ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
  - Ch. I — Context, Leadership, and Planning (Clauses 4-6)
    - Art. 4.1. Understanding the organization and its context (8)
    - Art. 4.2. Understanding the needs and expectations of interested parties (4)
    - Art. 4.3. Determining the scope of the AI management system (9)
    - Art. 4.4. AI management system (12)
    - Art. 5.1. Leadership and commitment (10)
    - Art. 5.2. AI policy (8)
    - Art. 5.3. Roles, responsibilities and authorities (10)
    - Art. 6.1.1. General (actions to address risks and opportunities) (7)
    - Art. 6.1.2. AI risk assessment (13)
    - Art. 6.1.3. AI risk treatment (6)
    - Art. 6.1.4. AI system impact assessment (5)
    - Art. 6.2. AI objectives and planning to achieve them (12)
    - Art. 6.3. Planning of changes (7)
  - Ch. II — Support and Operation (Clauses 7-8)
    - Art. 7.1. Resources (9)
    - Art. 7.2. Competence (5)
    - Art. 7.3. Awareness (6)
    - Art. 7.4. Communication (3)
    - Art. 7.5. Documented information (9)
    - Art. 8.1. Operational planning and control (10)
    - Art. 8.2. AI risk assessment (operational) (6)
    - Art. 8.3. AI risk treatment (operational) (6)
    - Art. 8.4. AI system impact assessment (operational) (13)
  - Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
    - Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
    - Art. 9.2. Internal audit (10)
    - Art. 9.3. Management review (10)
    - Art. 10.1. Continual improvement (9)
    - Art. 10.2. Nonconformity and corrective action (10)
  - Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
    - Art. A.2.2. AI Policy (9)
    - Art. A.2.3. Responsible AI Topics in AI Policy (4)
    - Art. A.3.2. Roles and Responsibilities for AI (6)
    - Art. A.3.3. Reporting of AI Concerns (9)
    - Art. A.3.4. Impact of Organizational Changes (6)
  - Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
    - Art. A.4.2. Resources Related to AI Systems (5)
    - Art. A.4.3. Competencies Related to AI Systems (4)
    - Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
    - Art. A.4.5. Consultation (6)
    - Art. A.4.6. Communication About the AI System (6)
    - Art. A.5.2. AI System Risk Assessment (5)
    - Art. A.5.3. AI System Impact Assessment (8)
    - Art. A.5.4. Impact of AI System Documentation (4)
  - Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
    - Art. A.6.2.2. Design and Development of AI System (5)
    - Art. A.6.2.3. Training and Testing AI Model (14)
    - Art. A.6.2.4. Verification and Validation of AI System (7)
    - Art. A.6.2.5. Deployment of AI System (10)
    - Art. A.6.2.6. Operation and Monitoring of AI System (10)
    - Art. A.6.2.7. Retirement of AI System (10)
    - Art. A.6.2.8. Responsible AI System Integration (9)
    - Art. A.6.2.9. AI System Documentation (7)
    - Art. A.6.2.10. Defined Use and Misuse of AI System (5)
    - Art. A.6.2.11. Management of Third-Party AI System Components (6)
  - Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
    - Art. A.7.2. Data for Development and Enhancement of AI System (11)
    - Art. A.7.3. Data Quality for ML and Data for AI System (11)
    - Art. A.7.4. Data Preparation (11)
    - Art. A.7.5. Data Acquisition and Collection (6)
    - Art. A.7.6. Data Provenance (7)
    - Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
    - Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
    - Art. A.8.4. Access to Information About AI System Interaction (5)
    - Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
    - Art. A.9.2. Objectives for Responsible Use of AI System (6)
    - Art. A.9.3. Intended Use of AI System (4)
    - Art. A.9.4. Processes for Responsible Use of AI System (7)
    - Art. A.9.5. Human Oversight Aspects (11)
    - Art. A.10.2. Suppliers of AI System Components (8)
    - Art. A.10.3. Shared ML Models (14)
    - Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Article 9.1. Monitoring, measurement, analysis and evaluation
1 obligation
Article 9.2. Internal audit
10 obligations
ISO42001-9.2-01
Monitoring
Conduct internal audits at planned intervals
The organization must conduct internal audits at planned intervals to provide information on whether the AI management s
ISO42001-9.2-02
Requirement
Plan audit program
The organization must plan an audit program that includes the frequency, methods, responsibilities, planning requirement
ISO42001-9.2-03
Requirement
Establish audit program
The organization must establish an audit program that includes the frequency, methods, responsibilities, planning requir
ISO42001-9.2-04
Requirement
Implement audit program
The organization must implement an audit program that includes the frequency, methods, responsibilities, planning requir
ISO42001-9.2-05
Requirement
Maintain audit program
The organization must maintain an audit program that includes the frequency, methods, responsibilities, planning require
ISO42001-9.2-06
Requirement
Consider process importance in audit program
The audit program must take into consideration the importance of the processes concerned when planning and conducting au
ISO42001-9.2-07
Requirement
Consider organizational changes in audit program
The audit program must take into consideration changes affecting the organization when planning and conducting audits.
ISO42001-9.2-08
Requirement
Consider previous audit results in audit program
The audit program must take into consideration the results of previous audits when planning and conducting audits.
ISO42001-9.2-09
Requirement
Select auditors to ensure objectivity and impartiality
The organization must select auditors and conduct audits in a manner that ensures objectivity and impartiality of the au
ISO42001-9.2-10
Requirement
Conduct audits to ensure objectivity and impartiality
The organization must conduct audits in a manner that ensures objectivity and impartiality of the audit process.
Article 9.3. Management review
10 obligations
ISO42001-9.3-01
Requirement
Conduct planned management reviews of AI management system
Top management must review the organization's AI management system at planned intervals to ensure its continuing suitabi
ISO42001-9.3-02
Requirement
Include status of previous management review actions in current review
The management review must include consideration of the status of actions from previous management reviews.
ISO42001-9.3-03
Requirement
Include external and internal changes in management review
The management review must include consideration of changes in external and internal issues relevant to the AI managemen
ISO42001-9.3-04
Requirement
Include stakeholder changes in management review
The management review must include consideration of changes in the needs and expectations of interested parties.
ISO42001-9.3-05
Requirement
Include AI management system performance feedback in review
The management review must include consideration of feedback on AI management system performance.
ISO42001-9.3-06
Requirement
Include assessment results in management review
The management review must include consideration of results of risk assessments and impact assessments.
ISO42001-9.3-07
Requirement
Include audit results in management review
The management review must include consideration of audit results.
ISO42001-9.3-08
Requirement
Include improvement opportunities in management review
The management review must include consideration of opportunities for continual improvement.
ISO42001-9.3-09
Documentation
Document management review outputs with improvement decisions
The outputs of the management review must include decisions related to continual improvement opportunities.
ISO42001-9.3-10
Documentation
Document management review outputs with system change decisions
The outputs of the management review must include any need for changes to the AI management system.
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.10.2. Suppliers of AI System Components
4 obligations
ISO42001-A.10.2-01
Requirement
Establish supplier relationship management processes
The organization must establish formal processes for managing relationships with suppliers of AI system components, cove
ISO42001-A.10.2-02
Requirement
Define AI-related requirements for suppliers
The organization must define specific AI-related requirements for suppliers covering quality, reliability, security, pri
ISO42001-A.10.2-03
Transparency
Communicate AI-related requirements to suppliers
The organization must communicate the defined AI-related requirements to suppliers, ensuring they understand expectation
ISO42001-A.10.2-04
Requirement
Include responsible AI requirements in supplier agreements
The organization must ensure that supplier agreements specifically address the organization's responsible AI requirement