the processes have bee
ISO42001-8.1-07
Requirement
Control planned changes
The organization must control planned changes to the AI management system processes.
ISO42001-8.1-08
Monitoring
Review consequences of unintended changes
The organization must review the consequences of unintended changes to the AI management system.
ISO42001-8.1-09
Risk Management
Take action to mitigate adverse effects from unintended changes
The organization must take action to mitigate any adverse effects from unintended changes as necessary.
ISO42001-8.1-10
Requirement
Ensure control of outsourced processes
The organization must ensure that outsourced processes relevant to the AI management system are controlled.
Article 8.2. AI risk assessment (operational)
3 obligations
ISO42001-8.2-01
Risk Management
Perform AI risk assessments at planned intervals
The organization must conduct AI risk assessments at predetermined scheduled intervals, following the criteria establish
ISO42001-8.2-02
Risk Management
Perform AI risk assessments when significant changes occur
The organization must conduct AI risk assessments whenever significant changes are proposed or occur to AI systems, appl
ISO42001-8.2-03
Risk Management
Conduct risk assessments for each AI system within scope
The organization must perform AI risk assessments for every individual AI system that falls within the scope of the mana