ISO/IEC 42001:2023 is a standard that specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving an AI (artificial intelligence) management system within the context of an organization. The standard is intended for use by any organization, regardless of size, type and nature, that provides or uses products or services that utilize AI systems.
ISO/IEC 42001 aims to help organizations develop, provide or use AI systems responsibly in pursuing their objectives and in meeting applicable requirements, obligations related to interested parties, and the expectations of those parties. The standard also aims to help organizations improve the quality, security, traceability, transparency and reliability of AI applications, as well as solve some implementation challenges. Moreover, the standard aims to help organizations build greater confidence in AI systems, reduce the costs of AI development, maintain regulatory compliance, meet customer, staff and other stakeholder expectations around the ethical and responsible use of AI, and improve efficiency and risk management.
The standard covers the following topics:
- Scope: defines the scope and applicability of the standard, as well as the terms and definitions used in the standard.
- Normative references: lists the normative references that are indispensable for the application of the standard.
- Context of the organization: describes the requirements and guidance for understanding the organization and its context, understanding the needs and expectations of interested parties, determining the scope of the AI management system, and establishing the AI management system.
- Leadership: describes the requirements and guidance for leadership and commitment, policy, roles, responsibilities and authorities related to the AI management system.
- Planning: describes the requirements and guidance for addressing risks and opportunities, establishing objectives and plans, and managing changes related to the AI management system.
- Support: describes the requirements and guidance for providing resources, competence, awareness, communication and documented information related to the AI management system.
- Operation: describes the requirements and guidance for planning and control, design and development, procurement, operation and maintenance, monitoring and evaluation, and improvement of AI systems within the AI management system.
- Performance evaluation: describes the requirements and guidance for monitoring, measurement, analysis and evaluation, internal audit, and management review of the AI management system.
- Improvement: describes the requirements and guidance for nonconformity and corrective action, continual improvement, and learning and innovation of the AI management system.
Core components of the standard are principles of AI ethics, such as fairness, accountability, transparency, privacy, security, human dignity, human agency, and social and environmental well-being. The standard also follows the Plan-Do-Check-Act (PDCA) cycle, which is a common approach for managing processes and systems.
This release was developed by the ISO/IEC Joint Technical Committee 1 (JTC 1), which is responsible for information technology standards, and its subcommittee 42 (SC 42), which is responsible for artificial intelligence standards.
The framework is part of the overall ISO/IEC 42000 series, which covers various aspects of AI, such as terminology, reference architecture, trustworthiness, governance, use cases and applications, and assessment. The standard is also aligned with other relevant standards, such as ISO 9001 (quality management), ISO 14001 (environmental management), ISO 27001 (information security management), ISO 31000 (risk management), and ISO 37001 (anti-bribery management).