AI Policy Explained for ISO 42001
ISO 42001 Clause 5.2
The AI policy is top management's formal statement of intent on AI. It is the document an auditor expects to see signed, current and visible across the organisation.
The AI policy is the foundation on which the rest of the AI management system is built. Clause 5.2 sets out what the policy must contain, how it must be made available, and the leadership responsibility for establishing it.
What ISO 42001 Clause 5.2 requires
Top management must establish an AI policy that has four characteristics. The policy must be appropriate to the purpose of the organisation. It must provide a framework for setting AI objectives. It must include a commitment to meet applicable requirements. And it must include a commitment to continual improvement of the AI management system.
The policy must also meet four availability and communication requirements. It must be available as documented information. It must refer as relevant to other organisational policies. It must be communicated within the organisation. And it must be available to interested parties as appropriate.
Implementation guidance on additional policy content is set out in Annex B.2.2, with the corresponding controls in Annex A.2.
Appropriate to the purpose of the organisation
An AI policy that is generic and could apply to any organisation is unlikely to satisfy the appropriateness requirement. The policy needs to reflect what the organisation actually does with AI, the risk environment it operates in, and the principles it expects to follow. For an AI deployer in financial services, this means addressing the responsible use of AI in regulated decisions. For a developer of medical AI software, the focus is on safety and clinical effectiveness. The policy is a leadership statement, and it should sound like one written by the leadership of this specific organisation.
Framework for AI objectives
The policy must provide the framework against which AI objectives are set. AI objectives under Clause 6.2 are measurable and time-bound, but they need to relate to something. The policy is what they relate to. A policy that commits to fairness, transparency, accountability and safety in AI gives the organisation the basis to set objectives such as periodic bias testing of high-impact AI systems, public-facing transparency notices for customer-facing AI, formal accountability assignment for each AI system in scope, and pre-deployment safety review for new AI systems.
Commitment to applicable requirements
Applicable requirements include legal requirements, contractual requirements, and any other requirements the organisation has committed to. For AI specifically, applicable requirements often include data protection law, equality law, sector-specific regulation, and any voluntary commitments the organisation has made (such as adherence to industry codes of practice or AI ethics frameworks). The policy must commit to meeting them, even if it does not enumerate them.
Commitment to continual improvement
The fourth content requirement is the standard commitment to continual improvement of the AI management system. This is shared across all Annex SL standards and means the same thing here as elsewhere - the organisation will keep improving the suitability, adequacy and effectiveness of the management system over time.
Communication and availability
The policy must be communicated within the organisation. In practice this means making it visible to staff through the usual channels - the management system documentation, intranet, induction materials and ongoing awareness activities. The policy must also be available to interested parties as appropriate. For most organisations, this is satisfied by publishing the policy on the public website or providing it on request to customers, regulators and other interested parties.
The AI policy is one of the documents that gets the most attention from auditors and the least attention from organisations. A short, current, well-structured policy that reflects what the organisation actually does is far more useful than a long policy that nobody reads.
Cross-referencing other policies is sensible. The data protection policy already covers personal data, the information security policy covers security, and the procurement policy covers supplier selection. The AI policy can refer to these rather than duplicating their content, while making the AI-specific commitments that the other policies do not address.
When auditing Clause 5.2, I look for the policy as documented information, dated, version controlled, and approved or signed by top management. I check that it covers the four content requirements and that it has been communicated. Communication is often evidenced through induction records, the intranet, and visible display of the policy in shared workspaces.
I also expect the policy to align with the AI objectives at Clause 6.2. If the policy commits to fairness but no AI objective addresses fairness, that is a gap. The policy and the objectives need to point in the same direction.
Our AI policy is a single page. It sets out what we use AI for, what we do not use AI for, the principles we apply, and how staff raise concerns. It is signed by the MD and reviewed every year at management review. The IMS lead briefs new starters on it during induction. That is what the auditor saw and that is what we needed.
Practical Compliance Guidance
The IMS1 Manual Section 2.1 Company Policies/IMS1-1-3-1 Scope and Context sets out the framework of top-level policies for the management system, with the AI policy listed alongside the other organisational policies and approved by top management. The standalone P-120 Artificial Intelligence Policy template provides the AI-specific policy content covering the requirements of Clause 5.2 and the implementation guidance in Annex B.2.2.
The following alphaZ documents support compliance with ISO 42001 Clause 5.2.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the P-120 AI Policy and the AI-specific registers, assessments and forms. |
| P-120 Artificial Intelligence Policy | The AI policy template covering the requirements of Clause 5.2 and the elements set out in the Annex B.2.2 implementation guidance. |
| F-Q11 Company Objectives | Records the AI objectives that flow from the AI policy framework and provides evidence of alignment between policy and objectives. |
Note - all the above files can be downloaded with an alphaZ subscription.
