Article 5.3. Roles, responsibilities and authorities

1 obligation

ISO42001-5.3-06 Risk Management

Include AI risk management roles

Roles must include those responsible for AI risk management within the organization

Article 6.1.1. General (actions to address risks and opportunities)

2 obligations

ISO42001-6.1.1-02 Risk Management

Determine Risks and Opportunities for AI Management System

The organization must identify and determine the risks and opportunities that need to be addressed in relation to the AI

ISO42001-6.1.1-03 Risk Management

Plan Actions to Address Risks and Opportunities

The organization must develop and plan specific actions to address the identified risks and opportunities related to the

Article 6.1.2. AI risk assessment

13 obligations

ISO42001-6.1.2-01 Risk Management

Define and apply AI risk assessment process

The organization must establish and implement a formal AI risk assessment process that includes defined methodologies an

ISO42001-6.1.2-02 Risk Management

Establish and maintain AI risk criteria

The organization must define, document, and keep current the criteria used to evaluate AI risks, including what constitu

ISO42001-6.1.2-03 Risk Management

Establish criteria for performing AI risk assessments

The organization must define the specific criteria and parameters that govern how AI risk assessments are to be conducte

ISO42001-6.1.2-04 Risk Management

Ensure consistent, valid, and comparable risk assessment results

The organization must implement controls and procedures to guarantee that repeated AI risk assessments produce results t

ISO42001-6.1.2-05 Risk Management

Identify AI system development risks

The organization must systematically identify and catalog risks associated with the development phase of AI systems, inc

ISO42001-6.1.2-06 Risk Management

Identify AI system provision risks

The organization must systematically identify and catalog risks associated with the provision or deployment of AI system

ISO42001-6.1.2-07 Risk Management

Identify AI system use risks

The organization must systematically identify and catalog risks associated with the use or operation of AI systems, incl

ISO42001-6.1.2-08 Risk Management

Analyze and evaluate identified AI risks

The organization must conduct detailed analysis and evaluation of all identified AI risks, systematically examining thei

ISO42001-6.1.2-09 Risk Management

Consider likelihood in AI risk evaluation

The organization must assess and factor in the probability or likelihood of identified AI risks materializing as part of

ISO42001-6.1.2-10 Risk Management

Consider severity in AI risk evaluation

The organization must assess and factor in the potential severity or magnitude of impact of identified AI risks as part

ISO42001-6.1.2-11 Risk Management

Consider nature of potential impacts in AI risk evaluation

The organization must assess and factor in the qualitative characteristics and nature of potential impacts from identifi

ISO42001-6.1.2-12 Risk Management

Compare risk evaluation results with established criteria

The organization must systematically compare the results of AI risk analysis and evaluation against the previously estab

ISO42001-6.1.2-13 Risk Management

Determine which risks require treatment

The organization must make explicit determinations about which identified and evaluated AI risks exceed acceptable thres

Article 6.1.3. AI risk treatment

5 obligations

ISO42001-6.1.3-01 Risk Management

Define and apply AI risk treatment process

The organization must establish and implement a formal AI risk treatment process that selects appropriate risk treatment

ISO42001-6.1.3-02 Risk Management

Determine necessary controls for AI risk treatment

The organization must identify and determine all controls required to implement the chosen AI risk treatment options, wh

ISO42001-6.1.3-04 Risk Management

Formulate AI risk treatment plan

The organization must develop a comprehensive AI risk treatment plan as part of the risk treatment process.

ISO42001-6.1.3-05 Risk Management

Obtain risk owners' approval of treatment plan

The organization must secure formal approval from risk owners for the AI risk treatment plan before implementation.

ISO42001-6.1.3-06 Risk Management

Obtain risk owners' acceptance of residual AI risks

The organization must secure formal acceptance from risk owners for the residual AI risks that remain after treatment im

Article 6.1.4. AI system impact assessment

1 obligation

ISO42001-6.1.4-04 Risk Management

Use impact assessments to inform risk treatment decisions

The organization must use the results of AI system impact assessments to inform AI risk treatment decisions.

Article 6.3. Planning of changes

2 obligations

ISO42001-6.3-02 Risk Management

Consider purpose and consequences of AI management system changes

The organization must evaluate and consider the purpose of proposed changes to the AI management system and assess their

ISO42001-6.3-03 Risk Management

Consider integrity of AI management system during changes

The organization must evaluate and ensure that proposed changes do not compromise the overall integrity of the AI manage

Article 8.1. Operational planning and control

1 obligation

ISO42001-8.1-09 Risk Management

Take action to mitigate adverse effects from unintended changes

The organization must take action to mitigate any adverse effects from unintended changes as necessary.

Article 8.2. AI risk assessment (operational)

4 obligations

ISO42001-8.2-01 Risk Management

Perform AI risk assessments at planned intervals

The organization must conduct AI risk assessments at predetermined scheduled intervals, following the criteria establish

ISO42001-8.2-02 Risk Management

Perform AI risk assessments when significant changes occur

The organization must conduct AI risk assessments whenever significant changes are proposed or occur to AI systems, appl

ISO42001-8.2-03 Risk Management

Conduct risk assessments for each AI system within scope

The organization must perform AI risk assessments for every individual AI system that falls within the scope of the mana

ISO42001-8.2-04 Risk Management

Consider system-specific characteristics in risk assessments

The organization must take into account the specific characteristics, data inputs, outputs, operational context, and aff

Article 8.3. AI risk treatment (operational)

3 obligations

ISO42001-8.3-01 Risk Management

Implement AI risk treatment plan

The organization must implement the AI risk treatment plan that was established in section 6.1.3 of the standard.

ISO42001-8.3-05 Risk Management

Review and update risk treatment plan when outcomes not achieved

When AI risk treatment actions do not achieve the desired outcomes, the organization must review and update the risk tre

ISO42001-8.3-06 Risk Management

Integrate risk treatment into AI system lifecycle processes

The organization must ensure that risk treatment activities are integrated into the AI system lifecycle processes.

Article 8.4. AI system impact assessment (operational)

9 obligations

ISO42001-8.4-01 Risk Management

Perform AI system impact assessments in accordance with established process

The organization must conduct AI system impact assessments following the process established in section 6.1.4 of the sta

ISO42001-8.4-03 Risk Management

Conduct impact assessments when significant changes are proposed to AI systems

The organization must perform impact assessments whenever significant changes to AI systems are proposed, before impleme

ISO42001-8.4-04 Risk Management

Conduct impact assessments when significant changes occur to AI systems

The organization must perform impact assessments whenever significant changes actually occur to AI systems or their oper

ISO42001-8.4-05 Risk Management

Perform impact assessments before deployment of new AI systems

The organization must complete impact assessments prior to deploying any new AI systems into operational use.

ISO42001-8.4-06 Risk Management

Perform impact assessments for material changes to existing systems

The organization must conduct impact assessments when there are material changes to existing AI systems.

ISO42001-8.4-08 Risk Management

Perform impact assessments for material changes to operational environment

The organization must conduct impact assessments when there are material changes to the operational environment of AI sy

ISO42001-8.4-09 Risk Management

Perform impact assessments for material changes to affected populations

The organization must conduct impact assessments when there are material changes to the populations that AI systems affe

ISO42001-8.4-11 Risk Management

Use impact assessment findings to inform risk treatment decisions

The organization must utilize the findings from impact assessments to guide and inform risk treatment decisions.

ISO42001-8.4-12 Risk Management

Use impact assessment findings to inform system design decisions

The organization must utilize the findings from impact assessments to guide and inform AI system design decisions.

Article 10.1. Continual improvement

1 obligation

ISO42001-10.1-07 Risk Management

Address emerging risks in continual improvement

Continual improvement activities must specifically address emerging risks as part of the improvement process.

Article A.2.2. AI Policy

1 obligation

ISO42001-A.2.2-04 Risk Management

Address Risk Management in Policy

The AI policy must address the organization's approach to risk management.

Article A.2.3. Responsible AI Topics in AI Policy

1 obligation

ISO42001-A.2.3-02 Risk Management

Determine Applicable Responsible AI Topics

The organization must assess and determine which responsible AI topics are applicable based on the nature of its AI syst

Article A.3.3. Reporting of AI Concerns

1 obligation

ISO42001-A.3.3-08 Risk Management

Use findings to inform AI risk management

The organization must use findings from reported concerns to inform and improve their AI risk management processes and a

Article A.3.4. Impact of Organizational Changes

4 obligations

ISO42001-A.3.4-01 Risk Management

Assess Impact of Organizational Changes on AI Systems

The organization must evaluate how organizational changes (strategy, structure, processes, personnel, technology, or bus

ISO42001-A.3.4-02 Risk Management

Review and Update AI Risk Assessments When Changes Affect Performance

When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must

ISO42001-A.3.4-03 Risk Management

Review and Update Impact Assessments When Changes Affect Systems

When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must

ISO42001-A.3.4-04 Risk Management

Review and Update Associated Controls When Changes Affect Systems

When organizational changes may affect the performance, risk profile, or compliance of AI systems, the organization must

Article A.5.2. AI System Risk Assessment

4 obligations

ISO42001-A.5.2-01 Risk Management

Conduct AI System Risk Assessments

The organization must perform risk assessments for each AI system, taking into account the system's specific characteris

ISO42001-A.5.2-02 Risk Management

Identify and Evaluate Multi-Domain AI System Risks

Risk assessments must identify and evaluate risks across multiple domains including accuracy, reliability, fairness, pri

ISO42001-A.5.2-03 Risk Management

Conduct Lifecycle-Wide Risk Assessment

The organization must consider risks across the entire AI system lifecycle, covering all phases from design and developm

ISO42001-A.5.2-05 Risk Management

Use Risk Assessment Results for Control Determination

Risk assessment results must be used to determine appropriate controls and risk treatment measures for the AI system.

Article A.5.3. AI System Impact Assessment

6 obligations

ISO42001-A.5.3-01 Risk Management

Conduct AI System Impact Assessments

The organization must conduct impact assessments to evaluate the potential effects of AI systems on individuals, groups,

ISO42001-A.5.3-02 Risk Management

Consider Direct and Indirect Impacts in Assessment

Impact assessments must consider both direct and indirect impacts, including effects on human rights, fundamental freedo

ISO42001-A.5.3-03 Risk Management

Ensure Proportionate Assessment to System Complexity

The impact assessment must be proportionate to the complexity and potential impact of the AI system being evaluated.

ISO42001-A.5.3-04 Risk Management

Consider Affected Stakeholder Perspectives

The impact assessment must consider the perspectives of affected stakeholders in the evaluation process.

ISO42001-A.5.3-06 Risk Management

Use Results to Inform Risk Treatment Decisions

Impact assessment results must inform risk treatment decisions within the organization.

ISO42001-A.5.3-07 Risk Management

Use Results to Inform System Design Choices

Impact assessment results must inform system design choices and decisions.

Article A.6.2.5. Deployment of AI System

1 obligation

ISO42001-A.6.2.5-03 Risk Management

Confirm risk treatment implementation

The organization must confirm that risk treatments have been implemented as part of the deployment process.

Article A.6.2.6. Operation and Monitoring of AI System

1 obligation

ISO42001-A.6.2.6-04 Risk Management

Identify Emerging Risks

Organizations must implement monitoring to identify emerging risks associated with their AI systems during operation.

Article A.6.2.7. Retirement of AI System

1 obligation

ISO42001-A.6.2.7-07 Risk Management

Manage Residual Risks During AI System Retirement

Retirement processes must include procedures for the management of residual risks that remain after AI system retirement

Article A.6.2.8. Responsible AI System Integration

2 obligations

ISO42001-A.6.2.8-05 Risk Management

Consider Potential for Unintended Consequences from System Interactions

Integration activities must consider the potential for unintended consequences arising from system interactions.

ISO42001-A.6.2.8-06 Risk Management

Assess and Manage Integration Context Risks

The organization must assess and manage risks specific to the integration context.

Article A.6.2.10. Defined Use and Misuse of AI System

1 obligation

ISO42001-A.6.2.10-02 Risk Management

Identify and Document Foreseeable Misuse Scenarios

The organization must identify and document reasonably foreseeable misuse scenarios and analyze the potential consequenc

Article A.6.2.11. Management of Third-Party AI System Components

1 obligation

ISO42001-A.6.2.11-02 Risk Management

Assess Third-Party Component Risks

The organization must conduct risk assessments of third-party AI components covering quality, reliability, bias, securit

Article A.7.3. Data Quality for ML and Data for AI System

1 obligation

ISO42001-A.7.3-07 Risk Management

Align Data Quality Requirements with Risk Level

The organization must ensure that data quality requirements are appropriate to the risk level of the AI system.

Article A.7.5. Data Acquisition and Collection

1 obligation

ISO42001-A.7.5-06 Risk Management

Assess Data Acquisition Risks

The organization must assess the risks associated with data acquisition activities, including risks related to bias, rep

Article A.7.6. Data Provenance

1 obligation

ISO42001-A.7.6-04 Risk Management

Use provenance information to identify potential biases

The organization must utilize provenance information to identify potential biases in data used in AI systems.

Article A.8.4. Access to Information About AI System Interaction

1 obligation

ISO42001-A.8.4-02 Risk Management

Ensure access mechanisms are proportionate to system sensitivity and impact

The organization must design access mechanisms that are proportionate to the sensitivity and impact level of the AI syst

Article A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs

1 obligation

ISO42001-A.8.5-03 Risk Management

Consider appropriate level of human oversight based on risk and impact

The organization must consider the level of human oversight appropriate to the risk level and impact of the AI system wh

Article A.9.4. Processes for Responsible Use of AI System

1 obligation

ISO42001-A.9.4-04 Risk Management

Ensure processes are proportionate to AI system risk and impact

The organization must ensure that the processes for responsible AI use are proportionate to the risk level and impact of

Article A.10.3. Shared ML Models

4 obligations

ISO42001-A.10.3-02 Risk Management

Assess shared models for quality before integration

Controls must address the assessment of shared models for quality before integration into the organization's AI systems.

ISO42001-A.10.3-03 Risk Management

Assess shared models for bias before integration

Controls must address the assessment of shared models for bias before integration into the organization's AI systems.

ISO42001-A.10.3-04 Risk Management

Assess shared models for security vulnerabilities before integration

Controls must address the assessment of shared models for security vulnerabilities before integration into the organizat

ISO42001-A.10.3-05 Risk Management

Assess shared models for fitness for purpose before integration

Controls must address the assessment of shared models for fitness for purpose before integration into the organization's

Article A.10.4. Provision of AI System to Third Parties

2 obligations

ISO42001-A.10.4-04 Risk Management

Consider potential for third-party misuse

The organization must actively consider and assess the potential for misuse of AI systems by third parties as part of th

ISO42001-A.10.4-05 Risk Management

Implement controls to mitigate third-party misuse risks

The organization must implement appropriate controls to mitigate the risks associated with potential misuse of AI system