The ISO 42001 Certification Requirements Explained

When seeking ISO 42001:2023 certification, you need to ensure that your artificial intelligence management system (AIMS) aligns with the standard’s framework clauses (4-10), each of which focuses on a specific facet—context, leadership, planning, support, operation, performance evaluation, and improvement. 

For those acquainted with other, more established ISO standards, the format may feel familiar initially, but there are some key differences in ISO 42001, including its expansion of clauses 6 and 8 to cover interactions of AI with individuals and the public sector. 

To have your AIMS certified, you will need to satisfy those additional nuances, as well as the rest of the specific requirements of clauses 4 through 10 and any applicable Annex A controls, and as an experienced Certification Body with accreditation from ANAB and UKAS, we’re going to help in providing you with a starting baseline. 

In this article, we will break down each of ISO 42001’s clauses 4-10 in detail along with some basic strategies for compliance with their requirements so that you can gain a solid understanding of what will be expected of your AIMS as you begin to stand it up and engage in initial certification services. 

What are the Key Clauses of ISO 42001? 

Like other ISO standards, clauses 1-3 of ISO 42001 are more general and provide the background information you’ll need when implementing the requirements outlined in clauses 4-10: 

• Clause 1: Scope 
  • Defines the boundaries and applicability of the ISO 42001 standard. 

• Clause 2: Normative References 
  • Refers to documents that are referenced in the text of the ISO 42001 standard in such a way that some or all of their content constitutes requirements of the standard. That document is ISO/IEC 22989:2022, Information Technology – Artificial intelligence – Artificial intelligence concepts and terminology. 

• Clause 3: Terms & Definitions 
  • Establishes common terminology used in the framework to facilitate consistent implementation of the standard across organizations. 

Clause 4: Context of the Organization  

Every organization’s AIMS should be tailored to its individual needs, but before you can cut yours to the right fit, you must first demonstrate a complete understanding of your specific context, including things like: 

• Your strategic business objectives (e.g., competitive market share, stakeholders’ expectations, compliance with global laws) 
• Relevant risks (e.g., threats and vulnerabilities) 
• Your customer expectations (e.g., required functionality of AI tools, etc.) 

How to Get Started with Compliance 

• Determine which of your existing processes, personnel departments, activities, software dependencies, and locations should be included in your AIMS. 
• Identify and document factors that could impact your AIMS, including relevant market trends, regulatory requirements, technological advancements, competitive pressures, organizational culture, resources, current capabilities, and performance metrics. 
• Consider the intended purpose for the AI product or processes relating to the following: 
  • Incentives or consequences associated with the intended purpose of AI 
  • Culture, traditions, values, norms, and ethics for the development and utilization of AI, as well as the competitive landscape and trends for new products and processes relying on AI 
  • Internal context-related issues focused on governance, objectives, policies, procedures, and contractual obligations 
•  Determine and document the needs of all relevant stakeholders (e.g., interested parties) regarding your AI products or services, quality standards, delivery schedules, and communication preferences. 
• Develop a document that reflects your organization's commitment to meeting those needs, complying with applicable regulations, and continually improving your products, services, and processes. It's best practice to communicate this policy to your organization as well. 
• Determine whether or not climate change is a factor in developing and continually improving the AIMS and document it either way. 

Clause 5: Leadership 

To ensure the effectiveness of your AIMS’ implementation, maintenance, and continual improvement throughout the three-year certification lifecycle—from initial certification to surveillance and recertification—management must be actively involved in support, especially through the artificial intelligence policy and communicated roles and responsibilities. 

While the standard does require that, executive and senior leadership—in many cases, even the Board of Directors (BoD), if possible—can also further benefit from remaining involved in your ISO 42001 certification, as your AIMS can integrate formerly siloed departments and teams’ work and create more meaningful cross-functional collaboration. 

How to Get Started with Compliance 

Top management should: 

• Contribute to the establishment of your AI policy, its communication to your wider organization, and its integration into your overall business process and strategies. 
• Provide and assign adequate resources, support, and direction for the AIMS by visibly championing AI initiatives, promoting a culture of continuous improvement, and actively engaging in AIMS activities—including regular reviews of the AIMS’ effectiveness with reporting sent up the management chain to the BoD so that the AIMS remains funded appropriately. 
• Create roles and responsibilities that govern and provide moderated authority to personnel serving the AIMS, including top management, safety and risk committee members, and day-to-day operators of the AIMS. 

Clause 6: Planning 

Integrating your AIMS into established processes so that it achieves organizational priorities—and so that it is set up to endure and improve—takes careful planning. But as we noted before, clause 6 within ISO 42001 goes a step further than some of the other familiar ISO standards—specifically through its required completion of an AI impact assessment. 

How to Get Started with Compliance 

• Identify AI risk criteria and organizational AI appetite for risk that supports distinguishing acceptable from non-acceptable risks—that may mean performing AI-specific risk assessments, conducting AI-specific risk treatment, and assessing AI-specific risk impacts. 
• Conduct a comprehensive risk assessment to identify those that may affect your ability to achieve your AI objectives and develop related mitigation (risk treatment) strategies. 
• Develop detailed procedures—including those addressing the implementation of changes to the AIMS and contingency plans for any deviations—to ensure the ongoing effectiveness of AIMS processes and achievement of AI objectives. 
• Consider and document formal steps for how changes to the AIMS will be enacted when the need for such a change arises. 
• Define roles, responsibilities, and authorities for executing planned activities and ongoing monitoring of their progress. 
• Establish metrics and targets for the effectiveness of AIMS activities and achievement of AI objectives. 
• Maintain accurate records of all these planning activities and ensure that this documented information is accessible, up-to-date, and effectively communicated to relevant stakeholders. 

Tips for Your AI Impact Assessment  

• Define a process to assess the potential consequences that can result from AI systems on individuals, groups, and societies. 
• Outline the potential consequences of an AI deployment, intended use, and potential misuse for individuals, groups, and societies. 
• Understand the context—both technical and social—where your AIMS is primarily deployed considering applicable jurisdictions. 
• Retain documented information of the AI impact assessment, available to internal and external interested parties as determined by the organization’s strategic alignment. 
• Use the results of the AI impact assessment as inputs for your AI risk assessment as required by ISO 42001. 

Clause 7: Support 

In requiring the allocation of resources, ISO 42001 doesn’t just mean employing adequate personnel and deploying the necessary data, tooling, systems, and assets (including human capital) to support your AIMS—the framework also mandates a certain level of competence, awareness, communication, and documented information as part of that support. 

How to Get Started with Compliance 

• Identify the knowledge, skills, and competencies required for personnel involved in AIMS-related activities and assign or hire them, including providing any necessary training for your existing relevant workforce on AI, and document the mechanisms used to verify these competencies. 
• Make sure that your employee base is aware of your AI policy and how everyone can aid in achieving the AIMS strategic priorities. 
• Establish and use effective communication channels to facilitate the flow of information related to the AIMS, including the importance of individual contributions to the AIMS, policies, procedures, instructions, and feedback. 
• Develop and maintain documented information necessary for the effective planning, operation, and control of AIMS processes—make sure that information is accurate, up-to-date, accessible, and properly controlled through designed procedures. 

Clause 8: Operation  

Together with Clause 6, Clause 8 is paramount for your compliance—it addresses the conformance of AI operational planning and control within your design, development, and production processes through effective, efficient, and agile implementations. 

How to Get Started with Compliance 

• Plan, implement, and control actions determined in your completed AI assessment by implementing and measuring the success of controls related to the operation of the AIMS (refer to the AI controls in Annex A and the implementation guidance in Annex B). 
• Monitor the effectiveness of controls and institute corrective actions if intended results are not wholly achieved, all while forming and maintaining documented information to ensure confidence that the processes stated have been performed. 
• Control and formalize planned changes, review the results of unintended changes, act on any perceived or real adverse effects, and verify that third-party products or services needed for the functioning of the AIMS are controlled. 
• Perform AI risk assessment, treatment, and impact assessments at planned intervals or whenever significant changes occur. When treatment plans are not effective, review, revalidate, and update the risk assessment, treatment, and AI impact processes. 
• Retain documented information on the process (e.g., policies, standards) and results (e.g., output, reporting, evaluation) of your AI risk assessment, AI risk treatment, and AI impact assessments. 

Clause 9: Performance Evaluation 

Clause 9 requires the measurement of key performance indicators, regular internal audits, and management review, which constitute inputs towards analysis and evaluation for driving AIMS effectiveness over the entire certification lifecycle. 

How to Get Started with Compliance 

• Design and implement a systematic approach to collecting, recording, and analyzing performance data or anything you can measure for an accurate heartbeat of your AI product/tool to evaluate the effectiveness and efficiency of AI operational processes, its conformity to expected behavior, its performance versus real human capability, and real or perceived customer satisfaction, among any other relevant metrics. 
• Conduct regular, impartial/objective internal audits against ISO 42001 requirements. These can be done by a qualified third party or by internal personnel not involved in the running of the AIMS.
• Regularly review AIMS performance data and feedback to evaluate the effectiveness of the AIMS and identify opportunities for improvement. 
• Document and store information related to the operational effectiveness of the AIMS, including the results of regular measuring, internal audit against ISO 42001 requirements, and the subsequent resulting reports related to both measuring and internal audit delivered to top management during planned regular management reviews. 

Clause 10: Improvement  

Though taking a systemic approach to artificial intelligence management through the establishment of an AIMS is already a big step, ISO 42001 also requires that you remain vigilant and seek opportunities to further enhance the success and functioning of your AIMS, including adapting your AIMS to any changing technologies, circumstances, or objectives. 

The compliance journey will necessitate the correction of gaps, identified as major or minor nonconformities, which can be raised by your organization, your internal auditors, or by an external certification body performing a readiness assessment or initial certification. 

How to Get Started with Compliance 

• Develop processes for identifying, documenting, and addressing nonconformities, areas of concern, and opportunities for improvement identified through internal or external assessments to ensure the implementation of necessary corrective actions to prevent recurrence. 
• Establish and systematically analyze the root cause of any identified deviation from the ISO 42001 standard requirements and periodically evaluate the results of each applied corrective step to sustainably remediate nonconformities when they arise. 
• Continuously monitor and review your AIMS to identify opportunities for the improvement of its suitability, adequacy, and effectiveness. 
• Establish mechanisms for capturing and implementing improvement ideas from employees as well as internal and external stakeholders. 

Getting ISO 42001 Certified 

While you’ll require more than this outline of clauses 4-10 to implement a comprehensive AIMS, we hope that what has been provided here will make for a good start in addressing the requirements of each of these key clauses within ISO 42001 as you build out your AIMS. 

As a final tip, it’s best practice to document everything as you go through these planning and implementation motions, which is key for compliance and will also help streamline your operations throughout the certification lifecycle. 

Once you stand up your AIMS, you’ll be looking for a Certification Body to guide you through a gap assessment and eventual initial certification against the ISO 42001 requirements, and Schellman may be the right fit. Contact us today to speak with our ISO team and learn more about how a strategic partnership with us can serve your organization beyond the gap assessment and eventual certification of your AIMS. 

In the meantime, discover additional ISO 42001 insights in these helpful sources:  

• ISO 42001: Frequently Asked Questions 
• What to Expect in the ISO 42001 Certification Process 
• ISO 42001: Lessons Learned from Auditing and Implementing the Framework 
• A Global Snapshot of AI Laws and How Compliance with ISO 42001 Can Help 
• How to Assess and Treat AI Risks and Impacts with ISO/IEC 42001:2023