What are the ISO 42001 Requirements?

Understanding ISO 42001 requirements is essential for organisations developing, deploying, or using artificial intelligence systems. This guide provides a comprehensive checklist, explains the clause structure, and outlines what you need for compliance. Whether you’re exploring ISO 42001 training courses or preparing for certification, this article covers everything you need to know about what ISO 42001 is and what it requires.

ISO 42001 Requirements Checklist

The ISO 42001 requirements are structured across ten clauses, with seven containing auditable requirements for an AI Management System (AIMS). Clauses 1-3 provide introductory information, while clauses 4-10 contain the ISO 42001 requirements organisations must fulfil. The standard is unique in addressing the responsible development and use of AI systems, incorporating ethical considerations alongside traditional management system elements.

The standard follows the Plan-Do-Check-Act (PDCA) cycle and includes annexes covering AI-specific controls. Below is a complete checklist covering all ten clauses:

1. Scope – Defines the boundaries and applicability of the standard to AI management systems.

2. Normative References – Lists referenced documents essential for application of the standard.

3. Terms and Definitions – Provides AI-specific vocabulary including terms for AI systems, machine learning, and algorithmic processes.

4. Context of the Organisation

This clause requires organisations to understand internal and external factors affecting their AIMS, including societal expectations regarding AI ethics and governance.

  • 4.1 Understanding the organisation and its context
  • 4.2 Understanding the needs and expectations of interested parties
  • 4.3 Determining the scope of the AI management system
  • 4.4 AI management system

5. Leadership

Top management must demonstrate commitment to responsible AI by establishing policy, assigning roles, and ensuring accountability for AI governance.

  • 5.1 Leadership and commitment
  • 5.2 AI policy
  • 5.3 Organisational roles, responsibilities and authorities

6. Planning

Organisations must identify AI-specific risks and opportunities, conduct risk assessments, and establish objectives for responsible AI development.

  • 6.1 Actions to address risks and opportunities
      • 6.1.1 General
      • 6.1.2 AI risk assessment
      • 6.1.3 AI risk treatment
      • 6.1.4 Planning action
  • 6.2 AI objectives and planning to achieve them
      • 6.2.1 AI objectives
      • 6.2.2 Planning actions to achieve AI objectives

7. Support

This clause addresses resources, competence (including AI-specific skills), awareness, communication, and documented information.

  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
      • 7.4.1 General
      • 7.4.2 Internal communication
      • 7.4.3 External communication
  • 7.5 Documented information
      • 7.5.1 General
      • 7.5.2 Creating and updating
      • 7.5.3 Control of documented information

8. Operation

Operational requirements focus on AI system lifecycle management, data governance, and transparency for users.

  • 8.1 Operational planning and control
  • 8.2 AI risk treatment implementation
  • 8.3 AI system lifecycle processes
  • 8.4 Data management
  • 8.5 AI system documentation and information for users

9. Performance Evaluation

Organisations must monitor AI system performance, conduct internal audits, and hold management reviews to evaluate AIMS effectiveness.

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
      • 9.2.1 General
      • 9.2.2 Internal audit programme
  • 9.3 Management review

10. Improvement

The final clause addresses nonconformities, corrective actions, and continual improvement of the AI management system.

  • 10.1 General
  • 10.2 Nonconformity and corrective action
  • 10.3 Continual improvement

Non-Applicable Requirements

ISO 42001 requires every requirement in clauses 4-10 to be addressed within the defined scope. The standard also includes Annex A controls specific to AI systems, which must be assessed for applicability based on the organisation’s AI risk assessment and documented in a Statement of Applicability.

Organisations can exclude specific Annex A controls if they are not relevant to their AI systems or context, provided exclusions are justified and do not compromise responsible AI governance. The scope statement must clearly identify which AI systems and processes are covered.

Enrol in an ISO 42001 Training Course

Understanding these requirements demands professional training. As AI governance becomes increasingly critical, our certified courses provide the knowledge needed to interpret clauses, conduct audits, and implement effective AI management systems.

Ready to advance your AI governance expertise? Explore our ISO 42001 training today.

Frequently Asked Questions

Key requirements include establishing an AI policy, conducting AI risk assessments, implementing controls for AI system lifecycle management, ensuring data quality and governance, maintaining transparency, monitoring AI performance, and pursuing continual improvement. The standard addresses both technical and ethical aspects of AI governance.

Organisations that develop, provide, or use AI systems should consider ISO 42001 certification. This includes technology companies, financial services, healthcare providers, manufacturers using AI, and any organisation where AI impacts decision-making. Certification demonstrates responsible AI governance to regulators, customers, and stakeholders.

Key principles include transparency in AI operations, accountability for AI outcomes, fairness and non-discrimination, human oversight of AI systems, data privacy and security, robustness and reliability, and continuous monitoring and improvement. These principles ensure AI systems are developed and used responsibly.

ISO 27001 focuses on information security management, protecting data confidentiality, integrity, and availability. ISO 42001 specifically addresses AI management, covering AI ethics, algorithmic transparency, bias mitigation, and AI lifecycle governance. While both share the High-Level Structure, ISO 42001 includes AI-specific controls and risk considerations not covered by ISO 27001.