ISO/IEC 42001:2023
Publisher: International Organization for Standardization
Version: 2023
The world's first AI management system standard. Specifies requirements for establishing, implementing, and improving an AI Management System (AIMS). 10 clauses + Annex A with 9 control domains.
| ID | Name | Description | Domains |
|---|---|---|---|
| Clause 1 | Scope | Defines the scope of ISO/IEC 42001, specifying requirements for establishing, implementing, maintaining, and continua... | govern |
| Clause 2 | Normative References | Lists the normative references essential for the application of ISO/IEC 42001, including foundational AI terminology ... | govern |
| Clause 3 | Terms and Definitions | Establishes the key terms and definitions used throughout ISO 42001, drawn from ISO/IEC 22989 and ISO/IEC 23053, ensu... | govern |
| Clause 4 | Context of the Organization | Establishes requirements for understanding organizational context, identifying interested parties and their requireme... | govern |
| Clause 5 | Leadership | Defines leadership accountability for the AI management system, including establishment of AI policy and assignment o... | govern |
| Clause 6 | Planning | Requires planning to address AI risks and opportunities, establish measurable AI objectives, and plan changes to the ... | govern |
| Clause 7 | Support | Addresses support mechanisms including resources, competence, awareness, communication, and documentation required fo... | govern, build |
| Clause 8 | Operation | Defines operational requirements for AI system planning, development, and deployment including risk assessment, impac... | build, deploy |
| Clause 9 | Performance Evaluation | Establishes requirements for monitoring, measuring, analyzing, and evaluating AI management system performance throug... | monitor |
| Clause 10 | Improvement | Requires continual improvement of the AI management system through identification and correction of nonconformities a... | improve |
| Annex A.2 | Policies Related to AI | Covers establishment of AI-specific policies addressing ethical use, acceptable use, human oversight, and stakeholder... | govern |
| A.2.1 | AI policy | Documented policy defining organizational approach to AI development, deployment, and use aligned with values and leg... | govern |
| A.2.2 | Acceptable use policy for AI | Policy defining permitted and prohibited uses of AI systems, including boundaries for autonomous decision-making and ... | govern |
| A.2.3 | Human oversight of AI systems | Policy establishing requirements for meaningful human oversight, intervention mechanisms, and escalation procedures f... | govern |
| A.2.4 | Stakeholder engagement in AI policy | Policy ensuring diverse stakeholder participation in AI policy development, including affected communities and domain... | govern |
| Annex A.3 | Internal Organization | Addresses organizational structure for AI governance, including role definition, segregation of duties, accountabilit... | govern |
| A.3.1 | AI roles and responsibilities | Defined and communicated roles for AI development, deployment, governance, and oversight with clear authorities and a... | govern |
| A.3.2 | Segregation of duties for AI systems | Separation of conflicting responsibilities in AI lifecycle (development, testing, approval, monitoring) to prevent co... | govern |
| A.3.3 | Accountability for AI system decisions | Clear assignment of accountability for AI system design, decisions, outcomes, and impacts to specific individuals or ... | govern |
| A.3.4 | AI ethics oversight | Established AI ethics board or committee with authority to review high-risk AI systems and resolve ethical concerns. | govern |
| Annex A.4 | Resources for AI Systems | Covers resource management for AI including computational infrastructure, tools, competence development, awareness pr... | build |
| A.4.1 | AI system computational resources | Adequate computing infrastructure for AI training, testing, and operation with capacity planning and environmental im... | build |
| A.4.2 | AI development tools and technologies | Appropriate tools, frameworks, and platforms for responsible AI development including fairness testing and explainabi... | build |
| A.4.3 | Competence in AI systems | Personnel possess required technical, ethical, and domain competencies for their AI-related roles with documented ski... | build |
| A.4.4 | Awareness of AI systems | Organization-wide awareness programs covering AI capabilities, limitations, risks, and responsible use principles. | build |
| A.4.5 | Communication regarding AI systems | Effective communication channels for AI-related information, concerns, and incidents across organizational levels. | build |
| A.4.6 | Use of external AI expertise | Processes for engaging external AI specialists, researchers, or auditors to supplement internal capabilities and prov... | build |
| Annex A.5 | AI System Life Cycle | Addresses AI-specific lifecycle management including design principles, development practices, testing and validation... | build, deploy |
| A.5.1 | AI system design | Systematic design process incorporating safety, security, fairness, transparency, and accountability by design from i... | build, deploy |
| A.5.2 | AI system development | Disciplined development practices including version control, peer review, documentation, and responsible AI principle... | build, deploy |
| A.5.3 | AI system verification and validation | Rigorous testing of AI systems for accuracy, fairness, robustness, security, and compliance before and after deployment. | build, deploy |
| A.5.4 | AI system deployment | Controlled deployment with phased rollout, monitoring, human oversight activation, and documented approval from accou... | build, deploy |
| A.5.5 | AI system change management | Managed changes to AI systems including model updates, data changes, and configuration modifications with impact asse... | build, deploy |
| A.5.6 | AI system retirement | Planned retirement or decommissioning of AI systems with data retention, transfer procedures, and stakeholder communi... | build, deploy |
| Annex A.6 | Data for AI Systems | Focuses on data management for AI including quality assurance, provenance tracking, privacy protection, bias mitigati... | build |
| A.6.1 | Data quality for AI systems | Processes ensuring AI training and operational data meet quality standards for accuracy, completeness, consistency, a... | build |
| A.6.2 | Data provenance and traceability | Documentation of data sources, collection methods, transformations, and lineage throughout the AI system lifecycle. | build |
| A.6.3 | Privacy and personal data protection in AI | Privacy-preserving techniques and compliance with data protection regulations in AI data collection, processing, and ... | build |
| A.6.4 | Data bias identification and mitigation | Systematic assessment and mitigation of bias in training data that could lead to discriminatory AI system outcomes. | build |
| A.6.5 | Data handling and security for AI | Secure data handling practices including access control, encryption, sanitization, and protection of training data an... | build |
| Annex A.7 | Information for Interested Parties | Addresses transparency and communication requirements including AI system disclosure, explainability of decisions, us... | deploy |
| A.7.1 | Transparency about AI use | Clear disclosure when individuals interact with AI systems or when AI significantly influences decisions affecting them. | deploy |
| A.7.2 | Explainability of AI system outcomes | Provision of meaningful explanations for AI decisions appropriate to the audience and system risk level. | deploy |
| A.7.3 | Information for users of AI systems | Comprehensive information to AI system users about capabilities, limitations, proper use, and recourse mechanisms. | deploy |
| A.7.4 | Communication of AI system incidents | Timely and appropriate communication to affected parties about AI system failures, security incidents, or adverse imp... | deploy |
| Annex A.8 | Use of AI Systems | Covers operational use controls including system monitoring, performance tracking, feedback collection, and continuou... | secure, improve |
| A.8.1 | AI system monitoring | Continuous monitoring of deployed AI systems for performance degradation, drift, security threats, and unexpected beh... | secure, improve |
| A.8.2 | AI system performance measurement | Regular measurement and reporting of AI system performance against defined metrics including accuracy, fairness, and ... | secure, improve |
| A.8.3 | Feedback and complaints regarding AI systems | Mechanisms for users and affected parties to provide feedback, report concerns, and file complaints about AI system b... | secure, improve |
| A.8.4 | Continuous learning and adaptation of AI systems | Controlled processes for AI systems that learn from operational data, including validation of learned behaviors and p... | secure, improve |
| Annex A.9 | Third-Party Relationships | Addresses third-party AI risks including supplier assessment, contractual controls, dependency management, and auditi... | govern, secure |
| A.9.1 | AI system supplier evaluation | Due diligence assessment of AI system suppliers covering technical capabilities, responsible AI practices, and securi... | govern, secure |
| A.9.2 | Third-party AI system agreements | Contracts with AI suppliers defining performance standards, security requirements, liability, audit rights, and respo... | govern, secure |
| A.9.3 | Management of third-party AI systems | Ongoing management of third-party AI dependencies including performance monitoring, compliance verification, and rela... | govern, secure |
| A.9.4 | Auditing third-party AI systems | Periodic audits or assessments of third-party AI systems to verify contractual compliance, security controls, and res... | govern, secure |
| Annex A.10 | AI System Management | Covers ongoing AI system management including impact assessment updates, version control, documentation maintenance, ... | monitor |
| A.10.1 | AI system impact re-assessment | Periodic re-evaluation of AI system impacts as context, usage, or system capabilities change over time. | monitor |
| A.10.2 | AI system version control | Management of AI system versions including models, training data, code, and configurations with traceability and roll... | monitor |
| A.10.3 | AI system documentation maintenance | Ongoing maintenance of AI system documentation to reflect current state, changes, and operational learnings. | monitor |