Awareness Explained for ISO 42001
ISO 42001 Clause 7.3
Awareness is broader than competence. Everyone affected by the AI management system needs to know it exists and what it asks of them.
ISO 42001 Clause 7.3 - Awareness Explained
Clause 7.3 applies to a wider population than the competence requirements at Clause 7.2. Competence is about specific skills for specific roles. Awareness is about the basic knowledge that everyone working under the organisation's control needs to have.
What ISO 42001 Clause 7.3 requires
People doing work under the organisation's control must be aware of three things. The AI policy. Their contribution to the effectiveness of the AI management system, including the benefits of improved AI performance. The implications of not conforming with the AI management system requirements.
The clause uses the phrase work under the organisation's control deliberately. It captures employees, but it also captures contractors, agency staff, consultants and anyone else whose work affects or is affected by the AI management system. The awareness obligation is the same for all of them, although the way it is delivered may differ.
Awareness of the AI policy
Staff need to know the AI policy exists, where to find it, and what it commits the organisation to. The level of detail expected is that staff should be able to describe in their own words what the organisation is and is not willing to do with AI, the principles the organisation applies, and how to raise concerns. This does not require staff to have memorised the policy. It does require the policy to be visible, accessible and explained.
Contribution to the management system
Staff need to understand how their own role contributes to the AI management system. For someone using a generative AI tool to draft content, this might be understanding the tool's intended uses and limitations, the requirement to review outputs before sharing them externally, and the channels for reporting concerns. For someone procuring AI services, this might be the requirement to put suppliers through the AI supplier assessment. For someone managing a team, this might be the responsibility to make sure their team has completed the relevant awareness training and is following the AI policy.
Implications of not conforming
Staff need to understand the implications of not conforming. These can be operational (incidents, errors, poor decisions), reputational (loss of customer trust, regulatory attention), legal (breach of data protection, equality or sector-specific law), or contractual (breach of customer commitments). The level of detail does not need to be exhaustive, but staff should know that not following the AI policy and procedures has real consequences for the organisation and for the people affected by the AI systems.
The most efficient way to deliver awareness is through induction for new starters and a short annual refresher for everyone else, supplemented by communication when something significant changes. The induction covers the management system, the AI policy, the responsibilities, and the channels for raising concerns. The annual refresher reinforces the message and updates staff on any changes.
For organisations with large workforces, an online module that records completion is the simplest way to evidence awareness. For smaller organisations, a briefing and a sign-off sheet works just as well. The format matters less than the substance and the record.
When auditing Clause 7.3, I sample staff across different roles and ask them to describe the AI policy, their contribution to the management system, and what would happen if the management system was not followed. The answers I get tell me whether awareness is real or paper-only.
I also check that contractors and agency staff have been included. Awareness obligations apply to anyone working under the organisation's control. A management system that has only briefed permanent employees has a gap.
We added a single page to the existing induction pack. AI policy, what we use, what we do not, and the line to raise a concern. Annual refresher built into the existing toolbox talk schedule. No new system, no new training platform, just an extension of what we already do.
Practical Compliance Guidance
IMS1 Section 3.1 Staff Training, Awareness and Competence sets out the awareness expectations for all staff, supported by induction training, ongoing communication and the AI policy itself. Awareness is evidenced through induction records, attendance at briefings, and the visible presence of the AI policy in shared workspaces and the management system documentation.
The following alphaZ documents support compliance with ISO 42001 Clause 7.3.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the AI policy and IMS1 awareness content. |
| GEN1-1 Staff Handbook | The consolidated staff handbook setting out awareness content for all staff, which can be extended to cover AI policy awareness. |
| P-120 Artificial Intelligence Policy | The AI policy that staff must be aware of, made available through the management system documentation and visible communication channels. |
Note - all the above files can be downloaded with an alphaZ subscription.
