AI Objectives and Planning to Achieve Them for ISO 42001
ISO 42001 Clause 6.2
AI objectives turn the policy from words into measurable targets. They are what the management system is actually trying to achieve.
ISO 42001 Clause 6.2 - AI Objectives and Planning to Achieve Them
Clause 6.2 follows directly from the AI policy at Clause 5.2. The policy provides the framework, and the objectives are the measurable commitments that operationalise the framework. Annex A.6.1 and A.9.3 provide additional controls relating to objectives for responsible development and responsible use of AI systems.
What ISO 42001 Clause 6.2 requires
The AI objectives must be consistent with the AI policy, be measurable where practicable, take into account applicable requirements, and be monitored, communicated, updated as appropriate, and available as documented information. When planning how to achieve the objectives, the organisation must determine what will be done, what resources will be required, who will be responsible, when each objective will be completed, and how the results will be evaluated.
Setting AI objectives that are meaningful
Useful AI objectives have two characteristics that distinguish them from generic management system objectives. First, they reflect the AI-specific concerns the organisation has identified through the risk assessment and impact assessment. Second, they are measurable in a way that the organisation can actually evidence.
For an AI deployer, common objectives include the proportion of in-scope AI systems with a current impact assessment, the time to closure of AI incidents, the proportion of AI procurement that has been through the supplier assessment, and the proportion of staff completing AI awareness training. For an AI developer, objectives often extend to model performance metrics, training data quality measures, the proportion of AI systems with documented release criteria met before deployment, and customer-facing transparency commitments.
The standard does not prescribe specific objectives. Annex C lists potential AI-related organisational objectives such as accountability, AI expertise, fairness, privacy, robustness, safety, security and transparency. These are starting points for the organisation's own objective-setting, not a checklist.
Consistency with the policy
The objectives must be consistent with the AI policy. If the policy commits to fairness, at least one objective should address how fairness will be tested and demonstrated. If the policy commits to human oversight of high-impact AI decisions, at least one objective should address how oversight is implemented and verified. The policy and the objectives are part of the same governance system, and they need to point in the same direction.
Monitoring and updating objectives
Objectives are monitored against their measurement criteria and target completion dates. Progress is reviewed at the management review under Clause 9.3 and at intervals appropriate to each objective. Objectives are updated as appropriate - typically when an objective has been achieved, when circumstances have changed, or when monitoring shows that the objective is no longer the right target. Updated objectives are recorded with the same rigour as the original objectives.
When auditing Clause 6.2, I look at the objectives register and check three things. First, are the objectives consistent with the AI policy? Second, are they measurable in a way that can actually be evidenced? Third, has progress been monitored and reported to top management?
Generic objectives such as "improve AI governance" or "strengthen AI capability" are difficult to audit because they have no measurable target and no clear endpoint. Specific objectives such as "complete impact assessments for all in-scope AI systems by end of Q3" are easier to audit because they have a target, a date and a clear definition of done.
The objectives also need to be planned, not just set. Clause 6.2 requires the organisation to identify what will be done, what resources are needed, who is responsible, when it will be completed and how the results will be evaluated. An objective without an owner and a date is not a planned objective; it is an aspiration.
The objectives register is the natural home for all this. Each objective gets a row, with the owner, target date, resources, monitoring frequency and evaluation method recorded. The same register can be used at the management review to report progress.
Our two AI objectives this year are completing impact assessments for both AI systems by Q2 and getting all line managers through the AI awareness training by year end. Both have clear owners, both are tracked monthly, and both feed into the management review. That is what the auditor saw and that is what passed.
Practical Compliance Guidance
IMS1 Section 1.7 Business Objectives provides the framework for setting and tracking objectives across the management system, including the AI objectives required by Clause 6.2. The dedicated F-Q11 Company Objectives form is used to record each objective, the owner, the resources, the target date and the monitoring approach.
The following alphaZ documents support compliance with ISO 42001 Clause 6.2.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the objectives template and the IMS1 Manual. |
| F-Q11 Company Objectives | Records each AI objective with owner, resources, target date, measurement method and monitoring approach, supporting compliance with the planning requirements of Clause 6.2. |
| F-Q3 Management Review | Provides the format for reporting AI objective progress to top management at the management review. |
Note - all the above files can be downloaded with an alphaZ subscription.
