ISO 42001:2023 Checklist for AI Management Systems
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published ISO/IEC 42001:2023 in December 2023 [1]. This standard is not only applicable to companies that offer AI as one of their products or services; it affects all organizations that implement an AI system at any point in their operations [3]. Even if you are only using AI for specific tasks, you can, and should, implement the ISO 42001 guidelines [3]. The standard aims to bring stability to the implementation and use of AI systems, considering the inherent risks associated with AI technology [3]. ISO 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) [4]. The design and implementation of the AIMS is influenced by the organization's needs and objectives, processes, size, structure, and the organization's role (e.g., producer, developer/provider, or user) [5]. It is important to note that ISO 42001:2023 is a voluntary standard and is not legally binding [2].
Key principles of ISO 42001 include transparency, accountability, fairness, explainability, data privacy, and reliability [3]. These principles guide the ethical and responsible use of AI, ensuring that AI systems are developed and deployed in a manner that benefits both organizations and society as a whole.
This checklist was developed by first reviewing the official ISO 42001:2023 standard document [6], then exploring articles and guides on its implementation [1], and finally examining examples of ISO 42001 checklists from reputable sources [7]. This checklist will guide your organization through the process of implementing ISO 42001:2023. It is structured around the core clauses of the standard, ensuring a systematic approach to compliance. Each clause lists specific questions or criteria to assess compliance with that requirement, along with guidance or tips for implementation.
4. Context of the Organization

4.1 Understanding the organization and its context
Questions/Criteria:
- What are the internal and external issues that are relevant to the organization's purpose and that affect its ability to achieve the intended outcome(s) of its AI management system?
- What is the organization's role in relation to the AI system(s) (e.g., AI provider, AI producer, AI customer)?
- Does the organization have a process for reporting concerns about AI system(s)?
Guidance/Tips:
- Conduct a thorough analysis of the internal and external environment, such as by performing a SWOT analysis, to identify relevant factors, including technological advancements, regulatory changes, economic conditions, and societal expectations.
- Clearly define the organization's role in the AI ecosystem, considering its involvement in the design, development, deployment, or use of AI systems.
- Establish a clear and accessible reporting mechanism for AI-related concerns, ensuring that employees, customers, and other stakeholders can easily raise questions or report potential issues. This could include dedicated communication channels, online forms, or designated personnel responsible for handling AI-related inquiries.

4.2 Understanding the needs and expectations of interested parties
Questions/Criteria:
- Who are the interested parties that are relevant to the AI management system?
- What are the relevant needs and expectations of these interested parties?
Guidance/Tips:
- Identify all stakeholders who have an interest in the organization's AI systems, including customers, employees, investors, regulatory bodies, and the wider community.
- Determine the expectations of each stakeholder group regarding AI ethics, safety, and performance. This may involve conducting surveys, interviews, or focus groups to gather feedback and understand their perspectives.

4.3 Determining the scope of the AI management system
Questions/Criteria:
- What are the boundaries and applicability of the AI management system?
- Which AI system(s), processes, and technologies are included within the scope of the AI management system?
- Are there any specific exclusions from the scope?
Guidance/Tips:
- Clearly define the scope of the AIMS, including the specific AI systems and processes covered. This should be documented and readily available to all relevant personnel.
- Justify any exclusions from the scope, providing clear reasoning for why certain AI systems or processes are not included within the AIMS.

4.4 AI management system
Questions/Criteria:
- Has the organization established an AI management system?
- Does the AI management system include the necessary processes and their interactions, in accordance with the requirements of ISO 42001:2023?
Guidance/Tips:
- Develop a comprehensive AIMS that addresses all relevant requirements of ISO 42001:2023. This may involve establishing new processes or integrating AI considerations into existing organizational workflows.
- Ensure the AIMS is integrated with existing organizational processes, such as risk management, quality management, and data governance frameworks, to avoid duplication and ensure consistency.
5. Leadership

5.1 Leadership and commitment
Questions/Criteria:
- Has top management demonstrated leadership and commitment with respect to the AI management system?
- How has top management ensured that the AI management system requirements are integrated into the organization's business processes?
Guidance/Tips:
- Secure active participation and support from top management by communicating the importance of AI governance and the benefits of ISO 42001:2023 compliance. This may involve presentations, workshops, or dedicated training sessions for senior leaders.
- Align the AIMS with the organization's strategic objectives, ensuring that AI initiatives contribute to the overall business goals and values. This could involve incorporating AI considerations into the organization's mission statement, strategic plans, and performance targets.

5.2 AI policy
Questions/Criteria:
- Has the organization established an AI policy that is appropriate to its purpose and provides a framework for setting AI objectives?
- Does the AI policy include a commitment to satisfy applicable requirements related to AI system(s)?
- Does the AI policy include a commitment to continual improvement of the AI management system?
Guidance/Tips:
- Develop a comprehensive AI policy that addresses ethical considerations, risk management, and continuous improvement. This policy should be clearly communicated to all personnel and made readily available.
- Ensure the AI policy is aligned with relevant laws, regulations, and organizational values. This may involve conducting legal reviews, consulting with ethics experts, and engaging with stakeholders to gather feedback.

5.3 Organizational roles, responsibilities and authorities
Questions/Criteria:
- Has top management assigned the responsibility and authority for:
  a) ensuring that the AI management system conforms to the requirements of ISO 42001:2023;
  b) reporting on the performance of the AI management system to top management for review, including recommendations for improvement?
Guidance/Tips:
- Define clear roles and responsibilities for AI governance and oversight. This may involve establishing an AI steering committee, appointing an AI ethics officer, or assigning specific responsibilities to existing personnel.
- Establish communication channels for reporting on AIMS performance, ensuring that relevant information is regularly communicated to top management for review and decision-making. This could include periodic reports, dashboards, or dedicated meetings to discuss AIMS performance.
6. Planning

6.1 Actions to address risks and opportunities
Questions/Criteria:
- Has the organization established and applied a process(es) for:
  a) identifying the risks and opportunities that need to be addressed to:
     1) give assurance that the AI management system can achieve its intended outcome(s);
     2) prevent, or reduce, undesired effects;
     3) achieve improvement;
  b) planning actions to address these risks and opportunities;
  c) integrating and implementing these actions into its AI management system processes;
  d) evaluating the effectiveness of these actions?
Guidance/Tips:
- Conduct comprehensive risk assessments to identify potential risks associated with AI systems. This should include a thorough analysis of potential ethical, legal, social, and operational risks.
- Develop mitigation strategies to address identified risks. This may involve implementing technical controls, establishing ethical guidelines, or developing contingency plans.
- Regularly review and update risk assessments to ensure they remain relevant and effective as AI technologies and organizational contexts evolve.

6.1.2 AI risk assessment
Questions/Criteria:
- Has the organization established and applied a process for AI risk assessment?
Guidance/Tips:
- Develop a structured AI risk assessment methodology that considers the specific characteristics of AI systems and their potential impact. This may involve adopting existing risk assessment frameworks or developing a customized approach tailored to the organization's needs.
- Consider using AI risk assessment tools and frameworks to facilitate the identification and evaluation of AI-related risks. These tools can help automate certain aspects of the risk assessment process and provide a structured approach to risk analysis.

6.1.3 AI risk treatment
Questions/Criteria:
- Has the organization established and applied a process for AI risk treatment?
Guidance/Tips:
- Implement appropriate controls to mitigate identified AI risks. This may involve implementing technical safeguards, establishing clear policies and procedures, or providing training to personnel.
- Prioritize risk treatment based on the likelihood and potential impact of risks, focusing on the most critical risks first.

6.1.4 AI system impact assessment
Questions/Criteria:
- Has the organization established and applied a process for AI system impact assessment?
Guidance/Tips:
- Conduct impact assessments to evaluate the potential consequences of AI systems on individuals, groups, and society. This should include an analysis of potential biases, discrimination, privacy violations, and other ethical concerns.
- Consider ethical, social, and environmental impacts when conducting impact assessments, ensuring that AI systems are developed and deployed in a responsible and sustainable manner.

6.2 AI objectives and planning to achieve them
Questions/Criteria:
- Has the organization established AI objectives at relevant functions and levels?
- Are the AI objectives:
  a) consistent with the AI policy;
  b) measurable (if practicable);
  c) taking into account applicable requirements;
  d) relevant to conformity of AI system(s) and to continual improvement of the AI management system;
  e) monitored;
  f) communicated;
  g) updated as appropriate?
Guidance/Tips:
- Set clear and measurable objectives for the AIMS. This may involve defining specific targets for AI performance, ethical compliance, or risk mitigation.
- Ensure objectives are aligned with the AI policy and relevant requirements, such as legal obligations, industry standards, and ethical guidelines.

6.3 Planning of changes
Questions/Criteria:
- When the organization determines the need for changes to the AI management system, does it plan the changes, taking into account:
  a) the purpose of the changes and their potential consequences;
  b) the integrity of the AI management system;
  c) the availability of resources;
  d) the allocation or reallocation of responsibilities and authorities?
Guidance/Tips:
- Plan for changes to the AIMS in a controlled manner, ensuring that changes are properly assessed and implemented without compromising the effectiveness of the system.
- Assess the potential impact of changes on the AIMS and its effectiveness, considering potential risks, resource requirements, and the need for communication and training.
7. Support

7.1 Resources
Questions/Criteria:
- Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the AI management system?
Guidance/Tips:
- Allocate sufficient resources to support the AIMS, including personnel, technology, and financial resources. This may involve hiring specialized staff, investing in AI tools and infrastructure, or allocating budget for training and development.
- Regularly review resource allocation to ensure it remains adequate to support the AIMS as AI technologies and organizational needs evolve.

7.2 Competence
Questions/Criteria:
- Has the organization determined the necessary competence of person(s) doing work under its control that affects its AI system(s) performance?
- Does the organization:
  a) ensure these persons are competent on the basis of appropriate education, training, or experience;
  b) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
  c) retain appropriate documented information as evidence of competence?
Guidance/Tips:
- Identify the skills and knowledge required for personnel involved in AI system development and management. This may include technical expertise, ethical awareness, and risk management skills.
- Provide training and development opportunities to ensure personnel competence. This could involve online courses, workshops, mentoring programs, or certifications in AI-related fields.

7.3 Awareness
Questions/Criteria:
- Does the organization ensure that person(s) doing work under the organization's control that affects its AI system(s) performance are aware of:
  a) the AI policy;
  b) the relevant AI management system requirements;
  c) the potential consequences of departure from established AI management system requirements;
  d) their contribution to the effectiveness of the AI management system, including the benefits of improved performance;
  e) the implications of not conforming with the AI management system requirements?
Guidance/Tips:
- Raise awareness among personnel about the AIMS, its importance, and their roles in its effectiveness. This could involve internal communication campaigns, training sessions, or regular updates on AIMS performance.
- Communicate the AI policy and relevant requirements to all personnel, ensuring that they understand their responsibilities and the implications of non-compliance.

7.4 Communication
Questions/Criteria:
- Has the organization determined the internal and external communications relevant to the AI management system, including:
  a) on what it will communicate;
  b) when to communicate;
  c) with whom to communicate;
  d) how to communicate?
- Does the organization communicate information about its AI management system to relevant interested parties?
Guidance/Tips:
- Establish clear communication channels for internal and external stakeholders. This may involve using different communication methods, such as email, intranet, newsletters, or social media, to reach different audiences.
- Provide regular updates on AIMS performance and relevant developments, ensuring that stakeholders are informed about the organization's AI initiatives and their impact.

7.5 Documented information
Questions/Criteria:
- Does the organization maintain documented information required by ISO 42001:2023 and documented information determined by the organization as being necessary for the effectiveness of the AI management system?
- Does the organization's documented information for the AI management system include:
  a) documented information required by ISO 42001:2023;
  b) documented information determined by the organization as being necessary for the effectiveness of the AI management system?
Guidance/Tips:
- Maintain comprehensive documentation of the AIMS, including policies, procedures, and records. This documentation should be well-organized, accessible, and regularly updated.
- Ensure documentation is readily accessible and updated regularly. This may involve using a document management system or establishing clear procedures for document control and versioning.
8. Operation

8.1 Operational planning and control
Questions/Criteria:
- Has the organization established and applied a process(es) for operational planning and control to implement the actions determined in Clause 6 to address risks and opportunities?
Guidance/Tips:
- Develop operational plans to implement the AIMS and address identified risks. This may involve integrating AI considerations into existing operational procedures or establishing new processes specifically for AI-related activities.
- Integrate AI considerations into relevant operational processes, such as data acquisition, model training, and system monitoring, to ensure that AI systems are operated in a safe and responsible manner.

8.2 AI-related requirements
Questions/Criteria:
- Has the organization established and applied a process(es) to ensure that AI-related requirements are addressed when it determines requirements for its AI system(s)?
Guidance/Tips:
- Define clear requirements for AI systems, considering ethical, legal, and performance aspects. This may involve establishing criteria for fairness, accuracy, transparency, and security.
- Ensure requirements are documented and communicated to relevant personnel, including developers, operators, and users of AI systems.

8.3 Design and development of AI system(s)
Questions/Criteria:
- Has the organization established and applied a process(es) for the design and development of its AI system(s)?
Guidance/Tips:
- Implement a robust design and development process for AI systems that incorporates ethical considerations, risk assessments, and impact assessments. This may involve adopting industry best practices, such as agile development methodologies, or developing a customized approach tailored to the organization's needs.
- Incorporate risk assessments and impact assessments into the design phase to identify and mitigate potential issues early in the development lifecycle.

8.4 Deployment, operation and monitoring of AI system(s)
Questions/Criteria:
- Has the organization established and applied a process(es) for the deployment, operation and monitoring of its AI system(s)?
Guidance/Tips:
- Develop procedures for deploying, operating, and monitoring AI systems. This may involve establishing clear guidelines for data handling, model deployment, and performance monitoring.
- Establish monitoring mechanisms to track AI system performance and identify potential issues. This could involve using automated monitoring tools, conducting regular audits, or establishing feedback mechanisms for users and stakeholders.
9. Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
Questions/Criteria:
- Has the organization determined:
  a) what needs to be monitored and measured;
  b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
  c) when the monitoring and measuring shall be performed;
  d) when the results from monitoring and measurement shall be analyzed and evaluated?
- Does the organization evaluate the performance and the effectiveness of the AI management system?
- Does the organization retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results?
Guidance/Tips:
- Establish metrics and methods to monitor and evaluate AIMS performance. This may involve defining key performance indicators (KPIs) related to AI ethics, safety, efficiency, and compliance with regulatory requirements.
- Regularly track key performance indicators (KPIs) related to AI ethics, safety, and efficiency. This could involve using dashboards, reports, or automated monitoring tools to track progress and identify areas for improvement.

9.2 Internal audit
Questions/Criteria:
- Has the organization established and applied an internal audit programme?
- Does the organization:
  a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the process(es) concerned, changes affecting the organization, and the results of previous audits;
  b) define the audit criteria and scope for each audit;
  c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
  d) ensure that the results of the audits are reported to relevant management;
  e) retain documented information as evidence of the implementation of the audit programme and the audit results?
Guidance/Tips:
- Conduct regular internal audits to assess compliance with ISO 42001:2023 and the effectiveness of the AIMS. This may involve reviewing documentation, interviewing personnel, and observing AI-related processes.
- Ensure audits are conducted by qualified and impartial personnel. This could involve training internal staff to conduct audits or engaging external auditors to provide an independent assessment.

9.3 Management review
Questions/Criteria:
- Does top management review the organization's AI management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness?
- Does the management review include consideration of:
  a) the status of actions from previous management reviews;
  b) changes in external and internal issues that are relevant to the AI management system;
  c) information on the performance and effectiveness of the AI management system, including trends in:
     1) nonconformities and corrective actions;
     2) monitoring and measurement results;
     3) audit results;
     4) the extent to which AI objectives have been met;
     5) feedback from interested parties, including any concerns;
  d) the adequacy of resources;
  e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
  f) opportunities for improvement?
- Does the organization retain documented information as evidence of the results of management reviews?
Guidance/Tips:
- Conduct regular management reviews to assess the overall performance and effectiveness of the AIMS. This should involve a comprehensive review of AIMS processes, performance data, and stakeholder feedback.
- Use management reviews to identify areas for improvement and make necessary adjustments to the AIMS. This may involve revising policies, updating procedures, or allocating additional resources.
10. Improvement

10.1 Nonconformity and corrective action
Questions/Criteria:
- When a nonconformity occurs, does the organization:
  a) react to the nonconformity and, as applicable:
     1) take action to control and correct it;
     2) deal with the consequences;
  b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
     1) reviewing the nonconformity;
     2) determining the cause(s) of the nonconformity;
     3) determining if similar nonconformities exist, or could potentially occur;
  c) implement any action needed;
  d) review the effectiveness of any corrective action taken;
  e) make changes to the AI management system, if necessary?
- Does the organization retain documented information as evidence of:
  a) the nature of the nonconformities and any subsequent actions taken;
  b) the results of any corrective action?
Guidance/Tips:
- Establish a process for identifying and addressing nonconformities. This may involve establishing clear reporting mechanisms, conducting investigations, and implementing corrective actions.
- Implement corrective actions to address the root cause of nonconformities and prevent recurrence. This could involve revising processes, providing additional training, or updating technology.

10.2 Continual improvement
Questions/Criteria:
- Does the organization continually improve the suitability, adequacy and effectiveness of the AI management system?
Guidance/Tips:
- Foster a culture of continuous improvement within the organization by encouraging feedback, innovation, and learning from experience.
- Regularly review the AIMS and identify opportunities for enhancement. This could involve conducting periodic reviews, analyzing performance data, and seeking feedback from stakeholders.
After reviewing the main clauses of the standard, it is important to understand the supplementary information provided in the annexes.
Annexes
ISO 42001:2023 includes four annexes that provide additional guidance and information to support the implementation and interpretation of the standard's requirements [1].
Annex A: Provides a structured set of controls essential for managing AI-related risks and achieving organizational objectives [1]. It includes a management guide for AI system development, including a list of controls [2].
Annex B: Offers detailed implementation guidance to support the effective application of AI controls [1]. It includes implementation guidance for the AI controls listed in Annex A, including data management processes [2].
Annex C: Highlights potential objectives and risk sources relevant to managing AI risks [1]. It includes potential AI-related organizational objectives and risk sources [2].
Annex D: Explores the universal applicability of the AIMS across diverse organizational sectors utilizing AI technologies [1]. It includes domain- and sector-specific standards [2].
Benefits of Implementing ISO 42001:2023
Implementing ISO 42001:2023 can provide several benefits to organizations, including:
● Enhanced Trust and Ethical Assurance: By implementing the standard, organizations commit to ethical AI use, strengthening trust among stakeholders, customers, and regulatory bodies [4].
● Risk Management: ISO 42001:2023 provides a structured framework for identifying, assessing, and managing risks associated with AI systems, including ethical risks and biases [4].
● Competitive Advantage: Companies that comply with the standard can distinguish themselves in the marketplace, showcasing their leadership in responsible AI development and use [4].
● Cost Savings and Improved Efficiency: By incorporating ISO 42001's best practices, organizations can streamline their AI processes, identify and rectify vulnerabilities earlier, and reduce the potential financial and reputational costs associated with AI failures [2].
Conclusion
ISO 42001:2023 provides a comprehensive framework for managing AI systems responsibly and ethically. By implementing the requirements of this standard and utilizing this checklist, organizations can demonstrate their commitment to AI governance, mitigate risks, and foster trust among stakeholders. ISO 42001:2023 emphasizes a process-based approach and continuous improvement [1]. Regularly review and update your AIMS to ensure it remains aligned with evolving AI technologies and organizational objectives.
This checklist serves as a starting point for your ISO 42001:2023 implementation journey. It is crucial to tailor the checklist to your specific organizational context and AI applications. Remember that achieving and maintaining compliance with ISO 42001:2023 is an ongoing process that requires commitment, resources, and a proactive approach to AI governance.
Works cited
1. ISO 42001: How to Implement an AIMS for Strong AI Governance | Secureframe, accessed January 30, 2025, [Link]
2. Understanding ISO 42001: The World's First AI Management System Standard | A-LIGN, accessed January 30, 2025, [Link]
3. An extensive guide to ISO 42001 - Vanta, accessed January 30, 2025, [Link]
4. ISO/IEC 42001:2023 Implementation Guide 2025 - Iterasec, accessed January 30, 2025, [Link]
5. ISO/IEC 42001: Artificial Intelligence Management Systems - ANAB, accessed January 30, 2025, [Link]
6. ISO/IEC 42001: What You Need to Know - Centraleyes, accessed January 30, 2025, [Link]
7. ISO 42001 Checklist | Rhymetec, accessed January 30, 2025, [Link]