ISO-42001
ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Requirement Obligations: 239
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Article 4.1. Understanding the organization and its context
6 obligations
ISO42001-4.1-01
Requirement
Determine relevant external and internal issues
The organization must identify and determine external and internal issues that are relevant to its purpose and that affe
ISO42001-4.1-02
Requirement
Consider AI-related regulatory factors
The organization must consider applicable AI-related regulations when determining relevant external and internal issues
ISO42001-4.1-03
Requirement
Consider industry standards factors
The organization must consider relevant industry standards when determining external and internal issues affecting its A
ISO42001-4.1-04
Requirement
Consider stakeholder expectations factors
The organization must consider stakeholder expectations when determining external and internal issues affecting its AI m
ISO42001-4.1-05
Requirement
Consider technological developments factors
The organization must consider technological developments when determining external and internal issues affecting its AI
ISO42001-4.1-06
Requirement
Consider ethical and societal implications
The organization must consider the ethical and societal implications of its AI activities when determining external and
Article 4.2. Understanding the needs and expectations of interested parties
3 obligations
ISO42001-4.2-01
Requirement
Determine relevant interested parties for AI management system
The organization must identify and determine which interested parties are relevant to their AI management system, specif
ISO42001-4.2-02
Requirement
Determine requirements of interested parties
The organization must identify and determine the relevant requirements of the interested parties, including legal, regul
ISO42001-4.2-04
Requirement
Review interested party requirements
The organization must conduct regular reviews of interested party requirements to ensure they maintain continued relevan
Article 4.3. Determining the scope of the AI management system
4 obligations
ISO42001-4.3-01
Requirement
Determine AI management system boundaries and applicability
The organization must determine the boundaries and applicability of the AI management system to establish its scope.
ISO42001-4.3-02
Requirement
Consider external and internal issues in scope determination
When determining the scope, the organization must consider the external and internal issues referred to in clause 4.1.
ISO42001-4.3-03
Requirement
Consider interested parties requirements in scope determination
When determining the scope, the organization must consider the requirements of interested parties referred to in clause
ISO42001-4.3-04
Requirement
Consider AI systems in scope determination
When determining the scope, the organization must consider the AI systems developed, provided, or used by the organizati
Article 4.4. AI management system
12 obligations
ISO42001-4.4-01
Requirement
Establish AI management system
The organization must establish an AI management system that includes all necessary processes and their interactions, in
ISO42001-4.4-02
Requirement
Implement AI management system
The organization must implement the established AI management system with all necessary processes and their interactions
ISO42001-4.4-03
Requirement
Maintain AI management system
The organization must maintain the AI management system and all its constituent processes and interactions on an ongoing
ISO42001-4.4-04
Requirement
Continually improve AI management system
The organization must continually improve the AI management system, including ongoing enhancement of processes and their
ISO42001-4.4-05
Requirement
Address responsible AI development throughout lifecycle
The AI management system must specifically address the responsible development of AI systems throughout their entire lif
ISO42001-4.4-06
Requirement
Address responsible AI provision throughout lifecycle
The AI management system must specifically address the responsible provision of AI systems throughout their entire lifec
ISO42001-4.4-07
Requirement
Address responsible AI use throughout lifecycle
The AI management system must specifically address the responsible use of AI systems throughout their entire lifecycle.
ISO42001-4.4-08
Requirement
Determine needed processes for AI management system
The organization must determine and identify all processes that are needed for the AI management system.
ISO42001-4.4-09
Requirement
Determine process sequence and interaction
The organization must determine the sequence and interaction of all processes within the AI management system.
ISO42001-4.4-10
Requirement
Determine criteria and methods for effective operation and control
The organization must determine the criteria and methods needed to ensure effective operation and control of AI manageme
ISO42001-4.4-11
Requirement
Determine needed resources
The organization must determine and identify all resources needed for AI management system processes.
ISO42001-4.4-12
Requirement
Determine responsibilities and authorities for processes
The organization must determine and assign the responsibilities and authorities for all AI management system processes.
Article 5.1. Leadership and commitment
9 obligations
ISO42001-5.1-01
Requirement
Demonstrate leadership and commitment to AI management system
Top management must actively demonstrate leadership and commitment with respect to the AI management system through thei
ISO42001-5.1-02
Requirement
Establish AI policy compatible with strategic direction
Top management must ensure that an AI policy is established and that it is compatible with the organization's strategic
ISO42001-5.1-03
Requirement
Establish AI objectives compatible with strategic direction
Top management must ensure that AI objectives are established and that they are compatible with the organization's strat
ISO42001-5.1-04
Requirement
Integrate AI management system requirements into business processes
Top management must ensure that the requirements of the AI management system are integrated into the organization's busi
ISO42001-5.1-05
Requirement
Ensure availability of resources for AI management system
Top management must ensure that adequate resources needed for the AI management system are available.
ISO42001-5.1-06
Requirement
Promote continual improvement of AI management system
Top management must actively promote continual improvement of the AI management system.
ISO42001-5.1-07
Requirement
Communicate importance of effective AI management
Top management must communicate the importance of effective AI management throughout the organization.
ISO42001-5.1-09
Requirement
Direct persons to contribute to AI management system effectiveness
Top management must direct persons within the organization to contribute to the effectiveness of the AI management syste
ISO42001-5.1-10
Requirement
Support persons to contribute to AI management system effectiveness
Top management must support persons within the organization to contribute to the effectiveness of the AI management syst
Article 5.2. AI policy
5 obligations
ISO42001-5.2-01
Requirement
Establish AI Policy
Top management must establish an AI policy that is appropriate to the organization's purpose and context and provides a
ISO42001-5.2-02
Requirement
Commit to Satisfy Applicable Requirements
The AI policy must include a commitment to satisfy applicable requirements.
ISO42001-5.2-03
Requirement
Commit to Responsible AI Development and Use
The AI policy must include a commitment to responsible development and use of AI.
ISO42001-5.2-04
Requirement
Commit to Continual Improvement
The AI policy must include a commitment to continual improvement of the AI management system.
ISO42001-5.2-05
Requirement
Address Key AI Topics in Policy
The AI policy must address topics such as transparency, fairness, accountability, safety, privacy, and security of AI sy
Article 5.3. Roles, responsibilities and authorities
5 obligations
ISO42001-5.3-01
Requirement
Assign responsibilities and authorities for relevant roles
Top management must assign the responsibilities and authorities for relevant roles within the AI management system.
ISO42001-5.3-02
Requirement
Communicate responsibilities and authorities for relevant roles
Top management must communicate the responsibilities and authorities for relevant roles throughout the organization.
ISO42001-5.3-03
Requirement
Ensure understanding of responsibilities and authorities
Top management must ensure that the responsibilities and authorities for relevant roles are understood within the organi
ISO42001-5.3-07
Requirement
Include AI system impact assessment roles
Roles must include those responsible for AI system impact assessment within the organization.
ISO42001-5.3-09
Requirement
Include AI system lifecycle management roles
Roles must include those responsible for AI system lifecycle management within the organization.
Article 6.1.1. General (actions to address risks and opportunities)
4 obligations
ISO42001-6.1.1-01
Requirement
Consider Context Issues and Requirements in AI Management System Planning
When planning for the AI management system, the organization must consider the issues referred to in clause 4.1 (underst
ISO42001-6.1.1-04
Requirement
Integrate Actions into AI Management System Processes
The organization must integrate the planned actions for addressing risks and opportunities into its AI management system
ISO42001-6.1.1-05
Requirement
Implement Actions for Risks and Opportunities
The organization must implement the planned actions to address risks and opportunities within its AI management system p
ISO42001-6.1.1-07
Requirement
Ensure Actions Are Proportionate to Potential Impact
Actions taken to address risks and opportunities must be proportionate to the potential impact on the conformity and int
Article 6.1.4. AI system impact assessment
2 obligations
ISO42001-6.1.4-01
Requirement
Establish AI system impact assessment process
The organization must establish a formal process for assessing the potential impacts of AI systems on individuals, group
ISO42001-6.1.4-02
Requirement
Consider specific factors in impact assessment
The impact assessment must consider the intended purpose of the AI system, foreseeable misuse, the affected populations,
Article 6.2. AI objectives and planning to achieve them
10 obligations
ISO42001-6.2-01
Requirement
Establish AI objectives at relevant functions, levels, and processes
The organization must establish AI objectives at all relevant functions, levels, and processes that are needed for the A
ISO42001-6.2-02
Requirement
Ensure AI objectives are consistent with AI policy
AI objectives must be aligned with and consistent with the organization's established AI policy.
ISO42001-6.2-03
Requirement
Make AI objectives measurable where practicable
AI objectives must be defined in measurable terms when it is practicable to do so, allowing for quantitative or qualitat
ISO42001-6.2-04
Requirement
Account for applicable requirements in AI objectives
AI objectives must take into consideration and incorporate all applicable legal, regulatory, and other requirements rele
ISO42001-6.2-07
Requirement
Update AI objectives as appropriate
AI objectives must be reviewed and updated when circumstances change or when it is otherwise appropriate to ensure conti
ISO42001-6.2-08
Requirement
Determine what will be done to achieve AI objectives
When planning how to achieve AI objectives, the organization must determine and define the specific actions and activiti
ISO42001-6.2-09
Requirement
Determine required resources for achieving AI objectives
The organization must identify and determine what resources (human, financial, technological, etc.) will be required to
ISO42001-6.2-10
Requirement
Determine responsibility for achieving AI objectives
The organization must assign and determine who will be responsible for executing the plans and achieving the AI objectiv
ISO42001-6.2-11
Requirement
Determine completion timeline for AI objectives
The organization must establish and determine when the activities and objectives will be completed, setting clear timeli
ISO42001-6.2-12
Requirement
Determine evaluation method for results
The organization must determine and establish how the results of AI objective achievement will be evaluated and assessed
Article 6.3. Planning of changes
3 obligations
ISO42001-6.3-01
Requirement
Carry out AI management system changes in planned manner
When determining the need for changes to the AI management system, the organization must execute those changes following
ISO42001-6.3-04
Requirement
Consider resource availability for AI management system changes
The organization must assess and consider the availability of necessary resources before implementing changes to the AI
ISO42001-6.3-05
Requirement
Consider allocation of responsibilities and authorities for changes
The organization must evaluate and plan the allocation or reallocation of responsibilities and authorities when implemen
Chapter II — Support and Operation (Clauses 7-8)
Article 7.1. Resources
8 obligations
ISO42001-7.1-01
Requirement
Determine Required Resources for AI Management System
The organization must identify and assess all resources needed for establishing, implementing, maintaining, and continua
ISO42001-7.1-02
Requirement
Provide Required Resources for AI Management System
The organization must allocate and make available all identified resources necessary for the AI management system across
ISO42001-7.1-03
Requirement
Consider Internal Resource Capabilities and Constraints
The organization must evaluate the capabilities and limitations of existing internal resources when planning for AI mana
ISO42001-7.1-04
Requirement
Identify External Resource Requirements
The organization must determine what resources need to be obtained from external providers to meet AI management system
ISO42001-7.1-05
Requirement
Provide Personnel Resources
The organization must ensure adequate personnel resources are available, appropriate to the scale and complexity of the
ISO42001-7.1-06
Requirement
Provide Infrastructure Resources
The organization must ensure adequate infrastructure resources, including computing resources, are available appropriate
ISO42001-7.1-07
Requirement
Provide Technology Resources
The organization must ensure adequate technology resources are available appropriate to the scale and complexity of the
ISO42001-7.1-09
Requirement
Provide Financial Resources
The organization must ensure adequate financial resources are available appropriate to the scale and complexity of the o
Article 7.2. Competence
3 obligations
ISO42001-7.2-01
Requirement
Determine necessary competence for AI management system personnel
The organization must identify and determine the necessary competence of all persons doing work under its control that a
ISO42001-7.2-02
Requirement
Ensure personnel competence through education, training, or experience
The organization must ensure that persons doing work under its control that affects the AI management system are compete
ISO42001-7.2-03
Requirement
Take actions to acquire necessary competence when applicable
Where applicable, the organization must take actions to acquire the necessary competence for personnel affecting the AI
Article 7.3. Awareness
6 obligations
ISO42001-7.3-01
Requirement
AI Policy Awareness Requirement
Organizations must ensure that persons working under their control are aware of the AI policy.
ISO42001-7.3-02
Requirement
AI Management System Contribution Awareness
Organizations must ensure that persons working under their control are aware of their contribution to the effectiveness
ISO42001-7.3-03
Requirement
Non-Conformance Implications Awareness
Organizations must ensure that persons working under their control are aware of the implications of not conforming with
ISO42001-7.3-04
Requirement
AI System Impact Awareness on Individuals and Society
Organizations must ensure that persons working under their control are aware of the potential impacts of AI systems on i
ISO42001-7.3-05
Requirement
Ethical Considerations Awareness Extension
Organizations must extend awareness to ethical considerations relevant to the organization's AI activities.
ISO42001-7.3-06
Requirement
Responsible Use Principles Awareness Extension
Organizations must extend awareness to responsible use principles relevant to the organization's AI activities.
Article 7.4. Communication
1 obligation
Article 8.1. Operational planning and control
7 obligations
ISO42001-8.1-01
Requirement
Plan processes for AI management system requirements
The organization must plan the processes needed to meet AI management system requirements and to implement the actions d
ISO42001-8.1-02
Requirement
Implement processes for AI management system requirements
The organization must implement the processes needed to meet AI management system requirements and to implement the acti
ISO42001-8.1-03
Requirement
Control processes for AI management system requirements
The organization must control the processes needed to meet AI management system requirements and to implement the action
ISO42001-8.1-04
Requirement
Establish criteria for processes
The organization must establish criteria for the processes used in the AI management system.
ISO42001-8.1-05
Requirement
Implement control of processes according to established criteria
The organization must implement control of the processes in accordance with the criteria that have been established.
ISO42001-8.1-07
Requirement
Control planned changes
The organization must control planned changes to the AI management system processes.
ISO42001-8.1-10
Requirement
Ensure control of outsourced processes
The organization must ensure that outsourced processes relevant to the AI management system are controlled.
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Article 9.1. Monitoring, measurement, analysis and evaluation
2 obligations
ISO42001-9.1-02
Requirement
Establish methods for monitoring and measurement activities
The organization must determine and establish the specific methods to be used for monitoring, measurement, analysis, and
ISO42001-9.1-03
Requirement
Define timing for monitoring and evaluation activities
The organization must establish and determine the schedule and timing for when monitoring and measuring activities will
Article 9.2. Internal audit
9 obligations
ISO42001-9.2-02
Requirement
Plan audit program
The organization must plan an audit program that includes the frequency, methods, responsibilities, planning requirement
ISO42001-9.2-03
Requirement
Establish audit program
The organization must establish an audit program that includes the frequency, methods, responsibilities, planning requir
ISO42001-9.2-04
Requirement
Implement audit program
The organization must implement an audit program that includes the frequency, methods, responsibilities, planning requir
ISO42001-9.2-05
Requirement
Maintain audit program
The organization must maintain an audit program that includes the frequency, methods, responsibilities, planning require
ISO42001-9.2-06
Requirement
Consider process importance in audit program
The audit program must take into consideration the importance of the processes concerned when planning and conducting au
ISO42001-9.2-07
Requirement
Consider organizational changes in audit program
The audit program must take into consideration changes affecting the organization when planning and conducting audits.
ISO42001-9.2-08
Requirement
Consider previous audit results in audit program
The audit program must take into consideration the results of previous audits when planning and conducting audits.
ISO42001-9.2-09
Requirement
Select auditors to ensure objectivity and impartiality
The organization must select auditors and conduct audits in a manner that ensures objectivity and impartiality of the au
ISO42001-9.2-10
Requirement
Conduct audits to ensure objectivity and impartiality
The organization must conduct audits in a manner that ensures objectivity and impartiality of the audit process.
Article 9.3. Management review
8 obligations
ISO42001-9.3-01
Requirement
Conduct planned management reviews of AI management system
Top management must review the organization's AI management system at planned intervals to ensure its continuing suitabi
ISO42001-9.3-02
Requirement
Include status of previous management review actions in current review
The management review must include consideration of the status of actions from previous management reviews.
ISO42001-9.3-03
Requirement
Include external and internal changes in management review
The management review must include consideration of changes in external and internal issues relevant to the AI managemen
ISO42001-9.3-04
Requirement
Include stakeholder changes in management review
The management review must include consideration of changes in the needs and expectations of interested parties.
ISO42001-9.3-05
Requirement
Include AI management system performance feedback in review
The management review must include consideration of feedback on AI management system performance.
ISO42001-9.3-06
Requirement
Include assessment results in management review
The management review must include consideration of results of risk assessments and impact assessments.
ISO42001-9.3-07
Requirement
Include audit results in management review
The management review must include consideration of audit results.
ISO42001-9.3-08
Requirement
Include improvement opportunities in management review
The management review must include consideration of opportunities for continual improvement.
Article 10.1. Continual improvement
8 obligations
ISO42001-10.1-01
Requirement
Continually improve AI management system suitability, adequacy, and effectiveness
The organization must continuously enhance the suitability, adequacy, and effectiveness of its AI management system thro
ISO42001-10.1-02
Requirement
Consider analysis and evaluation results for improvement opportunities
The organization must take into account results from analysis and evaluation activities, including monitoring and measur
ISO42001-10.1-03
Requirement
Consider audit findings for improvement opportunities
The organization must take into account audit findings to identify opportunities for improvement of the AI management sy
ISO42001-10.1-04
Requirement
Consider management review outputs for improvement opportunities
The organization must take into account outputs from management reviews to identify opportunities for improvement of the
ISO42001-10.1-05
Requirement
Consider interested party feedback for improvement opportunities
The organization must take into account feedback from interested parties to identify opportunities for improvement of th
ISO42001-10.1-06
Requirement
Address evolving AI technologies in continual improvement
Continual improvement activities must specifically address the evolving nature of AI technologies as part of the improve
ISO42001-10.1-08
Requirement
Address changes in regulatory requirements in continual improvement
Continual improvement activities must specifically address changes in regulatory requirements as part of the improvement
ISO42001-10.1-09
Requirement
Address advances in responsible AI practices in continual improvement
Continual improvement activities must specifically address advances in responsible AI practices as part of the improveme
Article 10.2. Nonconformity and corrective action
9 obligations
ISO42001-10.2-01
Requirement
React to nonconformity immediately
When a nonconformity occurs, the organization must immediately take action to control and correct the nonconformity and
ISO42001-10.2-02
Requirement
Evaluate need for root cause elimination action
The organization must evaluate whether action is needed to eliminate the causes of nonconformity to prevent recurrence o
ISO42001-10.2-03
Requirement
Review nonconformity occurrence
The organization must review the nonconformity that occurred as part of the evaluation process.
ISO42001-10.2-04
Requirement
Determine causes of nonconformity
The organization must determine the root causes of the nonconformity that occurred.
ISO42001-10.2-05
Requirement
Assess potential similar nonconformities
The organization must determine whether similar nonconformities exist or could potentially occur elsewhere in the system
ISO42001-10.2-06
Requirement
Implement necessary corrective actions
The organization must implement any action that is determined to be needed based on the evaluation of the nonconformity.
ISO42001-10.2-07
Requirement
Review effectiveness of corrective actions
The organization must review the effectiveness of any corrective action that was taken.
ISO42001-10.2-08
Requirement
Update AI management system when necessary
The organization must make changes to the AI management system if determined necessary based on the nonconformity and co
ISO42001-10.2-09
Requirement
Ensure corrective actions are proportionate
Corrective actions must be proportionate to the effects of the nonconformities encountered.
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Article A.2.2. AI Policy
5 obligations
ISO42001-A.2.2-01
Requirement
Establish AI Policy
The organization must establish an AI policy that is appropriate to its purpose and provides a framework for setting AI
ISO42001-A.2.2-02
Requirement
Define Commitment to Responsible AI
The AI policy must define the organization's commitment to the responsible development, deployment, and use of AI system
ISO42001-A.2.2-03
Requirement
Address AI Governance in Policy
The AI policy must address the organization's approach to AI governance.
ISO42001-A.2.2-05
Requirement
Address Ethical Considerations in Policy
The AI policy must address the organization's approach to ethical considerations.
ISO42001-A.2.2-07
Requirement
Top Management Approval of AI Policy
The AI policy must be approved by top management.
Article A.2.3. Responsible AI Topics in AI Policy
1 obligation
Article A.3.2. Roles and Responsibilities for AI
3 obligations
ISO42001-A.3.2-01
Requirement
Define and assign roles and responsibilities for AI-related activities
The organization must define and assign specific roles and responsibilities for all AI-related activities including AI s
ISO42001-A.3.2-02
Requirement
Assign responsibilities to individuals or teams with appropriate authority and competence
The organization must ensure that AI-related responsibilities are assigned only to individuals or teams who possess the
ISO42001-A.3.2-03
Requirement
Ensure clear accountability for AI system decisions and outcomes
The organization must establish and maintain clear accountability mechanisms for AI system decisions and outcomes, ensur
Article A.3.3. Reporting of AI Concerns
5 obligations
ISO42001-A.3.3-01
Requirement
Establish AI concerns reporting mechanism
The organization must establish a formal mechanism that enables personnel and other interested parties to report concern
ISO42001-A.3.3-03
Requirement
Enable reporting without fear of reprisal
The reporting mechanism must be designed and implemented to allow concerns to be raised without fear of reprisal, ensuri
ISO42001-A.3.3-04
Requirement
Investigate reported AI concerns
The organization must ensure that all reported concerns about AI systems are properly investigated in a timely manner.
ISO42001-A.3.3-05
Requirement
Address reported AI concerns
The organization must ensure that reported concerns about AI systems are properly addressed in a timely manner, taking a
ISO42001-A.3.3-09
Requirement
Use findings for continual improvement
The organization must use findings from reported concerns to drive continual improvement activities in their AI manageme
Article A.3.4. Impact of Organizational Changes
2 obligations
ISO42001-A.3.4-05
Requirement
Ensure Continuity of AI Management During Organizational Change
The organization must maintain continuity of AI management during periods of organizational change.
ISO42001-A.3.4-06
Requirement
Ensure Integrity of AI Management During Organizational Change
The organization must maintain integrity of AI management during periods of organizational change.
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Article A.4.2. Resources Related to AI Systems
5 obligations
ISO42001-A.4.2-01
Requirement
Identify Resources for AI System Lifecycle
The organization must identify all resources needed for the AI system lifecycle, including computing infrastructure, dat
ISO42001-A.4.2-02
Requirement
Provide Resources for AI System Lifecycle
The organization must provide all identified resources needed for the AI system lifecycle, including computing infrastru
ISO42001-A.4.2-03
Requirement
Maintain Resources for AI System Lifecycle
The organization must maintain all resources needed for the AI system lifecycle, including computing infrastructure, dat
ISO42001-A.4.2-04
Requirement
Conduct Resource Planning for Current and Anticipated AI System Needs
The organization must conduct resource planning that considers both current and anticipated needs of AI systems, includi
ISO42001-A.4.2-05
Requirement
Ensure Resource Sufficiency for Responsible AI System Lifecycle
The organization must ensure that resources are sufficient to support the responsible development, deployment, operation
Article A.4.3. Competencies Related to AI Systems
3 obligations
ISO42001-A.4.3-01
Requirement
Identify AI-related competencies for all relevant roles
The organization must identify the specific competencies needed for all roles involved in AI system development, deploym
ISO42001-A.4.3-02
Requirement
Ensure personnel possess required AI competencies
The organization must ensure that all personnel performing roles related to AI systems actually possess the competencies
ISO42001-A.4.3-03
Requirement
Provide training to address competency gaps
The organization must provide training or other means to address any identified gaps between the required competencies f
Article A.4.4. Awareness of Responsible Use of AI Systems
4 obligations
ISO42001-A.4.4-01
Requirement
Ensure AI Awareness for All Personnel
The organization must ensure that all personnel involved in or affected by AI systems are aware of the organization's AI
ISO42001-A.4.4-02
Requirement
Role-Appropriate Awareness Activities
Awareness activities must be designed and delivered to be appropriate to the specific roles and responsibilities of the
ISO42001-A.4.4-03
Requirement
Comprehensive Topic Coverage in Awareness
Awareness activities must cover specific topics including bias, fairness, transparency, data protection, and ethical con
ISO42001-A.4.4-04
Requirement
Ongoing Awareness Reinforcement
The organization must reinforce awareness through continuous training and communication activities, not just one-time ac
Article A.4.5. Consultation
2 obligations
ISO42001-A.4.5-01
Requirement
Establish consultation processes for AI systems
The organization must establish formal processes for consulting with relevant interested parties about its AI systems, i
ISO42001-A.4.5-02
Requirement
Conduct consultation at appropriate AI system lifecycle stages
The organization must conduct consultation at appropriate stages of the AI system lifecycle, with mandatory consultation
Article A.4.6. Communication About the AI System
5 obligations
ISO42001-A.4.6-01
Requirement
Establish AI system communication processes
The organization must establish formal processes for communicating relevant information about its AI systems to interest
ISO42001-A.4.6-02
Requirement
Ensure timely AI system communication
Communication about AI systems must be delivered in a timely manner to interested parties.
ISO42001-A.4.6-03
Requirement
Ensure accurate AI system communication
Communication about AI systems must be accurate and factually correct.
ISO42001-A.4.6-04
Requirement
Ensure audience-appropriate AI system communication
Communication about AI systems must be appropriate to the specific audience receiving the information.
ISO42001-A.4.6-06
Requirement
Consider stakeholder information needs
The organization must consider the specific information needs of different stakeholder groups, including end users, affe
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Article A.6.2.2. Design and Development of AI System
4 obligations
ISO42001-A.6.2.2-01
Requirement
Establish AI System Design and Development Processes
The organization must establish formal processes for the design and development of AI systems that incorporate responsib
ISO42001-A.6.2.2-02
Requirement
Consider Multiple Factors in Design and Development Processes
Design and development processes must consider the intended purpose of the system, requirements of interested parties, a
ISO42001-A.6.2.2-03
Requirement
Apply Appropriate Engineering Practices
The organization must apply appropriate engineering practices including requirements specification, architectural design
ISO42001-A.6.2.2-04
Requirement
Consider Fairness, Transparency, and Explainability Requirements
During design and development, the organization must specifically consider and address fairness, transparency, and expla
Article A.6.2.3. Training and Testing AI Model
8 obligations
ISO42001-A.6.2.3-01
Requirement
Establish AI model training and testing processes
The organization must establish formal processes for training and testing AI models to ensure they meet specified requir
ISO42001-A.6.2.3-04
Requirement
Address model architecture selection in training processes
Training processes must specifically address model architecture selection as part of the AI model development methodolog
ISO42001-A.6.2.3-05
Requirement
Address hyperparameter tuning in training processes
Training processes must specifically address hyperparameter tuning methodologies as part of the AI model development pro
ISO42001-A.6.2.3-06
Requirement
Prevent overfitting and underfitting in training processes
Training processes must specifically address the prevention of overfitting and underfitting to ensure model generalizabi
ISO42001-A.6.2.3-07
Requirement
Include validation against defined performance metrics in testing
Testing processes must include validation of AI models against defined performance metrics to verify they meet specified
ISO42001-A.6.2.3-08
Requirement
Include bias and fairness testing in testing processes
Testing processes must include specific testing for bias and fairness to ensure equitable AI model performance across di
ISO42001-A.6.2.3-09
Requirement
Include robustness testing in testing processes
Testing processes must include robustness testing to verify AI model stability and reliability under various conditions
ISO42001-A.6.2.3-10
Requirement
Include boundary condition analysis in testing processes
Testing processes must include boundary condition analysis to evaluate AI model behavior at the limits of its operationa
Article A.6.2.4. Verification and Validation of AI System
6 obligations
ISO42001-A.6.2.4-01
Requirement
Establish AI System Verification and Validation Processes
The organization must establish formal processes for verification and validation of AI systems to confirm the system mee
ISO42001-A.6.2.4-02
Requirement
Conduct System Verification Against Design Specifications
The organization must perform verification activities to confirm that the AI system has been built correctly according t
ISO42001-A.6.2.4-03
Requirement
Conduct System Validation in Operational Environment
The organization must perform validation activities to confirm that the AI system meets the needs and expectations of in
ISO42001-A.6.2.4-04
Requirement
Define Acceptance Criteria for AI Systems
The organization must establish and define clear acceptance criteria for AI systems as part of the verification and vali
ISO42001-A.6.2.4-05
Requirement
Conduct Verification and Validation Activities
The organization must actively perform appropriate verification and validation activities for AI systems.
ISO42001-A.6.2.4-07
Requirement
Address Deficiencies Before Deployment
The organization must identify and address any deficiencies found during verification and validation before the AI syste
Article A.6.2.5. Deployment of AI System
5 obligations
ISO42001-A.6.2.5-01
Requirement
Establish AI system deployment processes
The organization must establish formal processes for the deployment of AI systems that ensure the system is ready for op
ISO42001-A.6.2.5-02
Requirement
Conduct pre-deployment reviews
The organization must include pre-deployment reviews as part of its deployment processes before making AI systems oper
ISO42001-A.6.2.5-06
Requirement
Establish feedback channels during deployment
The organization must establish feedback channels as part of the AI system deployment process to enable ongoing communic
ISO42001-A.6.2.5-07
Requirement
Define deployment criteria
The organization must define specific criteria that must be met before AI systems can be deployed into operational use.
ISO42001-A.6.2.5-08
Requirement
Conduct deployment activities in controlled manner
The organization must conduct deployment activities for AI systems in a controlled manner to ensure proper oversight and
Article A.6.2.6. Operation and Monitoring of AI System
4 obligations
ISO42001-A.6.2.6-01
Requirement
Establish AI System Operation and Monitoring Processes
Organizations must establish formal processes for the ongoing operation and monitoring of AI systems to ensure continued
ISO42001-A.6.2.6-07
Requirement
Define Thresholds and Triggers for Corrective Action
Organizations must define specific thresholds and triggers that will initiate corrective action when monitoring detects
ISO42001-A.6.2.6-08
Requirement
Define Thresholds and Triggers for Escalation
Organizations must define specific thresholds and triggers that will initiate escalation procedures when monitoring dete
ISO42001-A.6.2.6-09
Requirement
Define Thresholds and Triggers for System Review
Organizations must define specific thresholds and triggers that will initiate system review when monitoring detects issu
Article A.6.2.7. Retirement of AI System
2 obligations
ISO42001-A.6.2.7-01
Requirement
Establish AI System Retirement Processes
The organization must establish comprehensive processes for the retirement of AI systems to ensure safe, responsible, an
ISO42001-A.6.2.7-06
Requirement
Address Functionality Migration in AI System Retirement
Where applicable, retirement processes must address the migration of functionality to replacement systems during AI syst
Article A.6.2.8. Responsible AI System Integration
3 obligations
ISO42001-A.6.2.8-01
Requirement
Ensure Responsible AI System Integration
The organization must ensure that AI systems are integrated responsibly into broader systems, processes, and organizatio
ISO42001-A.6.2.8-02
Requirement
Consider AI-System Component Interactions
Integration activities must consider the interactions between the AI system and other system components.
ISO42001-A.6.2.8-03
Requirement
Consider AI System Impact on Workflows and Decision Processes
Integration activities must consider the impact of the AI system on existing workflows and decision processes.
Article A.6.2.10. Defined Use and Misuse of AI System
1 obligation
Article A.6.2.11. Management of Third-Party AI System Components
3 obligations
ISO42001-A.6.2.11-01
Requirement
Establish Third-Party AI Component Management Processes
The organization must establish formal processes for the evaluation, selection, and management of third-party AI system
ISO42001-A.6.2.11-03
Requirement
Define Third-Party Component Requirements
The organization must define and document specific requirements for third-party AI components before procurement or impl
ISO42001-A.6.2.11-04
Requirement
Establish Supplier Agreements
The organization must establish formal agreements with suppliers of third-party AI components that govern the use and ma
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.7.2. Data for Development and Enhancement of AI System
6 obligations
ISO42001-A.7.2-01
Requirement
Establish data identification, acquisition, and management processes
The organization must establish formal processes for identifying, acquiring, and managing data used for the development
ISO42001-A.7.2-06
Requirement
Consider legal requirements applicable to data
The organization must identify, evaluate, and consider all legal requirements that apply to the data used in AI system d
ISO42001-A.7.2-07
Requirement
Consider ethical requirements applicable to data
The organization must identify, evaluate, and consider all ethical requirements and principles that apply to the data us
ISO42001-A.7.2-08
Requirement
Consider contractual requirements applicable to data
The organization must identify, evaluate, and consider all contractual requirements and obligations that apply to the da
ISO42001-A.7.2-09
Requirement
Consider intellectual property requirements for data
The organization must specifically identify, evaluate, and consider intellectual property rights and requirements that a
ISO42001-A.7.2-10
Requirement
Consider consent requirements for data
The organization must specifically identify, evaluate, and consider consent requirements that apply to the data used in
Article A.7.3. Data Quality for ML and Data for AI System
2 obligations
ISO42001-A.7.3-06
Requirement
Address Data Quality Issues Before Use
The organization must address identified data quality issues before data is used in AI system development or operation.
ISO42001-A.7.3-08
Requirement
Align Data Quality Requirements with Intended Use
The organization must ensure that data quality requirements are appropriate to the intended use of the AI system.
Article A.7.4. Data Preparation
6 obligations
ISO42001-A.7.4-01
Requirement
Establish Data Preparation Processes
The organization must establish formal processes for preparing data used in AI systems, covering data cleaning, transfor
ISO42001-A.7.4-03
Requirement
Ensure Data Preparation Process Reproducibility
Data preparation processes must be designed and implemented in a way that allows them to be repeated with consistent res
ISO42001-A.7.4-04
Requirement
Ensure Data Preparation Process Traceability
Data preparation processes must maintain traceability, allowing the organization to track and record all steps and trans
ISO42001-A.7.4-07
Requirement
Prevent Introduction of Bias in Data Preparation
The organization must ensure that data preparation activities do not introduce new biases into the dataset that could ne
ISO42001-A.7.4-08
Requirement
Prevent Amplification of Existing Bias in Data Preparation
The organization must ensure that data preparation activities do not amplify or worsen existing biases present in the so
ISO42001-A.7.4-09
Requirement
Validate Prepared Data Quality Criteria Compliance
The organization must validate that data prepared for use in AI systems meets the specific quality criteria that have be
Article A.7.5. Data Acquisition and Collection
2 obligations
ISO42001-A.7.5-01
Requirement
Establish Data Acquisition and Collection Processes
The organization must establish formal processes for the acquisition and collection of data for AI systems that comply w
ISO42001-A.7.5-04
Requirement
Ensure Proportionate Data Acquisition Activities
The organization must ensure that data acquisition activities are proportionate to the intended purpose of the AI system
Article A.8.2. Informing Interested Parties About AI System Interaction
1 obligation
Article A.8.3. Informing Interested Parties About AI Outcomes
1 obligation
Article A.8.4. Access to Information About AI System Interaction
1 obligation
Article A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs
4 obligations
ISO42001-A.8.5-01
Requirement
Design AI systems to enable appropriate human response actions
The organization must ensure that AI systems are designed in a manner that enables appropriate human actions in response
ISO42001-A.8.5-02
Requirement
Deploy AI systems to enable appropriate human response actions
The organization must ensure that AI systems are deployed in a manner that enables appropriate human actions in response
ISO42001-A.8.5-05
Requirement
Provide sufficient training for effective human oversight
The organization must provide users with sufficient training to exercise effective oversight of AI systems.
ISO42001-A.8.5-06
Requirement
Provide sufficient tools for effective human oversight
The organization must provide users with sufficient tools to exercise effective oversight of AI systems.
Article A.9.2. Objectives for Responsible Use of AI System
5 obligations
ISO42001-A.9.2-01
Requirement
Establish objectives for responsible use of each AI system
The organization must establish specific objectives for the responsible use of each AI system that align with the AI pol
ISO42001-A.9.2-02
Requirement
Ensure objectives are specific and measurable
Objectives for responsible use of AI systems must be specific and measurable where practicable.
ISO42001-A.9.2-03
Requirement
Address responsible AI aspects in objectives
Objectives must address aspects such as fairness, accuracy, transparency, privacy, safety, and accountability.
ISO42001-A.9.2-05
Requirement
Take corrective action when objectives are not met
The organization must take action when objectives for responsible use of AI systems are not being met.
ISO42001-A.9.2-06
Requirement
Update objectives based on changes
The organization must update objectives as the AI system, its operational context, or stakeholder expectations change.
Article A.9.3. Intended Use of AI System
1 obligation
Article A.9.4. Processes for Responsible Use of AI System
4 obligations
ISO42001-A.9.4-01
Requirement
Establish processes for responsible AI system use
The organization must establish processes to ensure the responsible use of AI systems throughout their lifecycle, includ
ISO42001-A.9.4-02
Requirement
Implement processes for responsible AI system use
The organization must implement the established processes for responsible use of AI systems throughout their lifecycle,
ISO42001-A.9.4-03
Requirement
Integrate AI processes into existing business processes
The organization must integrate the processes for responsible AI use into the organization's existing business processes
ISO42001-A.9.4-06
Requirement
Assign responsibilities for process execution
The organization must assign responsibilities for the execution of the processes for responsible AI use.
Article A.10.2. Suppliers of AI System Components
5 obligations
ISO42001-A.10.2-01
Requirement
Establish supplier relationship management processes
The organization must establish formal processes for managing relationships with suppliers of AI system components, cove
ISO42001-A.10.2-02
Requirement
Define AI-related requirements for suppliers
The organization must define specific AI-related requirements for suppliers covering quality, reliability, security, pri
ISO42001-A.10.2-04
Requirement
Include responsible AI requirements in supplier agreements
The organization must ensure that supplier agreements specifically address the organization's responsible AI requirement
ISO42001-A.10.2-05
Requirement
Include audit rights in supplier agreements
The organization must ensure that supplier agreements include provisions for audit rights, allowing the organization to
ISO42001-A.10.2-06
Requirement
Include incident notification obligations in supplier agreements
The organization must ensure that supplier agreements include specific obligations for suppliers to notify the organizat
Article A.10.3. Shared ML Models
4 obligations
ISO42001-A.10.3-01
Requirement
Establish controls for shared ML models
The organization must establish controls for the use and sharing of machine learning models, including pre-trained model
ISO42001-A.10.3-12
Requirement
Establish agreements governing terms of use for external model sharing
When sharing models externally, the organization must establish agreements governing the terms of use.
ISO42001-A.10.3-13
Requirement
Establish agreements governing liability for external model sharing
When sharing models externally, the organization must establish agreements governing liability.
ISO42001-A.10.3-14
Requirement
Establish agreements governing support for external model sharing
When sharing models externally, the organization must establish agreements governing support.
Article A.10.4. Provision of AI System to Third Parties
2 obligations
ISO42001-A.10.4-01
Requirement
Establish processes for responsible AI system provision to third parties
The organization must establish formal processes specifically designed for the responsible provision of AI systems or AI
ISO42001-A.10.4-03
Requirement
Establish responsibility-defining agreements with third parties
The organization must establish formal agreements that clearly define the respective responsibilities of both the organi