Planning of Changes for ISO 42001 AI Management
ISO 42001 Clause 6.3
Changes to the AI management system must be planned, not improvised. The clause is short, but the discipline it asks for is what keeps the system coherent over time.
ISO 42001 Clause 6.3 - Planning of Changes
Clause 6.3 applies to changes the organisation determines are needed to the AI management system itself. It is the management system's own change control requirement, distinct from the change control that applies to AI systems within the management system, which falls under Clause 8 and the Annex A.6 life cycle controls.
What ISO 42001 Clause 6.3 requires
The clause is brief. When the organisation determines a need for changes to the AI management system, the changes must be carried out in a planned manner. The standard does not specify what planning is required, but the implication is that changes are not made ad hoc, that the consequences of changes are considered, and that the management system remains coherent and conformant after the change.
What kind of changes does this cover?
Changes to the AI management system include changes to the scope, the AI policy, the AI objectives, the assignment of roles and responsibilities, the risk and impact assessment processes, the Statement of Applicability, the controls applied, and the documented information that supports the management system. Adding a new AI system into scope is a change. Decommissioning an AI system is a change. Reorganising AI accountability is a change. Adopting a new control or excluding a previously included control is a change.
Routine activities such as updating a register, completing an internal audit or holding a management review are not changes to the management system. They are operations of the management system.
Planning a change
Planning a change typically involves identifying the change, considering its purpose and the consequences for the management system, identifying the actions needed to implement the change, identifying any controls or interested party requirements affected, identifying responsibilities and resources for the change, and recording the change in a way that can be audited later. The standard does not require a separate change procedure, but most organisations find that the issues and actions register or the management review provides a natural place to record significant changes.
Changes that affect the scope, the policy or the Statement of Applicability are typically reviewed and approved at the management review. Smaller changes can be authorised at a lower level provided the authority to do so is clearly assigned.
The most common changes during the first eighteen months of certification are adding new AI systems into scope and updating the Statement of Applicability accordingly. These changes need to be planned, not just made. The risk assessment, impact assessment and Statement of Applicability all need to be updated, the relevant interested parties need to be considered, the AI Process Register needs to be extended, and the change needs to be recorded with the rationale and the approval visible.
Treating the issues and actions register as the change log works well in practice. Each significant change gets logged with the date, the description, the responsibilities and the documents updated. That gives the auditor a single place to look at how the management system has evolved over time, alongside the operational issues and corrective actions that the register also tracks.
When auditing Clause 6.3, I look at how the management system has changed since the last audit and check that the changes have been planned. If the scope has expanded, I want to see the updated scope statement, the updated risk assessment and the updated Statement of Applicability. If a new AI system has been adopted, I want to see the impact assessment and the integration into the AI Process Register.
Changes that have happened in operation but have not been reflected in the management system documentation are a finding. The management system has to keep up with the operation, not lag behind it.
Practical Compliance Guidance
IMS1 Section 1.1 Management System Updates is the place where significant changes to the management system are logged. The Issues and Actions Register provides the operational log of changes alongside the other actions managed by the management system.
The following alphaZ documents support compliance with ISO 42001 Clause 6.3.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including IMS1 where management system changes are logged. |
| ER1 Issues and Actions Register | Used to log significant changes to the AI management system alongside the other actions and issues managed by the system. |
| F-Q3 Management Review | Provides the format for reviewing and approving significant changes to the AI management system at the management review. |
Note: all of the above files can be downloaded with an alphaZ subscription.
