ISO 42001ISO / IEC · 2023

ISO/IEC 42001:2023

An auditable management-system standard (like ISO 27001 for security) that tells an organisation HOW to build, run, and continually improve an AI Management System. Clauses 4–10 are the system. Annex A is the control catalogue.

Open in explorer →Take guided tour

// On this page

4 - Context of the organization 5 - Leadership 6 - Planning 7 - Support 8 - Operation 9 - Performance evaluation 10 - Improvement Annex A.2 - Policies related to AI Annex A.3 - Internal organization Annex A.4 - Resources for AI systems Annex A.5 - Assessing impacts of AI systems Annex A.6.1 - Management guidance for AI system development Annex A.6.2 - AI system life cycle Annex A.7 - Data for AI systems Annex A.8 - Information for interested parties Annex A.9 - Use of AI systems Annex A.10 - Third-party and customer relationships

// Walkthrough

Read ISO 42001 as a step-by-step path

Each section shows the intent, the steps, and the equivalent provisions in the other two frameworks.

Section 1 of 17

4 - Context of the organization

4 items

// Why this section exists

Before you can manage AI, you scope it. Clause 4 forces you to define what AI is inside your management system, who the stakeholders are, and what 'success' means.

// Step-by-step

1List internal/external issues that affect your AI work (regulation, customer expectations, third-party models).
2Identify interested parties - users, regulators, affected persons - and capture their requirements.
3Draw the AIMS scope: which AI systems, business units and processes are in/out.
4Document the AIMS itself and how its processes interact.

// In the other frameworks

NIST AI RMF

NIST starts in GOVERN 1.1 (legal/regulatory) and MAP 1.x (context). Same idea, no certification.

EU AI Act

EU AI Act doesn't ask for 'context' explicitly, but Art.16/17 obligations only apply once you've classified yourself as provider or deployer of a given AI system.

Step 1Clause 4.1

Understanding the organization and its context

Identify internal/external issues relevant to the AI Management System (AIMS) and the intended outcomes.

// Maps to

NIST AI RMFGOVERN 1.1 MAP 1.1

EU AI ActArticle 9

Step 2Clause 4.2

Needs and expectations of interested parties

Identify interested parties (users, regulators, affected persons) and their requirements.

// Maps to

NIST AI RMFMAP 1.2 MAP 3.1

EU AI ActArticle 26 Article 27

Step 3Clause 4.3

Scope of the AI Management System

Define which AI systems, processes and units are inside the AIMS boundary.

// Maps to

NIST AI RMFGOVERN 1.1

EU AI ActArticle 16 Article 3

Step 4Clause 4.4

AI Management System

Establish, implement, maintain and continually improve the AIMS and its processes.

// Maps to

NIST AI RMFGOVERN 1.1

EU AI ActArticle 17 Article 8 Article 16

Section 2 of 17

5 - Leadership

3 items

// Why this section exists

Top management has to own AI risk, not just delegate it. Without signed commitment, the rest of the system is theatre.

// Step-by-step

1Executive accountability statement and resourcing decision.
2Approve an AI policy aligned with strategy.
3Assign documented roles, responsibilities and authorities for AI.

// In the other frameworks

NIST AI RMF

GOVERN 2.1–2.3 cover the same accountability and roles.

EU AI Act

Art.26 puts named legal duties on deployers; Art.17 mandates a quality management system signed off by management for high-risk AI.

Step 1Clause 5.1

Leadership and commitment

Top management demonstrates commitment to the AIMS and accountability for outcomes.

// Maps to

NIST AI RMFGOVERN 2.1 GOVERN 2.2

EU AI ActArticle 26

Step 2Clause 5.2

AI policy

Establish an AI policy aligned with strategy, signed off by top management.

// Maps to

NIST AI RMFGOVERN 1.1 GOVERN 1.2

EU AI ActArticle 17

Step 3Clause 5.3

Roles, responsibilities and authorities

Assign and communicate AI roles, including authority for AIMS conformance.

// Maps to

NIST AI RMFGOVERN 2.1 GOVERN 2.3

EU AI ActArticle 26

Section 3 of 17

6 - Planning

5 items

// Why this section exists

Planning is where AI risk management becomes real: pick a method, run risk + impact assessments, then choose treatments traceable to Annex A controls.

// Step-by-step

1Plan actions to address risks and opportunities from your context.
2Run an AI risk assessment using a documented method.
3Pick treatments and produce the Statement of Applicability (SoA) against Annex A.
4Run an AI system impact assessment on people and society.
5Set measurable AI objectives.

// In the other frameworks

NIST AI RMF

Maps almost 1:1 to MAP and MEASURE: MAP 5.x for impact, MEASURE 2.x for risk quantification, MANAGE 1.x for treatment.

EU AI Act

Art.9 = risk management system; Art.27 = fundamental-rights impact assessment for certain deployers.

Step 1Clause 6.1.1

Actions to address risks and opportunities

Plan actions to address AI risks and opportunities arising from context.

// Maps to

NIST AI RMFMAP 1.1 MANAGE 1.1

EU AI ActArticle 9

Step 2Clause 6.1.2

AI risk assessment

Define and apply a process to identify, analyse and evaluate AI risks.

// Maps to

NIST AI RMFMAP 5.1 MEASURE 2.1 GOVERN 1.4

EU AI ActArticle 9

Step 3Clause 6.1.3

AI risk treatment

Select and apply risk treatments; produce a Statement of Applicability against Annex A.

// Maps to

NIST AI RMFMANAGE 1.3 MANAGE 2.1

EU AI ActArticle 9

Step 4Clause 6.1.4

AI system impact assessment

Assess potential consequences for individuals, groups and society throughout the AI lifecycle.

// Maps to

NIST AI RMFMAP 5.1 MAP 5.2

EU AI ActArticle 27

Step 5Clause 6.2

AI objectives and planning

Set measurable AI objectives consistent with the AI policy.

// Maps to

NIST AI RMFGOVERN 1.1 MEASURE 1.1

EU AI ActArticle 9

Section 4 of 17

7 - Support

5 items

// Why this section exists

An AIMS needs fuel: people, skills, awareness, communications and documented information. Most failed audits trace back here.

// Step-by-step

1Allocate resources (compute, tooling, headcount, data).
2Confirm competence and retain proof.
3Drive awareness of the AI policy across the workforce.
4Run internal/external communications on AI.
5Control documented information end-to-end.

// In the other frameworks

NIST AI RMF

GOVERN 3 covers workforce; GOVERN 1.4 covers documentation; GOVERN 5 covers communications.

EU AI Act

Art.4 makes AI literacy a hard legal duty; Art.11 + Annex IV require a documentation pack for high-risk AI.

Step 1Clause 7.1

Resources

Provide resources needed to establish and run the AIMS.

// Maps to

NIST AI RMFGOVERN 2.1

EU AI ActNo direct equivalent in EU AI Act.

Step 2Clause 7.2

Competence

Ensure people performing AI work are competent and demonstrate it.

// Maps to

NIST AI RMFGOVERN 3.2

EU AI ActArticle 4 Article 14

Step 3Clause 7.3

Awareness

Workforce is aware of AI policy, their contribution and risks of non-conformance.

// Maps to

NIST AI RMFGOVERN 3.1

EU AI ActArticle 4

Step 4Clause 7.4

Communication

Internal and external communications regarding AIMS.

// Maps to

NIST AI RMFGOVERN 5.1

EU AI ActArticle 13

Step 5Clause 7.5

Documented information

Create, control and retain documented information required by the AIMS.

// Maps to

NIST AI RMFGOVERN 1.4 MAP 4.2

EU AI ActArticle 11 Article 18 Article 12 Article 53

Section 5 of 17

8 - Operation

4 items

// Why this section exists

Clause 8 is the operational mirror of Clause 6 - you re-run risk and impact assessments as conditions change, and execute the treatment plan.

// Step-by-step

1Plan and control operational processes for the AI lifecycle.
2Re-run risk assessments at planned intervals and on significant change.
3Implement and verify the risk treatment plan.
4Re-run AI system impact assessments operationally.

// In the other frameworks

NIST AI RMF

Lives in MANAGE 1–2 with continuous re-MEASURE.

EU AI Act

Art.9 is continuous by design; Art.72 adds post-market monitoring that loops back into operation.

Step 1Clause 8.1

Operational planning and control

Plan, implement and control operational processes for the AI lifecycle.

// Maps to

NIST AI RMFMANAGE 1.1

EU AI ActArticle 17

Step 2Clause 8.2

AI risk assessment (operational)

Perform risk assessments at planned intervals and on significant change.

// Maps to

NIST AI RMFMEASURE 2.1 MANAGE 2.2 MEASURE 2.6

EU AI ActArticle 9 Article 72

Step 3Clause 8.3

AI risk treatment (operational)

Implement risk treatment plan and verify it is effective.

// Maps to

NIST AI RMFMANAGE 2.1 MANAGE 2.3

EU AI ActArticle 9

Step 4Clause 8.4

AI system impact assessment (operational)

Conduct impact assessments at planned intervals and on change.

// Maps to

NIST AI RMFMAP 5.1

EU AI ActArticle 27

Section 6 of 17

9 - Performance evaluation

3 items

// Why this section exists

You can't claim conformity if you can't measure. Clause 9 forces measurement, internal audit and management review.

// Step-by-step

1Decide what you monitor, how, how often, and how you evaluate it.
2Run internal audits of the AIMS on a planned schedule.
3Have top management formally review AIMS effectiveness.

// In the other frameworks

NIST AI RMF

MEASURE 1.x picks the metrics; MANAGE 4.x closes the loop; GOVERN 2.2 ensures leadership review.

EU AI Act

Art.72 obliges post-market monitoring; Art.15 obliges declared accuracy/robustness levels measured over time.

Step 1Clause 9.1

Monitoring, measurement, analysis and evaluation

Define what to monitor, methods, frequency, and evaluate AI performance.

// Maps to

NIST AI RMFMEASURE 1.1 MEASURE 2.5

EU AI ActArticle 72 Article 15

Step 2Clause 9.2

Internal audit

Plan and conduct internal audits of the AIMS at planned intervals.

// Maps to

NIST AI RMFGOVERN 4.1

EU AI ActArticle 17

Step 3Clause 9.3

Management review

Top management reviews AIMS suitability, adequacy and effectiveness.

// Maps to

NIST AI RMFGOVERN 2.2

EU AI ActArticle 17

Section 7 of 17

10 - Improvement

2 items

// Why this section exists

Continual improvement and corrective action - the engine that stops the AIMS from drifting into shelfware.

// Step-by-step

1Improve suitability, adequacy and effectiveness continually.
2Respond to nonconformities with root-cause analysis and corrective action.

// In the other frameworks

NIST AI RMF

MANAGE 4.x is the equivalent - measure, learn, improve.

EU AI Act

Art.20 corrective action + Art.73 serious-incident reporting are the legal teeth.

Step 1Clause 10.1

Continual improvement

Continually improve suitability, adequacy and effectiveness of the AIMS.

// Maps to

NIST AI RMFMANAGE 4.1 MANAGE 4.2

EU AI ActArticle 72

Step 2Clause 10.2

Nonconformity and corrective action

Respond to nonconformities, take corrective action and prevent recurrence.

// Maps to

NIST AI RMFMANAGE 4.2 MANAGE 4.3

EU AI ActArticle 20 Article 73

Section 9 of 17

Annex A.3 - Internal organization

2 items

2 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.3.2

AI roles and responsibilities

Define, assign and communicate roles, responsibilities and authorities for AI activities.

// Maps to

NIST AI RMFGOVERN 2.1 GOVERN 2.3

EU AI ActArticle 26

Step 2Annex A.3.3

Reporting of concerns

Provide a mechanism for personnel to raise concerns about AI systems without fear of reprisal.

// Maps to

NIST AI RMFGOVERN 4.1 MANAGE 4.3

EU AI ActArticle 26

Section 10 of 17

Annex A.4 - Resources for AI systems

5 items

5 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.4.2

Resource documentation

Identify and document the resources (data, tooling, compute, people) needed for each AI system.

// Maps to

NIST AI RMFMAP 4.1

EU AI ActArticle 11 Article 10

Step 2Annex A.4.3

Data resources

Document the data resources used by AI systems across the lifecycle.

// Maps to

NIST AI RMFMAP 2.3

EU AI ActArticle 10

Step 3Annex A.4.4

Tooling resources

Document the tools used to develop, deploy and operate AI systems.

// Maps to

NIST AI RMFMAP 4.1

EU AI ActArticle 17

Step 4Annex A.4.5

System and computing resources

Document the system and computing resources (infrastructure, compute) supporting AI systems.

// Maps to

NIST AI RMFMAP 4.1

EU AI ActArticle 15

Step 5Annex A.4.6

Human resources

Document the human resources, competences and AI literacy needed for AI systems.

// Maps to

NIST AI RMFGOVERN 3.2

EU AI ActArticle 4

Section 11 of 17

Annex A.5 - Assessing impacts of AI systems

4 items

4 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.5.2

AI system impact assessment process

Establish a process to assess the potential impacts of AI systems on people and society.

// Maps to

NIST AI RMFMAP 5.1 MEASURE 2.11

EU AI ActArticle 27

Step 2Annex A.5.3

Documentation of impact assessments

Document the results of AI system impact assessments and keep them available for review.

// Maps to

NIST AI RMFMAP 5.1 MEASURE 2.11

EU AI ActArticle 27

Step 3Annex A.5.4

Assessing AI system impact on individuals and groups

Assess potential impacts of AI systems on individuals and groups of individuals.

// Maps to

NIST AI RMFMAP 5.1 MAP 5.2

EU AI ActArticle 27

Step 4Annex A.5.5

Assessing societal impacts

Assess potential societal impacts of AI systems beyond direct users.

// Maps to

NIST AI RMFMAP 5.1 MEASURE 2.11

EU AI ActArticle 27

Section 12 of 17

Annex A.6.1 - Management guidance for AI system development

2 items

2 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.6.1.2

Objectives for responsible development

Set objectives that guide responsible development of AI systems across the lifecycle.

// Maps to

NIST AI RMFMAP 1.1 GOVERN 1.2 MAP 2.1

EU AI ActArticle 17

Step 2Annex A.6.1.3

Processes for responsible design and development

Define processes for the responsible design and development of AI systems.

// Maps to

NIST AI RMFMAP 2.1 MANAGE 1.1

EU AI ActArticle 17

Section 13 of 17

Annex A.6.2 - AI system life cycle

7 items

7 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.6.2.2

AI system requirements and specification

Specify and document requirements for each AI system, including performance and risk criteria.

// Maps to

NIST AI RMFMAP 2.1

EU AI ActArticle 9

Step 2Annex A.6.2.3

Documentation of AI system design and development

Document the design and development of AI systems to support review and audit.

// Maps to

NIST AI RMFMAP 2.3

EU AI ActArticle 11

Step 3Annex A.6.2.4

AI system verification and validation

Define and apply measures to verify and validate AI systems against requirements.

// Maps to

NIST AI RMFMEASURE 2.5 MEASURE 2.7 MAP 2.3

EU AI ActArticle 15 Article 55

Step 4Annex A.6.2.5

AI system deployment

Plan and control the deployment of AI systems into production environments.

// Maps to

NIST AI RMFMANAGE 1.1

EU AI ActArticle 16

Step 5Annex A.6.2.6

AI system operation and monitoring

Operate and monitor AI systems in production, including drift and performance checks.

// Maps to

NIST AI RMFMEASURE 2.5 MANAGE 4.1

EU AI ActArticle 72 Article 26

Step 6Annex A.6.2.7

AI system technical documentation

Produce technical documentation that describes the AI system to stakeholders and regulators.

// Maps to

NIST AI RMFMAP 2.3

EU AI ActArticle 11 Article 18

Step 7Annex A.6.2.8

AI system recording of event logs

Record event logs from AI systems to support traceability, monitoring and incident response.

// Maps to

NIST AI RMFMEASURE 2.5 MANAGE 4.1

EU AI ActArticle 12 Article 72

Section 14 of 17

Annex A.7 - Data for AI systems

5 items

5 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.7.2

Data for development and enhancement

Manage the data used to develop and enhance AI systems across the lifecycle.

// Maps to

NIST AI RMFMAP 2.3 MEASURE 2.10 MEASURE 2.11

EU AI ActArticle 10

Step 2Annex A.7.3

Acquisition of data

Control how data is acquired for AI systems, including sourcing and legal basis.

// Maps to

NIST AI RMFMAP 2.3

EU AI ActArticle 10

Step 3Annex A.7.4

Quality of data

Manage the quality of data used by AI systems, including accuracy, completeness and bias.

// Maps to

NIST AI RMFMEASURE 2.10 MEASURE 2.11

EU AI ActArticle 10

Step 4Annex A.7.5

Data provenance

Track the provenance of data used for AI systems so origin and changes are known.

// Maps to

NIST AI RMFMAP 2.3

EU AI ActArticle 10

Step 5Annex A.7.6

Data preparation

Manage the preparation of data (cleaning, labelling, transformation) used for AI systems.

// Maps to

NIST AI RMFMEASURE 2.10

EU AI ActArticle 10

Section 15 of 17

Annex A.8 - Information for interested parties

4 items

4 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.8.2

System documentation and information for users

Provide system documentation and information so users can use the AI system correctly.

// Maps to

NIST AI RMFGOVERN 5.1 MEASURE 2.8 MEASURE 2.9 MEASURE 3.3

EU AI ActArticle 13 Article 50

Step 2Annex A.8.3

External reporting

Report externally on AI system performance, incidents and impacts as appropriate.

// Maps to

NIST AI RMFGOVERN 5.1 MEASURE 3.3

EU AI ActArticle 50

Step 3Annex A.8.4

Communication of incidents

Communicate AI system incidents to affected parties and authorities in a timely way.

// Maps to

NIST AI RMFMANAGE 4.3

EU AI ActArticle 73

Step 4Annex A.8.5

Information for interested parties

Provide information about AI systems to interested parties beyond direct users.

// Maps to

NIST AI RMFGOVERN 5.1 MEASURE 2.9

EU AI ActArticle 13 Article 50

Section 16 of 17

Annex A.9 - Use of AI systems

3 items

3 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.9.2

Processes for responsible use

Define processes for the responsible use of AI systems within the organisation.

// Maps to

NIST AI RMFMANAGE 1.2 MEASURE 3.1 MAP 5.2 MEASURE 2.9+1

EU AI ActArticle 26 Article 14

Step 2Annex A.9.3

Objectives for responsible use

Set objectives for the responsible use of AI systems, aligned with the AI policy.

// Maps to

NIST AI RMFGOVERN 1.2

EU AI ActArticle 26

Step 3Annex A.9.4

Intended use of the AI system

Ensure AI systems are used for their intended purpose, with human oversight in place.

// Maps to

NIST AI RMFMAP 1.1 MAP 5.2 MEASURE 2.9

EU AI ActArticle 14 Article 26

Section 17 of 17

Annex A.10 - Third-party and customer relationships

3 items

3 items in this section. Click any item to see its cross-framework mapping in the explorer.

Step 1Annex A.10.2

Allocating responsibilities

Allocate responsibilities for AI risk between the organisation and third parties.

// Maps to

NIST AI RMFGOVERN 6.1 GOVERN 6.2 MAP 4.1

EU AI ActArticle 25 Article 53

Step 2Annex A.10.3

Suppliers

Manage AI risk arising from suppliers of data, models, tools and services.

// Maps to

NIST AI RMFGOVERN 6.1 MAP 4.1

EU AI ActArticle 25

Step 3Annex A.10.4

Customers

Manage AI risk arising from how customers use the AI systems the organisation provides.

// Maps to

NIST AI RMFGOVERN 6.2 MAP 4.1

EU AI ActArticle 25 Article 53