ISO-42001

ISO/IEC 42001:2023 — AI Management Systems

International Version 1.0 503 obligations

Requirement 239 Risk Management 78 Documentation 71 Transparency 39 Monitoring 31 Data Governance 24 Human Oversight 12 Conformity 8 Reporting 1 Reset

I. ISO/IEC 42001:2023 AI Management System Requirements
Ch. I — Context, Leadership, and Planning (Clauses 4-6)
Art. 4.1. Understanding the organization and its context (8)
Art. 4.2. Understanding the needs and expectations of interested parties (4)
Art. 4.3. Determining the scope of the AI management system (9)
Art. 4.4. AI management system (12)
Art. 5.1. Leadership and commitment (10)
Art. 5.2. AI policy (8)
Art. 5.3. Roles, responsibilities and authorities (10)
Art. 6.1.1. General (actions to address risks and opportunities) (7)
Art. 6.1.2. AI risk assessment (13)
Art. 6.1.3. AI risk treatment (6)
Art. 6.1.4. AI system impact assessment (5)
Art. 6.2. AI objectives and planning to achieve them (12)
Art. 6.3. Planning of changes (7)
Ch. II — Support and Operation (Clauses 7-8)
Art. 7.1. Resources (9)
Art. 7.2. Competence (5)
Art. 7.3. Awareness (6)
Art. 7.4. Communication (3)
Art. 7.5. Documented information (9)
Art. 8.1. Operational planning and control (10)
Art. 8.2. AI risk assessment (operational) (6)
Art. 8.3. AI risk treatment (operational) (6)
Art. 8.4. AI system impact assessment (operational) (13)
Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
Art. 9.2. Internal audit (10)
Art. 9.3. Management review (10)
Art. 10.1. Continual improvement (9)
Art. 10.2. Nonconformity and corrective action (10)
Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
Art. A.2.2. AI Policy (9)
Art. A.2.3. Responsible AI Topics in AI Policy (4)
Art. A.3.2. Roles and Responsibilities for AI (6)
Art. A.3.3. Reporting of AI Concerns (9)
Art. A.3.4. Impact of Organizational Changes (6)
Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Art. A.4.2. Resources Related to AI Systems (5)
Art. A.4.3. Competencies Related to AI Systems (4)
Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
Art. A.4.5. Consultation (6)
Art. A.4.6. Communication About the AI System (6)
Art. A.5.2. AI System Risk Assessment (5)
Art. A.5.3. AI System Impact Assessment (8)
Art. A.5.4. Impact of AI System Documentation (4)
Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
Art. A.6.2.2. Design and Development of AI System (5)
Art. A.6.2.3. Training and Testing AI Model (14)
Art. A.6.2.4. Verification and Validation of AI System (7)
Art. A.6.2.5. Deployment of AI System (10)
Art. A.6.2.6. Operation and Monitoring of AI System (10)
Art. A.6.2.7. Retirement of AI System (10)
Art. A.6.2.8. Responsible AI System Integration (9)
Art. A.6.2.9. AI System Documentation (7)
Art. A.6.2.10. Defined Use and Misuse of AI System (5)
Art. A.6.2.11. Management of Third-Party AI System Components (6)
Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Art. A.7.2. Data for Development and Enhancement of AI System (11)
Art. A.7.3. Data Quality for ML and Data for AI System (11)
Art. A.7.4. Data Preparation (11)
Art. A.7.5. Data Acquisition and Collection (6)
Art. A.7.6. Data Provenance (7)
Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
Art. A.8.4. Access to Information About AI System Interaction (5)
Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
Art. A.9.2. Objectives for Responsible Use of AI System (6)
Art. A.9.3. Intended Use of AI System (4)
Art. A.9.4. Processes for Responsible Use of AI System (7)
Art. A.9.5. Human Oversight Aspects (11)
Art. A.10.2. Suppliers of AI System Components (8)
Art. A.10.3. Shared ML Models (14)
Art. A.10.4. Provision of AI System to Third Parties (5)

Transparency Obligations

Title I — ISO/IEC 42001:2023 AI Management System Requirements

Chapter I — Context, Leadership, and Planning (Clauses 4-6)

Article 4.3. Determining the scope of the AI management system

4 obligations

ISO42001-4.3-06 Transparency

Clearly identify covered AI systems in scope

The scope must clearly identify which AI systems are covered by the management system.

ISO42001-4.3-07 Transparency

Clearly identify covered processes in scope

The scope must clearly identify which processes are covered by the management system.

ISO42001-4.3-08 Transparency

Clearly identify covered organizational units in scope

The scope must clearly identify which organizational units are covered by the management system.

ISO42001-4.3-09 Transparency

Clearly identify covered locations in scope

The scope must clearly identify which locations are covered by the management system.

Article 5.2. AI policy

2 obligations

ISO42001-5.2-07 Transparency

Communicate AI Policy Within Organization

The AI policy must be communicated within the organization.

ISO42001-5.2-08 Transparency

Make AI Policy Available to Interested Parties

The AI policy must be made available to relevant interested parties as appropriate.

Article 6.2. AI objectives and planning to achieve them

1 obligation

ISO42001-6.2-06 Transparency

Communicate AI objectives

AI objectives must be communicated to relevant stakeholders within the organization to ensure awareness and alignment.

Chapter II — Support and Operation (Clauses 7-8)

Article 7.4. Communication

2 obligations

ISO42001-7.4-02 Transparency

Address transparency requirements in AI system communications

All communications must specifically address and fulfill the transparency requirements that are associated with the orga

ISO42001-7.4-03 Transparency

Ensure interested parties receive appropriate AI system information

The organization must ensure that relevant interested parties, including affected individuals and groups, receive approp

Article 8.4. AI system impact assessment (operational)

1 obligation

ISO42001-8.4-13 Transparency

Use impact assessment findings to inform stakeholder communication decisions

The organization must utilize the findings from impact assessments to guide and inform decisions about stakeholder commu

Chapter III — Performance Evaluation and Improvement (Clauses 9-10)

Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)

Article A.2.2. AI Policy

2 obligations

ISO42001-A.2.2-08 Transparency

Communicate AI Policy to Personnel

The AI policy must be communicated to all relevant personnel.

ISO42001-A.2.2-09 Transparency

Make AI Policy Available to Interested Parties

The AI policy must be made available to interested parties as appropriate.

Article A.3.2. Roles and Responsibilities for AI

2 obligations

ISO42001-A.3.2-05 Transparency

Communicate roles and responsibilities to all relevant parties

The organization must communicate the defined and assigned AI-related roles and responsibilities to all relevant interna

ISO42001-A.3.2-06 Transparency

Communicate roles and responsibilities to third-party providers and partners

The organization must specifically communicate AI-related roles and responsibilities to third-party providers and partne

Article A.3.3. Reporting of AI Concerns

1 obligation

ISO42001-A.3.3-02 Transparency

Communicate AI concerns reporting mechanism

The organization must communicate the established reporting mechanism to personnel and other interested parties to ensur

Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)

Article A.4.6. Communication About the AI System

1 obligation

ISO42001-A.4.6-05 Transparency

Support transparency and accountability objectives through communication

AI system communication must support the transparency and accountability objectives established in the organization's AI

Article A.5.3. AI System Impact Assessment

1 obligation

ISO42001-A.5.3-08 Transparency

Use Results to Inform Stakeholder Communications

Impact assessment results must inform stakeholder communications and engagement activities.

Article A.5.4. Impact of AI System Documentation

1 obligation

ISO42001-A.5.4-02 Transparency

Ensure documentation supports transparency and accountability

Documentation of impact assessments must be sufficiently detailed to support transparency, accountability, and traceabil

Chapter VI — Annex A Controls — AI System Life Cycle (A.6)

Article A.6.2.5. Deployment of AI System

1 obligation

ISO42001-A.6.2.5-05 Transparency

Communicate to affected stakeholders during deployment

The organization must communicate with affected stakeholders as part of the AI system deployment process.

Article A.6.2.7. Retirement of AI System

1 obligation

ISO42001-A.6.2.7-05 Transparency

Notify Affected Stakeholders of AI System Retirement

Retirement processes must include procedures for notifying all affected stakeholders about the retirement of the AI syst

Article A.6.2.9. AI System Documentation

1 obligation

ISO42001-A.6.2.9-05 Transparency

Provide transparency to interested parties through documentation

Documentation must provide transparency to interested parties regarding the AI system.

Article A.6.2.10. Defined Use and Misuse of AI System

1 obligation

ISO42001-A.6.2.10-04 Transparency

Communicate Use and Misuse Information to Stakeholders

The organization must communicate information about proper use and potential misuse of the AI system to relevant stakeho

Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)

Article A.7.4. Data Preparation

1 obligation

ISO42001-A.7.4-11 Transparency

Record Data Preparation Methodology Rationale

The organization must record and document the rationale behind the choice of specific data preparation methodologies, ex

Article A.7.6. Data Provenance

1 obligation

ISO42001-A.7.6-02 Transparency

Ensure provenance records support traceability

Provenance records must be sufficient to trace data from its source through all processing steps to its use in the AI sy

Article A.8.2. Informing Interested Parties About AI System Interaction

5 obligations

ISO42001-A.8.2-01 Transparency

Inform interested parties about AI system interaction

Organizations must notify interested parties when they are interacting with an AI system. This notification must be prov

ISO42001-A.8.2-02 Transparency

Inform interested parties when AI assists in decisions affecting them

Organizations must notify interested parties when an AI system is being used to make or assist in decisions that affect

ISO42001-A.8.2-04 Transparency

Disclose nature and purpose of AI system interaction

Organizations must disclose the nature and purpose of the AI system interaction to interested parties, unless an excepti

ISO42001-A.8.2-05 Transparency

Disclose type of AI technology being used

Organizations must disclose the type of AI technology being used to interested parties, unless an exception applies unde

ISO42001-A.8.2-06 Transparency

Disclose meaningful information about logic involved

Organizations must disclose any meaningful information about the logic involved in the AI system to interested parties,

Article A.8.3. Informing Interested Parties About AI Outcomes

3 obligations

ISO42001-A.8.3-01 Transparency

Inform interested parties about AI outcomes that affect them

Organizations must inform interested parties about outcomes produced by AI systems that affect them, including decisions

ISO42001-A.8.3-02 Transparency

Provide basis and factors for AI outcomes

Organizations must provide information about the basis for AI outcomes, including the data and factors considered in pro

ISO42001-A.8.3-03 Transparency

Provide review and correction mechanisms for AI outcomes

Organizations must inform interested parties about any available means for individuals to seek review, clarification, or

Article A.8.4. Access to Information About AI System Interaction

1 obligation

ISO42001-A.8.4-01 Transparency

Provide mechanisms for AI system interaction information access

The organization must establish and maintain mechanisms that enable interested parties to access information about their

Article A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs

1 obligation

ISO42001-A.8.5-04 Transparency

Provide sufficient information for effective human oversight

The organization must provide users with sufficient information to exercise effective oversight of AI systems.

Article A.9.3. Intended Use of AI System

1 obligation

ISO42001-A.9.3-02 Transparency

Communicate Intended Use Definition to Stakeholders

The organization must communicate the intended use definition to all relevant stakeholders, including developers, operat

Article A.10.2. Suppliers of AI System Components

1 obligation

ISO42001-A.10.2-03 Transparency

Communicate AI-related requirements to suppliers

The organization must communicate the defined AI-related requirements to suppliers, ensuring they understand expectation

Article A.10.3. Shared ML Models

2 obligations

ISO42001-A.10.3-10 Transparency

Provide documentation when sharing models externally

When sharing models externally, the organization must provide appropriate documentation.

ISO42001-A.10.3-11 Transparency

Provide usage guidance when sharing models externally

When sharing models externally, the organization must provide usage guidance.

Article A.10.4. Provision of AI System to Third Parties

1 obligation

ISO42001-A.10.4-02 Transparency

Provide comprehensive AI system information to third parties

The organization must provide third parties with sufficient information about the AI system, covering its intended use,

ISO-42001

Contents

Transparency Obligations

Title I — ISO/IEC 42001:2023 AI Management System Requirements

Chapter I — Context, Leadership, and Planning (Clauses 4-6)

Article 4.3. Determining the scope of the AI management system

Clearly identify covered AI systems in scope

Clearly identify covered processes in scope

Clearly identify covered organizational units in scope

Clearly identify covered locations in scope

Article 5.2. AI policy

Communicate AI Policy Within Organization

Make AI Policy Available to Interested Parties

Article 6.2. AI objectives and planning to achieve them

Communicate AI objectives

Chapter II — Support and Operation (Clauses 7-8)

Article 7.4. Communication

Address transparency requirements in AI system communications

Ensure interested parties receive appropriate AI system information

Article 8.4. AI system impact assessment (operational)

Use impact assessment findings to inform stakeholder communication decisions

Chapter III — Performance Evaluation and Improvement (Clauses 9-10)

Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)

Article A.2.2. AI Policy

Communicate AI Policy to Personnel

Make AI Policy Available to Interested Parties

Article A.3.2. Roles and Responsibilities for AI

Communicate roles and responsibilities to all relevant parties

Communicate roles and responsibilities to third-party providers and partners

Article A.3.3. Reporting of AI Concerns

Communicate AI concerns reporting mechanism

Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)

Article A.4.6. Communication About the AI System

Support transparency and accountability objectives through communication

Article A.5.3. AI System Impact Assessment

Use Results to Inform Stakeholder Communications

Article A.5.4. Impact of AI System Documentation

Ensure documentation supports transparency and accountability

Chapter VI — Annex A Controls — AI System Life Cycle (A.6)

Article A.6.2.5. Deployment of AI System

Communicate to affected stakeholders during deployment

Article A.6.2.7. Retirement of AI System

Notify Affected Stakeholders of AI System Retirement

Article A.6.2.9. AI System Documentation

Provide transparency to interested parties through documentation

Article A.6.2.10. Defined Use and Misuse of AI System

Communicate Use and Misuse Information to Stakeholders

Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)

Article A.7.4. Data Preparation

Record Data Preparation Methodology Rationale

Article A.7.6. Data Provenance

Ensure provenance records support traceability

Article A.8.2. Informing Interested Parties About AI System Interaction

Inform interested parties about AI system interaction

Inform interested parties when AI assists in decisions affecting them

Disclose nature and purpose of AI system interaction

Disclose type of AI technology being used

Disclose meaningful information about logic involved

Article A.8.3. Informing Interested Parties About AI Outcomes

Inform interested parties about AI outcomes that affect them

Provide basis and factors for AI outcomes

Provide review and correction mechanisms for AI outcomes

Article A.8.4. Access to Information About AI System Interaction

Provide mechanisms for AI system interaction information access

Article A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs

Provide sufficient information for effective human oversight

Article A.9.3. Intended Use of AI System

Communicate Intended Use Definition to Stakeholders

Article A.10.2. Suppliers of AI System Components

Communicate AI-related requirements to suppliers

Article A.10.3. Shared ML Models

Provide documentation when sharing models externally

Provide usage guidance when sharing models externally

Article A.10.4. Provision of AI System to Third Parties

Provide comprehensive AI system information to third parties

Start your compliance assessment