ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
  - Ch. I — Context, Leadership, and Planning (Clauses 4-6)
    - Art. 4.1. Understanding the organization and its context (8)
    - Art. 4.2. Understanding the needs and expectations of interested parties (4)
    - Art. 4.3. Determining the scope of the AI management system (9)
    - Art. 4.4. AI management system (12)
    - Art. 5.1. Leadership and commitment (10)
    - Art. 5.2. AI policy (8)
    - Art. 5.3. Roles, responsibilities and authorities (10)
    - Art. 6.1.1. General (actions to address risks and opportunities) (7)
    - Art. 6.1.2. AI risk assessment (13)
    - Art. 6.1.3. AI risk treatment (6)
    - Art. 6.1.4. AI system impact assessment (5)
    - Art. 6.2. AI objectives and planning to achieve them (12)
    - Art. 6.3. Planning of changes (7)
  - Ch. II — Support and Operation (Clauses 7-8)
    - Art. 7.1. Resources (9)
    - Art. 7.2. Competence (5)
    - Art. 7.3. Awareness (6)
    - Art. 7.4. Communication (3)
    - Art. 7.5. Documented information (9)
    - Art. 8.1. Operational planning and control (10)
    - Art. 8.2. AI risk assessment (operational) (6)
    - Art. 8.3. AI risk treatment (operational) (6)
    - Art. 8.4. AI system impact assessment (operational) (13)
  - Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
    - Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
    - Art. 9.2. Internal audit (10)
    - Art. 9.3. Management review (10)
    - Art. 10.1. Continual improvement (9)
    - Art. 10.2. Nonconformity and corrective action (10)
  - Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
    - Art. A.2.2. AI Policy (9)
    - Art. A.2.3. Responsible AI Topics in AI Policy (4)
    - Art. A.3.2. Roles and Responsibilities for AI (6)
    - Art. A.3.3. Reporting of AI Concerns (9)
    - Art. A.3.4. Impact of Organizational Changes (6)
  - Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
    - Art. A.4.2. Resources Related to AI Systems (5)
    - Art. A.4.3. Competencies Related to AI Systems (4)
    - Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
    - Art. A.4.5. Consultation (6)
    - Art. A.4.6. Communication About the AI System (6)
    - Art. A.5.2. AI System Risk Assessment (5)
    - Art. A.5.3. AI System Impact Assessment (8)
    - Art. A.5.4. Impact of AI System Documentation (4)
  - Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
    - Art. A.6.2.2. Design and Development of AI System (5)
    - Art. A.6.2.3. Training and Testing AI Model (14)
    - Art. A.6.2.4. Verification and Validation of AI System (7)
    - Art. A.6.2.5. Deployment of AI System (10)
    - Art. A.6.2.6. Operation and Monitoring of AI System (10)
    - Art. A.6.2.7. Retirement of AI System (10)
    - Art. A.6.2.8. Responsible AI System Integration (9)
    - Art. A.6.2.9. AI System Documentation (7)
    - Art. A.6.2.10. Defined Use and Misuse of AI System (5)
    - Art. A.6.2.11. Management of Third-Party AI System Components (6)
  - Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
    - Art. A.7.2. Data for Development and Enhancement of AI System (11)
    - Art. A.7.3. Data Quality for ML and Data for AI System (11)
    - Art. A.7.4. Data Preparation (11)
    - Art. A.7.5. Data Acquisition and Collection (6)
    - Art. A.7.6. Data Provenance (7)
    - Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
    - Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
    - Art. A.8.4. Access to Information About AI System Interaction (5)
    - Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
    - Art. A.9.2. Objectives for Responsible Use of AI System (6)
    - Art. A.9.3. Intended Use of AI System (4)
    - Art. A.9.4. Processes for Responsible Use of AI System (7)
    - Art. A.9.5. Human Oversight Aspects (11)
    - Art. A.10.2. Suppliers of AI System Components (8)
    - Art. A.10.3. Shared ML Models (14)
    - Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Article 8.2. AI risk assessment (operational)
3 obligations
ISO42001-8.2-04
Risk Management
Consider system-specific characteristics in risk assessments
The organization must take into account the specific characteristics, data inputs, outputs, operational context, and aff
ISO42001-8.2-05
Documentation
Retain documented information of risk assessment results
The organization must maintain and preserve documented information containing the results of all AI risk assessments per
ISO42001-8.2-06
Documentation
Ensure traceability between risks and AI systems
The organization must establish and maintain traceability that links identified risks to the specific AI systems to whic
Article 8.3. AI risk treatment (operational)
6 obligations
ISO42001-8.3-01
Risk Management
Implement AI risk treatment plan
The organization must implement the AI risk treatment plan that was established in section 6.1.3 of the standard.
ISO42001-8.3-02
Documentation
Retain documented information of AI risk treatment results
The organization must maintain documented information showing the results of AI risk treatment activities.
ISO42001-8.3-03
Documentation
Provide evidence of effective control implementation
The organization must maintain evidence demonstrating that selected controls have been implemented effectively as part o
ISO42001-8.3-04
Documentation
Document acceptable residual risk levels
The organization must maintain documentation showing that residual risks are within acceptable levels after risk treatme
ISO42001-8.3-05
Risk Management
Review and update risk treatment plan when outcomes not achieved
When AI risk treatment actions do not achieve the desired outcomes, the organization must review and update the risk tre
ISO42001-8.3-06
Risk Management
Integrate risk treatment into AI system lifecycle processes
The organization must ensure that risk treatment activities are integrated into the AI system lifecycle processes.
Article 8.4. AI system impact assessment (operational)
13 obligations
ISO42001-8.4-01
Risk Management
Perform AI system impact assessments in accordance with established process
The organization must conduct AI system impact assessments following the process established in section 6.1.4 of the sta
ISO42001-8.4-02
Monitoring
Conduct impact assessments at planned intervals
The organization must perform AI system impact assessments at predetermined, scheduled intervals as part of ongoing moni
ISO42001-8.4-03
Risk Management
Conduct impact assessments when significant changes are proposed to AI systems
The organization must perform impact assessments whenever significant changes to AI systems are proposed, before impleme
ISO42001-8.4-04
Risk Management
Conduct impact assessments when significant changes occur to AI systems
The organization must perform impact assessments whenever significant changes actually occur to AI systems or their oper
ISO42001-8.4-05
Risk Management
Perform impact assessments before deployment of new AI systems
The organization must complete impact assessments prior to deploying any new AI systems into operational use.
ISO42001-8.4-06
Risk Management
Perform impact assessments for material changes to existing systems
The organization must conduct impact assessments when there are material changes to existing AI systems.
ISO42001-8.4-07
Data Governance
Perform impact assessments for material changes to data inputs
The organization must conduct impact assessments when there are material changes to the data inputs of AI systems.
ISO42001-8.4-08
Risk Management
Perform impact assessments for material changes to operational environment
The organization must conduct impact assessments when there are material changes to the operational environment of AI sy
ISO42001-8.4-09
Risk Management
Perform impact assessments for material changes to affected populations
The organization must conduct impact assessments when there are material changes to the populations that AI systems affe
ISO42001-8.4-10
Documentation
Retain documented information of impact assessment results
The organization must maintain and preserve documented information containing the results of all AI system impact assess
ISO42001-8.4-11
Risk Management
Use impact assessment findings to inform risk treatment decisions
The organization must utilize the findings from impact assessments to guide and inform risk treatment decisions.
ISO42001-8.4-12
Risk Management
Use impact assessment findings to inform system design decisions
The organization must utilize the findings from impact assessments to guide and inform AI system design decisions.
ISO42001-8.4-13
Transparency
Use impact assessment findings to inform stakeholder communication decisions
The organization must utilize the findings from impact assessments to guide and inform decisions about stakeholder commu
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Article 9.1. Monitoring, measurement, analysis and evaluation
3 obligations
ISO42001-9.1-01
Monitoring
Determine monitoring and measurement scope for AI management system
The organization must identify and determine what aspects of the AI management system and its AI systems need to be moni
ISO42001-9.1-02
Requirement
Establish methods for monitoring and measurement activities
The organization must determine and establish the specific methods to be used for monitoring, measurement, analysis, and
ISO42001-9.1-03
Requirement
Define timing for monitoring and evaluation activities
The organization must establish and determine the schedule and timing for when monitoring and measuring activities will