Docs

Appearance

ISO/IEC 42001:2023 — Clauses 4–10 implementation guide

ISO/IEC 42001 follows the Annex SL harmonized structure. Clauses 4–10 describe how to run an AI management system; the AIMS-specific additions (AI policy in 5.2, AI risk and impact in 6.1.2 / 6.1.3 / 6.1.4, AI lifecycle controls in Clause 8 + Annex A) sit on top of the shared backbone. This page is the implementation playbook — not a restatement of the standard text.

Quick decision

  • You already operate ISO 27001 → Clauses 4–10 are mostly in place; focus on the AIMS-specific additions (5.2 AI policy, 6.1.2/3/4 risk + impact, 8 lifecycle, Annex A controls).
  • You are starting from scratch → stand up the Annex SL backbone (4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance evaluation, 10 Improvement) before layering the AIMS-specific work.
  • You need to write the AI risk assessment (6.1.2) → define criteria, thresholds, cadence and approval authority. Lifecycle, not one-shot.
  • You need to perform the AI impact assessment (6.1.4) → describe potential consequences for individuals, groups and society. Distinct from 6.1.2 risk assessment.
  • You need to track Annex A control selection → an SoA-equivalent record, produced as part of AI risk treatment under 6.1.3, records what is in, what is out and why. ISO 42001 Annex A remains informative, not normative.

TL;DR

  • Annex SL backbone shared with ISO 27001 / 27701 / 9001 — Clauses 4 (Context), 5 (Leadership), 6 (Planning), 7 (Support), 8 (Operation), 9 (Performance evaluation), 10 (Improvement).
  • AIMS-specific additions inside the shared clauses: AI policy (5.2), AI risk assessment (6.1.2), AI risk treatment (6.1.3), AI impact assessment (6.1.4), AI lifecycle operational control (Clause 8 + Annex A.6).
  • Risk assessment ≠ impact assessment. 6.1.2 = risks to the organisation; 6.1.4 = consequences for individuals, groups, society.
  • SoA-equivalent control-selection record documents Annex A selection based on 6.1.2 / 6.1.4 inputs; ISO 42001 Annex A remains informative.
  • Internal audit (9.2) + management review (9.3) + corrective action (10.2) = the operating loop that supports a conformity and effectiveness finding.
  • Modulos models Clauses 4–10 via OFF-7 / MFF-7 (legacy) and OFF-10 / MFF-10 (clause-aligned) requirement pairs.

Primary source

ISO/IEC 42001:2023Information technology — Artificial intelligence — Management system, Clauses 4 through 10. Available via the ISO Online Browsing Platform. © ISO.

Annex SL backbone

ClauseHeadlineWhat you put in placeTypical evidence
4 ContextBoundaries the AIMS operates inAIMS scope statement, interested-parties register, role determination under 4.1Scope document, stakeholder map, AIMS description
5 LeadershipAccountability and directionAI policy, roles, authorities, escalationApproved AI policy, RACI, governance-meeting minutes
6 PlanningObjectives, risk/impact logic, change planningAI objectives, AI risk + impact + treatment recordsRisk register, impact assessments, treatment plans, change log
7 SupportPeople, resources, documented informationCompetence plan, training, document controlCompetence matrix, training records, document register
8 OperationRepeatable lifecycle executionOperational planning, AI lifecycle procedures, supplier governanceRunbooks, lifecycle records, supplier assessments
9 Performance evaluationMeasurement + governance cadenceMonitoring metrics, internal audit, management reviewMetric reports, audit findings, review minutes
10 ImprovementFix and learnNonconformity + corrective action, continual improvementCorrective-action records, improvement backlog

Clause 4 — Context of the organization

Goal: define the AIMS boundaries and the reality it operates in.

What to implement:

  • An AIMS scope statement (Clause 4.3) — what is in, what is out, where AI is used, which functions are covered.
  • An interested-parties register (4.2) — regulators, customers, users, staff, vendors, AI subjects.
  • An AIMS description (4.4) — how it interacts with existing management systems (security, privacy, quality).
  • Role determination under 4.1 — provider, producer, customer, partner, subject, regulator (or several).

Common pitfalls:

  • Scope creep — starts with one AI system, silently expands to "all AI".
  • Treating scope as static instead of revisiting it as systems and suppliers change.

Evidence patterns:

  • Approved scope statement with exclusions and rationale.
  • Living interested-parties register, often maintained alongside risk and compliance obligations.
  • Governance structure diagram or operating-model document.

Clause 5 — Leadership

Goal: make accountability real — leadership commitment, policy direction, explicit responsibilities.

What to implement:

  • An AI policy (5.2) — short enough to be used, specific enough to be audited.
  • Roles and authorities (5.3) — who can approve, who can override, who owns risk decisions.
  • A governance cadence — steering meetings, reviews, escalation for incidents and nonconformities.

Common pitfalls:

  • A policy that reads like marketing ("we do ethical AI") but doesn't bind decisions.
  • Ambiguous authority — "everyone is responsible" usually means "no one is accountable".

Evidence patterns:

  • AI policy with approval record and review cadence.
  • RACI-style role descriptions or equivalent.
  • Minutes and decision records from governance meetings.

Clause 6 — Planning

Goal: turn intent into a plan — objectives, risk/impact discipline, change planning.

What to implement:

  • A consistent method for AI risk assessment (6.1.2) — criteria, thresholds, cadence, approval authority.
  • A method for AI risk treatment (6.1.3) — treatment options, ownership, timeline, residual-risk acceptance.
  • An AI system impact assessment (6.1.4) — consequences for individuals, groups, society.
  • Measurable AI objectives (6.2) — not just principles.
  • Planning of changes (6.3) — what triggers reassessment (model change, data change, deployment change, supplier change).

The 6.1.2 / 6.1.4 distinction:

  • Risk assessment (6.1.2) = organisational risks to the AIMS and its objectives.
  • Impact assessment (6.1.4) = consequences for individuals, groups and society from AI deployment.
  • The two feed each other but are distinct artefacts. 6.1.4 is the AIMS analogue of the EU AI Act Article 27 FRIA.

Common pitfalls:

  • Treating risk assessment as a one-time exercise rather than a lifecycle mechanism.
  • Confusing tests with assurance — test results are inputs; governance decisions are separate and must be recorded.

Clause 7 — Support

Goal: ensure people, resources, competence, awareness and controlled documentation to run the AIMS reliably.

What to implement:

  • Resource planning — time and expertise for risk, testing, documentation, review.
  • Role-based competence and training, including reviewers and approvers.
  • Communication — who needs to know what, when (internal and external).
  • Documented-information discipline (7.5) — versioning, review cadence, access control.

Common pitfalls:

  • Documentation debt — artefacts exist but no one owns them; they silently rot.
  • Uncontrolled working docs — critical decisions live in chat threads and get lost.

Clause 8 — Operation

Goal: run AI governance as an operational system — lifecycle controls, supplier management, repeatable execution.

What to implement:

  • Operational planning and control (8.1) for the AI system lifecycle — build, deploy, monitor, change, retire.
  • Operational cadence for AI risk assessment (8.2) and AI risk treatment (8.3) — not only during planning.
  • AI system impact assessment (8.4) operationalised through Annex A.5 controls.
  • Supplier and third-party governance for model providers, data providers and critical infrastructure (Annex A.10).
  • Controls for data quality, transparency, oversight, monitoring and incident handling — tailored by risk (Annex A.6 lifecycle controls).

Common pitfalls:

  • Governance stops at "go-live" — most failures happen after deployment.
  • Monitoring exists but isn't connected to governance decisions or corrective actions.

Clause 9 — Performance evaluation

Goal: prove the AIMS works — monitoring, internal audit, management review.

What to implement:

  • Monitoring and measurement (9.1) — what signals indicate the AIMS controls are working (or failing).
  • Internal audit programme (9.2) — scope, cadence, sampling approach, auditor competence.
  • Management review (9.3) — what leadership reviews, how often, what outcomes are expected. Inputs include internal-audit findings, monitoring results, supplier evaluations, nonconformities and resourcing.

Common pitfalls:

  • "Internal audit" treated as document review only — weak signal that doesn't catch operational gaps.
  • Management review becomes a status meeting, not a decision point.

Clause 10 — Improvement

Goal: make failures productive — fix nonconformities and continually improve the system.

What to implement:

  • Nonconformity and corrective action (10.2) — ownership, deadlines, root cause analysis, effectiveness verification.
  • Continual improvement (10.1) — driven by audits, incidents, monitoring, stakeholder feedback.

Common pitfalls:

  • Corrective actions closed without verifying effectiveness.
  • Improvements tracked informally without traceability back to the trigger (audit finding, incident, measurement).

How to operationalise Clauses 4–10 in Modulos

Two framework template pairs record and link ISO 42001 requirements:

TemplateScopeMapped requirements
OFF-7 / MFF-7 (legacy)Paraphrased Clauses 4–10 + Annex A control mixORF-65…ORF-94 + MRF-66…MRF-110
OFF-10 / MFF-10 (clause-aligned)OBP clause titles + full Clauses 4–10 inventoryORF-162…ORF-195 + MRF-213…MRF-220

The OFF-10 / MFF-10 clause mapping (showing the clean Annex SL coverage):

RequirementISO 42001 clauseTopic
ORF-1624.1Understanding the organisation and its context
ORF-1634.2Understanding the needs and expectations of interested parties
ORF-1644.3Determining the scope of the AI management system
ORF-1654.4AI management system
ORF-1665.1Leadership and commitment
ORF-1675.2AI Policy
ORF-1685.3Organisational roles, responsibilities and authorities
ORF-1696.1.1Actions to address risks and opportunities — general
ORF-1706.1.2AI risk assessment
ORF-1716.1.3AI risk treatment
ORF-1726.1.4AI system impact assessment
ORF-1736.2AI objectives and planning to achieve them
ORF-1746.3Planning of changes
ORF-1757.1Resources
ORF-1767.2Competence
ORF-1777.3Awareness
ORF-1787.4Communication
ORF-179 / ORF-180 / ORF-1817.5.1 / 7.5.2 / 7.5.3Documented information
ORF-1828.1Operational planning and control
ORF-1839.1Monitoring, measurement, analysis and evaluation
ORF-184 / ORF-1859.2.1 / 9.2.2Internal audit
ORF-186 / ORF-187 / ORF-1889.3.1 / 9.3.2 / 9.3.3Management review
ORF-18910.1Continual improvement
ORF-19010.2Nonconformity and corrective action
ORF-191ORF-194A.2…A.5Annex A reference control areas (org-side scope)

App-side (MFF-10) records and links the operational AI-system lifecycle requirements:

RequirementISO 42001 clauseTopic
MRF-2138.2AI risk assessment (operational)
MRF-2148.3AI risk treatment (operational)
MRF-2158.4AI system impact assessment (operational)
MRF-216A.6.2AI system life cycle
MRF-217A.7Data for AI systems
MRF-218A.8Information for interested parties of AI systems
MRF-219A.9Use of AI systems
MRF-220A.10Third-party and customer relationships

Operating rules:

  • Scope statement, AI policy, internal audit, management review live on OFF-10 (or OFF-7). One org-level project per organisation.
  • AI risk + impact assessments + lifecycle + data controls live on MFF-10 (or MFF-7). One app-level project per AI system in scope.
  • Control-level evidence backs each requirement. Modulos does not provide a dedicated Statement of Applicability surface — the SoA-equivalent record is owner-authored documentation stored as evidence on the relevant Annex A requirements.

Integrated Management System (IMS) with ISO 27001 / 27701

The management-system layer (Clauses 4–10) is designed to integrate across ISO standards. Many organisations operate ISO/IEC 42001 alongside:

  • ISO/IEC 27001 (ISMS) — shares Annex SL clauses; the AIMS adds AI-specific Clauses 5.2 / 6.1.2 / 6.1.3 / 6.1.4 + Annex A.
  • ISO/IEC 27701 (PIMS) — shares Annex SL clauses; adds privacy-specific risk and processing-role obligations.

The practical pattern: share the management-system processes (document control, internal audit, management review, corrective action) while keeping the standard-specific risk and impact mechanisms explicit and auditable on their own.

Related: ISO 27001 integration with AI governance · ISO 42001 vs ISO 27001 comparison.

Cross-framework mapping (preview)

ISO 42001 clauseAdjacent provision
Clause 4.3 AIMS scopeISO 27001 Clause 4.3 ISMS scope; ISO 27701 Clause 4.3 PIMS scope
Clause 5.2 AI policyISO 27001 Clause 5.2 information-security policy; EU AI Act Article 17 QMS
Clause 6.1.2 AI risk assessmentEU AI Act Article 9 RMS; NIST AI RMF MAP / MEASURE / MANAGE; ISO 31000
Clause 6.1.3 AI risk treatmentISO 31000 risk-treatment process
Clause 6.1.4 AI impact assessmentEU AI Act Article 27 FRIA; algorithmic-impact-assessment frameworks
Clause 8 operational planning + controlEU AI Act Articles 8–15 substantive obligations
Clause 9.1 monitoringEU AI Act Article 72 post-market monitoring; ISO 27001 Clause 9.1
Clause 9.2 internal auditISO 27001 Clause 9.2; ISO 9001 Clause 9.2
Clause 10.2 corrective actionISO 27001 Clause 10.2; EU AI Act Article 20 corrective actions
ISO 42001 overview

Hub: AIMS structure, Annex SL backbone, certification path

Scope and certification

AIMS scope, Statement of Applicability, Stage 1 / Stage 2 / surveillance / recertification

Annex A and informative annexes

How to use the Annex A reference controls and informative Annexes B / C / D

Operationalizing in Modulos

OFF-7 / MFF-7 (legacy) and OFF-10 / MFF-10 (clause-aligned) rollout

Source attribution

ISO/IEC 42001:2023Information technology — Artificial intelligence — Management system, Clauses 4 through 10 + Annex A.2 through A.10. © ISO/IEC. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.