What do Clauses 4 to 10 of ISO/IEC 42001 require?
Clauses 4 to 10 of ISO/IEC 42001 outline the requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). These clauses follow a Plan-Do-Check-Act structure, covering foundational management system elements.
- Clause 4: Context of the organization requires the organization to determine its internal and external context, identify interested parties, and define the scope of its AIMS.
- Clause 5: Leadership mandates that top management demonstrate leadership by establishing an AI policy, documenting the AIMS, and assigning roles, responsibilities, and authorities for AI governance. This cross-maps to NIST-GOVERN-1/2.
- Clause 6: Planning involves addressing risks and opportunities, establishing an AI risk assessment and AI impact assessment process, and setting AI objectives. This cross-maps to NIST MAP/MANAGE.
- Clause 7: Support focuses on providing necessary resources, competence, awareness, communication, and control over documented information to effectively operate the AIMS.
- Clause 8: Operation requires operational planning and control, ensuring that AI risk and impact assessments are implemented, and AI systems are operated under defined controls.
- Clause 9: Performance evaluation involves monitoring, measurement, analysis, and evaluation of the AIMS, including internal audits and management reviews. This cross-maps to NIST-MEASURE-3.1 and OWASP LLM10 (abuse/consumption monitoring).
- Clause 10: Improvement mandates continual improvement and corrective actions, addressing nonconformities, and enhancing the AIMS over time.
Grounded in
- iso_42001
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.