iso42001-ai-management

ISO 42001 AI Management System

Tools and guidance for ISO/IEC 42001:2023 — the first international standard for AI Management Systems (AIMS).

Table of Contents

Tools

AIMS Readiness Checker

Assesses organizational readiness against all ISO 42001 clauses and Annex A controls. Scores each clause on a 0-100 scale and identifies gaps for certification preparation.

```bash
# Assess readiness from a JSON profile
python scripts/aims_readiness_checker.py --input org_profile.json

# Generate a blank input template
python scripts/aims_readiness_checker.py --template > org_profile.json

# JSON output for automation
python scripts/aims_readiness_checker.py --input org_profile.json --json

# Export report to file
python scripts/aims_readiness_checker.py --input org_profile.json --output report.json
```

**Assessment Areas:**

| Clause | Area | Key Checks |
|--------|------|-----------|
| Clause 4 | Context | Scope defined, interested parties, AIMS boundaries |
| Clause 5 | Leadership | AI policy, governance structure, management commitment |
| Clause 6 | Planning | Risk assessment methodology, AI objectives, impact assessments |
| Clause 7 | Support | Resources, competence, awareness, documentation |
| Clause 8 | Operation | AI lifecycle, data management, risk treatment, third-party controls |
| Clause 9 | Performance | Monitoring, internal audit, management review |
| Clause 10 | Improvement | Corrective actions, continual improvement, incident management |
| Annex A | Controls | A.2-A.10 control implementation status |

**Output:**
- Overall readiness score (0-100)
- Per-clause scores with maturity level (Initial/Developing/Defined/Managed/Optimized)
- Annex A control implementation status (Implemented/Partial/Not Implemented/Not Applicable)
- Gap analysis with prioritized recommendations
- Certification readiness assessment (Ready/Near Ready/Significant Gaps)
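
The scoring the checker performs can be illustrated with a small scorer over the same clause checks and Annex A statuses. The block below is an added example and not the repository's `aims_readiness_checker.py`; the check names, the equal weighting of clauses and Annex A, the maturity band edges and the Ready/Near Ready/Significant Gaps thresholds are assumptions, and the sample profile is constructed.

```python
"""Illustrative readiness scorer (added example, not the repository's script).
Check names, weights, maturity bands and readiness thresholds are assumptions
chosen to mirror the Assessment Areas and Output lists above."""
import json
from typing import Dict, List

# Key checks per clause, following the Assessment Areas table (assumed keys).
CLAUSE_CHECKS: Dict[str, List[str]] = {
    "clause_4": ["scope_defined", "interested_parties", "aims_boundaries"],
    "clause_5": ["ai_policy", "governance_structure", "management_commitment"],
    "clause_6": ["risk_methodology", "ai_objectives", "impact_assessments"],
    "clause_7": ["resources", "competence", "awareness", "documentation"],
    "clause_8": ["ai_lifecycle", "data_management", "risk_treatment", "third_party_controls"],
    "clause_9": ["monitoring", "internal_audit", "management_review"],
    "clause_10": ["corrective_actions", "continual_improvement", "incident_management"],
}
# Credit per Annex A control status (assumed weights); Not Applicable is excluded.
CONTROL_CREDIT = {"Implemented": 1.0, "Partial": 0.5, "Not Implemented": 0.0}

# Constructed sample profile in the JSON shape the scorer expects (assumed layout).
SAMPLE_PROFILE_JSON = """{
  "clause_4": {"scope_defined": true, "interested_parties": true, "aims_boundaries": true},
  "clause_5": {"ai_policy": true, "governance_structure": false, "management_commitment": true},
  "clause_6": {"risk_methodology": true, "ai_objectives": false, "impact_assessments": false},
  "clause_7": {"resources": true, "competence": true, "awareness": false, "documentation": true},
  "clause_8": {"ai_lifecycle": false, "data_management": true, "risk_treatment": false,
               "third_party_controls": false},
  "clause_9": {"monitoring": true, "internal_audit": false, "management_review": false},
  "clause_10": {"corrective_actions": true, "continual_improvement": true,
                "incident_management": false},
  "annex_a": {"A.2": "Implemented", "A.3": "Implemented", "A.4": "Partial",
              "A.5": "Not Implemented", "A.6": "Partial", "A.7": "Implemented",
              "A.8": "Partial", "A.9": "Not Applicable", "A.10": "Not Implemented"}
}"""


def maturity(score: int) -> str:
    """Map a 0-100 clause score to a maturity level (assumed band edges)."""
    for limit, level in ((20, "Initial"), (40, "Developing"), (60, "Defined"), (80, "Managed")):
        if score < limit:
            return level
    return "Optimized"


def score_annex_a(controls: Dict[str, str]) -> int:
    """Percentage credit across applicable Annex A controls; unknown statuses are rejected."""
    applicable = {c: s for c, s in controls.items() if s != "Not Applicable"}
    for control, status in applicable.items():
        if status not in CONTROL_CREDIT:
            raise ValueError(f"{control}: unknown status {status!r}")
    if not applicable:
        return 0
    return round(100 * sum(CONTROL_CREDIT[s] for s in applicable.values()) / len(applicable))


def readiness(profile: dict) -> dict:
    """Score each clause, Annex A and the whole profile; list gaps weakest clause first."""
    clause_scores, gaps = {}, []
    for clause, checks in CLAUSE_CHECKS.items():
        answers = profile.get(clause, {})
        met = [c for c in checks if answers.get(c) is True]
        clause_scores[clause] = round(100 * len(met) / len(checks))
        gaps += [(clause, c) for c in checks if c not in met]
    annex_score = score_annex_a(profile.get("annex_a", {}))
    # Overall: clauses 4-10 and Annex A weighted equally (assumption).
    overall = round((sum(clause_scores.values()) + annex_score) / (len(clause_scores) + 1))
    verdict = "Ready" if overall >= 80 else "Near Ready" if overall >= 60 else "Significant Gaps"
    gaps.sort(key=lambda g: (clause_scores[g[0]], g[0], g[1]))  # weakest clause first
    return {
        "overall": overall,
        "verdict": verdict,
        "clauses": {c: {"score": s, "maturity": maturity(s)} for c, s in clause_scores.items()},
        "annex_a_score": annex_score,
        "gaps": [f"{clause}: {check}" for clause, check in gaps],
    }


def assess_sample() -> dict:
    """Run the scorer over the constructed sample profile."""
    return readiness(json.loads(SAMPLE_PROFILE_JSON))
```

Note that a control marked Not Applicable drops out of the denominator rather than counting as a gap, so the Statement of Applicability justification for each exclusion is what an auditor will look for.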

---

AI Impact Assessor

Generates comprehensive AI impact assessments evaluating fairness, transparency, safety, privacy, and security dimensions. Maps impacts to interested parties and provides risk treatment recommendations.

```bash
# Assess an AI system from a JSON description
python scripts/ai_impact_assessor.py --input ai_system.json

# Generate a blank input template
python scripts/ai_impact_assessor.py --template > ai_system.json

# Export assessment report
python scripts/ai_impact_assessor.py --input ai_system.json --output assessment.json

# Generate markdown report
python scripts/ai_impact_assessor.py --input ai_system.json --format markdown --output assessment.md
```

**Assessment Dimensions:**

| Dimension | Evaluates | Key Factors |
|-----------|----------|-------------|
| Fairness | Bias, discrimination, equity | Training data diversity, protected attributes, outcome parity |
| Transparency | Explainability, interpretability | Model complexity, decision documentation, user disclosure |
| Safety | Reliability, robustness, harm prevention | Failure modes, edge cases, human oversight, fallback mechanisms |
| Privacy | Data protection, consent, minimization | PI processing, consent mechanisms, data retention, anonymization |
| Security | Adversarial resilience, access control | Attack vectors, model integrity, access management, audit logging |
| Accountability | Governance, responsibility, auditability | Decision ownership, audit trails, escalation procedures |

**Features:**
- Risk scoring per dimension (Low/Medium/High/Critical)
- Interested party impact mapping (users, affected individuals, society, regulators)
- Risk treatment options (Avoid, Mitigate, Transfer, Accept)
- Regulatory mapping (EU AI Act risk tier, ISO 42001 Annex A controls)
- Residual risk calculation after treatment
- Markdown and JSON report generation
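
The per-dimension risk scoring and the residual risk calculation after treatment can be shown with a small model. The block below is an added example and not the repository's `ai_impact_assessor.py`; the 1-5 likelihood/impact grid, the Low/Medium/High/Critical band edges and the effect assigned to each of Avoid, Mitigate, Transfer and Accept are assumptions, and the sample system is constructed.

```python
"""Illustrative dimension scoring and residual risk after treatment (added
example, not the repository's script). Grid, bands and treatment semantics
are assumptions."""
from typing import Dict, Tuple

DIMENSIONS = ("fairness", "transparency", "safety", "privacy", "security", "accountability")


def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (each 1-5) to Low/Medium/High/Critical (assumed bands)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1-5")
    product = likelihood * impact
    if product >= 20:
        return "Critical"
    if product >= 12:
        return "High"
    if product >= 6:
        return "Medium"
    return "Low"


def treat(likelihood: int, impact: int, option: str, effectiveness: float = 0.0) -> Tuple[int, int]:
    """Residual (likelihood, impact) for one treatment option (assumed semantics).

    Avoid: the risky activity is removed, so residual risk falls to the floor.
    Mitigate: controls cut likelihood in proportion to their effectiveness (0-1).
    Transfer: contractual or insurance transfer lowers impact to the organisation by one step.
    Accept: unchanged, which is why acceptance decisions must be documented with an owner.
    """
    if option == "Avoid":
        return 1, 1
    if option == "Mitigate":
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")
        return max(1, round(likelihood * (1 - effectiveness))), impact
    if option == "Transfer":
        return likelihood, max(1, impact - 1)
    if option == "Accept":
        return likelihood, impact
    raise ValueError(f"unknown treatment option {option!r}")


def assess(system: Dict[str, dict]) -> Dict[str, dict]:
    """Score every dimension before and after treatment; flag residuals still High/Critical."""
    report = {}
    for dim in DIMENSIONS:
        entry = system.get(dim)
        if entry is None:
            raise ValueError(f"missing dimension {dim!r}")
        inherent = risk_level(entry["likelihood"], entry["impact"])
        lik, imp = treat(entry["likelihood"], entry["impact"], entry["treatment"],
                         entry.get("effectiveness", 0.0))
        residual = risk_level(lik, imp)
        report[dim] = {
            "inherent": inherent,
            "treatment": entry["treatment"],
            "residual": residual,
            # Residual High/Critical needs an explicit, documented acceptance decision.
            "needs_acceptance": residual in ("High", "Critical"),
        }
    return report


# Constructed example system; all values are illustrative.
SAMPLE_SYSTEM = {
    "fairness": {"likelihood": 2, "impact": 3, "treatment": "Accept"},
    "transparency": {"likelihood": 3, "impact": 2, "treatment": "Mitigate", "effectiveness": 0.3},
    "safety": {"likelihood": 5, "impact": 5, "treatment": "Avoid"},
    "privacy": {"likelihood": 3, "impact": 4, "treatment": "Transfer"},
    "security": {"likelihood": 4, "impact": 5, "treatment": "Mitigate", "effectiveness": 0.5},
    "accountability": {"likelihood": 4, "impact": 4, "treatment": "Mitigate", "effectiveness": 0.2},
}


def assess_sample() -> Dict[str, dict]:
    """Assess the constructed sample system."""
    return assess(SAMPLE_SYSTEM)
```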

---

Reference Guides

ISO 42001 Clause Guide

references/iso42001-clause-guide.md
Comprehensive clause-by-clause guidance:
  • All clauses (4-10) with requirements and implementation steps
  • Annex A controls (A.2-A.10) detailed with evidence requirements
  • Audit questions per clause for internal audit preparation
  • Common nonconformity findings and how to avoid them
  • Required documented information per clause
  • Cross-references to ISO 27001, ISO 9001, and EU AI Act

AI Lifecycle Management

references/ai-lifecycle-management.md
End-to-end AI system lifecycle guidance:
  • Lifecycle stages: design, development, testing, deployment, monitoring, retirement
  • Design and development controls (requirements, architecture, coding standards)
  • Testing and validation requirements (functional, bias, robustness, performance)
  • Deployment procedures (staging, canary, rollback, approval gates)
  • Monitoring and maintenance (drift detection, performance degradation, retraining)
  • Retirement and decommissioning (data disposal, model archival, stakeholder notification)
  • Data management across lifecycle (quality, provenance, bias assessment, lineage)
  • Model versioning and change management (version control, change impact, approval workflows)


Workflows

Workflow 1: ISO 42001 Readiness Assessment

Step 1: Define AIMS scope
        → Identify AI systems in scope
        → Determine organizational boundaries
        → Document interested parties and requirements

Step 2: Generate assessment template
        → python scripts/aims_readiness_checker.py --template > org_profile.json
        → Fill in organizational details and current state

Step 3: Run readiness assessment
        → python scripts/aims_readiness_checker.py --input org_profile.json

Step 4: Review results
        → Address critical gaps (Clauses 5, 6, 8 typically weakest)
        → Prioritize Annex A controls by risk
        → Develop remediation roadmap

Step 5: Conduct AI impact assessments
        → python scripts/ai_impact_assessor.py --template > ai_system.json
        → Assess each in-scope AI system
        → python scripts/ai_impact_assessor.py --input ai_system.json

Step 6: Plan implementation
        → See references/iso42001-clause-guide.md for requirements
        → See references/ai-lifecycle-management.md for operational controls

Workflow 2: AI System Impact Assessment

Step 1: Identify AI system for assessment
        → Document system purpose, inputs, outputs, and decisions
        → Identify affected individuals and groups

Step 2: Generate assessment template
        → python scripts/ai_impact_assessor.py --template > ai_system.json
        → Complete all sections (model details, data sources, deployment context)

Step 3: Conduct assessment
        → python scripts/ai_impact_assessor.py --input ai_system.json --format markdown --output report.md

Step 4: Review dimension scores
        → Fairness: check for bias in training data and outcomes
        → Transparency: verify explainability mechanisms
        → Safety: validate failure modes and human oversight
        → Privacy: confirm data protection measures
        → Security: assess adversarial resilience

Step 5: Implement risk treatments
        → Apply recommended mitigations per dimension
        → Document residual risk acceptance decisions
        → Assign treatment owners and timelines

Step 6: Monitor and review
        → Schedule periodic reassessment (quarterly minimum)
        → Track treatment implementation progress
        → Update assessment when system changes materially

Workflow 3: AIMS Certification Preparation

Step 1: Gap analysis
        → python scripts/aims_readiness_checker.py --input org_profile.json
        → Target overall score of 80+ for certification readiness

Step 2: Document AIMS
        → AI policy (Clause 5.2)
        → AIMS scope (Clause 4.3)
        → Risk assessment methodology (Clause 6.1)
        → Statement of Applicability for Annex A controls
        → AI objectives (Clause 6.2)

Step 3: Implement operational controls
        → AI lifecycle procedures (Clause 8)
        → Data management processes (Annex A.7)
        → Third-party management (Annex A.10)
        → Impact assessments for all AI systems (Annex A.5)

Step 4: Conduct internal audit
        → Use references/iso42001-clause-guide.md audit questions
        → Document findings and corrective actions
        → Verify closure of nonconformities

Step 5: Management review
        → Present AIMS performance to top management
        → Review AI objectives achievement
        → Obtain commitment for continual improvement

Step 6: Stage 1 and Stage 2 audits
        → Stage 1: Documentation review (readiness check)
        → Stage 2: Implementation effectiveness audit
        → Address any nonconformities from audit

Standard Overview

ISO 42001:2023 Overview

ISO/IEC 42001:2023 is the world's first international standard for AI Management Systems (AIMS). Published in December 2023, it provides a framework for organizations to responsibly develop, provide, and use AI systems. The standard follows the ISO Harmonized Structure (Annex SL) for management system standards, enabling integration with ISO 27001, ISO 9001, and ISO 14001.
Key Characteristics:
  • Certifiable management system standard
  • Technology-neutral (applies to any AI approach)
  • Risk-based approach to AI governance
  • PDCA (Plan-Do-Check-Act) cycle
  • Applicable to organizations of any size and sector

AIMS Framework (Plan-Do-Check-Act)

Context of the Organization (Clause 4)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Organization context | 4.1 | Internal/external issues relevant to AI objectives |
| Interested parties | 4.2 | Stakeholders, their requirements, and expectations |
| AIMS scope | 4.3 | Boundaries and applicability of the AIMS |
| AIMS establishment | 4.4 | Establish, implement, maintain, and improve the AIMS |

Leadership (Clause 5)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Leadership commitment | 5.1 | Top management demonstrates commitment to AIMS |
| AI policy | 5.2 | Responsible AI principles, ethical guidelines, organizational values |
| Roles and responsibilities | 5.3 | Clear assignment of AIMS roles, authority, and accountability |

AI Policy Must Include:
  • Commitment to responsible AI development and use
  • Ethical principles guiding AI decisions
  • Alignment with applicable legal and regulatory requirements
  • Commitment to continual improvement of the AIMS
  • Framework for setting AI objectives
AI Governance Structure:
  • AI governance board or committee
  • AI system owners with defined accountability
  • Data stewards for AI data management
  • Ethics review function
  • Incident response roles

Planning (Clause 6)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Risks and opportunities | 6.1 | Actions to address AI-specific risks and opportunities |
| AI risk assessment | 6.1.2 | Methodology for identifying and evaluating AI risks |
| AI objectives | 6.2 | Measurable objectives for responsible AI |
| Impact assessment | 6.1.4 | Assessment of AI system impacts on individuals and society |

AI Risk Assessment Must Cover:
  • Fairness and non-discrimination risks
  • Transparency and explainability gaps
  • Safety and reliability concerns
  • Privacy and data protection risks
  • Security vulnerabilities
  • Accountability gaps
  • Societal and environmental impacts

Support (Clause 7)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Resources | 7.1 | Compute, data, expertise, and infrastructure |
| Competence | 7.2 | Required skills for AI roles, training plans |
| Awareness | 7.3 | AI literacy across the organization |
| Communication | 7.4 | Internal/external communication on AI matters |
| Documented information | 7.5 | Document creation, control, and retention |

Operation (Clause 8)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Operational planning | 8.1 | Planning and controlling AI processes |
| AI risk assessment | 8.2 | Executing risk assessments per methodology |
| AI risk treatment | 8.3 | Implementing risk treatment plans |
| AI system lifecycle | 8.4 | Managing AI systems through all lifecycle stages |

AI System Lifecycle Stages:
  1. Design: Requirements, architecture, ethical review
  2. Development: Data preparation, model training, coding standards
  3. Testing: Functional, bias, robustness, performance validation
  4. Deployment: Staging, approval, monitoring setup
  5. Operation: Performance monitoring, drift detection, incident response
  6. Retirement: Decommissioning, data disposal, stakeholder notification
Data Management for AI:
  • Data quality assessment and improvement
  • Data provenance and lineage tracking
  • Bias assessment in training and evaluation data
  • Data governance and access controls
  • Personal data protection measures
  • Data retention and disposal procedures
Third-Party and Supplier Management:
  • AI component supplier evaluation
  • Third-party AI service agreements
  • Supply chain risk assessment
  • Ongoing supplier monitoring

Performance Evaluation (Clause 9)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Monitoring and measurement | 9.1 | AI system performance metrics and KPIs |
| Internal audit | 9.2 | Planned audits of the AIMS |
| Management review | 9.3 | Top management review of AIMS effectiveness |

AI Performance Metrics:
  • Model accuracy, precision, recall
  • Fairness metrics (demographic parity, equalized odds)
  • Latency and availability
  • Drift indicators (data drift, concept drift)
  • Incident frequency and severity
  • Consumer complaint rates

Improvement (Clause 10)

| Requirement | Section | Description |
|-------------|---------|-------------|
| Nonconformity | 10.1 | Corrective actions for nonconformities |
| Continual improvement | 10.2 | Ongoing enhancement of the AIMS |
| AI incident management | 10.3 | Handling AI system incidents and near-misses |

Annex A Controls

| Control | Title | Description |
|---------|-------|-------------|
| A.2 | AI Policies | Policies for responsible AI aligned with organizational objectives |
| A.3 | Internal Organization | Roles, responsibilities, segregation of duties for AI |
| A.4 | Resources for AI Systems | Compute, data, tools, and expertise management |
| A.5 | Assessing AI System Impact | Impact assessment processes for AI systems |
| A.6 | AI System Lifecycle | Controls across design, development, deployment, retirement |
| A.7 | Data for AI Systems | Data quality, provenance, bias, governance, protection |
| A.8 | Information for Interested Parties | Transparency, disclosure, and communication |
| A.9 | Use of AI Systems | Acceptable use policies, human oversight, user guidance |
| A.10 | Third-Party Relationships | Supplier management, outsourced AI, component evaluation |

Annex B — Implementation Guidance

Annex B provides non-normative guidance for implementing Annex A controls:
  • Practical examples for each control objective
  • Scalability guidance for different organization sizes
  • Sector-specific considerations
  • Integration points with existing management systems

Annex C — AI Risk Sources and Objectives

AI-specific risk sources organized by category:
  • Technical risks: Model failure, data quality, adversarial attacks, drift
  • Ethical risks: Bias, discrimination, lack of transparency, autonomy erosion
  • Legal risks: Regulatory non-compliance, liability, intellectual property
  • Societal risks: Job displacement, misinformation, environmental impact
  • Organizational risks: Skill gaps, dependency, reputation damage
AI-specific control objectives:
  • Ensure fairness and non-discrimination
  • Maintain transparency and explainability
  • Guarantee safety and reliability
  • Protect privacy and data
  • Secure AI systems against threats
  • Enable accountability and governance

Annex D — Use of AIMS Across Domains

Sector-specific considerations:
  • Healthcare: Patient safety, clinical validation, regulatory approval (FDA, MDR)
  • Finance: Algorithmic trading, credit scoring, anti-money laundering
  • Autonomous systems: Safety-critical decisions, human override, fail-safe design
  • Human resources: Hiring bias, employee monitoring, fairness
  • Public sector: Citizen impact, democratic values, public trust

Relationship to Other Standards

| Standard | Relationship | Integration Points |
|----------|--------------|--------------------|
| ISO 27001 | Information security | Risk assessment, access controls, incident management |
| ISO 9001 | Quality management | Process approach, document control, continual improvement |
| ISO 14001 | Environmental management | Impact assessment, lifecycle thinking |
| ISO 31000 | Risk management | Risk framework, assessment methodology |
| ISO 22989 | AI concepts/terminology | Foundational definitions |
| ISO 23894 | AI risk management | Risk management guidance |

Relationship to EU AI Act

| EU AI Act Requirement | ISO 42001 Mapping |
|-----------------------|-------------------|
| Risk management system (Art. 9) | Clause 6.1, 8.2, 8.3, Annex A.5 |
| Data governance (Art. 10) | Clause 8.4, Annex A.7 |
| Technical documentation (Art. 11) | Clause 7.5, Annex A.6 |
| Transparency (Art. 13) | Annex A.8 |
| Human oversight (Art. 14) | Annex A.9 |
| Accuracy, robustness, security (Art. 15) | Clause 9.1, Annex A.6 |
| Quality management system (Art. 17) | Full AIMS (Clauses 4-10) |
| Conformity assessment | Certification process |

Certification Process

| Phase | Activity | Duration |
|-------|----------|----------|
| Preparation | Gap analysis, implementation, internal audit | 6-12 months |
| Stage 1 Audit | Documentation review, readiness assessment | 1-2 days |
| Gap Remediation | Address Stage 1 findings | 1-3 months |
| Stage 2 Audit | Implementation effectiveness assessment | 2-5 days |
| Certification | Certificate issued (3-year validity) | Upon passing |
| Surveillance | Annual surveillance audits | 1-2 days/year |
| Recertification | Full reassessment every 3 years | 2-4 days |

Implementation Roadmap

Phase 1 — Foundation (Months 1-3):
  • Define AIMS scope and boundaries
  • Establish AI governance structure
  • Develop AI policy
  • Conduct initial AI system inventory
  • Define risk assessment methodology
Phase 2 — Core Implementation (Months 4-6):
  • Conduct AI risk assessments for all in-scope systems
  • Perform impact assessments (Annex A.5)
  • Implement AI lifecycle controls (Annex A.6)
  • Establish data management processes (Annex A.7)
  • Develop third-party management procedures (Annex A.10)
Phase 3 — Operationalize (Months 7-9):
  • Deploy monitoring and measurement (Clause 9.1)
  • Train personnel on AIMS roles and responsibilities
  • Implement incident management procedures
  • Conduct awareness programs for AI literacy
  • Establish communication processes
Phase 4 — Verify and Certify (Months 10-12):
  • Conduct internal audit (Clause 9.2)
  • Hold management review (Clause 9.3)
  • Address nonconformities
  • Prepare for Stage 1 certification audit
  • Compile evidence packages per clause