Implementation workflow

ISO/IEC 42001 — from foundation to continual improvement

A practical 10-step sequence for implementing an AI management system: build the foundation, assess risk and impact, select controls, implement Annex B-guided controls, then monitor and improve.

ISO/IEC 42001 AIMS implementation workflow diagram with 10 steps grouped in Plan 1, Plan 2, Do and Check/Act phases.
Implementation workflow — not ISO clause order. Revisit after significant change, incident, monitoring failure, supplier change or new legal/customer requirement.
Plan 1

AIMS foundation and governance baseline

1. Clauses 4.1-4.4

Understand context, AI roles and scope

Key output: AIMS scope, AI roles, interested parties, legal/context assumptions and process map.

2. Clauses 5.1-5.3; Annex B.2-B.3

Establish leadership, policy and authority

Key output: AI policy, RACI, approval authority, concern reporting and accountability model.

3. Clause 6.2; Clauses 7.1-7.5

Set objectives, support and document control

Key output: AI objectives, resources, competence, awareness, communication and controlled documentation.

Plan 2

Risk-based design and control selection

4. Clauses 4.4 and 8.1; Annex B.4/B.9

Inventory AI systems and intended uses

Key output: AI system register, tool register, lifecycle stage, approved use and ownership.

5. Clauses 6.1.1-6.1.4; 8.2; 8.4; Annex B.5

Assess AI risks, opportunities and impacts

Key output: Risk criteria, risk/impact assessment, opportunity log and affected-party analysis.

6. Clause 6.1.3; Clause 8.3; Annex A+B

Select controls, SoA and treatment plan

Key output: Statement of Applicability, treatment plan, residual risk decision and evidence plan.

Do

Implement and operate selected controls

7. Clause 8.1; Annex B.6-B.7

Implement lifecycle and data controls

Key output: Requirements, design, V&V, deployment, monitoring, event logs and dataset evidence.

8. Clause 8.1; Annex B.8-B.10

Implement use, transparency and third-party controls

Key output: User information, human oversight, intended-use records and supplier/customer responsibilities.

Check / Act

Assurance and continual improvement loop

9. Clauses 9.1-9.3; Clauses 8.2-8.4

Monitor, audit and review effectiveness

Key output: Monitoring evidence, audit findings, management review decisions and updated risk evidence.

10. Clauses 10.1-10.2

Correct, improve and update the AIMS

Key output: CAPA, lessons learned, improved controls and updated scope, policy, risk, SoA and lifecycle records.

Annex B

Annex B control guidance spine

Use Annex B to translate selected Annex A controls into practical implementation actions. Adapt the actions to the organization's scope, AI role, risk profile and use case.

Outputs become controlled documented information and audit evidence.

  • B.2 AI policies
  • B.3 Internal organization
  • B.4 AI resources
  • B.5 Impact assessment
  • B.6 AI system lifecycle
  • B.7 Data for AI systems
  • B.8 Information for interested parties
  • B.9 Use of AI systems
  • B.10 Third-party/customer relationships

Event-driven trigger

New AI use case, significant change, incident, monitoring breach, supplier change, or new legal/customer requirement — return to risk, impact, SoA and control implementation steps.

This visual summarizes the implementation workflow using clause/control references only. It does not reproduce ISO/IEC 42001 protected requirement text.
