iso42001-specialist

# ISO/IEC 42001 AI Management System Specialist
Internal-audit-grade operating skill for ISO/IEC 42001:2023. Three decisions, no executive AI strategy:

- Where are the AIMS gaps against Clauses 4–10? — coverage scoring per clause + remediation priority
- What's the AI risk register, and which controls treat each risk? — Annex A.2–A.10 control mapping per the ISO 23894 risk method
- What's the Clause 9.2 internal audit plan? — 12-month schedule with scope, frequency, auditor independence checks

This skill is NOT a `chief-ai-officer-advisor` replacement. CAIO decides whether to build/buy a model and what business risk to accept. This skill operates the management-system discipline that captures those decisions in audit-ready evidence.

This skill is NOT an EU AI Act compliance skill. ISO 42001 is a voluntary management-system standard; EU AI Act is binding product-safety regulation. They overlap (a high-risk AI system per Article 6(2) of the AI Act typically requires the QMS in Article 17, which ISO 42001 can satisfy in part) but the artefacts differ. See `compliance-team-eu-ai-act` for Article-level conformity assessment.

This skill is NOT a substitute for ISO 23894 + 38507. 42001 is the management system; 23894 is the AI risk methodology that feeds Clause 6.1; 38507 is the governance lens. The `ai_risk_register_builder.py` tool implements the 23894 process; treat the references as the methodology bridge.
## Keywords
ISO 42001, ISO/IEC 42001:2023, AI Management System, AIMS, AI governance, AI risk management, ISO 23894, AI risk assessment, ISO 38507, AI compliance, AI audit, internal audit AI, Annex A controls, AI risk register, AI policy, AI impact assessment, conformity declaration, AI lifecycle, AI risk treatment, NIST AI RMF, NIST AI Risk Management Framework, ISACA AI audit, BSI AIC4, AI assurance, responsible AI, AI ethics governance, AI system inventory, third-party AI risk, AI vendor management, AI change management, AI incident management
## Quick Start

```bash
# Decision A: AIMS gap analysis against Clauses 4-10
python scripts/aims_gap_analyzer.py                              # embedded sample (mid-stage AI SaaS)
python scripts/aims_gap_analyzer.py path/to/aims_evidence.json

# Decision B: AI risk register + Annex A control mapping
python scripts/ai_risk_register_builder.py                       # embedded 7-risk sample
python scripts/ai_risk_register_builder.py path/to/risks.json

# Decision C: Clause 9.2 internal audit 12-month plan
python scripts/aims_audit_scheduler.py                           # embedded 4-domain sample
python scripts/aims_audit_scheduler.py path/to/scope.json
```

## Key Questions (ask these first)
- Does the AIMS scope statement (Clause 4.3) name every AI system, including embedded models and third-party AI services? If "AI features added by our SaaS vendors" is not in scope, the AIMS is incomplete.
- Does the AI policy (Clause 5.2) commit to lawful use AND beneficial purpose AND human oversight AND continual improvement? Missing any of the four = nonconformity at certification.
- Has the AI risk assessment (Clause 6.1.2) been re-run since the last material model change? Concept drift is not a one-time event.
- Who signs the AI impact assessment for high-impact systems (Annex A.5.4)? If no signed accountability, the control is missing.
- What's the internal audit cadence (Clause 9.2)? ISO management-system standards expect ≥ once per 3-year cycle per clause; mature programs do annual.
- Is there a documented procedure for AI incidents (Annex A.9.3)? Untreated post-deployment monitoring is the #1 nonconformity in early adopters.
## Core Responsibilities

### 1. AIMS Gap Analysis (Clauses 4–10)
**The framework:** ISO 42001 follows the Annex SL high-level structure shared with ISO 9001 / 27001 / 13485. Clauses 4–10 are the management-system requirements; Annex A controls A.1–A.10 are the AI-specific operational controls.

| Clause | What it requires | Common gap |
|---|---|---|
| 4. Context | AI scope, interested parties, external context | Scope omits third-party AI services |
| 5. Leadership | AI policy, roles, accountability | Policy treats "AI ethics" as marketing copy, not commitment |
| 6. Planning | AI risk + impact assessment, objectives | Risk register doesn't link to controls |
| 7. Support | Resources, competence, awareness, documented info | Competence requirements undefined for ML engineers |
| 8. Operation | Operational planning, AI system lifecycle | Lifecycle stages not mapped to Annex A controls |
| 9. Performance | Monitoring, internal audit, management review | Drift monitoring exists in code but not in management review inputs |
| 10. Improvement | Nonconformity, corrective action, continual improvement | CAPA loop separate from existing 13485/9001 CAPA — duplication |
Run `aims_gap_analyzer.py` with an evidence inventory JSON to score each clause (full / partial / missing) and get a prioritized remediation list.

See `references/iso42001_clauses.md` for the full clause-by-clause walkthrough with audit evidence expectations.
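The scoring step the gap analyzer performs, as an added example (not the page's own `scripts/aims_gap_analyzer.py`): it takes an evidence inventory keyed by clause, rates each clause full / partial / missing, and orders the gaps for remediation. The evidence items expected per clause are an assumption derived from the "What it requires" column of the table above, the rule that the always-relevant clauses 4, 5, 9 and 10 are remediated first is an assumed prioritisation, and the inventory is constructed.

```python
"""Toy AIMS gap analyzer scoring Clauses 4-10 as full / partial / missing.

Added example, not the page's scripts/aims_gap_analyzer.py. The evidence
items expected per clause are an assumption derived from the "What it
requires" column of the clause table; the evidence inventory is constructed.
"""
import json

# Assumed evidence expectations per clause (derived from the clause table;
# not the standard's normative wording).
CLAUSE_EVIDENCE = {
    "4": ("scope_statement", "interested_parties", "external_context"),
    "5": ("ai_policy", "roles", "accountability"),
    "6": ("ai_risk_assessment", "ai_impact_assessment", "ai_objectives"),
    "7": ("resources", "competence", "awareness", "documented_info"),
    "8": ("operational_planning", "ai_lifecycle"),
    "9": ("monitoring", "internal_audit", "management_review"),
    "10": ("nonconformity", "corrective_action", "continual_improvement"),
}

# Clauses whose gaps are remediated first: the "always relevant" clauses that
# the annual full-system audit covers (assumed prioritisation rule).
FOUNDATION_CLAUSES = ("4", "5", "9", "10")


def score_clause(required, present):
    """Return (status, missing_items) for one clause."""
    missing = [item for item in required if item not in present]
    if not missing:
        return "full", missing
    if len(missing) == len(required):
        return "missing", missing
    return "partial", missing


def analyze(evidence):
    """evidence maps clause number -> list of evidence items that exist as records.

    Returns {clause: {"status", "missing", "coverage"}} for every clause.
    """
    report = {}
    for clause, required in CLAUSE_EVIDENCE.items():
        status, missing = score_clause(required, set(evidence.get(clause, [])))
        report[clause] = {
            "status": status,
            "missing": missing,
            "coverage": round(1 - len(missing) / len(required), 2),
        }
    return report


def remediation_priority(report):
    """Order gaps: missing before partial, foundation clauses first, then by clause number."""
    rank = {"missing": 0, "partial": 1}
    gaps = [c for c, r in report.items() if r["status"] != "full"]
    return sorted(
        gaps,
        key=lambda c: (rank[report[c]["status"]], c not in FOUNDATION_CLAUSES, int(c)),
    )


# Constructed evidence inventory for a hypothetical mid-stage AI SaaS.
SAMPLE_EVIDENCE = json.loads("""{
  "4": ["scope_statement", "interested_parties"],
  "5": ["ai_policy", "roles", "accountability"],
  "6": ["ai_risk_assessment"],
  "7": ["resources", "documented_info"],
  "8": ["operational_planning", "ai_lifecycle"],
  "9": ["monitoring"],
  "10": []
}""")

if __name__ == "__main__":
    report = analyze(SAMPLE_EVIDENCE)
    for clause in remediation_priority(report):
        r = report[clause]
        print(f"Clause {clause:>2}: {r['status']:<7} coverage={r['coverage']:.2f} "
              f"missing={', '.join(r['missing']) or '-'}")
```

The evidence inventory names record types, not documents: a clause counts as "full" only when every expected record type exists, which is what a stage 1 auditor samples for. Clause 10 lands first in the constructed run because no CAPA record exists at all, ahead of the partial Clause 4 scope gap.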
### 2. AI Risk Register + Annex A Control Mapping
**The framework:** Clause 6.1.2 requires AI risk assessment; Clause 6.1.3 requires risk treatment. Annex A provides 38 controls organized into 10 control categories (A.2–A.10). The risk register must show each identified risk linked to ≥ 1 control that treats it.

Annex A control categories (the 10):

| ID | Category | Example controls |
|---|---|---|
| A.2 | AI policy | A.2.2 AI policy, A.2.3 alignment with other policies |
| A.3 | Internal organization | A.3.2 AI roles & responsibilities, A.3.3 reporting concerns |
| A.4 | Resources for AI systems | A.4.2 data resources, A.4.3 tooling, A.4.4 human resources |
| A.5 | Assessing impacts | A.5.2 AI system impact assessment, A.5.4 documentation of impact assessment |
| A.6 | AI system lifecycle | A.6.2.2 objectives, A.6.2.3 lifecycle phases, A.6.2.4 verification & validation |
| A.7 | Data for AI systems | A.7.2 data management, A.7.3 data quality, A.7.4 data provenance, A.7.5 data preparation |
| A.8 | Information for interested parties | A.8.2 system documentation, A.8.3 user information, A.8.4 communication of incidents |
| A.9 | Use of AI systems | A.9.2 intended use, A.9.3 monitoring of operation, A.9.4 logging of system events |
| A.10 | Third-party & customer relationships | A.10.2 supplier relationships, A.10.3 customer relationships |
ISO/IEC 23894:2023 provides the AI-specific risk-management process (the methodology); 42001 Annex A provides the controls. The risk register is the bridge.
Run `ai_risk_register_builder.py` with an identified-risks JSON to produce a structured register with mapped controls + residual-risk verdict per ISO 23894 risk-treatment options.

See `references/aims_controls_annex_a.md` for the full 38-control catalogue with audit evidence per control.
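The validation the register builder has to do, as an added example (not the page's own `scripts/ai_risk_register_builder.py`): each risk is captured with source, event, consequence, likelihood and impact, every mapped control ID is checked against the Annex A catalogue, and a verdict is derived from the residual score and the treatment decision. The control IDs are the ones listed in the category table above; the 1–5 scoring scale, the level bands, the risk-appetite threshold and the treatment-option names are assumptions, and the three risks are constructed.

```python
"""Toy AI risk register builder with Annex A control mapping and residual-risk verdict.

Added example, not the page's scripts/ai_risk_register_builder.py. The control
IDs are those listed in the Annex A category table above; the 1-5 scoring scale,
the level bands, the risk-appetite threshold and the treatment-option names are
assumptions, and the three risks are constructed.
"""
import json

# Annex A control IDs from the category table (a subset of the 38 controls).
ANNEX_A_CONTROLS = {
    "A.2.2", "A.2.3", "A.3.2", "A.3.3", "A.4.2", "A.4.3", "A.4.4",
    "A.5.2", "A.5.4", "A.6.2.2", "A.6.2.3", "A.6.2.4",
    "A.7.2", "A.7.3", "A.7.4", "A.7.5", "A.8.2", "A.8.3", "A.8.4",
    "A.9.2", "A.9.3", "A.9.4", "A.10.2", "A.10.3",
}
TREATMENTS = {"mitigate", "avoid", "transfer", "tolerate"}  # assumed option names
APPETITE = 6  # assumed: residual likelihood x impact above this still needs action


def rate(likelihood, impact):
    """Band a 1-5 x 1-5 score into a risk level (assumed banding)."""
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def build_entry(risk):
    """Validate one risk dict and return a register row with findings and a verdict."""
    findings = []
    controls = risk.get("controls", [])
    unknown = [c for c in controls if c not in ANNEX_A_CONTROLS]
    if unknown:
        findings.append(f"unknown control id(s): {unknown}")
    valid = [c for c in controls if c in ANNEX_A_CONTROLS]
    if not valid:
        # Clause 6.1.3: every risk must be linked to at least one treating control.
        findings.append("no Annex A control treats this risk")
    treatment = risk.get("treatment")
    if treatment not in TREATMENTS:
        findings.append(f"treatment must be one of {sorted(TREATMENTS)}")
    # Residual scores are the risk owner's post-treatment estimate; default to inherent.
    residual = (risk.get("residual_likelihood", risk["likelihood"])
                * risk.get("residual_impact", risk["impact"]))
    if treatment == "tolerate" and not risk.get("signoff"):
        findings.append("tolerated risk lacks management signoff")
    if treatment == "tolerate" and residual > APPETITE:
        findings.append("residual above appetite: tolerate needs CAIO-level acceptance")
    if findings:
        verdict = "open"
    elif residual > APPETITE:
        verdict = "treat_further"
    else:
        verdict = "accepted"
    return {
        "id": risk["id"], "event": risk["event"],
        "inherent": rate(risk["likelihood"], risk["impact"]),
        "controls": valid, "treatment": treatment, "residual": residual,
        "verdict": verdict, "findings": findings,
    }


def build_register(risks):
    """Build the register; rows keep the input order so IDs stay stable."""
    return [build_entry(r) for r in risks]


# Constructed identified-risks input (the fields Workflow 2 step 2 names).
SAMPLE_RISKS = json.loads("""[
  {"id": "R1", "source": "training data", "event": "label drift after vendor dataset refresh",
   "consequence": "biased outputs", "likelihood": 4, "impact": 4,
   "controls": ["A.7.3", "A.7.4", "A.9.3"], "treatment": "mitigate",
   "residual_likelihood": 2, "residual_impact": 3},
  {"id": "R2", "source": "third-party model API", "event": "provider swaps model version without notice",
   "consequence": "unvalidated behaviour in production", "likelihood": 3, "impact": 5,
   "controls": ["A.10.2", "A.6.2.4"], "treatment": "tolerate"},
  {"id": "R3", "source": "deployment", "event": "automated decisions are not logged",
   "consequence": "incidents cannot be reconstructed", "likelihood": 5, "impact": 3,
   "controls": ["A.99.1"], "treatment": "mitigate"}
]""")

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['id']} {row['inherent']:<8} residual={row['residual']:<2} "
              f"{row['verdict']:<13} {'; '.join(row['findings']) or 'ok'}")
```

Two of the three constructed rows stay "open" for reasons an auditor looks for first: R2 is tolerated without signoff and above appetite, and R3 cites a control ID that is not in Annex A, which leaves it with no valid treatment at all.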
### 3. Clause 9.2 Internal Audit Plan
**The framework:** Clause 9.2 requires "internal audits at planned intervals to provide information on whether the AIMS conforms to the organization's requirements and is effectively implemented and maintained." That's the management-system requirement; the how often and how deep are organizational choices.

**Mature-program defaults:**
- Cover every clause + every applicable Annex A control over a 3-year cycle (rolling)
- Annual full-system audit covering Clauses 4, 5, 9, 10 (the "always relevant" clauses)
- Quarterly or semi-annual deep dives on Clauses 6, 7, 8 by domain (per AI system or per lifecycle phase)
- Auditor independence: nobody audits their own work; A.6 lifecycle owner cannot audit Clause 8 operation
Run `aims_audit_scheduler.py` with a scope JSON (AI systems in scope, prior-year findings, certification cycle phase) to produce a 12-month plan with auditor assignments and independence checks.

See `references/aims_implementation_guide.md` for the maturity model and rollout sequencing (year 1 establish, year 2 certify, year 3+ continual improvement).
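The mature-program defaults above turned into a scheduler, as an added example (not the page's own `scripts/aims_audit_scheduler.py`): an annual full-system audit of Clauses 4, 5, 9 and 10, per-domain deep dives on Clauses 6, 7 and 8, an auditor picked so that nobody audits their own work, and a rolling 3-year coverage check against every clause and applicable Annex A control. It goes slightly beyond the page in that `check_independence` also validates a plan built by hand. The scope JSON layout, the quarter months, the controls bundled into the full-system audit, the auditor names and the prior-year coverage are constructed assumptions.

```python
"""Toy Clause 9.2 internal audit scheduler with independence and 3-year coverage checks.

Added example, not the page's scripts/aims_audit_scheduler.py. The scheduling
rules are the mature-program defaults above; the scope JSON layout, the quarter
months, the auditor names and the prior-year coverage are constructed assumptions.
"""
import json

CLAUSES = ["4", "5", "6", "7", "8", "9", "10"]
ALWAYS_RELEVANT = ["4", "5", "9", "10"]   # annual full-system audit
DEEP_DIVE = ["6", "7", "8"]               # per-domain deep dives
QUARTER_MONTHS = [2, 5, 8, 11]            # assumed: one deep-dive slot per quarter
# Assumed: policy and internal-organisation controls are audited with the full-system audit.
FULL_SYSTEM_CONTROLS = ["A.2.2", "A.2.3", "A.3.2", "A.3.3"]


def pick_auditor(auditors, owner):
    """Independence: nobody audits their own work, so skip the owner of the audited domain."""
    for auditor in auditors:
        if auditor != owner:
            return auditor
    raise ValueError(f"no auditor independent of {owner}")


def build_plan(scope):
    """Return the 12-month engagement list, sorted by month."""
    auditors = scope["auditors"]
    plan = [{
        "month": 1, "scope": "full-system", "clauses": ALWAYS_RELEVANT,
        "controls": FULL_SYSTEM_CONTROLS,
        "auditor": pick_auditor(auditors, scope["aims_owner"]),
    }]
    # Domains with findings from last year take the earliest deep-dive slots.
    flagged = {f["domain"] for f in scope.get("prior_findings", [])}
    domains = sorted(scope["domains"], key=lambda d: (d["name"] not in flagged, d["name"]))
    for i, d in enumerate(domains):
        plan.append({
            "month": QUARTER_MONTHS[i % len(QUARTER_MONTHS)], "scope": d["name"],
            "clauses": DEEP_DIVE, "controls": d["controls"],
            "auditor": pick_auditor(auditors, d["owner"]),
        })
    return sorted(plan, key=lambda e: e["month"])


def check_independence(plan, scope):
    """Flag (scope, auditor) pairs where the auditor owns the work being audited."""
    owners = {d["name"]: d["owner"] for d in scope["domains"]}
    owners["full-system"] = scope["aims_owner"]
    return [(e["scope"], e["auditor"]) for e in plan if owners.get(e["scope"]) == e["auditor"]]


def rolling_coverage(plan, scope):
    """Union this plan with the prior two years and report what the 3-year cycle still misses."""
    clauses, controls = set(), set()
    for year in scope.get("prior_two_years", []) + plan:
        clauses.update(year["clauses"])
        controls.update(year["controls"])
    return {
        "missing_clauses": [c for c in CLAUSES if c not in clauses],
        "missing_controls": [c for c in scope["applicable_controls"] if c not in controls],
    }


# Constructed scope for a hypothetical year-2 programme with four AI domains.
SAMPLE_SCOPE = json.loads("""{
  "cycle_year": 2,
  "aims_owner": "alice",
  "auditors": ["alice", "bob", "carol"],
  "applicable_controls": ["A.2.2", "A.2.3", "A.3.2", "A.3.3", "A.5.2", "A.5.4",
                          "A.6.2.2", "A.6.2.3", "A.6.2.4", "A.7.2", "A.7.3", "A.7.4",
                          "A.8.2", "A.8.3", "A.9.2", "A.9.3", "A.9.4", "A.10.2", "A.10.3"],
  "domains": [
    {"name": "credit-scoring-model", "owner": "alice",
     "controls": ["A.6.2.2", "A.6.2.3", "A.6.2.4", "A.7.2", "A.7.3", "A.9.3"]},
    {"name": "support-chatbot", "owner": "bob", "controls": ["A.8.3", "A.9.2", "A.9.4", "A.10.2"]},
    {"name": "vendor-ai-features", "owner": "carol", "controls": ["A.8.2", "A.10.2", "A.10.3"]},
    {"name": "data-pipeline", "owner": "bob", "controls": ["A.7.2", "A.7.3", "A.7.4"]}
  ],
  "prior_findings": [{"domain": "support-chatbot", "clause": "8"}],
  "prior_two_years": [{"clauses": ["4", "5", "9", "10"],
                       "controls": ["A.2.2", "A.2.3", "A.3.2", "A.5.4"]}]
}""")

if __name__ == "__main__":
    plan = build_plan(SAMPLE_SCOPE)
    for e in plan:
        print(f"month {e['month']:>2}  {e['scope']:<20} clauses={','.join(e['clauses'])}  auditor={e['auditor']}")
    print("independence violations:", check_independence(plan, SAMPLE_SCOPE))
    print("3-year cycle gaps:", rolling_coverage(plan, SAMPLE_SCOPE))
```

The coverage check is the part worth keeping even if the scheduling is done by hand: in the constructed scope, no domain owns A.5.2 (AI system impact assessment), so the rolling cycle would finish without ever auditing it, and the plan has to be amended before it goes to management review.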
## Workflows

### Workflow 1: AIMS Gap Closure for Certification (4–8 weeks)

**Goal:** Identify gaps; prioritize remediation; close before stage 1 certification audit.

```bash
# 1. Inventory current AIMS evidence (policies, procedures, records)
python scripts/aims_gap_analyzer.py aims_evidence.json
# 2. Review gap matrix; group by clause
# 3. For each gap, identify owner + due date (target: close before stage 1)
# 4. Cross-check against ISO 27001 / 13485 existing artifacts — many can be reused
# 5. Cross-check against EU AI Act obligations (use compliance-team-eu-ai-act)
# 6. Output: prioritized remediation plan with owners + dates
```

### Workflow 2: AI Risk Register Build (1–2 weeks)
**Goal:** Construct the Clause 6.1.2 risk register with full Annex A control coverage.

```bash
# 1. Run ISO 23894 risk identification across AI lifecycle (data, model, deployment, decommission)
# 2. Capture each risk with: source, event, consequence, likelihood, impact
python scripts/ai_risk_register_builder.py risks.json
# 3. For each high/critical risk, confirm ≥ 1 Annex A control is selected as treatment
# 4. Document residual risk acceptance with management signoff
# 5. Cross-check with cs-caio-advisor on executive risk acceptance for "tolerate" decisions
# 6. Log via management review (Clause 9.3)
```

### Workflow 3: Annual Internal Audit Plan (1 day)
**Goal:** Produce the 12-month Clause 9.2 plan with auditor independence.

```bash
# 1. Pull last year's audit findings and certification cycle status (year 1/2/3)
python scripts/aims_audit_scheduler.py audit_scope.json
# 2. Confirm auditor independence per assignment
# 3. Confirm coverage hits every clause and every applicable Annex A control over rolling 3 years
# 4. Submit plan for management review approval (Clause 9.3 input)
```

### Workflow 4: Cross-Framework Reuse Mapping (per system onboarded)
**Goal:** When adding a new AI system, map ISO 42001 evidence against existing 27001 + 13485 evidence to avoid duplication.

- Pull existing ISO 27001 Annex A controls + ISO 13485 procedures relevant to the system
- For each ISO 42001 Annex A control, identify whether an existing artifact already satisfies it (e.g., 27001 A.8.16 monitoring activities can extend to AI system monitoring)
- Add the AI-specific overlay only where the existing control doesn't cover it
- Document mapping in the AIMS scope statement (Clause 4.3)

## Output Standards
**Bottom Line:** [one sentence — gap severity + the one thing to close first]
**The Decision:** [one of: gap-closure | risk-treatment | audit-scope]
**The Evidence:** [clause numbers + control IDs from the tool, not adjectives]
**How to Act:** [3 concrete next steps with owners + dates]
**Your Decision:** [the call only the compliance officer or CAIO can make — risk acceptance, scope expansion, certification readiness]

## Adjacent Skills
- [information-security-manager-iso27001](../../skills/information-security-manager-iso27001/) — ISO 27001 ISMS implementation (many controls reusable for AIMS A.7 data controls)
- [quality-manager-qms-iso13485](../../skills/quality-manager-qms-iso13485/) — ISO 13485 QMS (provides CAPA + management-review machinery the AIMS reuses)
- [gdpr-dsgvo-expert](../../skills/gdpr-dsgvo-expert/) — GDPR DPIA process (input to AIMS A.5 impact assessment for personal-data systems)
- [isms-audit-expert](../../skills/isms-audit-expert/) — ISO 27001 internal audit pattern (the audit scheduler mirrors this for AIMS)
- [soc2-compliance](../../skills/soc2-compliance/) — SOC 2 trust services (reusable controls for AIMS A.10 third-party relationships)
- [compliance-team-eu-ai-act](../../../compliance-team-eu-ai-act/) — EU AI Act Article-level compliance (binding regulation companion to voluntary 42001)
- [compliance-os](../../../../compliance-os/) — Meta-orchestrator for multi-framework programs (run AIMS as one framework among 9)
- [chief-ai-officer-advisor](../../../../c-level-advisor/chief-ai-officer-advisor/) — Executive AI strategy (build-vs-buy, cost economics — different audience)
## References
- iso42001_clauses.md — Clauses 4–10 walkthrough with audit evidence expectations, common gaps, and reusable artifacts from ISO 27001/13485
- aims_controls_annex_a.md — All 38 Annex A controls (A.2–A.10) with implementation guidance, audit evidence, and severity of failure
- aims_implementation_guide.md — 3-year maturity model (establish → certify → continually improve), rollout sequencing, integration with existing ISMS/QMS programs
- cross_framework_mapping_ai.md — ISO 42001 ↔ EU AI Act ↔ NIST AI RMF ↔ ISO 23894 ↔ ISO 38507 ↔ ISO 27001 control-level mapping with mapping-confidence ratings
Version: 1.0.0
Status: Production Ready