The management systems for artificial intelligence ISO 42001:2023 and risk treatment according the Annex A

19 Mar 2025 07:00 AM - By itSMF Staff

Reading time: ~ 2 min.

The management systems for AI and risk treatment: the ISO 42001 standard

In our previous post, we took a look at the ISO 42001:2023 standard focusing on the tools that organizations can use to implement security, protection, equity, transparency and data quality for AI based products or services.

Today we're going to consider in particular the «Annex A» of the latest version of the ISO standard on management systems for AI: the document reports a series of control objectives and operational controls that as an organization we can apply to address risks.

The ISO 42001 standard and the Annex A: control objectives and operational controls

On the ISO/IEC 42001:2023 standard «ANNEX A» we have a series of controls objectives and operational controls useful to support an organization that needs to manage and mitigate AI systems related risks (risk treatment and management).

This is the structure of the Annex A:

A.2 «Policies related to AI»
A.3 «Internal Organization»
A.4 «Resources for AI Systems»
A.5 «Assessing Impact of AI Systems»
A.6 «AI System Life Cycle»
A.7 «Data for AI System»
A.8 «Information for parties interested in AI systems»
A.9 «Use of AI systems»
A.10 «Third parties and customer relationships».

In the nex lines, let's have a quick overview on the controls, one by one.

Annex A, Control A.2 «Policies related to AI»

According to the ISO 42001 standard control A.2, the policy for AI systems development and use is the pillar on the approach that an organization can adopt for AI governance.

Annex A, Control A.3 «Internal organization»

The control A.3 is focused on the requirement for an organization to define and allocate teams or professionals (role and responsability) in charge of the oversight of every aspects of AI system management.

Annex A, Control A.4 «Resources for AI systems»

The control A.4 sets the need to identify and document every AI system essential resource, such as data, tools, computing resources and team expertise.

Annex A, Control A.5 «Assessing impact of AI systems»

The control A.5 is focused on the need to identify, analyse, evalute and treat the AI system impacts on individuals and the society, adopting a well structured approach for the assessment.

Annex A, Control A.6 «AI system Life Cycle»

According to the Annex A control A.6, the every stage of AI system life cycle has to be managed through an approach (framework) that helps to ensure responsability and effectiveness on design, implementation and use of AI system.

Annex A, Control A.7 «Data for AI sytem»

The data quality and the source it comes from are very relevant for AI system: every organization has to manage carefully the definition and documentationabout requirements and standards.

Annex A, Control A.8 «Information for parts interested in AI systems»

According to the Annex A control A.8, organizations have to determine and share AI systems essential informations (purpose, instructions, limitations, capabilities,...) to users and other stakeholders.

Annex A, Control A.9 «Use of AI systems»

The Annex A control A.9 requires to define and document the process for the AI systems responsible use, in particular according to ethics, legal requirements and policies of the organization.

Annex A, Control A.10 «Thir parties and customer relationships»

According to the Annex A control A.10, organizations have to delineate internal and external responsabilities on AI systems, in particular among partners, suppliers and other third parties.