Question 1

1. Foundational / Governance Policies & Documentation

Accepted Answer

These are the “must-have” artefacts to set up governance of AI.
 • AI Management System Scope & Boundaries: document what parts of the organisation, what AI systems, what lifecycle phases are included.
 • Context of the Organization: formal assessment of internal/external issues, interested parties (stakeholders), requirements, constraints.  
 • Leadership commitment & AI policy: top management must show leadership, commit to the AIMS, establish an overarching AI policy aligned with strategic direction.  
 • Roles, Responsibilities & Authorities: assign accountable owners, define authorities for AI-governance, risk, operations.  
 • AI policy (more specific): A documented policy addressing responsible use of AI, aligning with ethics, transparency, accountability, fairness.  
 • Integration with existing management systems: e.g., if you already have ISO 27001, integrate the AIMS rather than build in isolation.

Question 2

2. Planning / Risk & Opportunity Management

Accepted Answer

Periodic items and procedures around planning and risk.
 • AI-specific Risk Criteria & Appetite: define what constitutes acceptable AI risk (ethical, legal, operational, safety, bias).  
 • AI Impact Assessment Procedure: evaluate potential consequences of AI systems on individuals, groups, society.  
 • Risk Assessment for AI Systems: identify, assess, prioritise risks specific to AI (data quality, bias, model drift, misuse, safety).  
 • Risk Treatment / Mitigation Planning: for each identified risk, define and document controls, mitigation, residual risk.
 • Objectives & Targets for AI management: set measurable objectives (e.g., bias reduction target, accuracy threshold, transparency metrics).  
 • Planning of Changes: process to handle changes in context, in AI systems, in regulatory environment.

Question 3

3. Support / Enabling Procedures

Accepted Answer

Procedures, training, documentation, resources that support the AIMS.
 • Resource Allocation: ensure human, technical, data, tool resources for AI governance and operations.  
 • Competence, Training & Awareness: train staff on AI policy, risk, ethics, system lifecycle, their specific roles.  
 • Communication: internal and external communication regarding AI management system, stakeholders, interested parties.  
 • Documented Information (Policies, Procedures, Records): maintain, control, update, store documentation supporting the AIMS.  
 • Infrastructure/Data/Technology Support: ensure data governance, infrastructure to support AI lifecycle (data quality, access, model management) as part of support.

Question 4

4. Operation / Lifecycle of AI Systems

Accepted Answer

Procedures & periodic activities for the actual development, deployment, monitoring of AI systems.
 • Operational Planning & Control: define how AI systems are designed, developed, deployed, monitored, maintained.
 • AI System Lifecycle Management: covering from concept to retirement: design, build, test, deploy, maintain, retire.  
 • Data Governance for AI Systems: data quality, data selection, bias check, traceability of data used in AI.  
 • Monitoring & Control of AI System Use: procedures for use, third-party components, monitoring model drift, unintended outcomes.  
 • Supplier/Third-Party Management: if you use external models, data, services – controls over those relationships.  
 • Change Control: controlling planned changes to AI systems, handling unintended changes, verifying outcomes.  
 • Incident & Deviation Handling: detect, document, handle non-conformities, unintended negative impacts of AI systems, corrective actions.

Question 5

6. Improvement / Continuous Improvement & Compliance Monitoring

Accepted Answer

Procedures and periodic items to ensure the AIMS remains effective, relevant, and compliant.
 • Non-conformity Response & Corrective/Preventive Actions: process to address deviations, document and correct them, prevent recurrence.
 • Continual Improvement of AIMS: seek opportunities to improve the AI management system, adapt to new technologies, new risks, regulatory changes.
 • Review & Update of Risk, Impact Assessments & Treatment Plans: at planned intervals and whenever significant changes occur.
 • Compliance Monitoring & Review of External Requirements: keep track of new AI regulations, market developments, update policies and controls accordingly.

Question 6

7. Periodic Items / Activities (summary)

Accepted Answer

Here are the items that recur on a periodic basis (e.g., quarterly, annually, on-change) and should be part of your monitoring cadence:
 • Review of internal/external context, stakeholder requirements (annually or when change)
 • Review of AI policy alignment, objectives and targets (annually)
 • Competency and awareness training refresh (at least annually, ideally more frequently)
 • Data and model quality performance review (quarterly or aligned with model release cycles)
 • Risk assessment refresh (annually and when AI systems or context change)
 • Impact assessment updates (when new systems or major changes)
 • Internal audits of AIMS (semi‐annual or annual)
 • Management review meetings (at least annually)
 • Supplier/third-party reviews (annually or per contract)
 • Monitoring model drift, bias, accuracy metrics (continuous/ongoing)
 • Non-conformity/corrective action reviews (ongoing)
 • Improvement initiatives implementation and tracking (ongoing)
 • Compliance/regulation watch and update of controls (ongoing)

Question 7

8. Mapping to Annex A (Controls)

Accepted Answer

According to multiple sources, ISO 42001 also includes a set of controls in Annex A which organizations must implement.   Typical control areas include:
 • Policies related to AI systems
 • Internal organization
 • Resources for AI systems
 • Assessing impacts of AI systems
 • AI system lifecycle
 • Data for AI systems
 • Information for interested parties of AI systems
 • Use of AI systems
 • Third-party and customer relationships

ISO 42001 - List of Deliverables