Chapter Overview
This final chapter provides quick reference materials including key definitions, clause summaries, and essential tips for exam preparation and implementation.
Key Definitions (ISO 22989 / ISO 42001)
| Term | Definition |
|---|---|
| Artificial Intelligence (AI) | Capability of an engineered system to acquire, process, and apply knowledge and skills |
| AI System | Engineered system that generates outputs such as content, forecasts, recommendations, or decisions for a given set of human-defined objectives |
| AI Management System (AIMS) | Set of interrelated or interacting elements of an organization used to establish AI policies and objectives, and the processes to achieve those objectives |
| Machine Learning | Process of optimizing model parameters through computational techniques so that the model's behaviour reflects the data or experience |
| AI System Lifecycle | Evolution of an AI system through its stages, from conception to retirement |
| Interested Party | Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity |
| Risk | Effect of uncertainty on objectives |
| Control | Measure that maintains and/or modifies risk |
ISO 42001 Structure Summary
Clauses at a Glance
| Clause | Title | Key Focus | Key Output |
|---|---|---|---|
| 4 | Context of the organization | Internal and external issues, interested parties, scope | AIMS Scope |
| 5 | Leadership | Commitment, AI policy, roles and authorities | AI Policy |
| 6 | Planning | Risk assessment and treatment, AI system impact assessment process, objectives | SoA, Risk Treatment Plan, AI Objectives |
| 7 | Support | Resources, competence, awareness, communication, documented information | Competence Evidence |
| 8 | Operation | Operational planning, AI risk assessment and treatment, AI system impact assessment | Impact Assessment Results |
| 9 | Performance evaluation | Monitoring and measurement, internal audit, management review | Audit Reports, Review Minutes |
| 10 | Improvement | Nonconformity, corrective action, continual improvement | CA Records |
Annex A Control Domains
| Domain (Control Objective) | Controls | Focus |
|---|---|---|
| A.2 Policies related to AI | 3 | AI policy, alignment with other organizational policies, policy review |
| A.3 Internal organization | 2 | AI roles and responsibilities, reporting of concerns |
| A.4 Resources for AI systems | 5 | Documentation of data, tooling, system and computing, and human resources |
| A.5 Assessing impacts of AI systems | 4 | Impact assessment process and documentation; impacts on individuals, groups, and society |
| A.6 AI system life cycle | 9 | Responsible development objectives and processes; requirements, design, verification and validation, deployment, operation and monitoring, technical documentation, event logging |
| A.7 Data for AI systems | 5 | Data for development, acquisition, quality, provenance, preparation |
| A.8 Information for interested parties | 4 | System documentation for users, external reporting, communication of incidents, information for interested parties |
| A.9 Use of AI systems | 3 | Responsible-use processes and objectives, intended use |
| A.10 Third-party and customer relationships | 3 | Allocating responsibilities, suppliers, customers |
| Total | 38 | |
PDCA Mapping
| PDCA Phase | Clauses | Activities |
|---|---|---|
| PLAN | 4, 5, 6, 7 | Context, policy, risk assessment, objectives, resources |
| DO | 8 | Implement controls, risk treatment, impact assessment |
| CHECK | 9 | Monitor, measure, audit, management review |
| ACT | 10 | Nonconformity, corrective action, improvement |
Mandatory Documents Quick List
17 Mandatory Documents
1. AIMS Scope (4.3)
2. AI Policy (5.2)
3. Risk Assessment Process (6.1.2)
4. Risk Treatment Process (6.1.3)
5. Statement of Applicability (6.1.3)
6. Risk Treatment Plan (6.1.3)
7. AI System Impact Assessment Process (6.1.4)
8. AI Objectives (6.2)
9. Competence Evidence (7.2)
10. Operational Planning Docs (8.1)
11. Risk Assessment Results (8.2)
12. Risk Treatment Results (8.3)
13. Impact Assessment Results (8.4)
14. Monitoring Results (9.1)
15. Audit Program & Results (9.2)
16. Management Review Results (9.3)
17. NC and CA Records (10.2)
Key Differences: ISO 42001 vs ISO 27001
| Aspect | ISO 27001:2022 | ISO 42001:2023 |
|---|---|---|
| Focus | Information Security | AI Governance |
| Risk Types | Confidentiality, Integrity, Availability (CIA) of information | AI-specific (bias, explainability, safety, ethics) in addition to conventional risks |
| Impact Assessment | Not required | Required (process in 6.1.4, performed in 8.4); unique to ISO 42001 |
| Lifecycle Focus | Information assets | AI system lifecycle |
| Controls | 93 controls (Annex A) | 38 controls (Annex A) |
| Annexes | A only | A (normative), B, C, D (informative) |
| Human Oversight and Use | Not specific | Addressed under A.9 Use of AI systems (responsible-use processes and objectives, intended use) |
Exam Tips Summary
Top 20 Exam Tips
Structure:
1. ISO 42001 follows Annex SL (same as ISO 27001, 9001)
2. PDCA: Plan (4-7), Do (8), Check (9), Act (10)
3. 38 controls in Annex A across 9 control objectives (A.2 to A.10)
4. Annexes: A (normative), B/C/D (informative)
Key Requirements:
5. AIMS Scope and AI Policy must be documented
6. SoA must list all 38 Annex A controls with justification for each inclusion or exclusion
7. Risk assessment must cover AI lifecycle
8. Impact assessment (8.4) is unique to ISO 42001
9. Impact assessment covers individuals AND society
Terminology:
10. ISO 22989 provides AI terminology (normative reference)
11. Interested parties include AI subjects (people affected by AI)
12. Top management = highest level of direction and control
Controls:
13. A.6 (AI system life cycle) has the most controls (9)
14. A.9 (Use of AI systems) covers responsible-use processes and objectives and intended use (A.9.4); human oversight for high-risk AI systems is defined within these controls
15. A.8 (Information for interested parties) covers system documentation for users (A.8.2), external reporting (A.8.3), communication of incidents (A.8.4), and information for interested parties (A.8.5)
Process:
16. Stage 1 = documentation review
17. Stage 2 = implementation audit
18. Internal audit must verify conformance AND effectiveness
19. Management review has specific required inputs (9.3.2)
20. Corrective action requires root cause analysis
Implementation Tips Summary
Top 10 Implementation Tips
1. Start with inventory: Know your AI systems first
2. Get executive buy-in: Leadership commitment is essential
3. Leverage existing MS: Integrate with ISO 27001/9001
4. Be practical: Focus on effectiveness, not paperwork
5. Prioritize high-risk: Address critical AI systems first
6. Involve stakeholders: AI governance needs diverse input
7. Train thoroughly: Competence is critical
8. Document as you go: Don't leave documentation to the end
9. Audit early: Internal audit reveals gaps before certification
10. Plan for ongoing: AIMS requires continuous operation
Common Audit Findings
| Area | Common Nonconformity |
|---|---|
| Scope | Scope excludes AI systems without justification |
| Policy | Policy not communicated or acknowledged |
| SoA | Missing justification for excluded controls |
| Risk Assessment | Doesn't cover full AI lifecycle |
| Impact Assessment | Not conducted or missing societal impacts |
| Competence | No evidence of competence for key roles |
| Human Oversight | Not defined for high-risk AI systems |
| Third Parties | AI requirements not in contracts |
| Internal Audit | Not covering all clauses/controls |
| Management Review | Missing required inputs |
Quick Reference: Certification Timeline
| Milestone | Typical Timeline |
|---|---|
| AIMS Implementation | 6-18 months |
| Internal Audit | 1-2 months before Stage 1 |
| Management Review | Before Stage 1 |
| Stage 1 Audit | 1-2 days |
| Gap Closure | 1-3 months |
| Stage 2 Audit | 2-5 days |
| Certificate Issued | 2-4 weeks after Stage 2 |
| Surveillance Audits | Annual |
| Recertification | Every 3 years |
Final Thoughts
ISO 42001 provides a comprehensive framework for AI governance. Success requires:
• Commitment: From top management to front-line
• Integration: Into existing processes and culture
• Practicality: Focus on real AI governance, not just compliance
• Continuous improvement: AIMS is a journey, not a destination
Good luck with your implementation and certification!