ISMS Copilot

ISO 42001 readiness checker (Clauses 4 to 10)

Self-score your AI management system against the core requirement areas of ISO/IEC 42001:2023 management-system clauses 4 to 10, including the AI-specific work the standard adds: setting a responsible-AI direction, managing AI risks and their effects on people, controlling how AI systems are built and run, and governing the data behind them. You get a maturity heatmap and a prioritised focus list. A starting point for your gap analysis, not an audit.

Structured around ISO/IEC 42001:2023 management-system clauses 4 to 10. Requirement-area descriptions are original editorial content; refer to the standard from your national standards body for official titles and normative requirements.

This is a self-assessment aid, not a certification, audit, or conformity statement. It does not reproduce ISO/IEC 42001:2023 clause titles, Annex A control titles, or normative requirements. For those, refer to the standard from your national standards body and confirm conformity with a competent auditor.

Rate each area honestly on how established and evidenced it is today.

Clause 4

Your AI setting and who is affected

You have identified the internal and external factors, and the expectations of affected parties, that are specific to developing or using your AI systems, including your role (provider, deployer) in each case.

What your AI management system covers

You have written down which AI systems, activities, teams, and locations the system applies to, and what is deliberately left out.

Clause 5

Leadership commitment and approved AI direction

Top management actively backs the system and has approved a written direction setting the organization's responsible-AI principles.

Who owns AI governance and oversight

Accountable owners are named for AI governance, risk, and human oversight of AI systems, with authority clearly assigned.

Clause 6

Identifying and treating AI risks

You have a repeatable way to find, analyse, and act on the risks your AI systems pose, with a written plan tied to your objectives.

Weighing your AI's effects on people and society

You judge the potential consequences of your AI systems for individuals, groups, and society, and record how you weigh and address them.

AI goals and managing change safely

You set measurable goals for the system and make changes to AI systems in a controlled, planned way.

Clause 7

People, skills, and awareness

The people, skills, and awareness needed to run the system and oversee AI responsibly are in place, with training where needed.

Records and evidence you keep

Policies, procedures, decisions, and evidence for the system are created, version-controlled, and retained.

Clause 8

Controlled AI development and operation

Your AI systems move through controlled stages: requirements, design, verification and validation, release, and ongoing monitoring in production.

Managing the data behind your AI

You manage the data used to build and run AI systems for quality, provenance, and appropriate preparation, and document those choices.

Suppliers and externally-sourced AI

You manage the AI-related risks introduced by suppliers, providers, and other third parties, with responsibilities allocated across the value chain.

Clause 9

Checking whether it is working

You track how the system performs, run internal checks, and hold leadership reviews to judge whether it is effective.

Clause 10

Fixing problems and improving over time

You correct things that go wrong, address their causes, and improve the system based on what you learn.

Important

This tool gives a structured self-assessment to orient a gap analysis for an AI management system. It is not legal advice, not an audit, and not a certification or statement of conformity. ISO 42001 conformity must be confirmed through your own evidence and a competent auditor; some requirements, including the full Annex A controls, are not captured by this questionnaire.

FAQ

Does a good score here mean we are ISO 42001 certified?

No. This is a self-assessment to help you see where to focus. Conformity with ISO/IEC 42001:2023 depends on your actual evidence and is determined by a competent auditor, not by a self-rating tool.

What is ISO 42001?

ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence (an AIMS). It follows the same high-level structure as ISO 27001 (clauses 4 to 10) and adds AI-specific requirements and an Annex A of AI controls, covering things like setting a responsible-AI direction, managing AI risks and their effects on people, controlling how AI systems are built and run, and governing the data behind them.

Does this cover Annex A controls?

Not control by control. This tool self-assesses the management-system clauses 4 to 10, with the most operationally significant AI-specific areas (responsible-AI direction, AI risk, effects on people, how AI is built and run, data, and suppliers) folded into the clauses that govern them. A full Annex A applicability review is a separate exercise driven by your AI risk work.

Are these the official ISO clause titles?

No. We deliberately do not reproduce ISO/IEC 42001:2023 clause titles, Annex A control titles, or normative text. Each area is our own plain-English description of what that part of the standard asks you to do. Consult the standard via your national standards body for the official wording.

Do you store my answers?

No. Scoring runs entirely in your browser. There is no form gate; JSON/CSV export and the printable report are generated locally.

By ISMS Copilot.
