Overview of ISO 42001 Structure

ISO/IEC 42001 follows the Harmonized Structure (HS) common to all ISO management system standards. This structure organizes requirements into ten clauses, with Clauses 1-3 covering scope, normative references, and terms and definitions. Clauses 4-10 contain the actual requirements that organizations must implement to achieve certification.

Understanding these clauses is essential for organizations preparing for ISO 42001 certification. Each clause builds upon the previous ones, creating a comprehensive framework for AI governance.

Key Insight

The Harmonized Structure means organizations already certified to ISO 27001, ISO 9001, or other ISO standards will find the clause structure familiar. This facilitates integration and reduces duplication when implementing multiple management systems.

Clause 4: Context of the Organization

Clause 4 establishes the foundation for your AI Management System by requiring organizations to understand their context and stakeholder needs.

4.1 Understanding the Organization and Its Context

Organizations must determine external and internal issues relevant to their purpose and affecting their ability to achieve AIMS objectives. For AI systems, this includes:

  • Regulatory landscape (EU AI Act, sector-specific regulations)
  • Technological environment and AI maturity
  • Organizational culture regarding innovation and risk
  • Competitive landscape and market expectations
  • Societal and ethical considerations in target markets

4.2 Understanding Stakeholder Needs

Identify all parties with an interest in your AI systems:

  • Customers and end-users of AI systems
  • Regulatory bodies and certification authorities
  • Affected third parties (individuals subject to AI decisions)
  • Investors and shareholders
  • Employees and AI operators
  • Civil society organizations and advocacy groups

4.3 Determining the Scope

Define boundaries and applicability of your AIMS. The scope statement must specify:

  • AI systems included (developed, provided, or used)
  • Business units and processes covered
  • Geographic locations
  • Any exclusions with justification

4.4 AI Management System

Establish, implement, maintain, and continually improve an AIMS, including the processes it needs and how those processes interact.

Clause 5: Leadership

Clause 5 emphasizes that effective AI governance requires active engagement from top management. Leadership commitment is not just symbolic - it requires tangible actions and resource allocation.

5.1 Leadership and Commitment

Top management must demonstrate leadership by:

  • Ensuring AI policy and objectives are established and compatible with strategic direction
  • Ensuring integration of AIMS requirements into business processes
  • Ensuring adequate resources are available
  • Communicating the importance of effective AI management
  • Ensuring AIMS achieves intended outcomes
  • Directing and supporting continual improvement

5.2 AI Policy

The AI policy is a critical document that must:

  • Be appropriate to the organization's purpose
  • Provide a framework for setting AI objectives
  • Include commitment to satisfy applicable requirements
  • Include commitment to continual improvement
  • Address responsible AI principles (fairness, transparency, accountability)
  • Be documented, communicated, and available to relevant stakeholders

The AI policy sets the tone for your entire AIMS. It should be specific enough to provide real guidance while remaining adaptable as your AI capabilities and regulatory requirements evolve.

5.3 Organizational Roles, Responsibilities, and Authorities

Top management must assign and communicate responsibilities for:

  • Ensuring AIMS conforms to ISO 42001 requirements
  • Reporting on AIMS performance to top management
  • AI risk assessment and treatment decisions
  • AI impact assessment processes
  • Incident management and response

Clause 6: Planning

Clause 6 addresses how organizations plan their AIMS, including risk management and objective setting. This clause is where AI-specific requirements become most prominent.

6.1 Actions to Address Risks and Opportunities

Organizations must determine risks and opportunities that need to be addressed, considering:

  • Issues from Clause 4.1 (organizational context)
  • Requirements from Clause 4.2 (stakeholder needs)
  • AI-specific risks including bias, fairness, safety, and transparency

6.1.2 AI Risk Assessment

This is a critical requirement specific to ISO 42001. Organizations must:

  • Define and apply an AI risk assessment process
  • Identify risks associated with AI systems throughout their lifecycle
  • Analyze risks considering likelihood and consequences
  • Evaluate risks against defined criteria
  • Document results and maintain records

6.1.3 AI Risk Treatment

For identified risks, organizations must:

  • Select appropriate risk treatment options (mitigate, accept, transfer, avoid)
  • Determine controls necessary to implement treatment options
  • Compare controls with Annex A to ensure nothing is overlooked
  • Produce a Statement of Applicability (SoA)
  • Formulate an AI risk treatment plan

6.1.4 AI System Impact Assessment

This is a requirement unique to ISO 42001. Organizations must conduct impact assessments covering:

  • Potential impacts on individuals affected by AI decisions
  • Societal impacts and public interest considerations
  • Environmental impacts where applicable
  • Impacts on fundamental rights and freedoms

6.2 AI Objectives and Planning

Establish measurable AI objectives that are:

  • Consistent with the AI policy
  • Measurable and monitored
  • Communicated and updated as appropriate

6.3 Planning of Changes

When changes to the AIMS are needed, they must be carried out in a planned manner considering purpose, consequences, integrity, and resources.

Clause 7: Support

Clause 7 ensures organizations have the resources and capabilities needed to implement and maintain their AIMS effectively.

7.1 Resources

Determine and provide resources needed for AIMS establishment, implementation, maintenance, and improvement. This includes:

  • Personnel with appropriate expertise
  • Technical infrastructure for AI governance
  • Financial resources for implementation and audits
  • Tools for monitoring and assessment

7.2 Competence

Ensure persons doing work affecting AI system performance are competent based on appropriate education, training, or experience. Key competencies include:

  • AI system development and deployment
  • AI risk assessment and management
  • Ethical AI principles and practices
  • Relevant regulatory requirements

7.3 Awareness

Persons doing work under organizational control must be aware of:

  • The AI policy
  • Their contribution to AIMS effectiveness
  • Implications of not conforming to AIMS requirements

7.4 Communication

Determine internal and external communications relevant to the AIMS, including what, when, with whom, and how to communicate.

7.5 Documented Information

The AIMS must include documented information required by the standard and determined necessary by the organization. Requirements cover creation, updating, and control of documents.

Clause 8: Operation

Clause 8 addresses the implementation of plans and controls developed in earlier clauses. This is where AI governance moves from planning to action.

8.1 Operational Planning and Control

Plan, implement, and control processes needed to meet AIMS requirements by:

  • Establishing criteria for processes
  • Implementing control of processes in accordance with criteria
  • Keeping documented information to demonstrate processes were carried out as planned

8.2 AI Risk Assessment

Perform AI risk assessments at planned intervals or when significant changes are proposed. Retain documented information on the results.

8.3 AI Risk Treatment

Implement the AI risk treatment plan. Retain documented information on the results.

8.4 AI System Impact Assessment

Conduct impact assessments for AI systems as planned and when significant changes occur. Document and retain results.

Operational Controls

Clause 8 is where Annex A controls are implemented. Organizations must apply controls selected during risk treatment (Clause 6.1.3) and ensure they are operating effectively.

Clause 9: Performance Evaluation

Clause 9 requires organizations to measure, analyze, and evaluate their AIMS to ensure it is achieving intended outcomes.

9.1 Monitoring, Measurement, Analysis, and Evaluation

Determine:

  • What needs to be monitored and measured
  • Methods for monitoring, measurement, analysis, and evaluation
  • When monitoring and measuring shall be performed
  • When results shall be analyzed and evaluated

9.2 Internal Audit

Conduct internal audits at planned intervals to verify that the AIMS:

  • Conforms to the organization's own requirements
  • Conforms to ISO 42001 requirements
  • Is effectively implemented and maintained

Establish an audit program considering importance of processes and previous audit results.

9.3 Management Review

Top management must review the AIMS at planned intervals considering:

  • Status of actions from previous reviews
  • Changes in external and internal issues
  • Performance indicators including nonconformities and corrective actions
  • Monitoring and measurement results
  • Audit results
  • Opportunities for continual improvement

Output must include decisions on improvement opportunities and any need for changes to the AIMS.

Clause 10: Improvement

Clause 10 ensures the AIMS continually improves its suitability, adequacy, and effectiveness.

10.1 Continual Improvement

Organizations must continually improve AIMS suitability, adequacy, and effectiveness. This is not optional - it is a requirement for certification maintenance.

10.2 Nonconformity and Corrective Action

When nonconformity occurs, organizations must:

  • React to the nonconformity and take action to control and correct it
  • Evaluate the need for action to eliminate root causes
  • Implement any action needed
  • Review the effectiveness of corrective action taken
  • Make changes to the AIMS if necessary

Documented information must be retained as evidence of the nature of nonconformities, actions taken, and results.

Continual improvement is not about perfection - it is about systematic learning and adaptation. The best AIMS are those that embrace findings as opportunities for strengthening AI governance.