Implementing Clauses and Controls of the World’s First AI Management System Standard

Last week, Risk Professionals delivered the second session in our three-part webinar series on ISO/IEC 42001, the world’s first Artificial Intelligence Management System (AIMS) standard. This session, led by our CEO Wasim Malik, focused on translating ISO/IEC 42001 requirements into practical, real-world implementation steps that organisations can follow as they build or mature their AIMS.

We were also joined by GCC (Global Compliance Certification), who contributed insights from the certification and audit perspective.

This session took participants beyond the foundations that were covered in Part 1. It concentrated on how an AIMS should be designed, documented, and operationalised in a way that satisfies the standard and prepares an organisation for certification.


Clause-by-Clause Breakdown: Turning Requirements into Practice

In this session, we walked through Clauses 4 to 10 of ISO/IEC 42001 and explained what each requirement means in practical terms.

  • Clause 4 – Context: Identifying stakeholders, AI system boundaries, use cases, and internal and external factors
  • Clause 5 – Leadership: Establishing AI governance roles, responsibilities, accountability structures, and decision-making authority
  • Clause 6 – Planning: Conducting AI risk assessments and AI system impact assessments, selecting risk treatments, setting governance objectives, and creating the Statement of Applicability (SoA) that records which Annex A controls apply and why
  • Clause 7 – Support: Competence, training, documented information, and resource requirements
  • Clause 8 – Operation: Implementing lifecycle controls for data, models, development, testing, deployment, monitoring, and human oversight
  • Clause 9 – Performance Evaluation: KPIs, audits, monitoring, measurement, and management reviews
  • Clause 10 – Improvement: Managing nonconformities and implementing continual improvement processes

Participants were shown how to transform these requirements into practical policies, procedures, records, and governance workflows.


Insights from GCC: How Auditors Assess ISO/IEC 42001

GCC (Global Compliance Certification), our guest contributors for this session, shared their experience from the perspective of a certification body.

1. What Auditors Expect to See
  • Clear governance and defined responsibilities
  • Accurate scoping and identification of AI systems
  • A robust, well-justified Statement of Applicability
  • Evidence of lifecycle controls that are aligned to actual AI use cases
2. Common Gaps Observed
  • Missing or inconsistent AI use case registers
  • Incomplete or shallow AI risk assessments
  • Insufficient awareness and training
  • Controls operated in practice but not documented or evidenced, so the auditor has nothing to verify
3. Integration with ISO/IEC 27001

GCC highlighted that organisations with an established ISMS already have a strong foundation for their AIMS. Because ISO/IEC 42001 follows the same harmonised high-level structure as ISO/IEC 27001, shared governance processes, risk structures, and documentation can be reused, significantly accelerating implementation and reducing overall effort.


Practical AIMS Implementation Roadmap

Risk Professionals shared a structured and efficient approach to implementing an AIMS. The recommended roadmap includes:

  • Developing the AIMS Manual early and securing ownership across the organisation
  • Completing the Statement of Applicability and confirming control decisions
  • Building the AI use case inventory and conducting detailed risk assessments
  • Establishing governance meetings and defining measurable KPIs
  • Implementing SOPs that support the AI lifecycle
  • Keeping both the SoA and AIMS Manual under version control and reviewing them whenever AI use cases, risks, or controls change
  • Preparing evidence for audit, including logs, meeting minutes, version control records, and training records


What’s Coming Next

Our third and final session in this series will focus on the certification journey. This will include audit expectations, documentation and evidence requirements, and practical guidance for organisations preparing for Stage 1 and Stage 2 audits.


Free Resources and Support

Participants received access to:

  • The full session recording
  • Presentation slides
  • Clause 4 to 10 checklist


Key Message

Organisations that succeed with ISO/IEC 42001 focus on three core areas: clear scoping, strong governance, and reliable evidence. As AI adoption accelerates across industries, structured governance is becoming essential. ISO/IEC 42001 establishes the foundation for trustworthy and responsible AI and enables organisations to operate AI systems with confidence.

Risk Professionals is supporting organisations across Australia and internationally as they prepare for ISO/IEC 42001 certification. Organisations seeking support with implementation, integration with ISO/IEC 27001, or PECB-accredited training can contact us at info@riskprofs.com.