Determining the Scope of the AI Management System Under ISO 42001

ISO 42001 Clause 4.3

The scope statement is short but consequential. It defines exactly what the AI management system covers and, by implication, what it does not.

ISO 42001 Clause 4.3 - Determining the Scope of the AI Management System

Clause 4.3 is the moment in the management system where the organisation commits to a defined scope. The scope statement is documented information and serves as the public boundary of the AI management system - certification bodies certify against it, auditors audit against it, and interested parties rely on it as the authoritative description of what the management system covers.

What ISO 42001 Clause 4.3 requires

The clause has four requirements. The organisation must determine the boundaries and applicability of the AI management system. When doing so, it must consider the external and internal issues identified at Clause 4.1 and the requirements identified at Clause 4.2. The scope must be available as documented information. The scope must determine the organisation's activities with respect to leadership, planning, support, operation, performance evaluation, improvement, controls and objectives.

What the scope statement should cover

A workable scope statement for an AI management system identifies the organisation, the AI systems within scope, the organisation's role with respect to those AI systems, the locations or business units covered, and any specific exclusions and the rationale for them.

For an AI deployer, the scope often reads something like "the use of artificial intelligence systems in named business activities at named locations, with the organisation acting as deployer for off-the-shelf AI products". For an AI developer, the scope typically identifies the AI products developed and provided, the locations where development takes place, and the organisation's role as developer and provider. Many organisations end up with mixed scopes that capture both deployer and developer activities, with the relevant role specified for each AI system.

Including AI systems in scope

One of the practical decisions at Clause 4.3 is whether to include all AI systems used by the organisation or only the most significant ones. The standard does not require all AI systems to be in scope. It does require the scope decision to be deliberate, documented and informed by the issues, requirements and risks the organisation has identified.

Excluding low-impact AI systems from scope is a legitimate choice provided the exclusions are explicit and the rationale stands up to scrutiny. A spell-checker that uses AI to suggest corrections is unlikely to need to be inside the scope of a formal AI management system. An AI tool used to filter job applications almost certainly does. The Statement of Applicability under Clause 6.1.3 is where the controls applied to in-scope AI systems are documented.

The scope and the AI Process Register

The scope statement is supported by the AI Process Register, which records the AI systems within scope, the organisation's role for each, the business processes that involve AI, and the controls that apply. The register is the operational counterpart to the scope statement and makes the scope visible at the level of individual AI systems rather than at the level of the organisation as a whole.

The scope is the document the certification body looks at first. It needs to be defensible. If the scope says the organisation deploys AI systems in named business areas, the auditor will check that those areas are correctly described, that no significant AI use has been left out, and that the scope is consistent with the AI Process Register and the risk assessment.

Be specific about the AI systems within scope. A scope that simply says "artificial intelligence systems used by the organisation" is too vague and gives the auditor nothing to anchor against. Naming the AI systems, or at least the categories of AI systems and the business activities they support, makes the scope auditable.

When auditing Clause 4.3, I look for a scope statement that is documented, dated, version controlled, and consistent with the AI Process Register, the Statement of Applicability and the risk assessment. Inconsistencies between these documents are a common finding because the scope is set early but the management system continues to evolve. I also expect any exclusions to be explicit and justified, with a clear rationale that holds up against the issues, requirements and risks identified at Clauses 4.1 and 4.2.

Practical Compliance Guidance

IMS1 Section 1.2 Integrated Management System - Overview, Scope and Context/IMS1-1-3-1 Context-Scope is the place where the scope of the AI management system is set out alongside the scope of the wider integrated management system. The scope statement is supported operationally by the AI Process Register, which maps the AI systems within scope to the controls and processes that apply.

The following alphaZ documents support compliance with ISO 42001 Clause 4.3.

alphaZ document | How to use it
ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the IMS1 Manual where the scope is defined.
F-IMS40 AI Process Register | Records the AI systems within scope of the management system, the organisation's role for each, and the processes that involve AI.
F-IMS70 Annex A Controls | Records the Statement of Applicability identifying which Annex A controls apply within the scope of the management system.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The standard requires the organisation to determine the boundaries and applicability of the management system. Excluding low-impact AI systems is acceptable provided the decision is documented, justified by reference to the risk picture, and consistent with the requirements of interested parties. High-impact AI systems with significant consequences for individuals or societies should not normally be excluded.
Yes. The AI management system scope is set independently and reflects the organisation's AI activities. It can be wider, narrower or different from other management system scopes. Where the scopes overlap, the same locations and activities will be covered by integrated controls. Where they differ, the scope statement should make the difference clear.
The scope should be reviewed when significant changes occur to the organisation, the AI systems in use, the regulatory landscape or the requirements of interested parties. Review at the management review under Clause 9.3 is the standard cadence. A new AI system being adopted is the most common trigger for an interim scope review.
