ISO/IEC 42001 · Risk & Impact Assessment
AI Risk & Impact Assessment
under Annex A.5
ISO 42001 asks two questions about every AI system: what could go wrong for you, and how could it affect the people around it. This guide covers both assessments — the AI-specific risk categories, the methodology, and the register that records it all.
ISO/IEC 42001:2023 · AI Management System · Last reviewed July 2026
Two Assessments
Risk looks inward. Impact looks outward
The single most common ISO 42001 mistake is collapsing two different assessments into one. They are related, but they answer different questions — and the standard requires both.
AI risk assessment
Question: what could go wrong for the organization and its objectives?
Internal lens. Likelihood × consequence to your operations, finances, reputation, and compliance. Lives in clauses 6 and 8.
AI system impact assessment
Question: how could this system affect individuals, groups, and society?
External lens. Rights, fairness, safety, autonomy. This is Annex A.5 — and the artifact auditors scrutinize most.
What to Look For
The AI-specific risk categories
Classic IT risk assessment misses most of these. An AI risk assessment has to go looking for them deliberately.
Bias & fairness
Discriminatory or skewed outcomes across protected groups, from training data or model design.
Transparency & explainability
Decisions that cannot be explained to users, auditors, or affected people.
Robustness & accuracy
Errors, hallucinations, and degradation under edge cases or distribution shift.
Security
Adversarial inputs, prompt injection, data poisoning, and model extraction or theft.
Privacy & data protection
Exposure of personal data in training data, prompts, or outputs (DPDP Act, GDPR).
Human oversight & autonomy
Systems acting beyond intended scope with no effective human intervention.
Model drift
Silent performance decay as the world changes away from the training distribution.
Third-party & foundation models
Inherited risk from vendors, APIs, and foundation models you do not control.
Societal & environmental
Broader harms — misinformation, labor impact, and compute footprint.
The Methodology
Six steps, ISO 31000 in shape
ISO 42001 does not prescribe one method — it requires a defined, repeatable process with documented results. This is the shape most teams use, drawn from ISO 31000 and ISO/IEC 23894 for risk — and ISO/IEC 42005:2025 for the impact assessment.
Scope & context
Define the AI system, its intended purpose, stakeholders, and the criteria you will judge risk against.
Identify
Enumerate risks across the categories above, and the parties each could affect.
Analyze
Estimate likelihood and consequence for each risk, using consistent, documented scales.
Evaluate
Compare against your risk-acceptance criteria to decide what needs treatment.
Treat
Avoid, reduce, transfer, or accept — and map each treatment to an Annex A control.
Monitor & review
Re-assess on a schedule and on triggers: new data, model changes, incidents, drift.
The Artifact
The AI risk register
The register is where the methodology becomes evidence. These columns capture what an auditor needs to trace a risk from identification through to the control that treats it — and the residual you accepted.
| ID | AI system | Risk & category | Affected parties | Likelihood × impact | Treatment / control | Owner | Residual |
|---|---|---|---|---|---|---|---|
| R-01 | Resume-screening model | Bias against protected groups (Fairness) | Applicants | High × High | Bias testing + human review (A.5, A.9) | Talent lead | Medium |
| R-02 | Support chatbot (LLM) | Prompt injection (Security) | Customers, brand | Medium × High | Input filtering + output guardrails (A.6.2) | Eng owner | Low |
| R-03 | Credit-scoring model | Unexplainable denials (Transparency) | Applicants, regulator | Medium × High | Explainability + adverse-action notices (A.8) | Risk lead | Medium |
Illustrative rows for structure only — your register reflects your own AI systems and risk criteria.
A pre-built AI risk register, impact-assessment template, and Statement of Applicability come in our template pack. Each treatment maps to a control in the Annex A catalog, and the EU AI Act mapping shows how this satisfies the Act's Article 9 risk-management duty.
Keep Exploring
More in the ISO 42001 Hub
AI Governance & AIMS
How an AI Management System is structured under ISO 42001 — policy, accountability, and principles.
Annex A Controls Catalog
All 38 Annex A controls across the nine objectives (A.2–A.10), with what each one governs.
Certification Process
Stage 1, Stage 2, and surveillance — the two-stage audit path and how to prepare for it.
EU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations — and what certification does and does not prove.
Templates & Downloads
The AIMS template pack — AI use-case register, AI policy, risk and impact assessment, and SoA.
Frequently Asked Questions
What teams ask when they sit down to assess an AI system for the first time.
What is the difference between an AI risk assessment and an AI impact assessment?
They answer different questions. An AI risk assessment looks inward: what could go wrong for the organization and its objectives, how likely is it, and how bad would it be? An AI system impact assessment (ISO 42001 Annex A.5) looks outward: how could this AI system affect individuals, groups, and society — fairness, rights, safety, autonomy? ISO 42001 requires both. They feed each other: impacts on people are often the most serious risks to the organization, and the impact assessment frequently surfaces risks a purely internal view would miss.
What does ISO 42001 Annex A.5 require?
Annex A.5 ("Assessing impacts of AI systems") requires a documented process for assessing the potential consequences of AI systems for individuals and groups of individuals (A.5.4) and for society (A.5.5), with the results documented (A.5.3) using a defined process (A.5.2). In practice that means: for each AI system, identify who could be affected and how, assess the severity and likelihood of those impacts, define mitigations, and record the residual position. ISO/IEC 42005:2025 — the AI system impact assessment standard published in May 2025 — provides the step-by-step methodology most organizations now follow to satisfy A.5. It is one of the objectives auditors examine most closely at Stage 2.
What AI-specific risks should the assessment cover?
Beyond classic security and availability, an AI risk assessment should cover bias and fairness, transparency and explainability, robustness and accuracy (including hallucination and edge-case failure), AI-specific security (adversarial inputs, prompt injection, data poisoning, model extraction), privacy and data protection, human oversight and autonomy, model drift over time, and third-party or foundation-model dependency. For generative and agentic systems, prompt injection and unbounded autonomy deserve particular attention.
Is there a standard methodology for AI risk assessment?
Yes. The shape follows ISO 31000 — establish context, identify, analyze, evaluate, treat, monitor and review — applied to AI-specific risks. ISO/IEC 23894 gives guidance on AI risk management specifically, ISO/IEC 42005:2025 gives the methodology for AI system impact assessments, and the NIST AI Risk Management Framework offers a complementary function-based approach (Govern, Map, Measure, Manage). ISO 42001 does not mandate one method; it requires that you have a defined, repeatable process and that you document the results, which is what the risk register and impact-assessment templates capture.
How often should AI risk assessments be repeated?
Treat them as living documents, not one-time exercises. Re-assess on a regular cadence (annually is common) and on triggers: a material model change or retraining, a new data source, a new deployment context, a relevant incident, or detected drift. Because AI systems change behavior as their data and environment change, a risk assessment that is never revisited is one of the more common audit findings.
Written By Expert Auditors
Keep Exploring
Related Reading
ISO 42001 Knowledge Hub
AIMS controls, EU AI Act mapping, risk assessment and guides.
Read moreISO 42001 Annex A Controls
The 39 AI-specific controls grouped by domain, mapped to clauses.
Read moreAI Governance & AIMS
How an AI Management System is structured — policy, accountability, principles.
Read moreEU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations.
Read moreISO 42001 Certification Guide
From gap analysis to Stage 2 audit — the path to an AIMS certificate.
Read moreISO 27001 Overview
The ISMS standard — the baseline certificate global buyers ask for.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours