ISO 42001:2023 (Detailed) v2023
ISO AI Management System Detailed
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
All (155 controls)
1 — Scope (1 control)
2 — Normative References (1 control)
3 — Terms and Definitions (1 control)
4 — Context of the Organization (5 controls)
5 — Leadership (10 controls)
5.0 Leadership
5.1 Leadership and Commitment
5.2 AI Policy
5.2(a) AI Policy - Purpose Appropriateness
5.2(b) AI Policy - Framework for Objectives
5.2(c) AI Policy - Commitment to Requirements
5.2(d) AI Policy - Continual Improvement Commitment
5.3 Organizational Roles, Responsibilities and Authorities
5.3(a) Roles - AIMS Conformity
5.3(b) Roles - AIMS Performance Reporting
6 — Planning (32 controls)
6.0 Planning
6.1 Actions to Address Risks and Opportunities
6.1.1 General Risk and Opportunity Assessment
6.1.2 AI Risk Assessment
6.1.2(a) Risk Assessment - Criteria Definition
6.1.2(b) Risk Assessment - Consistent Results
6.1.2(c) Risk Assessment - Risk Identification
6.1.2(d) Risk Assessment - Risk Analysis
6.1.2(d)(1) Risk Analysis - Consequence Assessment
6.1.2(d)(2) Risk Analysis - Likelihood Assessment
6.1.2(d)(3) Risk Analysis - Risk Level Determination
6.1.2(e) Risk Assessment - Risk Evaluation
6.1.2(e)(1) Risk Evaluation - Criteria Comparison
6.1.2(e)(2) Risk Evaluation - Treatment Prioritization
6.1.3 AI Risk Treatment
6.1.3(a) Risk Treatment - Option Selection
6.1.3(b) Risk Treatment - Control Determination
6.1.3(c) Risk Treatment - Annex A Comparison
6.1.3(d) Risk Treatment - Statement of Applicability
6.1.3(e) Risk Treatment - Plan Formulation
6.1.3(f) Risk Treatment - Risk Owner Approval
6.1.3(g) Risk Treatment - Residual Risk Acceptance
6.1.4 AI System Impact Assessment
6.2 AI Objectives and Planning to Achieve Them
6.2(a) Objectives - Policy Consistency
6.2(b) Objectives - Measurability
6.2(c) Objectives - Requirements Consideration
6.2(d) Objectives - Monitoring
6.2(e) Objectives - Communication
6.2(f) Objectives - Updates
6.2(g) Objectives - Documentation
6.3 Planning of Changes
7 — Support (13 controls)
7.0 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
7.5.1 Documented Information - General
7.5.1(a) Documented Information - Standard Requirements
7.5.1(b) Documented Information - AIMS Effectiveness
7.5.2 Creating and Updating
7.5.3 Control of Documented Information
7.5.3(a) Information Control - Availability and Suitability
7.5.3(b) Information Control - Protection
8 — Operation (5 controls)
9 — Performance Evaluation (24 controls)
9.0 Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
9.2 Internal Audit
9.2.1 Internal Audit - General
9.2.1(a) Audit - Conformity Verification
9.2.1(a)(1) Audit - Organization Requirements
9.2.1(a)(2) Audit - Standard Requirements
9.2.1(b) Audit - Implementation and Maintenance
9.2.2 Internal Audit - Programme
9.2.2(a) Audit Programme - Planning
9.2.2(b) Audit Programme - Criteria and Scope
9.2.2(c) Audit Programme - Objectivity and Impartiality
9.3 Management Review
9.3.1 Management Review - General
9.3.2 Management Review - Inputs
9.3.2(a) Review Inputs - Previous Actions Status
9.3.2(b) Review Inputs - Changes to External and Internal Issues
9.3.2(c) Review Inputs - AIMS Performance Information
9.3.2(d) Review Inputs - Interested Party Feedback
9.3.2(d)(1) Feedback - AI System Users
9.3.2(d)(2) Feedback - Affected Parties
9.3.2(d)(3) Feedback - Other Interested Parties
9.3.2(e) Review Inputs - Continual Improvement Opportunities
9.3.3 Management Review - Outputs
10 — Improvement (13 controls)
10.0 Improvement
10.1 Nonconformity and Corrective Action
10.2 Continual Improvement
10.2(a) Improvement - Corrective Actions
10.2(a)(1) Corrective - Nonconformity Reaction
10.2(a)(2) Corrective - Cause Evaluation
10.2(b) Improvement - Preventive Actions
10.2(b)(1) Preventive - Need Determination
10.2(b)(2) Preventive - Action Implementation
10.2(b)(3) Preventive - Effectiveness Review
10.2(c) Improvement - AIMS Changes
10.2(d) Improvement - Suitability Consideration
10.2(e) Improvement - Documented Information
A — Annex A - Reference Controls (50 controls)
A.1 AI Policies
A.2 Internal Organization
A.2.2 AI Roles and Responsibilities
A.2.3 Reporting of Concerns
A.2.4 AI System Inventory
A.3 Resources for AI Systems
A.3.2 Data for AI Systems
A.3.3 Tools and Frameworks
A.4 AI System Impact Assessment
A.4.2 Assessing AI Impacts on Individuals
A.4.3 Assessing AI Impacts on Groups and Society
A.4.4 Documenting Impact Assessment Results
A.4.5 Impact Assessment as Part of Risk Management
A.4.6 Impact Mitigation
A.5 AI System Lifecycle
A.5.2 AI System Requirements
A.5.3 AI System Design and Development
A.5.4 AI System Testing and Validation
A.5.5 AI System Deployment and Operation
A.6 Data for AI Systems
A.6.1 Data Management
A.6.1.2 Data Quality
A.6.1.3 Data Provenance
A.6.2 Data for Development and Enhancement
A.6.2.2 Acquisition of Data
A.6.2.3 Data Collection Processes
A.6.2.4 Data Pre-Processing
A.6.2.5 Labeling and Annotation of Data
A.6.2.6 Data Sets and Statistical Properties
A.6.2.7 Data Preparation for Model Building
A.6.2.8 Data for Testing and Evaluation
A.7 AI System Monitoring and Measurement
A.7.2 System Performance Monitoring
A.7.3 AI System Logs
A.7.4 Bias and Fairness Monitoring
A.7.5 Safety and Security Monitoring
A.7.6 User Feedback and Complaints
A.8 Third-Party and Customer Relationships
A.8.2 Supply Chain for AI Systems
A.8.3 Third-Party Performance Monitoring
A.8.4 Customer and Interested Party Communication
A.8.5 Use and Adaptation by Third Parties
A.9 Use of AI Systems
A.9.2 Responsible Use
A.9.3 Providing Information to Users
A.9.4 Providing Information to Other Stakeholders
A.10 Third-Party and Customer Relationships (Cont.)
A.10.2 Compliance with AI-Related Obligations
A.10.3 Documentation of Compliance
A.10.4 Compliance Monitoring