ISO/IEC 42001:2023 — AI Management System

The first international management-system standard for artificial intelligence. It provides a certifiable framework for organisations that develop, provide, or use AI systems. It is modelled on the structure of ISO/IEC 27001 (Clauses 4-10), so an organisation with a mature ISMS can extend it into an AI management system (AIMS) using the familiar Plan-Do-Check-Act and continual-improvement cadence.

Severity summary: 5 high, 10 medium

Clause 42001-4.1 | Control ISO42001-4-001 | Severity: medium

Organisational context determined

Clause 4.1 — Internal and external issues relevant to the AI management system, including organisational purpose, AI use cases, and obligations.

Clause 42001-4.2 | Control ISO42001-4-002 | Severity: medium

Interested parties identified

Clause 4.2 — Needs and expectations of interested parties (users, regulators, affected groups, suppliers) relevant to AI identified.

Clause 42001-5.1 | Control ISO42001-5-001 | Severity: high

Leadership commitment to AIMS

Clause 5.1 — Top management demonstrates leadership and commitment: establishing the AI policy, assigning accountability, allocating resources, integrating the AIMS into business processes, and driving continual improvement.

Clause 42001-5.2 | Control ISO42001-5-002 | Severity: high

AI policy established and communicated

Clause 5.2 — AI policy includes commitment to satisfying applicable requirements, framework for setting objectives, commitment to continual improvement, and is communicated within the organisation.

Clause 42001-6.1 | Control ISO42001-6-001 | Severity: high

Actions to address risks and opportunities

Clause 6.1 — Risks and opportunities related to the AIMS planned and addressed; risk treatment plan with controls; opportunities pursued.

Clause 42001-6.2 | Control ISO42001-6-002 | Severity: medium

AI management system objectives

Clause 6.2 — Measurable AIMS objectives consistent with the AI policy; planning to achieve them.

Clause 42001-7.1 | Control ISO42001-7-001 | Severity: medium

Resources for AIMS allocated

Clause 7.1 — Resources determined and provided: people, infrastructure, environment, technology, financial.

Clause 42001-7.2 | Control ISO42001-7-002 | Severity: medium

Competence of AI personnel

Clause 7.2 — Persons performing AI-related work are competent on the basis of education, training, or experience; competence is evidenced by certification or training records.

Clause 42001-7.4 | Control ISO42001-7-003 | Severity: medium

Communication about AIMS

Clause 7.4 — Communication needs determined: what, when, with whom, how, by whom.

Clause 42001-8.2 | Control ISO42001-8-001 | Severity: high

AI workload least-privilege RBAC

Clause 8.2 — Operational controls applied to AI processes; access controls enforced.

Clause 42001-8.3 | Control ISO42001-8-002 | Severity: high

AI system impact assessment

Clause 8.3 — Impact assessment performed for AI systems; updated as system evolves.

Clause 42001-8.4 | Control ISO42001-8-003 | Severity: medium

AI image registry policy

Clause 8.4 — Data and software components sourced from approved registries; integrity verified.

Clause 42001-9.1 | Control ISO42001-9-001 | Severity: medium

AIMS monitoring, measurement, evaluation

Clause 9.1 — AIMS performance monitored, measured, analysed, evaluated; results documented.

Clause 42001-9.2 | Control ISO42001-9-002 | Severity: medium

Internal audit of AIMS

Clause 9.2 — Internal audit at planned intervals; findings documented; corrective actions tracked.

Clause 42001-10.1 | Control ISO42001-10-001 | Severity: medium

Continual improvement of AIMS

Clause 10.1 — AIMS continually improved based on audit findings, incidents, management review, stakeholder feedback.