Konfirmity

ISO 42001 Requirements: A Clause-by-Clause Guide to the Standard

Satyam Bajpai

Satyam Bajpai

2026-07-09

ISO 42001 Requirements: A Clause-by-Clause Guide to the Standard

The ISO 42001 requirements are the certifiable clauses of the standard, numbered 4 through 10. They mandate that an organization define the context of its AI management system, show leadership, plan and assess AI risk, provide support and documented information, operate its processes, evaluate performance, and improve. Satisfy every clause and you hold a working AIMS that an accredited auditor can certify.

This guide walks those clauses one at a time, in the order an auditor tests them. It is not an implementation checklist and not a list of the 38 Annex A controls; both have their own place. The focus here is the normative text of ISO/IEC 42001, published in December 2023, and what it obliges you to build into an AI management system. If you want the wider context first, our ISO 42001 guide covers cost, certification, and how the standard fits the EU AI Act.

TL;DR

  • The requirements sit in Clauses 4 to 10 of ISO/IEC 42001:2023; Clauses 1 to 3 are scope, references, and terms, and certify nothing.
  • The clauses follow Plan-Do-Check-Act: context and leadership, planning, support and operation, evaluation, then improvement.
  • The AI system impact assessment (established at 6.1.4, performed at 8.4) is the requirement with no equivalent in ISO 27001.
  • Certain documented information is mandatory, and it is the first evidence an auditor asks for.
  • The clauses are separate from the 38 Annex A controls and from any build checklist.

The ISO 42001 Requirements: Clauses 4 to 10

Like every current ISO management system standard, ISO/IEC 42001 is written on the Harmonized Structure, the common clause skeleton ISO applies across ISO 9001, ISO 27001, and the rest. That is why the requirements sit in a familiar place. Clauses 1 to 3 cover scope, normative references, and terms, and carry nothing an auditor certifies. The obligations begin at Clause 4 and run through Clause 10.

Those seven clauses follow the Plan-Do-Check-Act cycle. Clauses 4 and 5 set the foundation, Clause 6 plans, Clauses 7 and 8 support and operate the system, Clause 9 checks it, and Clause 10 corrects and improves it. Read together they describe a system that has to keep running, not a project you finish once. You can buy the normative text from the ISO/IEC 42001:2023 standard page, and ISO publishes a plain-language overview of AI management systems. The sections below take each clause in turn.

Clause 4: Context and the AI Management System

Clause 4 asks a plain question with an easy-to-botch answer: what is your AI management system for, and where does it stop? Sub-clause 4.1 requires you to determine the internal and external issues relevant to your AI, from the regulations you fall under to the risk appetite of your board. Sub-clause 4.2 requires you to identify interested parties, meaning the users, customers, regulators, and affected individuals whose needs the AIMS has to account for, and to decide which of their expectations you will treat as requirements.

Sub-clause 4.3 is where you draw the boundary. You define the scope of the AIMS in a documented statement: which AI systems, which business units, and which roles fall inside it. This is a deliberate choice, not a default of everything you own. Sub-clause 4.4 then requires the management system itself to exist as a set of connected processes rather than a filing cabinet of policies. Scope errors here, either too broad to evidence or too narrow to be credible, are among the most common reasons a first audit stalls.

Clauses 5 and 6: Leadership and Planning

Clauses 5 and 6 are where an AIMS gets its authority and its direction. Leadership supplies the mandate; planning turns that mandate into concrete risk decisions, objectives, and the impact assessment that defines the standard.

Clause 5: Leadership and the AI Policy

Clause 5 puts responsibility for AI where the standard insists it belongs, with top management. Sub-clause 5.1 requires leaders to demonstrate commitment by making the AI policy compatible with the organization's direction, integrating the AIMS into business processes, and providing resources. Sub-clause 5.2 requires a documented AI policy: an approved statement of intent that sets the organization's stance on responsible AI and frames its objectives. Sub-clause 5.3 requires assigned roles, responsibilities, and authorities, so accountability for the AIMS is named rather than assumed. The recurring audit finding here is a policy signed by an executive who cannot explain how it operates. The standard treats leadership as an activity to evidence, not a signature to collect.

Clause 6: Planning and Risk Assessment

Clause 6 is the analytical core. Sub-clause 6.1.2 requires a defined AI risk assessment process: how you identify, analyse, and evaluate the risks your AI systems create, with consistent and repeatable criteria. Sub-clause 6.1.3 requires AI risk treatment, meaning you select how to address each risk and produce a Statement of Applicability recording which Annex A controls apply and why. Sub-clause 6.1.4 introduces the requirement with no equivalent in ISO 27001, the AI system impact assessment, covered next. Sub-clause 6.2 requires measurable AI objectives with plans to reach them, and 6.3 requires you to plan changes to the AIMS deliberately rather than let it drift. Planning is also where the standard first forces you to look outward, at consequences beyond your own walls.

The AI System Impact Assessment at Clause 6.1.4

The AI system impact assessment is the requirement that separates ISO 42001 from an information-security standard. Sub-clause 6.1.4 requires you to establish a process for assessing the potential consequences of an AI system for individuals, groups of individuals, and society, and not only for the organization itself. It is a standing process, defined once and applied repeatedly. Where the risk assessment asks what could go wrong for you, the impact assessment asks who could be harmed and how, covering fairness, safety, transparency, and effects on people who never chose to interact with the system. The process defined at 6.1.4 is operated under Clause 8.4, where you perform assessments and keep the results. Treating it as an optional extra is the fastest way to fail a Stage 2 audit, because it is the clause that makes the standard about AI.

The clauses are quick to read and slow to operate.

Drop your work email and we will map your AI systems to Clauses 4 to 10 and run the AIMS with you.

Clause 7: Support and Mandatory Documented Information

Clause 7 supplies everything the AIMS needs to run. Sub-clause 7.1 requires adequate resources. Sub-clause 7.2 requires competence, meaning the people making AI decisions have the skills to make them, evidenced by training or experience records. Sub-clause 7.3 requires awareness across the organization, and 7.4 requires you to plan internal and external communication about the AIMS.

Sub-clause 7.5 governs documented information, the Harmonized Structure term that replaced documents and records. Some of it is mandatory. The standard tells you to maintain documented information for things you must keep current, such as the scope statement and the AI policy, and to retain documented information for evidence you must preserve, such as completed risk and impact assessments. Sub-clause 7.5.3 adds control of documented information: version control, access, and protection. The mandatory documented information is what an auditor asks for first, because it is the objective evidence that a clause was met rather than merely described.

Clause 8: Operation

Clause 8 is where the plans from Clause 6 meet production. Sub-clause 8.1 requires you to plan, implement, and control the processes the AIMS needs, and to control planned changes. Sub-clause 8.2 requires you to actually perform the AI risk assessment at planned intervals and when significant changes occur, not merely to have defined it. Sub-clause 8.3 requires you to implement the AI risk treatment. Sub-clause 8.4 requires you to perform the AI system impact assessment and to keep documented results.

The line between Clause 6 and Clause 8 catches teams out. Clause 6 requires the process to exist; Clause 8 requires it to run and to produce records over time. An AIMS that is fully planned but has never operated will clear the Stage 1 documentation review and then fail Stage 2, where the auditor samples evidence of the processes working in practice.

Clause 9: Performance Evaluation

Clause 9 is the check in Plan-Do-Check-Act. Sub-clause 9.1 requires you to determine what to monitor and measure about the AIMS and its AI systems, and to evaluate the results, so performance is judged against evidence rather than impression. Sub-clause 9.2 requires internal audits at planned intervals, run by people independent of the work they assess, to confirm the AIMS conforms to both the standard and your own requirements and is effectively implemented. The mechanics mirror ISO 27001, so our ISO 27001 internal audit guide transfers almost directly. Sub-clause 9.3 requires management review: leadership formally examines the AIMS at planned intervals, weighs audit results, risk and impact changes, and objectives, and decides what to change. These three sub-clauses are what stop the system from quietly decaying between certificates.

Clause 10: Improvement

Clause 10 closes the loop. Sub-clause 10.2 requires that when a nonconformity occurs, whether a failed control, a missed assessment, or an audit finding, you react to it, correct it, analyse its cause, and act to stop it recurring, keeping documented evidence of the whole chain. Sub-clause 10.1 requires continual improvement of the AIMS's suitability, adequacy, and effectiveness. Neither is optional. An auditor reads your nonconformity records as a health check: a system with none logged is usually one that is not really looking, and a mature AIMS shows a steady trail of issues found, fixed, and prevented.

Clauses Versus Controls: What This Article Is Not

Everything above is a clause requirement, the management-system machinery of ISO 42001. It is worth being explicit about what these clauses are not, because the terms get blurred. They are not the Annex A controls. Annex A lists 38 reference controls grouped under nine objectives numbered A.2 to A.10, covering areas such as the AI policy, impact assessment, the AI system life cycle, and data governance. Those controls are selected through the Clause 6 risk and treatment process and recorded in your Statement of Applicability; our ISO 42001 controls guide walks all of them. The clauses are also not an implementation plan. Knowing that Clause 8.4 requires an impact assessment does not tell you how to build one, which is the job of our ISO 42001 checklist. Read in sequence, the clauses tell you what must be true; the controls and the checklist tell you how to make it true.

Conclusion

The ISO 42001 requirements come down to seven clauses that turn responsible AI from an intention into an operating system: context, leadership, planning, support, operation, evaluation, and improvement, with the AI system impact assessment as the piece unique to AI. An auditor certifies the clauses; the controls and a build checklist help you satisfy them. Konfirmity stands up and runs the AIMS inside your stack the way we run managed compliance for ISO 27001, SOC 2, and HIPAA, so the clauses are met in practice and not only on paper. Book a walkthrough and we will map your AI systems to Clauses 4 to 10.

Frequently Asked Questions

Which ISO 42001 clauses are mandatory?

Clauses 4 through 10 are the certifiable requirements, and an auditor tests all of them. Clauses 1 to 3 cover scope, normative references, and vocabulary, and are not audited. Annex A is a reference set of controls you select through your risk assessment, so its 38 controls are not all mandatory in the way the clauses are.

Is the AI system impact assessment mandatory?

Yes. Sub-clause 6.1.4 requires you to establish the impact-assessment process, and Clause 8.4 requires you to perform it and retain the results. It assesses consequences for individuals and society, which is what makes ISO 42001 an AI standard rather than a second information-security standard. Skipping it is a reliable way to fail Stage 2.

What documented information does ISO 42001 require?

Sub-clause 7.5 requires you to maintain documented information such as the AIMS scope and the AI policy, and to retain documented information such as completed risk assessments, impact assessments, internal audit results, and management reviews. This mandatory documented information is the evidence an auditor samples to confirm the clauses actually operate.

Do Clauses 4 to 10 differ from ISO 27001's clauses?

The clause numbers and structure are shared, because both standards use the Harmonized Structure. The subject differs. ISO 42001's Clause 6 adds the AI system impact assessment at 6.1.4, and every clause is scoped to AI systems and their effects rather than to information security alone.

Does meeting the clauses mean I have implemented the Annex A controls?

No. The clauses require you to run a risk and treatment process that decides which Annex A controls apply, but the controls themselves are a separate exercise. You record your choices in a Statement of Applicability and implement the applicable controls in your actual workflow.

How Real Security Becomes Compliance

Built by the CTO who scaled NIUM to $2 billion. 10 years building security and compliance for regulated fintechs. 4.5 years running Konfirmity profitably.

Book a call