April 29, 2024

Last Updated on May 1, 2024

Generative AI offers enormous transformational potential across seemingly limitless use cases. But responsible AI development and use is critical to ensuring trustworthy outcomes and avoiding unacceptable cybersecurity, privacy, and ethical risks.

As the first AI management system guidance, ISO 42001:2023, “Information technology – Artificial intelligence – Management system” directly addresses AI’s unique and rapidly evolving management and governance challenges. This new international standard supports collaboration among AI providers, users, and regulators, while enabling businesses to demonstrate their commitment and conformance to best-practice AI solutions and deployments.

This article explains ISO 42001’s overall scope, structure, and key focus areas.


What does ISO 42001 cover?

ISO 42001 describes a comprehensive approach to managing AI systems across their lifecycle from design through development and deployment. It enables organizations to efficiently integrate an AI management system (AIMS) with related business processes to drive reliable outcomes, continuous improvement, and ongoing compliance with regulations and policy.

Key elements of the AIMS requirements and the 39 related controls include:

  • AI governance policies and processes
  • Organizational roles and responsibilities for AI governance
  • Resources for AI systems (data, human expertise, computing power, etc.)
  • Implementation guidance for operationalizing responsible AI
  • Evaluating and monitoring AI system impacts (required under the EU AI Act)
  • Understanding and managing the full lifecycle of AI systems and data
  • Fostering continuous AIMS improvement
  • Addressing concerns around bias, inclusion, and diversity in AI models

ISO 23894:2023, “Information technology – Artificial intelligence – Guidance on risk management focuses more narrowly on AI risk management. In contrast, ISO 42001 covers the company-wide management and governance of AI development, deployment, and use, of which risk management is a foundational component.


What are the ISO 42001 clauses 4 through 10

Like its predecessor, ISO 27001 for information security management systems (ISMS), the new standard includes seven clauses (numbered 4 through 10) that define the AI management system requirements and describe the recommended controls.

ISO 42001 also parallels ISO 27001 by requiring organizations to define and comply with internal as well as external requirements. These requirements can come from customers, suppliers, users, your board, investors, regulators, and other stakeholders, as well as a company’s objectives for leveraging AI.

ISO 42001 compliance is currently optional. But it may quickly become a regulatory or contractual requirement in specific verticals, such as cloud services or government supply chains.

At first glance ISO 42001 might seem simplistic or lightweight because it defines “only” 39 controls. (ISO 27001:2022, for example, has 93.) Yet for businesses that have no formal AI governance program, implementing ISO 42001 is likely to present unique challenges and demand new expertise.

The seven ISO 42001 clauses (4 through 10) include:

  • Context of the organization
    Why does AI matter to your business? What are your internal and external stakeholders’ requirements and expectations? What should the scope and boundaries of your AIMS be?
  • Leadership
    Strong senior leadership involvement, commitment, and “tone from the top” are essential to an effective AI risk management and efficient AIMS governance. This clause helps guide development of AI policy, roles, and responsibilities. It also supports defining management’s overarching objectives for AI, which defines what the AIMS should achieve.
  • Planning
    How will the organization take action to assess and treat AI risks? This includes an AI impact assessment, similar to a privacy impact assessment in ISO 27701, to help understand AI-specific risks to individuals, groups, organizations, and society as a whole. It also covers developing an AI risk treatment plan.
  • Support
    The guidance in this clause helps companies define the financial, technology, staffing, information, and other resources required to develop, maintain, monitor, and continuously improve the AIMS. This includes effective communication and awareness of AI policy throughout the business, along with documenting performance metrics, usage metrics, etc.
  • Operation
    Within a “Plan Do Check Act” model, Clause 8 covers the “Do” phase. How should the business apply the resources identified in Clause 7 to drive AIMS implementation based on the AI risk assessment and risk treatment methodology and the AI impact assessment?
  • Performance evaluation
    How do you know your AIMS is performing as intended? Are you achieving the objectives you established using Clause 8? Clause 9 also includes guidelines for the internal audit program, as well as management/stakeholder review of the AIMS.
  • Improvement
    Continuous improvement—a cornerstone of ISO 27001 and other ISO standards—is only possible with adequate monitoring and evaluation per Clause 9. Clause 10 underscores that ISO 42001 compliance is not “pass-fail” but consists of measuring AIMS effectiveness, identifying gaps, and strengthening control implementation and operation. Besides helping companies address changes that impact current controls, Clause 10 also supports developing a plan for identifying nonconformities and taking corrective action.


What are the ISO 42001 Annexes A through D?

Besides the clauses in the main body of the standard, ISO 42001 also includes four annexes, which offer detailed compliance guidance:

  • Annex A – A comprehensive description of each of the standard’s 39 controls and their objectives, similar to ISO 27001’s Annex A
  • Annex B – Helpful guidance on implementing the Annex A controls and associated data management processes, similar to how ISO 27002 relates to ISO 27001’s Annex A
  • Annex C – A discussion of AI risk sources, potential organizational objectives for AI, and AI risk management background
  • Annex D – Explores issues with using AI and operating an AIMS across different industries and scenarios


What’s next?

For more guidance on this topic, listen to Episode 136 of The Virtual CISO Podcast with guest Ariel Allensworth, Senior GRC Consultant at CBIZ Pivot Point Security.

Suggest a link to the CPPS ISO 27001 services page here:



Suggest a link to this CPPS services page for ISO 27701:

ISO 27701 Consulting Services