Operation, AI Risk Assessment, AI Risk Treatment and AI System Impact Assessment for ISO 42001

ISO 42001 Clause 8

Clause 8 is the operational counterpart to Clause 6. It requires the same risk assessment, risk treatment and impact assessment processes to be performed at planned intervals during operation, rather than only once at the planning stage.

Clause 8 contains four sub-clauses that together establish the operational practice of the AI management system. The four sub-clauses are tightly linked and are covered together because they describe the same activities performed at planned intervals during operation rather than during initial planning.

ISO 42001 Clause 8.1 - Operational planning and control

The organisation must plan, implement and control the processes needed to meet AI management system requirements and to implement the actions determined in Clause 6. This means establishing criteria for the processes, implementing control of the processes in line with those criteria, and implementing the controls determined under Clause 6.1.3 that relate to the operation of the AI management system.

The effectiveness of operational controls must be monitored, and corrective action must be considered if the intended results are not achieved. Documented information must be available to the extent necessary to have confidence that the processes have been carried out as planned. Planned changes must be controlled, and unintended changes must be reviewed with action taken to mitigate any adverse effects. Externally provided processes, products and services relevant to the AI management system must also be controlled.

For an AI deployer, operational controls typically include the operational use of the AI system within its intended purpose, the human oversight measures specified at the design stage, monitoring of AI system performance against the criteria set during planning, change control for updates and modifications, supplier relationship management, and incident handling. For an AI developer, the operational controls extend to the development life cycle controls in Annex A.6, including verification, validation, deployment and the ongoing operation and monitoring of AI systems delivered to customers.

ISO 42001 Clause 8.2 - AI risk assessment

The organisation must perform AI risk assessments in line with Clause 6.1.2 at planned intervals or when significant changes are proposed or occur. Documented information of the results of all AI risk assessments must be retained.

The operational risk assessment uses the same process and produces the same kind of output as the initial risk assessment under Clause 6.1.2. The difference is timing - Clause 8.2 is the requirement to keep doing it. Most organisations align the operational AI risk assessment with the annual management review cycle, with interim reviews triggered by significant changes such as a new AI system being adopted, a change in the use of an existing AI system, or an AI-related incident.

ISO 42001 Clause 8.3 - AI risk treatment

The organisation must implement the AI risk treatment plan according to Clause 6.1.3 and verify its effectiveness. When risk assessments identify new risks that require treatment, a risk treatment process must be performed for those risks. When risk treatment options are not effective, they must be reviewed and revalidated, and the risk treatment plan must be updated. Documented information of the results of all AI risk treatments must be retained.

The verification of risk treatment effectiveness is the most demanding part of Clause 8.3 in practice. It is not enough for controls to be implemented. They must be shown to work. Verification can take the form of internal audit, monitoring data, incident analysis, supplier assurance reviews, or other evidence appropriate to the control. Where verification shows that a control is not effective, the organisation must update the treatment plan rather than simply note the finding.

ISO 42001 Clause 8.4 - AI system impact assessment

The organisation must perform AI system impact assessments according to Clause 6.1.4 at planned intervals or when significant changes are proposed or occur. Documented information of the results of all AI system impact assessments must be retained.

The triggers for re-performing an impact assessment are similar to those for the risk assessment - planned periodic review, significant changes to the AI system or its use, regulatory changes that affect the impact picture, and incidents or feedback that suggest the original assessment was incomplete or out of date. The output of the operational impact assessment feeds back into the risk assessment under Clause 8.2 and may require updates to the controls applied under Clause 8.3.

The relationship between Clauses 6 and 8

Clause 6 is the planning stage. The risk assessment, risk treatment and impact assessment are performed for the first time, the Statement of Applicability is produced, and the controls are designed and put in place. Clause 8 is the operational stage. The same processes are performed again at intervals, the controls are applied in operation, their effectiveness is verified, and the management system is updated as the AI environment evolves.

This is why the four sub-clauses of Clause 8 are covered in a single article. The detail of how to perform each activity is in the Clause 6.1 article. Clause 8 is the discipline of doing it again, and again, and again, as part of the live management system.

The integration with internal audit and management review is what keeps Clause 8 manageable. Internal audit gives the organisation independent evidence that operational controls are working. Management review aggregates the evidence and triggers updates where they are needed. Without this discipline, the operational re-performance of risk assessment, risk treatment and impact assessment becomes a tick-box exercise.

The verification of risk treatment effectiveness deserves particular attention. Many organisations struggle here because they have controls in place but no clear evidence that the controls are working. Building verification into the design of each control, with a clear method for evidencing effectiveness, makes Clause 8.3 much easier to satisfy at audit.

When auditing Clause 8, I look for the operational rhythm. The auditor wants to see that the risk assessment has been re-performed, that the impact assessments are current, that the controls are being applied and verified, and that significant changes have triggered the right management system response.

The most common finding is documents that show the initial risk assessment from eighteen months ago and no evidence of subsequent re-performance. The standard requires the assessments to be repeated at planned intervals or when significant changes occur. Without that evidence, Clause 8.2 and Clause 8.4 cannot be satisfied.

We re-do the risk assessment for both AI systems annually, with interim reviews when something changes. The interim review for the inspection AI was triggered by a model update from the supplier. We re-ran the impact assessment, updated the risk register, confirmed the Statement of Applicability still held, and recorded the whole thing in the issues and actions register. That gave the auditor a clear trail.

Practical Compliance Guidance

The IMS1 Manual, Section 4 (Operational Processes), IMS1-4-3-3 Control of Operations, documents the operational controls and processes for the management system, with criteria and checks built into each process. The operational re-performance of risk assessment, risk treatment and impact assessment is supported by the dedicated AI assessment templates listed below.

The following alphaZ documents support compliance with ISO 42001 Clause 8.

alphaZ document - How to use it

ISO 42001 AI Management System Toolkit - The full toolkit containing the AI management system documentation, including the operational templates for risk assessment, risk treatment and impact assessment.

RA-AI Risk Assessment - The dedicated AI risk assessment document, re-performed at planned intervals or when significant changes occur, providing the documented evidence required by Clause 8.2 and Clause 8.3.

F-IMS70 Annex A Controls - Records the Statement of Applicability and the implementation status of each Annex A control, supporting the operational implementation of risk treatment under Clause 8.3.

F-Q113 AI System Impact Assessment - The AI system impact assessment template, re-performed at planned intervals or when significant changes occur, providing the documented evidence required by Clause 8.4.

F-IMS40 AI Process Register - Records the AI systems within scope and supports the operational re-performance of assessment activities by maintaining the AI system inventory.

ER1 Issues and Actions Register - Records the actions arising from operational risk assessment, risk treatment verification and impact assessment, providing the audit trail of operational management system activity.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How often must the AI risk assessment and AI system impact assessment be re-performed?

The standard requires re-performance at planned intervals or when significant changes are proposed or occur. Annual re-performance is the standard cadence for most organisations, with interim re-performance triggered by significant events such as new AI systems, changes in use, regulatory changes or AI incidents.

What counts as a significant change?

A significant change is one that materially affects the AI management system or the AI systems within its scope. Examples include the adoption of a new AI system, a change in the use of an existing AI system, a major model update from a supplier, a change in the regulatory environment, an AI incident, or a change in the organisation's role with respect to an AI system. The organisation should define its own threshold for significance and apply it consistently.

How is the effectiveness of AI risk treatment verified?

Verification depends on the control. Internal audit findings, monitoring data, incident analysis, supplier assurance reviews and management review outputs all contribute to the verification picture. The aim is to demonstrate that the controls are not just in place but are actually achieving the intended risk reduction. Where verification shows a control is not effective, Clause 8.3 requires the treatment plan to be updated.

Does Clause 8 apply to AI services provided by third parties?

Yes. Clause 8.1 requires externally provided processes, products and services that are relevant to the AI management system to be controlled. Annex A.10 provides specific controls for third-party and customer relationships. The level of control should be proportionate to the risk and impact of the externally provided AI service.
