ISO 42001 and AI Governance

Requirements of ISO 42001 - Chapter 6: Planning

ISO/IEC 42001 – Chapter 6: Planning

Planning for AI Management

After establishing the context (Chapter 4: Strategic Analysis, Stakeholders, Scope) and defining the objectives and vision—as well as leadership (Chapter 5: AI Policy, Roles, Responsibilities)—Chapter 6 serves to translate the strategy into an action plan.

This chapter requires the organization to:

- identify, assess and treat AI risks in order to prioritize actions

- conduct AI system impact assessments

- define operational AI objectives and plan how to reach them

6.1 – Actions in Response to Risks and Opportunities

6.1.1 – General Information

Requirements (revised).

When planning the AIMS (AI management system), the organization uses the context (4.1) and the requirements of interested parties (4.2) to identify the risks and opportunities to be addressed, in order to:

  • ensure that the AIMS achieves its intended results
  • prevent or reduce undesired effects
  • achieve continual improvement

The organization defines and maintains AI risk criteria that distinguish acceptable from unacceptable risks, guide risk assessment and treatment, and frame the assessment of impacts.

Risks and opportunities are identified based on the domain and context of application, the intended use, and the internal and external context. The organization plans actions to address these risks and opportunities, integrates them into the AIMS processes, and evaluates their effectiveness. It keeps documented traceability of these actions.

Explanation.

You must conduct an AI risk analysis. It begins with the selection of risk categories, starting from the risk sources listed in Annex C (informative in the standard, but the reference list an auditor will expect you to have considered), on the basis of the selected scope and the high-level objectives.

We recommend reusing the method you already apply to information security risk analysis (the ISO/IEC 27005 approach, for organizations that run an ISMS), even though AI introduces specific risk scenarios.

You will need to document this method so that the risk analyses are reproducible: two assessors working from the same inputs must reach the same risk level.

Examples & practical tips.

  • Define and document a risk analysis method (scales, risk matrix, acceptance criteria).
  • Link each risk to a process and to an owner.
  • Use Annex C as the reference list of risk sources.

6.1.2 – AI Risk Assessment

Requirements (revised)

The organization establishes an AI risk assessment process that:
a) is aligned with the AI policy (5.2) and the AI objectives (6.2);
b) is reproducible, so that repeated assessments give consistent and comparable results;
c) identifies the risks that facilitate or hinder the achievement of the objectives;
d) analyzes the potential consequences for the organization, individuals and society, the likelihood (where applicable) and the resulting risk level;
e) evaluates the risks against the criteria defined in 6.1.1 to prioritize their treatment.
Documented information on the process is required.
Note (summary). The analysis of consequences may rely on the AI system impact assessment (6.1.4).

Explanation


The standard expects a methodical, reproducible process that is formalized in writing.

The risks are not limited to "technical" risks: they also cover bias, violations of individual rights, security, robustness, reputation and regulatory compliance.

6.1.3 – AI Risk Management

Requirements (revised).

Based on the assessment, the organization defines an AI risk treatment process to:
a) select the treatment options (avoid, reduce, transfer, accept);
b) determine all the controls needed to implement the chosen options;
c) compare those controls with Annex A to verify that no necessary control has been omitted;
d) identify additional controls where Annex A is not sufficient;
e) use Annex B as implementation guidance;
f) produce a Statement of Applicability (SoA) listing the necessary controls, with a justification for each inclusion and exclusion;
g) formalize a risk treatment plan.

Management approves the plan and the acceptance of the residual risks. The controls are aligned with the objectives (6.2), documented, communicated, and made available to interested parties as needed. Traceability is required.
Notes (summary). The controls in Annex A are a reference and are not exhaustive; the organization may design its own controls; AI risk treatment may be integrated into other management systems (for example an ISMS).

Explanations & Tips

Once the risk assessments have been completed, you select which risks to treat and how to treat them.

Not every risk needs to be treated: a risk below the acceptance threshold can be accepted, provided management signs off on the residual risk. For the others, you choose the controls to implement from Annex A or from other guidelines.

All the controls are recorded in the SoA (Statement of Applicability), with a justification for each inclusion and exclusion and their implementation status.
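To make the three steps above concrete, here is an added example (not from the original article and not from ISO/IEC 42001 itself) of a minimal, reproducible AI risk register: documented risk criteria (6.1.1), deterministic scoring and prioritization (6.1.2), treatment options checked against the criteria, residual risk and a generated Statement of Applicability (6.1.3). The scales, thresholds, control references (C-01 to C-04) and sample risks are constructed for illustration; they are not the standard's Annex A controls.

```python
"""Added example, not from the original article or from ISO/IEC 42001 itself.
Scales, thresholds, control references (C-xx) and all sample risks are
constructed for illustration; they are not the standard's Annex A controls."""
from dataclasses import dataclass, field
from enum import Enum

# 6.1.1 -- risk criteria are written down once, so two assessors get the same level.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_LEVEL = 6     # assumption: a level <= 6 may be accepted as-is
UNACCEPTABLE_LEVEL = 15  # assumption: a level >= 15 must be reduced or avoided

class Treatment(Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    ACCEPT = "accept"

@dataclass
class Control:
    ref: str                     # hypothetical reference, not an Annex A number
    title: str
    reduces_likelihood: int = 0  # scale steps removed once the control is in place
    reduces_consequence: int = 0

@dataclass
class Risk:
    rid: str
    source: str        # Annex C style risk source (bias, robustness, ...)
    description: str
    owner: str         # 6.1.1 tip: every risk is linked to an owner
    likelihood: str
    consequence: str
    treatment: Treatment
    controls: list = field(default_factory=list)

def score(likelihood: str, consequence: str) -> int:
    """6.1.2 b)/d): the level is a pure function of the documented scales."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def inherent_level(r: Risk) -> int:
    return score(r.likelihood, r.consequence)

def residual_level(r: Risk) -> int:
    """Level after the selected controls; each factor stays within 1..5."""
    if r.treatment is Treatment.AVOID:
        return 0  # the activity is not carried out, nothing remains
    lik = LIKELIHOOD[r.likelihood] - sum(c.reduces_likelihood for c in r.controls)
    con = CONSEQUENCE[r.consequence] - sum(c.reduces_consequence for c in r.controls)
    return max(lik, 1) * max(con, 1)

def evaluate(r: Risk) -> dict:
    """6.1.2 e) + 6.1.3: compare with the criteria and flag inconsistent decisions."""
    inherent, residual = inherent_level(r), residual_level(r)
    findings = []
    if r.treatment is Treatment.ACCEPT and inherent > ACCEPTABLE_LEVEL:
        findings.append("accepted above the acceptable level: management sign-off required")
    if inherent >= UNACCEPTABLE_LEVEL and r.treatment in (Treatment.ACCEPT, Treatment.TRANSFER):
        findings.append("unacceptable level: must be reduced or avoided")
    if r.treatment is Treatment.REDUCE and not r.controls:
        findings.append("treatment 'reduce' chosen but no control assigned")
    if r.treatment is not Treatment.AVOID and residual > ACCEPTABLE_LEVEL:
        findings.append(f"residual level {residual} still above the acceptable level")
    return {"rid": r.rid, "owner": r.owner, "inherent": inherent,
            "residual": residual, "treatment": r.treatment.value, "findings": findings}

def prioritize(risks: list) -> list:
    """6.1.2 e): treatment order, highest inherent level first."""
    return [r.rid for r in sorted(risks, key=inherent_level, reverse=True)]

def statement_of_applicability(risks: list, catalogue: list) -> dict:
    """6.1.3 f): every catalogue control appears, with a justification either way."""
    used = {}
    for r in risks:
        for c in r.controls:
            used.setdefault(c.ref, []).append(r.rid)
    return {c.ref: {"title": c.title, "applicable": c.ref in used,
                    "justification": ("treats " + ", ".join(used[c.ref])) if c.ref in used
                    else "no identified risk requires it"}
            for c in catalogue}

# Constructed sample catalogue and register (illustrative only).
CATALOGUE = [
    Control("C-01", "Bias testing on representative evaluation data", reduces_likelihood=2),
    Control("C-02", "Human review before an automated decision takes effect", reduces_consequence=2),
    Control("C-03", "Adversarial robustness testing before release", reduces_likelihood=1),
    Control("C-04", "Assessment of third-party model suppliers"),
]
REGISTER = [
    Risk("R-01", "bias", "Credit model disadvantages a protected group", "Head of Data Science",
         "likely", "severe", Treatment.REDUCE, [CATALOGUE[0], CATALOGUE[1]]),
    Risk("R-02", "robustness", "Image classifier fooled by adversarial input", "ML Platform Lead",
         "possible", "moderate", Treatment.REDUCE, [CATALOGUE[2]]),
    Risk("R-03", "reputation", "Chatbot gives off-brand answers", "Marketing",
         "unlikely", "minor", Treatment.ACCEPT),
    Risk("R-04", "compliance", "Deployment before the required impact assessment", "Legal",
         "possible", "major", Treatment.ACCEPT),
]

if __name__ == "__main__":
    by_id = {r.rid: r for r in REGISTER}
    for rid in prioritize(REGISTER):
        print(evaluate(by_id[rid]))
    print(statement_of_applicability(REGISTER, CATALOGUE))
```

Running it lists the risks in treatment order (R-01, R-04, R-02, R-03). R-01 starts at level 20 and the two assigned controls bring it down to 6, so it produces no finding; R-04 is flagged twice because a level-12 risk was simply accepted, which is exactly the kind of decision the standard wants management to sign off explicitly. The SoA lists C-04 as not applicable with a justification, which is what an auditor looks for: an exclusion is as traceable as an inclusion.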

6.1.4 – Impact Assessment of AI Systems

Requirements (revised)

The organization establishes a process to assess the potential impact of AI systems on individuals, groups of individuals and society, taking into account the deployment, the intended use and the reasonably foreseeable misuse of the system, and considering the technical and societal context and the applicable jurisdictions. The results are documented and, where appropriate, made available to relevant interested parties. They feed into the risk assessment (6.1.2).
Note (summary). In certain domains (security, privacy, etc.), impact assessments specific to those disciplines, such as a privacy impact assessment, may also be required.

Explanation & Tips

This is the link between technical risk and human and societal impact. It also covers reasonably foreseeable misuse, not just the intended use. The analysis directly informs risk prioritization as well as the regulatory requirements that apply to the system.

This area overlaps heavily with the EU AI Act: the impact assessment is where you identify which of its obligations apply to each AI system, and those obligations then count among the applicable requirements that ISO 42001 expects you to take into account.

6.2 – AI Objectives and Planning to Achieve Them

Requirements (revised)

The organization establishes AI objectives at the relevant functions and levels. These objectives are:
a) consistent with the AI policy (5.2);

b) measurable (where practicable);

c) based on the applicable requirements;

d) monitored;

e) communicated;

f) updated as appropriate;

g) documented.

To achieve these objectives, the organization determines what will be done, the resources required, who is responsible, the deadlines, and how the results will be evaluated.
Note (summary). Annex C proposes objectives linked to the risk sources; A.6.1 and A.9.3 (and B.6.1/B.9.3) give guidance on objectives and measures for responsible development and use.

Explanations

Objectives serve as the link between strategy and execution: they translate the policy requirements and the priorities from the risk analysis into operational targets.

The idea is to identify one or two key objectives for each risk category, which helps translate these into operational objectives and guide action.

6.3 – Change Planning

Requirements (revised)

Changes to the AIMS are carried out in a planned manner.

Explanation.
The AIMS evolves constantly (new use cases, new requirements, incidents, lessons learned). Every change must be planned, assessed for its impacts and risks, approved, documented, and then communicated.

Examples & practical tips.

  • Establish a change management process (request for change) covering: description, justification, impact assessment (including an AI impact assessment per 6.1.4 where needed), decision, deployment and rollback plan, and communication.
  • Keep a versioned change log, reviewed periodically by the AI committee.

Conclusion

The purpose of Chapter 6 is to prioritize the actions to be taken, whether as projects or as controls to implement. At the end of this step you have defined your operational AI objectives and the controls that support them.

The following sections (Chapters 7 and 8) will focus on how to implement these actions and objectives and provide the necessary resources.

Next chapters: Chapters 7 and 8 - Resources and Operations

Chapters 7 and 8 focus on resources (Chapter 7: resources, skills, awareness, documentation) and operations (Chapter 8: lifecycle, implementation, monitoring). These two chapters will be covered together to illustrate how the plan should be implemented.

To systematically develop your risk analysis, your SoA, and your AI objectives, learn more about our ISO 42001 certification support services.
