Understanding the Organisation and Its Context Explained for ISO 42001

ISO 42001 Clause 4.1

Before you do anything else with ISO 42001, work out where you sit. Are you building AI systems, providing them, or just using them? That single decision shapes everything that follows.

ISO 42001 Clause 4.1 - Understanding the Organisation and Its Context Explained

Clause 4.1 is the entry point to ISO 42001. It establishes the issues, factors and circumstances that surround the organisation and its AI management system, and asks the organisation to be clear about how AI fits into its purpose and operations. It carries the same intent as the equivalent clause in ISO 9001, ISO 14001 or ISO 27001, but adds two AI-specific elements.

What ISO 42001 Clause 4.1 requires

The clause has three connected requirements. First, the organisation must determine the external and internal issues relevant to its purpose and that affect its ability to achieve the intended results of the AI management system. Second, it must determine whether climate change is a relevant issue. Third, it must consider the intended purpose of any AI systems it develops, provides or uses, and determine its role with respect to those AI systems.

External issues for an AI management system commonly include applicable legal requirements (such as the EU AI Act for organisations selling into European markets, or the UK GDPR for any processing of personal data), guidance and policy from regulators, the competitive landscape for AI products and services, and societal expectations about transparency, fairness and accountability. Internal issues typically cover organisational governance and structure, contractual obligations, and the intended purposes of the AI systems already in use or in development.

Determining the organisation's AI roles

The clause requires a deliberate decision about the organisation's role in relation to its AI systems. This is one of the most important early decisions in the management system, because the controls that apply to a developer are different from those that apply to a deployer, and most organisations end up holding more than one role.

The standard recognises several roles. An AI provider places AI products or services on the market, including platform providers and AI service providers. An AI producer develops, designs, operates, tests or deploys AI systems. An AI customer or user uses AI products or services in its own operations. An AI partner supplies data or integrates AI systems on behalf of others. AI subjects are the individuals or groups affected by AI decisions. The same organisation can be a developer of one AI system, a deployer of another, and a partner for a third, and each role attracts a different set of Annex A controls.

Climate change as a relevant issue

The 2024 ISO climate change amendment applies to ISO 42001 as it does to all the modern management system standards. The organisation must determine whether climate change is a relevant issue, and where it is, must factor that consideration into the management system. For AI systems, this is a more direct connection than it might appear, because large-scale model training and inference are computationally intensive activities with material energy and emissions implications. AI providers and deployers should consider both the direct environmental footprint of the AI systems they operate and any indirect effects on the organisation's wider environmental performance.

How ISO 42001 Clause 4.1 connects to the rest of the standard

The issues identified under Clause 4.1 feed directly into Clause 4.3 (scope), Clause 6.1 (risks and opportunities) and Clause 6.1.4 (AI system impact assessment). A poorly developed context analysis will produce a thin scope, an incomplete risk picture and a weak impact assessment, so the work done at this clause shapes the rest of the management system.

Most organisations adopting ISO 42001 are AI deployers rather than developers. They are buying tools from large providers and embedding them in their own operations. That is a perfectly valid role, but the management system has to reflect it. The internal and external issues you record will look very different from those of a company training its own foundation models.

For deployers, the external issues that matter most tend to be the legal and regulatory landscape, the contractual terms of the AI tools being used, and the expectations of customers and end users about how AI is being applied. For developers, the picture extends to model performance, data sourcing, and the downstream uses to which the AI systems will be put.

We use AI in two ways at the factory. There is an off-the-shelf inspection system that flags defects on the line, and there is a generative tool the office team uses for drafting. Different roles, different risks, both inside the same scope. Documenting that distinction in the context analysis was the first thing we did, and it has shaped every conversation about AI since.

When auditing Clause 4.1, I look for evidence that the organisation has actively determined its roles rather than just listed them. The auditor wants to see a register of AI systems, the role the organisation holds for each, and how those roles flow through into the scope, the risk assessment and the controls selected. A list of AI tools without role determination is not enough.

I also expect the climate change consideration to be addressed visibly. A note in the management review or the issues register confirming that the organisation has assessed whether climate change is relevant, and recording the conclusion either way, is what the standard requires.

Practical Compliance Guidance

The IMS1 Manual Section 1.3 Context, Company Profile and Scope of Operations/IMS1-1-3-1 Context and Scope can be used to consider relevant internal and external issues to the management system. The same section is used to capture the organisation's AI roles and the AI systems within scope, which then feed forward into the scope statement at Clause 4.3.

The following alphaZ documents support compliance with ISO 42001 Clause 4.1. Most of these are part of the AI management system toolkit, with the AI-specific documents being the new additions for ISO 42001.

alphaZ document	How to use it
ISO 42001 AI Management System Toolkit	The full toolkit containing the AI management system documentation including the P-120 AI Policy and the AI-specific registers, assessments and forms.
F-IMS22 Interested Parties Register	Records the internal and external issues that affect the management system and the interested parties identified.
F-IMS23 Opportunities and Risks Register	The opportunities and risks register can be used to identify internal/external issues relevant to the organisation, as well as potential controls and opportunities for improvment.
F-IMS40 AI Process Register	Records the AI systems within scope of the management system, the role the organisation holds for each, and the processes that involve AI.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does Clause 4.1 require us to formally classify ourselves as a developer or deployer?

The clause requires the organisation to determine its roles with respect to its AI systems. The roles in ISO 42001 are not mutually exclusive, and the same organisation will often hold more than one role across different AI systems. What matters is that the determination is made and documented, and that the chosen role for each AI system is consistent with how the organisation actually uses or develops that system.

Do we need a separate context analysis for AI, or can we extend our existing one?

An existing context analysis from ISO 9001, ISO 27001 or another standard can be extended to cover the AI management system rather than duplicated. The standard is designed to integrate with existing management systems. The extension should add the AI-specific issues, the AI roles, and any new interested parties relevant to the AI systems within scope.

What if we use AI tools but have not formally identified them?

An AI inventory is the foundation of ISO 42001. Until the organisation knows which AI systems are in use, it cannot determine its roles, set the scope of the management system, or assess the risks and impacts. Many organisations are surprised by how many AI features are embedded in tools they already use, from email and document software to customer service platforms. The first step is a structured exercise to identify all AI systems in use across the business, with the AI Process Register as the working document.

How does climate change relate to AI?

Large AI systems have material energy demands during training and inference, with associated greenhouse gas emissions. The organisation must determine whether climate change is a relevant issue under Clause 4.1 and act accordingly. For AI providers running their own infrastructure, this is a direct concern. For AI deployers using cloud-based services, the relevance is typically indirect but still worth recording, particularly where the organisation has wider environmental commitments under ISO 14001 or sustainability reporting obligations.

UK Legislation

The following UK legislation is directly relevant to the context of an AI management system. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction. Organisations selling AI products or services into the European Union should also consider the EU AI Act, which is not UK law but applies extraterritorially.

Further Resources