2.2 — Core Clauses (4–10)
ISO 42001 follows the Harmonized Structure (HS), meaning Clauses 4 through 10 mirror the same structure found in ISO 27001, ISO 9001, and other management system standards. This deliberate alignment makes it possible to integrate AIMS with existing management systems without duplicating effort.
| Clause | Title | Key Requirement |
|---|---|---|
| 4 | Context of the Organization | Determine internal/external issues, stakeholder needs, AIMS scope, and AI system lifecycle boundaries. |
| 5 | Leadership | Top management commitment, AI policy establishment, and assignment of roles/responsibilities. |
| 6 | Planning | Address risks and opportunities, set AI objectives, conduct AI risk assessment including societal impacts. |
| 7 | Support | Provide resources, ensure competence (education/training), manage awareness, communication, and documentation. |
| 8 | Operation | Implement AI risk management, conduct AI impact assessments, manage lifecycle, apply Annex A controls. |
| 9 | Performance Evaluation | Monitor, measure, analyze, and evaluate AIMS. Conduct internal audits and management reviews. |
| 10 | Improvement | Address nonconformities, take corrective actions, drive continual improvement of the AIMS. |
Clause-by-Clause Detail
Clause 4 (Context) requires organizations to understand the internal and external issues relevant to their AI systems, identify stakeholders and their requirements, and define the scope of the AIMS. Organizations must determine which AI systems fall within scope and document the context in which they operate, including applicable regulations and industry standards.
Clause 5 (Leadership) requires top management to demonstrate commitment to the AIMS by establishing an AI policy, assigning roles and responsibilities, and ensuring the AIMS achieves its intended outcomes. The AI policy must be appropriate to the organization's purpose, include commitment to compliance and continual improvement, and be communicated to all relevant parties.
Clause 6 (Planning) requires organizations to address risks and opportunities, set measurable AI objectives, and plan how to achieve them. Critically, the AI risk assessment must consider impacts on individuals, groups, and society — not just organizational/business risks. This is a key differentiator from traditional risk assessments.
Clause 7 (Support) ensures the organization provides necessary resources, including competent personnel. Staff working on AI systems must have appropriate competence through education, training, or experience. Documentation requirements are comprehensive and must be controlled.
Clause 8 (Operation) is the implementation clause where planned processes are executed. This is where Annex A controls are applied, AI impact assessments are conducted, and AI system lifecycle activities (design, development, testing, deployment, operation, retirement) are managed. Third-party AI system relationships are also governed here.
Clause 9 (Performance Evaluation) requires monitoring both AI system performance and AIMS effectiveness. Internal audits must be planned and conducted at regular intervals. Management reviews must evaluate the continuing suitability, adequacy, and effectiveness of the AIMS.
Clause 10 (Improvement) closes the PDCA loop by requiring organizations to address nonconformities with corrective actions and continually improve the AIMS's suitability, adequacy, and effectiveness.
Because ISO 42001 uses the same Harmonized Structure as ISO 27001 and ISO 9001, exam questions may ask about integration benefits. Key point: Clauses 4–10 have the same numbering and general purpose across all HS-based standards. An organization already certified to ISO 27001 can leverage existing processes for leadership commitment (Clause 5), internal audits (Clause 9), and corrective actions (Clause 10).