What are the ISO 42001 Requirements?

When seeking ISO 42001:2023 certification, you must ensure that your artificial intelligence management system (AIMS) aligns with the standard’s key clauses (4-10), each of which focuses on a specific facet—context, leadership, planning, support, operation, performance evaluation, and improvement.

For those acquainted with other, more established ISO standards, that format may feel familiar initially, but there are some key differences in ISO 42001, including its expansion of clauses 6 and 8 to cover interactions of artificial intelligence with individuals and the public sector.

To have your AIMS certified, you’ll need to satisfy those additional nuances, as well as the rest of the specific requirements in clauses 4 through 10, and as an experienced Certification Body with accreditation from ANAB and UKAS, we’re going to provide you with a starting baseline.

In this article, we’ll break down each of ISO 42001’s clauses 4-10 in detail along with some basic strategies for compliance with their requirements so that you’ll gain a solid understanding of what will be expected of your AIMS as you begin to stand it up and engage in initial certification services.

What are the Key Clauses of ISO 42001?

Similar to other ISO standards, clauses 1-3 of ISO 42001 are more general and provide the background information you’ll need when implementing the requirements outlined in clauses 4-10:

  • Clause 1: Scope
    • Defines the boundaries and applicability of the ISO 42001 standard.
  • Clause 2: Normative References
    • Refers to documents that are referenced in the text of the ISO 42001 standard in such a way that some or all of their content constitutes requirements of the standard. That document is ISO/IEC 22989:2022, Information Technology – Artificial intelligence – Artificial intelligence concepts and terminology.
  • Clause 3: Terms & Definitions
    • Establishes common terminology used in the framework to facilitate consistent implementation of the standard across organizations.

Context of the Organization (Clause 4)

What’s Required: The identification of:

  • The scope of your AIMS
  • All the issues relevant to the purpose and strategic direction of your AIMS
  • The needs of both internal and external stakeholders, who may include customers, suppliers, employees, and regulatory bodies

Every organization’s AIMS should be tailored to its individual needs, but before you can cut yours to the right fit, you must first demonstrate a complete understanding of your specific context, including things like:

  • Your strategic business objectives (e.g., competitive market share, stakeholders’ expectations, compliance with global laws);
  • Relevant risks (e.g., threats and vulnerabilities); and
  • Your customer expectations (e.g., required functionality of AI tools, etc.).

How to Get Started with Compliance:

  • Determine which of your existing processes, personnel, departments, activities, software dependencies, and locations should be included in your AIMS.
  • Identify and document factors that could impact your AIMS, including relevant market trends, regulatory requirements, technological advancements, competitive pressures, organizational culture, resources, current capabilities, and performance metrics.
  • Consider the intended purpose for the AI product or processes relating to the following:
    • Incentives or consequences associated with the intended purpose of AI;
    • Culture, traditions, values, norms, and ethics for the development and utilization of AI, as well as the competitive landscape and trends for new products and processes relying on AI; and
    • Internal context-related issues focused on governance, objectives, policies, procedures, and contractual obligations, for example.
  • Determine and document the needs of all relevant stakeholders (e.g., interested parties) regarding your AI products or services, quality standards, delivery schedules, and communication preferences.
  • Develop a document that reflects your organization's commitment to meeting those needs, complying with applicable regulations, and continually improving your products, services, and processes (NOTE: You should also communicate that policy to your organization).
  • Determine whether or not climate change is a factor in developing and continually improving the AIMS and document it either way.

Leadership (Clause 5)

What’s Required: The commitment of top management to your AIMS, artificial intelligence policy, and AIMS roles, responsibilities, and authorities

To ensure the effectiveness of your AIMS’ implementation, maintenance, and continual improvement throughout the three-year certification lifecycle—from initial certification to surveillance and recertification—management must be actively involved in support, especially through the artificial intelligence policy and communicated roles and responsibilities.

(While the standard does require that, executive and senior leadership—in many cases, even the Board of Directors (BoD), if possible—can also further benefit from getting involved and remaining involved in your ISO 42001 certification, as your AIMS can integrate formerly siloed departments and teams’ work and create more meaningful cross-functional collaboration.)

How to Get Started with Compliance:

  • Top management should:
    • Contribute to the establishment of your artificial intelligence (AI) policy, its communication to your wider organization, and its integration into your overall business process and strategies.
    • Provide and assign adequate resources, support, and direction for the AIMS by visibly championing AI initiatives, promoting a culture of continuous improvement, and actively engaging in AIMS activities—including regular reviews of the AIMS’ effectiveness with reporting sent up the management chain to the BoD so that the AIMS remains funded appropriately.
    • Create roles and responsibilities that govern and provide moderated authority to personnel serving the AIMS, including top management, safety and risk committee members, and day-to-day operators of the AIMS.

Planning (Clause 6)

What’s Required:

  • The setting of artificial intelligence objectives
  • The determination of AIMS risks, impact, and opportunities, as well as the planning of actions to address them

Integrating your AIMS into established processes so that it achieves your organizational priorities—and so that it is set up to endure and improve—will take careful planning. But as we noted before, clause 6 within ISO 42001 goes a step further than some of the other familiar ISO standards—specifically through its required completion of an AI impact assessment.

How to Get Started with Compliance:

  • Identify AI risk criteria and organizational AI appetite for risk that supports distinguishing acceptable from non-acceptable risks—that may mean performing AI-specific risk assessments, conducting AI-specific risk treatment, and assessing AI-specific risk impacts.
  • Conduct a comprehensive risk assessment to identify the risks that may affect your ability to achieve your AI objectives, and develop related mitigation (risk treatment) strategies.
  • Develop detailed procedures—including those addressing the implementation of changes to the AIMS and contingency plans for any deviations—to ensure the ongoing effectiveness of AIMS processes and achievement of AI objectives.
  • Consider and document formal steps for how changes to the AIMS will be enacted when the need for such a change arises.
  • Define roles, responsibilities, and authorities for executing planned activities and ongoing monitoring of their progress.
  • Establish metrics and targets for the effectiveness of AIMS activities and achievement of AI objectives.
  • Maintain accurate records of all these planning activities and ensure that this documented information is accessible, up-to-date, and effectively communicated to relevant stakeholders.

Tips for Your AI Impact Assessment:

  • Define a process to assess the potential consequences that can result from AI systems on individuals, groups, and societies.
  • Outline the potential consequences of an AI deployment, intended use, and potential misuse for individuals, groups, and societies.
  • Understand the context—both technical and social—where your AIMS is primarily deployed considering applicable jurisdictions.
  • Retain documented information of the AI impact assessment, available to internal and external interested parties (as determined by the organization’s strategic alignment).
  • Use the results of the AI impact assessment as inputs for your AI risk assessment as required by ISO 42001.

Support (Clause 7)

What’s Required: The allocation of adequate resources to support the operation and effectiveness of the AIMS, appropriate competence for persons doing work under the AIMS, personnel’s awareness of the AIMS, as well as communication and documented information regarding the AIMS

In requiring the allocation of resources, ISO 42001 doesn’t just mean employing adequate personnel and deploying the necessary data, tooling, systems, and assets (including human capital) to support your AIMS—the framework also mandates a certain level of competence, awareness, communication, and documented information as part of that support.

How to Get Started with Compliance:

  • Identify the knowledge, skills, and competencies required for personnel involved in AIMS-related activities and assign/hire them—that includes providing any necessary training for your existing relevant workforce on AI—and document the mechanisms used to verify these competencies.
  • Make sure that your employee base is aware of your AI policy and how each individual can aid in achieving the AIMS strategic priorities.
  • Establish and use effective communication channels to facilitate the flow of information related to the AIMS, including the importance of individual contributions to the AIMS, policies, procedures, instructions, and feedback.
  • Develop and maintain documented information necessary for the effective planning, operation, and control of AIMS processes—make sure that information is accurate, up-to-date, accessible, and properly controlled through designed procedures for such.

Operation (Clause 8)

What’s Required: The implementation of processes regarding your artificial intelligence offerings

Together with Clause 6, Clause 8 is paramount for your compliance—it addresses the conformance of AI operational planning and control within your design, development, and production processes through effective, efficient, and agile implementations.

How to Get Started with Compliance:

  • Plan, implement, and control actions determined in your completed AI assessment by implementing and measuring the success of controls related to the operation of the AIMS (refer to the AI controls in Annex A and the implementation guidance in Annex B).
  • Monitor the effectiveness of controls and institute corrective actions if intended results are not wholly achieved, all while forming and maintaining documented information to ensure confidence that the processes as stated have been performed.
  • Control and formalize planned changes, review the results of unintended changes, act on any perceived or real adverse effects, and verify that third-party products or services needed for the functioning of the AIMS are controlled.
  • Perform AI risk assessment, treatment, and impact assessments at planned intervals or when significant changes occur. When treatment plans are not effective, review, revalidate, and update the risk assessment, treatment, and AI impact processes.
  • Retain documented information on the process (e.g., policies, standards) and results (e.g., output, reporting, evaluation) of your AI risk assessment, AI risk treatment, and AI impact assessments.

Performance Evaluation (Clause 9)

What’s Required: The monitoring, measurement, analysis, and evaluation of AIMS processes and performance, internal audit against the AIMS framework and applicable Annex A controls, and a dedicated management review

Clause 9 requires the measurement of key performance indicators, regular internal audits, and management review, which constitute inputs towards analysis and evaluation for driving AIMS effectiveness over the entire certification lifecycle.

How to Get Started with Compliance:

  • Design and implement a systematic approach to collecting, recording, and analyzing performance data—whatever you can measure for an accurate heartbeat of your AI product/tool—to evaluate the effectiveness and efficiency of AI operational processes, its conformity to expected behavior, its performance versus real human capability, and real or perceived customer satisfaction, among any other relevant metrics.
  • Conduct regular, impartial, and objective internal audits against ISO 42001 requirements. (These can be done by a qualified third party or by internal personnel not involved in the running of the AIMS.)
  • Regularly review AIMS performance data and feedback to evaluate the effectiveness of the AIMS and identify opportunities for improvement.
  • Document and store information related to the operational effectiveness of the AIMS, including the results of regular measuring, internal audit against ISO 42001 requirements, and the subsequent resulting reports related to both measuring and internal audit delivered to top management during planned regular management reviews.

Improvement (Clause 10)

What’s Required: The correction of nonconformities and continual improvement of your AIMS

Though taking a systemic approach to artificial intelligence management through the establishment of an AIMS is already a big step, ISO 42001 also requires that you remain vigilant and seek opportunities to further enhance the success and functioning of your AIMS—that includes adapting your AIMS to any changing technologies, circumstances, or objectives.

The compliance journey will necessitate the correction of gaps, identified as major or minor nonconformities, which can be raised by your organization, your internal auditors, or by an external certification body performing a readiness assessment or initial certification.

How to Get Started with Compliance:

  • Develop processes for identifying, documenting, and addressing nonconformities, areas of concern, and opportunities for improvement identified through internal or external assessments to ensure the implementation of necessary corrective actions to prevent recurrence.
  • Establish and analyze systematically the root cause of any identified deviation from the ISO 42001 standard requirements and periodically evaluate the results of each applied corrective step to sustainably remediate nonconformities when they arise.
  • Continuously monitor and review your AIMS to identify opportunities for the improvement of its suitability, adequacy, and effectiveness.
  • Establish mechanisms for capturing and implementing improvement ideas from employees as well as internal and external stakeholders.

Getting ISO 42001 Certified

While you’ll require more than this short outline of clauses 4-10 to implement a comprehensive AIMS, we hope that what has been provided here will make for a good start in addressing the requirements of each of these key clauses within ISO 42001 as you build out your AIMS.

If we could offer one last tip, it would be to document everything as you go through these planning and implementation motions, as not only will that be key for compliance, but it’ll also help streamline your operations throughout the certification lifecycle.

Once you stand up your AIMS and believe it is effective, you’ll be looking for a Certification Body to guide you through a gap assessment and eventual initial certification against ISO 42001 requirements. Schellman may be the right fit. Contact us today to speak with our ISO team and learn more about how a strategic partnership with us can serve your organization beyond the gap assessment and eventual certification of your AIMS.

About Megan Sajewski

Megan Sajewski is a Senior ISO Associate and ISO 42001 Lead Auditor with Schellman based in Dearborn, Michigan. Prior to joining Schellman in 2023, Megan worked as a Senior Associate, Attest Services, for a small public accounting company specializing in SOC and ISO reports. Megan also led and supported various other projects, including technical writing for metal forming, 3D printing, and design software. Megan has over 11 years of experience serving clients in various industries, including cybersecurity, engineering, and academia. Megan is now focused primarily on ISO examinations for organizations across various industries.