Article 4.3. Determining the scope of the AI management system

1 obligation

ISO42001-4.3-05 Documentation

Make scope available as documented information

The organization must ensure the scope is available as documented information.

Article 5.2. AI policy

1 obligation

ISO42001-5.2-06 Documentation

Document AI Policy

The AI policy must be available as documented information.

Article 6.1.3. AI risk treatment

1 obligation

ISO42001-6.1.3-03 Documentation

Produce Statement of Applicability

The organization must create a Statement of Applicability documenting necessary controls, justification for their inclus

Article 6.1.4. AI system impact assessment

1 obligation

ISO42001-6.1.4-03 Documentation

Document AI system impact assessment results

The organization must document the results of AI system impact assessments performed.

Article 6.3. Planning of changes

1 obligation

ISO42001-6.3-06 Documentation

Document changes to AI management system

The organization must create and maintain documentation of all changes made to the AI management system.

Article 7.2. Competence

1 obligation

ISO42001-7.2-05 Documentation

Retain documented information as evidence of competence

The organization must retain appropriate documented information that serves as evidence of competence for persons doing

Article 7.5. Documented information

6 obligations

ISO42001-7.5-01 Documentation

Include required documented information in AI management system

The organization must include in its AI management system all documented information required by the ISO/IEC 42001:2023

ISO42001-7.5-02 Documentation

Include specific AI management documents

The organization must include specific documented information in the AI management system: AI policy, AI objectives, AI

ISO42001-7.5-03 Documentation

Ensure proper identification of documented information

When creating and updating documented information, the organization must ensure appropriate identification of the docume

ISO42001-7.5-04 Documentation

Ensure proper format of documented information

When creating and updating documented information, the organization must ensure appropriate format of the documents.

ISO42001-7.5-05 Documentation

Ensure review and approval of documented information

When creating and updating documented information, the organization must ensure appropriate review and approval processe

ISO42001-7.5-06 Documentation

Control documented information availability

The organization must control documented information to ensure it is available and suitable for use where and when neede

Article 8.1. Operational planning and control

1 obligation

ISO42001-8.1-06 Documentation

Maintain documented information for process confidence

The organization must keep documented information to the extent necessary to have confidence that the processes have bee

Article 8.2. AI risk assessment (operational)

2 obligations

ISO42001-8.2-05 Documentation

Retain documented information of risk assessment results

The organization must maintain and preserve documented information containing the results of all AI risk assessments per

ISO42001-8.2-06 Documentation

Ensure traceability between risks and AI systems

The organization must establish and maintain traceability that links identified risks to the specific AI systems to whic

Article 8.3. AI risk treatment (operational)

3 obligations

ISO42001-8.3-02 Documentation

Retain documented information of AI risk treatment results

The organization must maintain documented information showing the results of AI risk treatment activities.

ISO42001-8.3-03 Documentation

Provide evidence of effective control implementation

The organization must maintain evidence demonstrating that selected controls have been implemented effectively as part o

ISO42001-8.3-04 Documentation

Document acceptable residual risk levels

The organization must maintain documentation showing that residual risks are within acceptable levels after risk treatme

Article 8.4. AI system impact assessment (operational)

1 obligation

ISO42001-8.4-10 Documentation

Retain documented information of impact assessment results

The organization must maintain and preserve documented information containing the results of all AI system impact assess

Article 9.1. Monitoring, measurement, analysis and evaluation

1 obligation

ISO42001-9.1-04 Documentation

Retain documented evidence of monitoring results

The organization must maintain and retain appropriate documented information that serves as evidence of the results obta

Article 9.3. Management review

2 obligations

ISO42001-9.3-09 Documentation

Document management review outputs with improvement decisions

The outputs of the management review must include decisions related to continual improvement opportunities.

ISO42001-9.3-10 Documentation

Document management review outputs with system change decisions

The outputs of the management review must include any need for changes to the AI management system.

Article 10.2. Nonconformity and corrective action

1 obligation

ISO42001-10.2-10 Documentation

Retain nonconformity and corrective action documentation

The organization must retain documented information as evidence of the nature of nonconformities, any actions taken, and

Article A.2.3. Responsible AI Topics in AI Policy

1 obligation

ISO42001-A.2.3-03 Documentation

Provide Lifecycle Guidance for Responsible AI Topics

The policy must provide guidance on how responsible AI topics are to be considered throughout the AI system lifecycle.

Article A.3.2. Roles and Responsibilities for AI

1 obligation

ISO42001-A.3.2-04 Documentation

Document roles and responsibilities

The organization must create and maintain documentation of all AI-related roles and responsibilities that have been defi

Article A.3.3. Reporting of AI Concerns

1 obligation

ISO42001-A.3.3-06 Documentation

Document AI concerns handling

The organization must document the investigation and resolution of reported AI concerns in a timely manner, maintaining

Article A.4.5. Consultation

4 obligations

ISO42001-A.4.5-03 Documentation

Document consultation processes and procedures

The organization must document its consultation process, including the established procedures, methodologies, and framew

ISO42001-A.4.5-04 Documentation

Document parties consulted in AI system consultations

The organization must maintain documentation identifying all parties that were consulted regarding its AI systems, inclu

ISO42001-A.4.5-05 Documentation

Document input received from consultations

The organization must document all input, feedback, recommendations, and concerns received from consulted parties regard

ISO42001-A.4.5-06 Documentation

Document consideration of consultation input in AI system decisions

The organization must document how the input received from consultations was considered, evaluated, and incorporated (or

Article A.5.2. AI System Risk Assessment

1 obligation

ISO42001-A.5.2-04 Documentation

Document Risk Assessment Results

Risk assessment results must be properly documented and maintained.

Article A.5.3. AI System Impact Assessment

1 obligation

ISO42001-A.5.3-05 Documentation

Document Impact Assessment Results

The results of impact assessments must be documented.

Article A.5.4. Impact of AI System Documentation

3 obligations

ISO42001-A.5.4-01 Documentation

Document AI system impact assessment results

The organization must document the complete results of AI system impact assessments, including methodology used, impacts

ISO42001-A.5.4-03 Documentation

Maintain impact assessment documentation throughout AI system lifecycle

The organization must maintain impact assessment documentation continuously throughout the entire AI system lifecycle fr

ISO42001-A.5.4-04 Documentation

Update impact assessment documentation when significant changes occur

The organization must update impact assessment documentation whenever significant changes occur to the AI system or its

Article A.6.2.2. Design and Development of AI System

1 obligation

ISO42001-A.6.2.2-05 Documentation

Document Design Decisions with Rationale and Traceability

All design decisions must be documented with clear rationale and maintain traceability to the original requirements that

Article A.6.2.3. Training and Testing AI Model

4 obligations

ISO42001-A.6.2.3-11 Documentation

Document training and testing methodologies

The organization must document the methodologies used for training and testing AI models as part of their compliance req

ISO42001-A.6.2.3-12 Documentation

Document datasets used in training and testing

The organization must document all datasets used in the training and testing of AI models, including their characteristi

ISO42001-A.6.2.3-13 Documentation

Document training and testing results obtained

The organization must document all results obtained from training and testing processes, including performance metrics a

ISO42001-A.6.2.3-14 Documentation

Document decisions made based on training and testing results

The organization must document all decisions made based on training and testing results, including rationale and justifi

Article A.6.2.4. Verification and Validation of AI System

1 obligation

ISO42001-A.6.2.4-06 Documentation

Document Verification and Validation Results

The organization must document all results from verification and validation activities performed on AI systems.

Article A.6.2.5. Deployment of AI System

2 obligations

ISO42001-A.6.2.5-09 Documentation

Document the deployment process

The organization must document the AI system deployment process to maintain records of deployment activities and decisio

ISO42001-A.6.2.5-10 Documentation

Document deviations from planned deployment activities and their resolution

The organization must document any deviations from planned deployment activities and how these deviations were resolved.

Article A.6.2.6. Operation and Monitoring of AI System

1 obligation

ISO42001-A.6.2.6-10 Documentation

Retain Records of Monitoring Activities and Outcomes

Organizations must maintain and retain comprehensive records of all monitoring activities and their outcomes for AI syst

Article A.6.2.7. Retirement of AI System

4 obligations

ISO42001-A.6.2.7-04 Documentation

Address Documentation Preservation or Secure Disposal in Retirement

Retirement processes must include procedures for the preservation or secure disposal of documentation associated with th

ISO42001-A.6.2.7-08 Documentation

Document AI System Retirement Decisions

The organization must document all decisions related to the retirement of AI systems.

ISO42001-A.6.2.7-09 Documentation

Document AI System Retirement Activities

The organization must document all activities performed during the retirement of AI systems.

ISO42001-A.6.2.7-10 Documentation

Document Ongoing Obligations Related to Retired AI Systems

The organization must document any ongoing obligations that remain after the AI system has been retired.

Article A.6.2.9. AI System Documentation

6 obligations

ISO42001-A.6.2.9-01 Documentation

Maintain comprehensive AI system documentation throughout lifecycle

The organization must maintain comprehensive documentation for each AI system covering its purpose, design, data sources

ISO42001-A.6.2.9-02 Documentation

Ensure documentation enables system behavior understanding

Documentation must be sufficient to enable understanding of the AI system's behavior by relevant stakeholders.

ISO42001-A.6.2.9-03 Documentation

Ensure documentation supports troubleshooting and incident investigation

Documentation must be adequate to support troubleshooting activities and investigation of incidents involving the AI sys

ISO42001-A.6.2.9-04 Documentation

Ensure documentation facilitates audits

Documentation must be designed and maintained to facilitate audit processes of the AI system.

ISO42001-A.6.2.9-06 Documentation

Keep AI system documentation current

The organization must ensure that AI system documentation remains current and up-to-date.

ISO42001-A.6.2.9-07 Documentation

Update documentation when significant system changes occur

The organization must update AI system documentation whenever significant changes are made to the system.

Article A.6.2.10. Defined Use and Misuse of AI System

1 obligation

ISO42001-A.6.2.10-01 Documentation

Define and Document Intended AI System Use

The organization must define and document the intended use of each AI system, specifying operational context, target use

Article A.6.2.11. Management of Third-Party AI System Components

1 obligation

ISO42001-A.6.2.11-06 Documentation

Maintain Third-Party Component Documentation

The organization must maintain comprehensive documented information about the provenance and characteristics of all thir

Article A.7.2. Data for Development and Enhancement of AI System

1 obligation

ISO42001-A.7.2-11 Documentation

Document data management activities throughout AI system lifecycle

The organization must maintain comprehensive documentation of all data management activities across the entire lifecycle

Article A.7.3. Data Quality for ML and Data for AI System

3 obligations

ISO42001-A.7.3-09 Documentation

Document Data Quality Processes

The organization must document its data quality processes for ML and AI systems.

ISO42001-A.7.3-10 Documentation

Document Data Quality Metrics

The organization must document its data quality metrics for ML and AI systems.

ISO42001-A.7.3-11 Documentation

Document Data Quality Results

The organization must document its data quality results for ML and AI systems.

Article A.7.4. Data Preparation

2 obligations

ISO42001-A.7.4-02 Documentation

Document Data Preparation Processes

Data preparation processes must be documented to ensure they can be understood, reviewed, and audited by relevant stakeh

ISO42001-A.7.4-10 Documentation

Record Data Preparation Methodologies

The organization must record the specific methodologies and approaches used for data preparation to support transparency

Article A.7.5. Data Acquisition and Collection

1 obligation

ISO42001-A.7.5-05 Documentation

Document Data Acquisition Sources, Methods, and Conditions

The organization must document the sources, methods, and conditions of data acquisition for AI systems.

Article A.7.6. Data Provenance

1 obligation

ISO42001-A.7.6-01 Documentation

Establish and maintain data provenance records

The organization must establish and maintain comprehensive records of data provenance for all data used in AI systems, d

Article A.8.4. Access to Information About AI System Interaction

1 obligation

ISO42001-A.8.4-05 Documentation

Document available access mechanisms and procedures

The organization must document both the access mechanisms that are available to interested parties and the procedures fo

Article A.9.3. Intended Use of AI System

1 obligation

ISO42001-A.9.3-01 Documentation

Define and Document Intended Use of AI Systems

The organization must clearly define and document the intended use of each AI system, including the specific tasks the s

Article A.9.4. Processes for Responsible Use of AI System

1 obligation

ISO42001-A.9.4-05 Documentation

Document responsible AI use processes

The organization must document the processes established for responsible use of AI systems.

Article A.10.3. Shared ML Models

4 obligations

ISO42001-A.10.3-06 Documentation

Maintain documentation of shared model provenance

The organization must maintain documentation of the provenance of shared models.

ISO42001-A.10.3-07 Documentation

Maintain documentation of shared model training data characteristics

The organization must maintain documentation of the training data characteristics of shared models.

ISO42001-A.10.3-08 Documentation

Maintain documentation of shared model known limitations

The organization must maintain documentation of the known limitations of shared models.

ISO42001-A.10.3-09 Documentation

Maintain documentation of shared model performance characteristics

The organization must maintain documentation of the performance characteristics of shared models.