
ISO 42006 Draft

Uploaded by

Yasser Mattar

DRAFT INTERNATIONAL STANDARD

ISO/IEC DIS 42006

ISO/IEC JTC 1/SC 42 Secretariat: ANSI


Voting begins on: 2023-10-25
Voting terminates on: 2024-01-17

Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems

ICS: 03.120.20; 35.020


Normen-Download-Beuth-TÜV Süd AG Verlag-KdNr.7031496-LfNr.10998296001-2024-03-11 06:39

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.

Reference number: ISO/IEC DIS 42006:2023(E)

© ISO/IEC 2023

COPYRIGHT PROTECTED DOCUMENT


© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland


Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, symbols and abbreviated terms
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 General
5.2.2 Conflicts of interest
5.3 Liability and financing
5.3.1 General
5.3.2 Liability
6 Structural requirements
7 Resource Requirements
7.1 Competence of personnel
7.1.1 General
7.1.2 Generic competence requirements
7.1.3 Determination of competence criteria
7.2 Personnel involved in the certification activities
7.2.1 General
7.2.2 Selecting auditors and personnel reviewing the audit reports
7.2.3 Selecting an individual auditor for leading the personnel fulfilling the function of “auditor”
7.3 Use of individual external technical experts
7.3.1 General
7.3.2 Use of individual external technical within the certification process
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 General
8.2.2 AIMS certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 General
8.4.2 Access to the documentation of the organization
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application

9.1.2 Application review
9.1.3 Audit programme
9.1.4 Audit methodology
9.1.5 Determining audit time
9.1.6 Multi-site sampling
9.1.7 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Selection and assignment of personnel conducting the AIMS audit
9.2.3 Audit plan
9.3 Initial certification
9.3.1 Initial certification audit
9.4 Conducting audits
9.4.1 General
9.4.2 General requirements
9.4.3 Specific elements of the AIMS audit
9.4.4 Audit report
9.5 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (normative) Audit time
A.1 Criteria of determining audit time
A.1.1 General
A.2 Concepts
A.2.1 Number of persons under the organization’s control that are involved in the AI life cycle processes
A.2.2 Auditor day
A.3 Procedure for determining audit time for initial certification audit
A.3.1 General
A.3.2 Factors for adjustment of audit time
A.3.3 On-site audit time
A.3.4 Remote methods for conducting audit
A.4 Audit time for surveillance audit
A.5 Audit time for re-certification audit
A.6 Deviation from baseline audit time

A.7 Audit time of multi-site
A.8 Audit time for scope extensions
Annex B (normative) Template for certification document
B.1 General
B.2 Certificate text for this document
Annex C (informative) Examples for audit time calculations
C.1 General
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

ISO draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 42, Artificial Intelligence.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

A management system for organizations providing, developing or using AI systems, or placing them on the market as suppliers, is set up according to ISO/IEC 42001:—¹. It entails, but is not limited to, various special aspects regarding the management of risks, data protection, data quality, information and cyber security, ethics as well as the validation and verification of algorithms. Also, the life cycle processes for traditional software systems need to include AI-specific life cycle characteristics defined in ISO/IEC 5338:—² [1], which need to be considered.

The object of assessment in ISO/IEC 42001:— and the necessary combination and complex interface functions in a management system according to ISO/IEC 42001:— result in specific requirements for the certification bodies and their processes when they certify such management systems. This document intends to help certification bodies responsibly perform their role with respect to auditing and certifying organizations with AI management systems.

The certification of a management system according to ISO/IEC 42001:— can be embedded in a conformity assessment system for products, processes and services according to ISO/IEC 17065 in support of ISO/IEC 17067 [2]. ISO/IEC 17030 [3] applies if it is intended to mark the conformity of the AI systems with conformity marks. The certificate for the confirmation of the conformity of the manufacturer’s, supplier’s or distributor’s AI management system according to ISO/IEC 42001:— should be able to be taken over according to ISO/IEC 17065:2012, 7.4.5 as far as possible to avoid double tests.

This standard is also intended to assist accreditation bodies and peer assessors in being able to assess the minimum requirements for personnel competence in certification bodies and the processes of certification in these certification bodies in an efficient and harmonized way.

NOTE This document can be used as a criteria document for accreditation and peer assessment.

1 Under preparation. Stage at the time of publication: ISO/IEC FDIS 42001:2023.


2 Under preparation. Stage at the time of publication: ISO/IEC FDIS 5338:2023.


Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems

1 Scope

This document specifies additional requirements to ISO/IEC 17021-1. The requirements contained in this document, when implemented, support the demonstration of competence, consistency and reliability by the bodies performing auditing and certification of an artificial intelligence management system (AIMS) according to ISO/IEC 42001 for organizations that provide, develop or use AI systems.

Certification of AIMS is a third-party conformity assessment activity (as described in ISO/IEC 17000:2020, 4.5), and bodies performing this activity are third-party conformity assessment bodies.

This document also provides the necessary information and confidence to customers about the way certification has been granted.

NOTE This document can be used as a criteria document for accreditation or peer assessment.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17000, Conformity assessment — Vocabulary and general principles

ISO/IEC 17011, Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies

ISO/IEC 17021-1, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

ISO/IEC 17029, Conformity assessment — General principles and requirements for validation and verification bodies

ISO/IEC 17065, Conformity assessment — Requirements for bodies certifying products, processes and services

ISO/IEC 42001:—, Information technology — Artificial intelligence — Management system

ISO/IEC 22989, Information technology — Artificial intelligence — Artificial intelligence concepts and terminology

ISO/IEC 5259-3:—³, Information technology - Artificial Intelligence – Data quality for analytics and machine learning (ML) – Part 3: Data quality management requirements and guidelines

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27701, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines framework

3 Under preparation. Stage at the time of publication: ISO/IEC DIS5259-3:2023.

3 Terms, definitions, symbols and abbreviated terms

For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17021-1, ISO/IEC 42001:—, ISO/IEC 17065, ISO/IEC 22989 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
artificial intelligence management system
AIMS
set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives, in the provision, development or use of an AI system

Note 1 to entry: An AIMS can be applied to mitigate risks related to the provision, development or use of an AI system.

3.2
statement of applicability
SOA
documentation of all necessary controls and providing justification for inclusion or exclusion of controls

Note 1 to entry: Organizations may not require all controls listed in Annex A of ISO/IEC 42001 or may even exceed the list in Annex A with additional controls established by the organization itself.

Note 2 to entry: All identified risks shall be documented by the organization according to the requirements of ISO/IEC 42001. All identified risks and the risk management measures (controls) established to address them shall be reflected in the SOA.

Note 3 to entry: In the context of ISO/IEC 42001, performance refers both to results achieved by using AI systems and results related to the AI management system. The correct interpretation of the term is clear from the context of its use.

[SOURCE: ISO/IEC 42001:—, 3.11, modified Note 1 to entry, Note 2 to entry and Note 3 to entry by replacing “this document” with “ISO/IEC 42001”.]
3.3
certification document
document indicating that an organization’s AIMS conforms to ISO/IEC 42001:—

3.4
site
physical location where the organization to be certified operates with its own resources

Note 1 to entry: A site can also be the location of another legal entity that is part of a network of legal entities of the client that are linked by ownership or control of the management and control body (unified management). The organization to be certified controls the legal entities in the network and exercises ultimate direction as defined in ISO 9000:2015, 3.1.1 [4] for the AI management system.

3.5
sector-specific standard
international standard that extends Annex A of ISO/IEC 42001:— to support a specific sector

Note 1 to entry: A sector-specific standard can provide additions to the controls in ISO/IEC 42001:—, provide guidance on control implementation, or provide guidance on elements to consider based on organizational context and the expectations of interested parties.
244 Note 2 to entry: A sector-specific extension of ISO/IEC 42001:—doesn't change the requirements of ISO/IEC
245 42001:—, including any addition and modification.

246 4 Principles
247 The principles from ISO/IEC 17021-1:2015, Clause 4 apply.

248 5 General requirements


249 5.1 Legal and contractual matters
250 The requirements of ISO/IEC 17021-1:2015, 5.1 apply.

251 5.2 Management of impartiality


252 5.2.1 General
253 The requirements of ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and
254 guidance apply.
255 5.2.2 Conflicts of interest
256 In addition to the requirements of ISO/IEC 17021-1:2015, 5.2.5, certification bodies shall not provide
257 consulting for management systems related to artificial intelligence, information security, data protection
258 (e.g. in the form of an external data protection officer or data protection check) or risk management.
259 Certification bodies may carry out the following activities without them being considered as consultancy
260 or having a potential conflict of interest:
261 a) when arranging and participating as a lecturer in training courses, that relate to artificial
262 intelligence management systems, to management systems or auditing, only generic and publicly
263 available information is provided by certification bodies;
264 b) activities preceding the audit to identify the object of certification, the sole purpose of which is to
265 determine the scope and capability for a certification audit;
266 c) adding value during certification and surveillance audits, e.g. by identifying opportunities for
267 improvement, as they become evident during the audit.
268 In order to prevent potential conflict of interest when addressing the duties listed above, the certification
269 body shall not
270 a) provide company-specific advice;


271 b) conduct activities which themselves take the form of an audit or lead to recommendations or
272 advice that would be contrary to 5.2.2 of this document, or justify a reduction of the ultimate time
273 of the certification audit;
274 c) recommend specific solutions.
275 The certification body shall not carry out any internal audits for the client to be certified. The ban on
276 conducting internal audits shall not be circumvented by renaming the activity as inspection, assessment
277 or similar. Any prior involvement of the certification body with the client related to ISO/IEC 42001 leads
278 to a violation of the ban on self-assessment and shall be avoided.

279 5.3 Liability and financing


280 5.3.1 General
281 The requirements of ISO/IEC 17021-1:2015, 5.3 apply. In addition, the following requirements and
282 guidance apply.


283 5.3.2 Liability


284 In addition to the requirements of ISO/IEC 17021-1:2015, 5.3.1, certification bodies shall be able to
285 demonstrate a contract with an insurance company or an alternative mechanism that is fully protected
286 against insolvency. Either option shall provide an appropriate amount of cover for personal injury, property
287 damage and financial loss in relation to the turnover of the clients with AI systems.

288 6 Structural requirements


289 The requirements of ISO/IEC 17021-1:2015, Clause 6 apply.

290 7 Resource Requirements


291 7.1 Competence of personnel
292 7.1.1 General
293 The requirements of ISO/IEC 17021-1:2015, 7.1 apply. In addition, the following requirements and
294 guidance apply.
295 7.1.2 Generic competence requirements
296 The certification body shall ensure that it has competent personnel with knowledge of the technical, legal
297 and regulatory developments relevant to the AIMS of the client that is assessed.
298 The certification body shall describe the competence requirements for each certification function
299 according to the functional approach as defined in ISO/IEC 17000:2020, Annex A, and shall comply with
300 them using competence management. This competence management ensures that the required criteria
301 for education as well as for knowledge and experience of the personnel involved in the certification
302 process are verified.
303 Certification of an AIMS is based on multiple, diverse competencies unlikely to be present in one natural
304 person. The certification body shall therefore appoint and deploy competent people that fulfil all the
305 required competence criteria as a competent group, if applicable, and throughout all functions of the
306 certification process. With regard to the criteria definition of the certification body, the criteria for each
307 function of the certification process shall be defined in such a way that the personnel fulfilling the tasks
308 of the function have sufficient knowledge and understanding imparted by training and education, as well
309 as experience, to cover the AIMS scope of the organization to be audited. In this respect, for the
310 certification of an organization running an AIMS, the use of technical experts in accordance with ISO/IEC
311 17021-1:2015, 9.2.2.1.3 can be necessary and is permissible within the scope of the audit, but also in
312 other functions of the certification process.
313 7.1.3 Determination of competence criteria
314 7.1.3.1 Competence requirements for personnel conducting the application review
315 Personnel conducting the application review to determine the auditor competences required, to select
316 the personnel for the auditor function and to determine the audit time shall have specific knowledge. See
317 Table 1 on competence criteria for personnel of the certification body for the required competence and
318 knowledge of personnel conducting the application review.
319 7.1.3.2 Competence requirements for personnel conducting AIMS audits
320 Personnel conducting audits shall have specific knowledge. See Table 1 on competence criteria for
321 personnel of the certification body for the required competence and knowledge of personnel conducting
322 audits.


323 7.1.3.3 Competence requirements for personnel reviewing audit reports


324 The personnel who review audit reports independently, and who were not previously involved in the auditing
325 process, shall have specific knowledge. See Table 1 on competence criteria for personnel of the
326 certification body for the required competence and knowledge of personnel conducting the independent
327 review of audit reports.

328 7.1.3.4 Competence requirements for personnel making certification decisions


329 The personnel making certification decisions shall have knowledge that enables them to verify the
330 adequacy of the scope of certification, as well as to assess the impact of any scope changes, particularly
331 the continuing validity of the determination of interfaces, dependencies, and associated risks. The
332 personnel making certification decisions shall have specific knowledge. See Table 1 on competence
333 criteria for personnel of the certification body for the required competence and knowledge of personnel
334 making certification decisions.
335 7.1.3.5 Competence requirements for personnel conducting evaluation and making decisions on
336 appeals
337 The certification body shall have a process to receive, evaluate and make decisions on appeals. The
338 personnel involved in evaluation and making decisions on appeals shall have specific knowledge. See
339 Table 1 on competence criteria for personnel of the certification body for the required competence and
340 knowledge of personnel conducting evaluation and making decisions on appeals.

341 7.1.3.6 Competence requirements for personnel conducting evaluation processes for personnel
342 involved in the certification activities
343 The certification body shall have a process for monitoring competence and performance of all persons
344 involved in the certification process in order to be able to identify training needs. Therefore, it needs
345 criteria for the personnel who conduct these processes. The personnel involved in the evaluation
346 processes for personnel involved in the certification activities shall have specific knowledge. See Table 1
347 on competence criteria for personnel of the certification body for the required competence and
348 knowledge of personnel conducting evaluation processes for personnel involved in the certification
349 activities.
350
351 Table 1 — Competence criteria for personnel of the certification body
352
| Knowledge | Application reviewer (7.1.3.1) | Auditor (7.1.3.2) | Audit report reviewer (7.1.3.3) | Certification decision maker (7.1.3.4) | Appeal decision maker (7.1.3.5) | Evaluator of certification personnel (7.1.3.6) |
|---|---|---|---|---|---|---|
| Knowledge of business management practices: a) management systems and management business practices, concepts and the interrelationship between policy, objectives and results. | x | x | x | x | x | x |
| Knowledge of audit principles, practices and techniques: a) principles of auditing. | - | x+ | x+ | - | - | x |
| Knowledge of specific management system standards/normative documents: a) legal obligations that apply to artificial intelligence; b) ISO/IEC 42001:— and other normative documents used in the certification process; c) relevant certification schemes and necessary evaluation criteria for the conformity assessment. | x | x+ | x+ | x+ | x+ | x |
| Knowledge of certification body’s processes: a) requirements of ISO/IEC 17021-1 as well as the terminology and methods of ISO/IEC 17000; b) ISO/IEC 17029 for the validation and verification of claims; c) statistics for the calculation of representative samples from populations; d) requirements for conformity assessment bodies according to ISO/IEC 17011 and the requirements for reference to the status of accreditation. | x | x+ (excl. d)) | x+ (excl. d)) | x+ (incl. d)) | x+ (incl. d)) | x |
| Knowledge of client’s business sector: a) generic terminology, processes, technologies and risks related to the client business sector; b) tools, methods and techniques related to artificial intelligence management and their application; c) artificial intelligence management and governance structures including roles and responsibilities in the provision, development and use of an AI system; d) policies and business requirements for artificial intelligence management; e) codes of conduct as well as good practices and procedures on trustworthy AI (e.g. related to ISO/IEC TR 24028:2020 [6]) within the specific industry; f) relevant business sector practices; g) software developing processes. | x | x+ | x+ | x | x | - |
| Knowledge of client products, processes and organization: a) the effect of organization type, governance, structure, functions and relationships on development and implementation of the AIMS and certification activities, including outsourcing; b) technologies (including algorithms), methods, processes and tools that encompass data science and the discipline of AI as well as specific AI processes such as machine learning; c) processes applicable to AIMS; d) AIMS-specific documentation structures, hierarchy and interrelationships; e) AIMS monitoring, measurement, analysis and evaluation; f) risk management processes, including assessment and mitigation procedures (in particular knowledge of ISO/IEC 23894 [7]); g) information and data security as well as impact assessment and risk assessment related to artificial intelligence management (in particular knowledge of ISO/IEC 22989, ISO/IEC 5259-3:—, ISO/IEC TR 24027:2021 [8], ISO/IEC CD 42005⁴ [9] as well as ISO/IEC 27001 and, if applicable, ISO/IEC 27701); h) track and identify incidents with serious negative effects on affected persons within a client's AIMS. | x | x+ | x+ | - | x+ | - |

NOTE Further information on the principles of auditing can be found in ISO 19011 [5].

Key
x+ expert knowledge and major experience required for the function
x knowledge and experience required for the function
- competences not required for the function
353

4 Under preparation. Stage at the time of publication: ISO/IEC CD 42005:2023.


354 7.2 Personnel involved in the certification activities


355 7.2.1 General
356 The requirements of ISO/IEC 17021-1:2015, 7.2 apply. In addition, the following requirements and
357 guidance apply.
358 7.2.2 Selecting auditors and personnel reviewing the audit reports
359 In addition to 7.1.3.2 of this document, the criteria for selecting personnel that fulfils the function of
360 “auditor” or “reviewer of audit reports” for the certification process shall ensure that the selected
361 personnel:
362 a) has professional education or training to an equivalent level of university education;
363 b) has at least four years of full-time practical professional experience in the field of information
364 technology or data protection, with at least two years related to AI systems;
365 c) has successfully completed at least three days of training that includes AIMS audits and audit
366 management;
367 d) has gained auditing experience prior to acting as an auditor for AIMS, evident by auditing
368 management systems (such as but not limited to ISO 9001 [10], ISO 13485 [11], ISO/IEC 27001).
369 This experience shall have been gained in at least 30 audit days or of at least three management
370 system audits, and the experience shall be performed in the last five years. This experience shall
371 have been gained as an auditor under the supervision and evaluation of a more experienced
372 auditor (see ISO/IEC 17021-1:2015, 9.2.2.1.4) in the course of participation in at least one initial
373 certification or re-certification audit and at least one surveillance audit. The participation shall
374 include review of documentation and risk assessment, implementation assessment, and audit
375 reporting;
376 e) has relevant and current experience of auditing;
377 f) maintains current knowledge related to AI and audits through ongoing professional development.
378 The personnel making certification decisions (7.1.3.4 of this document) is not required to meet the same
379 competences as the personnel conducting the review of audit reports (7.1.3.3 of this document) as well
380 as the selection criteria in 7.2.3 of this document as long as these functions are conducted by different
381 personnel. If, however, the function of “reviewer of audit report” (7.1.3.3 of this document) and “decision
382 maker” (7.1.3.4 of this document) are fulfilled by the same personnel, the personnel shall fulfil the
383 required competencies for both roles (7.1.3.3 and 7.1.3.4 of this document) as well as for 7.2.3 of this
384 document.
385
386 7.2.3 Selecting an individual auditor for leading the personnel fulfilling the function of
387 “auditor”
388 In addition to 7.1.3.2 and 7.2.2 of this document the criteria for selecting an individual auditor for leading
389 the personnel fulfilling the function of “auditor” shall ensure that this individual auditor:
390 a) has actively participated in at least three ISO/IEC 42001 audits. The participation shall include
391 initial planning, review of documentation and risk assessment, formal audit reporting, and, if
392 applicable, implementation assessment of client’s corrective actions;
393 b) has leadership skills in the management of the auditing process and on the ability to mediate
394 when opinions within the personnel conducting the audit diverge in analysis of audit evidence
395 and opinion formation;
396 c) has evidence of effective oral and written communication skills.
397 The individual auditor leading the personnel fulfilling the function of “auditor” shall meet these
398 requirements, through previous experience in supervised audits performed by an experienced AIMS
399 auditor who has conducted at least three ISO/IEC 42001 audits.


400 7.3 Use of individual external technical experts


401 7.3.1 General
402 The requirements of ISO/IEC 17021-1:2015, 7.3 apply. In addition, the following requirements and
403 guidance apply.
404 7.3.2 Use of individual external technical experts within the certification process
405 Technical experts shall work under the supervision of the personnel conducting an audit or the
406 responsible personnel within other steps of the certification process at the certification body. Each
407 technical expert shall have demonstrable expertise through training as defined in 7.2.3 a) of this
408 document. The technical expert shall have a minimum of three years of professional experience in their
409 own sector of expertise based on 7.2.2 a) of this document and shall have basic knowledge of the
410 terminology of AI systems.

411 7.4 Personnel records


412 The requirements of ISO/IEC 17021-1:2015, 7.4 apply.

413 7.5 Outsourcing


414 Outsourcing in accordance with ISO/IEC 17021-1:2015, 7.5 is not permitted within the scope of
415 certification according to ISO/IEC 42001:—.

416 8 Information requirements


417 8.1 Public information
418 The requirements of ISO/IEC 17021-1, 8.1 apply.

419 8.2 Certification documents


420 8.2.1 General
421 The requirements of ISO/IEC 17021-1:2015, 8.2 apply. In addition, the following requirements and
422 guidance apply.

423 8.2.2 AIMS certification documents


424 The certification documents for an AIMS shall demonstrate conformance with the content of the
425 information within the template in Annex B of this document. The certification body can display the
426 information as it suits itself.
427 8.3 Reference to certification and use of marks
428 The requirements of ISO/IEC 17021-1:2015, 8.3 apply.

429 8.4 Confidentiality


430 8.4.1 General
431 The requirements of ISO/IEC 17021-1:2015, 8.4 apply. In addition, the following requirements and
432 guidance apply.

433 8.4.2 Access to the documentation of the organization


434 Prior to the certification audit, the certification body and the client shall mutually establish the necessary
435 actions (contractual, operational and technical) to be implemented for the audit to provide all necessary
436 information and evidence for certification to the certification body. This can include access to source code
437 and raw data.


438 The certification body and the client shall mutually establish and implement safeguards for protected
439 information or sensitive information, intellectual property, trade secrets and the technical means and
440 infrastructures to be used in the certification agreement in accordance with ISO/IEC 17021-1:2015, 5.1.2.
441 8.5 Information exchange between a certification body and its clients
442 The requirements of ISO/IEC 17021-1:2015, 8.5 apply.

443 9 Process requirements


444 9.1 Pre-certification activities
445 9.1.1 Application
446 9.1.1.1 General
447 The requirements of ISO/IEC 17021-1:2015, 9.1.1 apply. In addition, the following requirements and
448 guidance apply.
449 9.1.1.2 Readiness for application
450 The certification body shall require that the client has a documented and implemented AIMS that
451 complies with ISO/IEC 42001:— and other documents required for certification.
452 9.1.2 Application review
453 The requirements of ISO/IEC 17021-1:2015, 9.1.2 apply.
454 If the certification body cannot meet the client's requirements for confidentiality of involved personnel
455 according to 8.4 of this document, the certification body shall not accept the assignment.
456 9.1.3 Audit programme
457 The requirements of ISO/IEC 17021-1:2015, 9.1.3 apply. In addition, the following requirements and
458 guidance apply.
459 9.1.3.1 General
460 The audit programme for AIMS audits needs to provide for all determined measures.
461 The audit programme for an ISO/IEC 42001:— audit shall identify the role of the client as an AI provider,
462 AI developer or AI user. A client can occupy one or multiple AI roles. For example, a client can be both an
463 AI developer and AI provider. The audit shall cover all relevant requirements in line with the entire life
464 cycle defined in ISO/IEC 5338:— [1]. In this context, all processes for regional and regulatory peculiarities
465 covered by the AIMS shall be surveyed and assessed for suitability in stage 1 in order to enable an
466 appropriate and risk-oriented selection of functional tests for stage 2.

467 9.1.4 Audit methodology


468 The certification body's procedures in stage 1 and stage 2 shall, in addition to demonstrating compliance
469 with the requirements of ISO/IEC 42001:—, consider in particular the interfaces with other management
470 systems to ISO 9001 [10], ISO/IEC 27001 and ISO/IEC 27701 and ensure consistency and feasibility of
471 controls and reporting routes between management systems.
472 If, according to the client's specifications, the management system certification is to be used for an
473 acceptance according to ISO/IEC 17065:2012, 7.4.5 as part of a product, service or process certification,
474 representative samples shall be drawn as part of stage 2.
475 Representative samples are samples for controls that have an effect on the quality of the product, service
476 or process if they are related to the quantity of AI products placed on the market or of the users of AI
477 services or processes.


478 9.1.4.1 Deployment of remote audit


479 The certification body shall define procedures to determine the proportion of remote audit activities
480 (“remote audits”) within an entire audit. The procedures shall include a prior case by case risk
481 assessment as well as a review regarding the potential applicability of remote audits to the AI system(s)
482 managed by the specific AIMS. The certification body shall ensure that the remote technology is suitable
483 for providing the necessary evidence for a certification decision.

484 9.1.4.2 Scope of certification


485 The personnel conducting the AIMS audit shall audit the AIMS covered by the defined scope against all
486 applicable statements to fulfil the certification requirements. The certification body shall confirm that the
487 client’s AIMS addresses the requirements in ISO/IEC 42001:—.
488 Certification bodies shall ensure that the risk assessment and risk treatment of the client's AI
489 management system adequately reflects its activities and extends to the boundaries of the activities as
490 defined in the scope of certification. Certification bodies shall confirm that this is reflected in the client’s
491 scope of their AIMS and statement of applicability (SoA). The certification body shall verify that there is
492 at least one SoA per scope of certification.
493 Certification bodies shall ensure that interfaces to services or activities that are not entirely within the
494 AIMS scope of applicability are addressed in the AIMS undergoing certification and have been included
495 in the risk assessment of the client's artificial intelligence management system. An example of such a
496 situation is the sharing of facilities on which the AI system runs or is interconnected (e.g. IT systems,
497 databases and telecommunication systems or the outsourcing of a business function) with other
498 organizations.
499 9.1.4.3 Certification audit criteria
500 The criteria against which the AIMS is audited shall be ISO/IEC 42001:—. Other documents can be
501 required for certification relevant to the function performed.
502 9.1.5 Determining audit time
503 9.1.5.1 General
504 The requirements of ISO/IEC 17021-1:2015, 9.1.4 apply. In addition, the following requirements and
505 guidance apply.
506 9.1.5.2 Audit time
507 Certification bodies shall provide personnel conducting the AIMS audit with sufficient time to perform all
508 activities related to an initial certification audit, surveillance audit, or re-certification audit. The
509 calculation of total audit time shall include sufficient time for audit reporting and for internal consultation
510 within the personnel conducting the audit.
511 Additional time shall be scheduled and provided as needed for each nonconformity finding, separate from
512 normal audit time calculations, to evaluate corrective actions, if needed.
513 The certification body shall use 9.1.5 and Annex A of this document to determine audit time requirements
514 for the defined scope under ISO/IEC 42001:—. The specified audit times in Annex A of this document
515 relate to the activities of the entire personnel conducting the AIMS audit on site. A breakdown of the times
516 by person is not permissible.
517 NOTE Annex C of this document provides further guidance and examples on the calculation of audit time.

518 9.1.6 Multi-site sampling


519 The requirements of ISO/IEC 17021-1:2015, 9.1.5 apply.


520 9.1.7 Multiple management systems


521 9.1.7.1 General
522 The requirements of ISO/IEC 17021-1:2015, 9.1.6 apply. In addition, the following requirements and
523 guidance apply.

524 9.1.7.2 Integration of the AIMS documentation into the documentation for other management
525 systems
526 The certification body may accept documentation that is combined (e.g. for information security, privacy,
527 risk management and quality) as long as the AIMS can be clearly identified together with the appropriate
528 interfaces to the other systems.
529 9.1.7.3 Combining management system audits
530 The AIMS audit may be combined with audits of other management systems, provided that it can be
531 demonstrated that the audit satisfies all requirements for certification of the AIMS. All the elements
532 important to an AIMS shall appear clearly and be readily identifiable in the audit reports. The quality of
533 the audit shall not be adversely affected by the combination of the audits.

534 9.2 Planning audits


535 9.2.1 Determining audit objectives, scope and criteria
536 9.2.1.1 General
537 The requirements of ISO/IEC 17021-1:2015, 9.2.1 apply. In addition, the following requirements and
538 guidance apply.

539 9.2.1.2 Audit objectives


540 The audit objectives shall include the determination of the effectiveness of the AIMS to ensure that the
541 client, based on the risk assessment, has identified the necessary controls and achieved the established
542 objectives regarding the artificial intelligence management system.
543 9.2.1.3 Audit criteria
544 The criteria against which the AIMS is audited shall be the AIMS standard ISO/IEC 42001:—. The audit
545 criteria may be expanded to include comparison of controls additional to ISO/IEC 42001:—, Annex A
546 provided in a sector-specific standard. Other documents can be required for certification relevant to the
547 function performed.


548 If the audit criteria include sector-specific standard extensions the following applies:
549 The certification body shall use an international, regional or national standard that defines requirements
550 for audit and certification in accordance with the sector-specific extension of ISO/IEC 42001:—
551 certification where such a standard exists. In addition, this document continues to apply.
552 NOTE Whenever this document uses the term “AIMS” it equally applies to the AIMS according to ISO/IEC 42001:—
553 and the sector-specific standard extensions of AIMS according to ISO/IEC 42001:—.

554 When selecting a standard that provides the requirements for the provision of audit and certification to
555 a sector-specific extension standard the certification body shall ensure that the standard covers at least
556 the following topics:
557 a) the exact reference to the standard describing the sector-specific extension to ISO/IEC 42001:—
558 (to supplement the requirements in 9.1.3.6 of this document);
559 b) the competence criteria of personnel conducting AIMS audits (as an extension of 7.1.3.2 and 7.2.2
560 of this document);
561 c) the calculation of audit time (as an extension of 9.1.4 and Annex A of this document).


562 9.2.2 Selection and assignment of personnel conducting the AIMS audit
563 9.2.2.1 General
564 The requirements of ISO/IEC 17021-1:2015, 9.2.2 apply. In addition, the following requirements and
565 guidance apply.

566 9.2.2.2 Personnel conducting the AIMS audit


567 The personnel conducting the AIMS audit shall be formally appointed and provided with the appropriate
568 working documents. The mandate given to the personnel conducting the AIMS audit shall be clearly
569 defined and made known to the client.
570 9.2.3 Audit plan

571 9.2.3.1 General


572 The requirements of ISO/IEC 17021-1:2015, 9.2.3 apply. In addition, the following requirements and
573 guidance apply.

574 9.2.3.2 Audit plan for AIMS


575 The audit plan for AIMS audits shall take the determined artificial intelligence controls according to
576 ISO/IEC 42001:— into account.

577 9.2.3.3 Timing of audit


578 A certification body should agree with the organization to be audited the timing of the audit that best
579 represents the scope under certification of the organization.

580 9.3 Initial certification


581 The requirements of ISO/IEC 17021-1:2015, 9.3 apply. In addition, the following requirements and
582 guidance apply.

583 9.3.1 Initial certification audit


584 9.3.1.1 Stage 1
585 In this stage of the audit, the certification body shall obtain documentation on the design of the AIMS that
586 covers the documentation required by ISO/IEC 42001:—.
587 The certification body shall obtain a sufficient understanding of the design of the AIMS in the context of
588 the client's organization, risk assessment and management (including defined measures), AI policy, and
589 information security policy and objectives, and in particular the client's readiness for the audit. This will
590 enable planning for stage 2.
591 The results of stage 1 shall be documented in a written report. The certification body shall review the
592 stage 1 audit report before deciding on proceeding with stage 2 and for selecting the personnel
593 conducting the stage 2 audit with the necessary competences. This shall be done through an independent
594 review by a person from the certification body who is not involved in the audit, or may be done by the
595 auditor who led the stage 1 audit if that auditor is deemed competent and suitable and also will not be
596 part of the stage 2 audit.
597 NOTE Independent review (i.e. by a person from the certification body not involved in the audit) is one measure
598 to mitigate the risks involved when deciding if and with whom to proceed to stage 2. However, other risk mitigation
599 measures can already be in place achieving the same goal.

600 The certification body shall make the client aware of the further types of information and records that
601 can be required for detailed examination during stage 2.

602 9.3.1.2 Stage 2


603 9.3.1.2.1 Audit plan for stage 2
604 The certification body shall develop an audit plan for conducting stage 2 based on the findings
605 documented in the stage 1 audit report. In addition to assessing the effective implementation of the AIMS,
606 the objectives of stage 2 are to:
607 a) confirm that the client is in compliance with its own policies, guidelines, objectives, and
608 procedures;
609 b) confirm that the client complies with legal obligations and any client requirements related to the
610 AI management system.
611 To this end, the audit shall focus on the following aspects of the client:
612 a) top management leadership and commitment to the AI policy and objectives for the AI system;
613 b) functional testing for the documentation requirements, controls, committees, risk assessment
614 processes, reporting processes and handling of complaints listed in ISO/IEC 42001:—;
615 c) assessment of the risks associated with the AI system and the degree to which repeated
616 assessments produce consistent, valid, and comparable results;
617 d) determination of the objectives of action and measures based on the AI risk assessment and risk
618 treatment process;
619 e) effectiveness of the AIMS against the set AI objectives and scopes;
620 f) programmes, processes, procedures, records, internal audits, and evaluation of AIMS
621 effectiveness to ensure they are consistent with senior management decisions and AI policies and
622 objectives;
623 g) the AIMS requirements for functional testing through representative sampling for controls that
624 affect the quality of the product, service, or process related to the quantity of AI products placed
625 on the market or related to the amount of users of an AI system.

626 9.4 Conducting audits


627 9.4.1 General
628 The requirements of ISO/IEC 17021-1:2015, 9.4 apply. In addition, the following requirements and
629 guidance apply.

630 9.4.2 General requirements


631 The certification body shall have documented procedures for the following:
632 a) the initial certification audit of a client's AIMS, in accordance with ISO/IEC 17021-1 and ISO/IEC
633 42001:—;
634 b) surveillance and re-certification audits of a client's AIMS, in accordance with ISO/IEC 17021-1
635 and ISO/IEC 42001:—, for continued compliance with relevant requirements and to verify and
636 record that a client is taking timely corrective action to address any nonconformities.

637 9.4.3 Specific elements of the AIMS audit


638 The certification body represented by the personnel conducting the audit shall:
639 a) require the client to demonstrate that the assessment of AI-specific related risks is relevant and
640 appropriate to the AIMS operation covered by the scope of the AIMS;
641 b) determine whether the client's procedures for identifying, investigating, and assessing AI-specific
642 related risks and the results of implementation are consistent with the client's policies and
643 objectives.
644 The certification body shall also determine whether the procedures used in the risk assessment were
645 thoroughly and appropriately implemented.

646 9.4.4 Audit report


647 9.4.4.1 General
648 The requirements of ISO/IEC 17021-1:2015, 9.4.8 apply. In addition, the following requirements and
649 guidance apply.

650 9.4.4.2 Audit report and objective evidence


651 The audit report shall include the following information or references to the reporting requirements in
652 ISO/IEC 17021-1:2015, 9.4.8:
653 a) an account of the audit, including a summary of the document review;
654 b) a narrative of the certification audit of the risk analysis for the client’s AI system;
655 c) deviations from the audit plan (e.g. increased or decreased time spent on certain planned
656 activities);
657 d) the AIMS application scope;
658 e) the objective evidence to demonstrate conformities summarily and to demonstrate all
659 nonconformities completely, including all documentation to demonstrate assessment and
660 elimination of the nonconformities.

661 9.4.4.3 Audit report and certification decision


662 The audit report shall provide sufficient detail to facilitate and support the certification decision. It shall
663 contain the following:
664 a) significant audit trails followed and audit methods used (see 9.1.3 and 9.1.4 of this document);
665 b) observations, both positive (e.g. notable features) and negative (e.g. potential nonconformities);
666 c) comments on compliance with certification requirements by the client’s AIMS with a clear
667 statement listing identified nonconformity, a reference to the statement of applicability (SoA)
668 and, if appropriate, any useful comparison with the results of previous certification audits of the
669 client.
670 Completed questionnaires, checklists, observations, logs or auditor notes can form an integral part of the
671 audit report. If these methods are used, these documents shall be given to the certification body as
672 evidence to support the evaluation and certification decision. Information on samples evaluated during
673 the audit shall be included in the audit report or other certification documentation.
674 The report shall consider the adequacy of the internal organization and procedures used by the client to
675 gain confidence in the AIMS.
676 In addition to the reporting requirements in ISO/IEC 17021-1:2015, 9.4.8, the audit report shall further
677 include the following information:
678 a) a summary of key observations, both positive and negative, regarding the implementation and
679 effectiveness of the AIMS requirements and AI management measures;
680 b) the recommendations of the personnel conducting the audit regarding whether the organization
681 implementing the AIMS should be certified, including information on the rationale for that
682 recommendation.

683 9.5 Certification decision


684 The requirements of ISO/IEC 17021-1:2015, 9.5 apply.

685 9.6 Maintaining certification


686 9.6.1 General
687 The requirements of ISO/IEC 17021-1:2015, 9.6.1 apply.

688 9.6.2 Surveillance activities


689 9.6.2.1 General
690 The requirements of ISO/IEC 17021-1:2015, 9.6.2 apply. In addition, the following requirements and
691 guidance apply.

692 9.6.2.2 Surveillance audits


693 Surveillance audit procedures shall be consistent with those related to the certification audit of the
694 client’s organization as outlined in this document.
695 The purpose of surveillance is to verify that the organization is continuously running an AIMS according to
696 ISO/IEC 42001:—, to consider the effect of changes to that system made due to changes in the client’s
697 organization, and to confirm continued compliance with the certification requirements.
698 The certification body shall adapt its surveillance programme to address AI issues related to risks and
699 effects to the client and justify that programme.
700 Surveillance audits may be combined with audits of other management systems. Reporting shall clearly
701 identify the aspects relevant to each management system.
702 As part of surveillance audits, certification bodies shall review records of appeals and complaints
703 submitted to the certification body. In cases of identified nonconformities and unmet certification
704 requirements, certification bodies shall verify that the client has investigated its own AIMS and
705 procedures and taken appropriate corrective action.
706 A surveillance audit report shall include, in particular, information on the resolution of previously
707 discovered nonconformities, as well as the version of the SoA and significant changes since the last audit.
708 9.6.3 Re-certification

709 9.6.3.1 General


710 The requirements of ISO/IEC 17021-1:2015, 9.6.3 apply. In addition, the following requirements and
711 guidance apply.

712 9.6.3.2 Re-certification audits


713 Re-certification audit procedures shall be consistent with the procedures related to the initial
714 certification audit of the client with an AIMS as outlined in this document.
715 The time allowed to implement corrective actions shall be proportionate to the severity of the
716 nonconformity and the associated risks of the AI system.

717 9.6.4 Special audits


718 9.6.4.1 General
719 The requirements of ISO/IEC 17021-1:2015, 9.6.4 apply. In addition, the following requirements and
720 guidance apply.

721 9.6.4.2 Special audits


722 The activities necessary to conduct special audits shall be subject to special provisions in the event that
723 a certified client with an AIMS makes significant changes to its system or in the event that other changes
724 occur that can affect the basis for certification.
725 9.6.5 Suspending, withdrawing or reducing the scope of certification
726 The requirements of ISO/IEC 17021-1:2015, 9.6.5 apply.

727 9.7 Appeals


728 The requirements of ISO/IEC 17021-1:2015, 9.7 apply.

729 9.8 Complaints


730 The requirements of ISO/IEC 17021-1:2015, 9.8 apply.

731 9.9 Client records


732 The requirements of ISO/IEC 17021-1:2015, 9.9 apply.

733 10 Management system requirements for certification bodies


734 10.1 Options
735 The requirements of ISO/IEC 17021-1:2015, 10.1 apply.

736 10.2 Option A: General management system requirements


737 The requirements of ISO/IEC 17021-1:2015, 10.2 apply.

738 10.3 Option B: Management system requirements in accordance with ISO 9001
739 The requirements of ISO/IEC 17021-1:2015, 10.3 apply.

740 Annex A
741 (normative)
742
743 Audit time

744 A.1 Criteria of determining audit time


745 A.1.1 General
746 This Annex contains further requirements related to ISO/IEC 17021-1, 9.1. This Annex provides
747 minimum requirements and guidance for a certification body on the development of its own procedures
748 for determining the amount of time required for the certification of an organization running an AIMS and
749 its determined scope based on differing sizes and complexity over a broad spectrum of activities.
750 Certification bodies shall identify the amount of audit time to be spent on initial certification, surveillance
751 and re-certification for each client. Using this Annex A at the audit-planning phase leads to a consistent
752 approach to the determination of appropriate audit time. Additionally, the audit time can be adjusted
753 based on what is found during the course of the audit, especially during stage 1 (e.g. different scopes and
754 system impacts that affect the assessment of the complexity of the AIMS).
755 This Annex presents:
756 — concepts that are used for audit time calculation (A.2);
757 — requirements for the procedures for determining audit time for the different stages of the audit (A.3;
758 A.4; A.5; A.6; A.8);
759 — requirements related to multi-site audits (A.7).
760 Examples for audit time calculation to illustrate the application of Annex A can be found in Annex C.
761 A basic assumption of this approach is that a calculation scheme for determining audit time should:
762 a) consider only substantiated attributes that can be determined;
763 b) be easy enough to be applied efficiently by certification bodies;
764 c) be complex enough to enable sufficient distinction between AIMS of differing complexity.
765 The determination of the audit time is based on the numbers provided in Table A.1 (“Calculation of
766 baseline audit time”) below and shall consider contributing factors for modification.

767 A.2 Concepts


768 A.2.1 Number of persons under the organization’s control that are involved in the AI
769 life cycle processes
770 The total number of persons under the organization’s control that are involved in the AI life cycle
771 processes for all shifts within the scope of the certification is the starting point for determination of audit
772 time.
773 NOTE Persons doing work under the organization’s control that are involved in the AI life cycle processes includes
774 the organization’s own personnel and contract workers required to work in accordance with the requirements of
775 the AIMS.

776 Part-time persons doing work under the organization's control contribute to the number of persons
777 doing work under the organization's control proportionally to the number of hours worked as compared
778 with a full-time person doing work under the organization's control. This determination shall depend
779 upon the number of hours worked as compared with a full-time employee.

780 When a high percentage of persons doing work under the organization’s control within the scope of
781 certification perform certain identical activities, a reduction of the number of persons prior to the use of
782 Table A.1 is permitted for the calculation of audit time. Certification bodies shall use the factors below
783 and the influence of the AI system effect on the activities proposed to determine how a reduction of the
784 number of persons is applied within the scope of certification. Coherent, consistent and repeatable
785 procedure(s) that can be applied on a client-by-client basis shall be documented.

786 A.2.2 Auditor day


787 “Audit time” as referenced in the chart is stated in terms of “auditor days” spent on the audit. The basis
788 of the calculation of Annex A is an 8 h working day.
789 The specified “audit time” relates to the activities of the entire personnel conducting the audit on site. A
790 breakdown of the times by person is not permissible.

791 A.3 Procedure for determining audit time for initial certification audit
792 A.3.1 General
793 The calculation of audit time shall follow a documented procedure.

794 Table A.1 — Calculation of baseline audit time


795

| Number of persons under the organization’s control that are involved in the AI life cycle processes (based on ISO/IEC 5338:— [1] / ISO/IEC 22989:2022) | AIMS roles: Auditor days — AIMS for AI producer | AIMS roles: Auditor days — AIMS for AI developer or provider (≈ 2/3 of AIMS audit time for AI producer) | AIMS roles: Auditor days — AIMS for AI user (≈ 2/3 of AIMS audit time for AI producer) | AIMS roles: Auditor days — AIMS for clients with multiple roles (≈ 1/3 additional audit time of AIMS for AI producer) | Further additive factors | Total audit time |
|---|---|---|---|---|---|---|
| 1-10 | 5.0 | 3.5 | 3.5 | 6.5 | See A.3.2 | |
| 11-15 | 6.0 | 4.0 | 4.0 | 8.0 | See A.3.2 | |
| 16-25 | 7.0 | 4.5 | 4.5 | 9.5 | See A.3.2 | |
| 26-45 | 8.5 | 6.0 | 6.0 | 11.5 | See A.3.2 | |
| 46-65 | 10.0 | 7.0 | 7.0 | 13.0 | See A.3.2 | |
| 66-85 | 11.0 | 7.5 | 7.5 | 15.0 | See A.3.2 | |
| 86-125 | 12.0 | 8.0 | 8.0 | 16.0 | See A.3.2 | |
| 126-175 | 13.0 | 9.0 | 9.0 | 17.5 | See A.3.2 | |
| 176-275 | 14.0 | 9.5 | 9.5 | 19.0 | See A.3.2 | |
| 276-425 | 15.0 | 10.0 | 10.0 | 20.0 | See A.3.2 | |
| > 425 | Follow progression above | Follow progression above | Follow progression above | Follow progression above | See A.3.2 | |
796

797 A.3.2 Factors for adjustment of audit time


798 The time allocated shall also consider the following factors that relate to the complexity of the AIMS and
799 therefore to the effort needed to audit the organization running the AIMS:
800 a) complexity of the AIMS (e.g. complexity of data, risk assessment procedures of the AIMS, etc.);
801 b) relevance of the system impact (whether the system in question has a high, medium or low impact);
802 c) the type(s) of business performed within the scope of the AIMS;
803 d) previously demonstrated performance of the AIMS;

804 e) extent and diversity of technology utilized in the implementation of the various components of
805 the AIMS (e.g. number of different IT platforms, IT-Cloud, number of segregated networks);
806 f) extent of outsourcing and third party arrangements used within the scope of the AIMS;
807 g) number of company locations and number of Disaster Recovery (DR) sites;
808 h) number of all controls needed to satisfy ISO/IEC 42001 requirements based on controls outlined
809 in ISO/IEC 42001 or other sources or both;
810 i) extent and complexity of controls (including potential reconsideration before stage 2);
811 j) for surveillance or re-certification audit: the amount and extent of change relevant to the AIMS in
812 accordance with ISO/IEC 17021-1, 8.5.3.
813 Annex C provides examples of how these different factors can be taken into account when calculating audit
814 time.

815 Table A.2 — Calculation of additive factors on audit time


| Complexity of the AIMS | Relevance of the AI system impact (a): Auditor days — high impact | Relevance of the AI system impact (a): Auditor days — medium impact (≈ 2/3 of auditor days of high impact) | Relevance of the AI system impact (a): Auditor days — low impact (≈ 1/3 of auditor days of high impact) | Total audit time |
|---|---|---|---|---|
| Sensitive context of AI system(s) | 8.0 | 5.5 | 3.0 | |
| Non-sensitive context of AI system(s) | 6.0 | 4.0 | 2.0 | |
| Data complexity with reference to the managed AI system(s) | 20.0 | 13.5 | 7.0 | |
| Risk assessment with reference to the managed AI system(s) | 25.0 | 17.0 | 8.5 | |
| More than one legal framework to manage | 6.0 | 4.0 | 2.0 | |
| Number of outsourced services used in the scope of the AIMS | 10.0 | 7.0 | 3.5 | |
| AIMS running in more than one company location | 4.0 | 3.0 | 1.5 | |
| Number of Disaster Recovery Sites | 1.5 | 1.0 | 0.5 | |
| Diversity of technology | 20.0 | 13.5 | 7.0 | |
| Number of all documented controls needed to satisfy ISO/IEC 42001 requirements | 20.0 | 13.5 | 7.0 | |

(a) Impact describes the real impact to be expected on the rights of the persons affected or on areas of public
interest such as health and safety by the AI system(s) that is managed by the AIMS of an organization.
816
817 The additive factors need to be evaluated on the basis of the experience present in the certification body.
818 In all cases where additional adjustments are made to the time provided in Table A.1, sufficient evidence
819 and records shall be maintained to justify the variation.
820
821 Examples of factors that can lead to additional audit time include the following:

822 — complicated logistics involving more than one building or location in the scope of the AIMS;
823 — client staff speaking more than one language (requiring interpreter(s) or preventing individual
824 auditors from working independently) or documentation provided in more than one language;
825 — activities that require visiting temporary sites to confirm the activities of the permanent site(s)
826 whose management system is subject to certification;
827 — high number of standards and regulations that apply to the AIMS.

828 A.3.3 On-site audit time


829 On-site audit time refers to the on-site audit time allocated for individual sites. The combined time for
830 planning, consultation within the personnel conducting the audit and report writing should not account
831 for more than 30 % of the time calculated in accordance with A.3.1 of this document. The on-site audit
832 time (physical/virtual) should be at least 70 % of the time calculated in accordance with A.3.1 of this
833 document. Where additional time is required for either planning or report writing, or both, this shall not
834 be a justification for reducing on-site audit time. Any auditor travel time shall be added on top of the
835 calculated audit time in accordance with A.3.1 and A.3.2 of this document to determine the total audit
836 time.
837 NOTE 70 % is based on experience with ISMS audits.

838 A.3.4 Remote methods for conducting audit


839 Any remote auditing methods used to interface with the organization, such as interactive web-based collaboration,
840 web meetings, teleconferences or electronic verification of the organization’s processes, shall be identified in the
841 audit plan (as in 9.2.3 of this document). The use of such methods can contribute to calculations of total on-site audit
842 time.
843 NOTE Electronic audits of remote sites do not contribute to on-site audit time, even if these electronic audits
are conducted on the organization’s premises.

844 A.4 Audit time for surveillance audit


845 For the initial certification audit cycle, surveillance time for a given organization should be proportional
846 to the time spent at initial certification audit with the total amount of time spent annually on surveillance
847 being about 1/3 of the time spent on the initial certification audit. The planned surveillance time should
848 be reviewed from time to time to account for changes that affect audit time. The time spent for a
849 surveillance audit shall be adjusted proportionally to account for any changes in the AIMS (such as new
850 or changed controls).

851 A.5 Audit time for re-certification audit


852 The total amount of time spent performing the re-certification audit shall depend upon the results of any
853 prior audit as defined in 9.6.3 of this document and ISO/IEC 17021-1, 9.6.3. Re-certification audit time
854 should be proportional to initial certification audit time. Re-certification audit time should be at least 2/3
855 of the initial certification audit time.

856 A.6 Deviation from baseline audit time


857 To ensure that audits are effective and to ensure reliable and comparable results, the baseline audit time
858 calculated in Table A.1 of this document (including the additive factors) shall be considered a minimum
859 and shall not be reduced.
860 Appropriate reasons for deviation shall be established and documented.

861 A.7 Audit time of multi-site


862 The requirements of ISO/IEC 17021-1:2015, 9.1.5 apply.

863 A.8 Audit time for scope extensions


864 Required audit time for extension to the scope of an AIMS run by a certified client shall be calculated
865 based on the following factors:
866 a) type of extension;
867 b) activities of the current certification;
868 c) number of locations at which activities are undertaken;
869 d) risks related to the activities;
870 e) number of controls relevant to the extension;
871 f) number of persons under the organization’s control involved in the AI life cycle processes of the
872 extended scope;
873 g) time required to review the integration of the extended scope into the AIMS.
874 Certification bodies shall have procedures that provide a consistent approach to extension of scope.
875 For the initial certification audit of the extended scope, the time shall be calculated based on roles, sites
876 and number of persons using A.3 of this document.
877 Audit time shall be added to the calculated time to review the certified client running its AIMS. This
878 additional time shall be a minimum of 0,5 auditor day if the extension to scope audit is conducted at the
879 same time as an AIMS audit of the organization or 1 auditor day if the extension is conducted on its own.
880 NOTE The application of this document to different sectors potentially leads to differences in the calculation of audit
881 times.

882 Annex B
883 (normative)
884
885 Template for certification document

886 B.1 General


887 The certification documents for an AIMS shall demonstrate conformance with the content of the template
888 in B.2. The certification body can display the information as it suits itself.

889 B.2 Certificate text for this document


890
891 Certification Body Logo and
address
892 Certificate
893
894 The certification body [_____________] hereby confirms as a result of the certification decision on [DD.MM.YYYY] according to
895 ISO/IEC 17021-1 that the

896
897 [Certified organization]: <exact name and address of the client>

898 [optional locations] <address of branch offices or subsidiaries>

899 a

900 Management System according to ISO/IEC 42001:—


901 SoA Version XXX
902 for the scope

903
904 [description of the scope for which the organization running the AIMS
905 has been certified, if applicable Appendix 1]

906
907 operates in compliance with the requirements of ISO/IEC 42001:— and this certified organization running the AIMS has
908 fulfilled the additional requirements of the [designation of additional requirement] and is monitored by the certification body
909 during the term of the certificate.

910
911 This certificate does not authorize the labelling of products or services.

912
913 -- Optional -- Commencement

914 This certificate entitles the certified organization to use the following conformity mark [exact name of the conformity mark in
915 the sense of ISO/IEC 17030 [3]] under the conditions of the conformity assessment programme for the duration of the
916 certification:

917 Logo conformity mark


918

919 -- Optional -- End

Conformity assessment scheme: [name of the certification scheme and version/rev. xxx]

Certificate ID / Number: XXX certificate number of certification body

Last audit day on site: <dd.mm.yyyy> /report number/date

Surveillance: next planned surveillance by no later than <dd.mm.yyyy>.

Date of issue: <dd.mm.yyyy> Duration until <dd.mm.yyyy> max. 3 years>.

920
921 Signature/named decision maker of the certification body
Accreditation symbol
IAF Symbol

922 Annex C
923 (informative)
924
925 Examples for audit time calculations

926 C.1 General


927 This Annex provides further guidelines and examples on determining audit time based on the criteria
928 outlined in normative Annex A of this document.
929
930 [Editor’s note:
931 This Annex C will provide further guidelines and examples to illustrate normative Annex A of this document.
932 In order to achieve this, Annex C will be developed further and construct examples on audit time calculation
933 if the discussions on normative Annex A are settled. ]
934

935 Bibliography
936 [1] ISO/IEC 5338:—, Information technology — Artificial intelligence — AI system life cycle processes
937 [2] ISO/IEC 17067, Conformity assessment — Fundamentals of product certification and guidelines for
938 product certification schemes
939 [3] ISO/IEC 17030, Conformity assessment — General requirements for third-party marks of conformity
940 [4] ISO 9000, Quality management systems — Fundamentals and vocabulary
941 [5] ISO 19011, Guidelines for auditing management systems
942 [6] ISO/IEC TR 24028:2020, Information technology — Artificial intelligence — Overview of
943 trustworthiness in artificial intelligence
944 [7] ISO/IEC 23894, Information technology — Artificial intelligence — Guidance on risk management
945 [8] ISO/IEC TR 24027:2021, Information technology — Artificial intelligence (AI) — Bias in AI systems and
946 AI aided decision making
947 [9] ISO/IEC 42005:—, Information technology — Artificial intelligence — AI system impact assessment
948 [10] ISO 9001, Quality management systems — Requirements
949 [11] ISO 13485, Medical devices — Quality management systems — Requirements for regulatory purposes
950