Skip to main contentChat with us

Learn · ISO 42001 Concepts

AI Risk Assessment vs
AI Impact Assessment

The most-confused distinction in ISO 42001. Both are mandatory, they are not the same document, and auditors check that you know the difference: the risk assessment looks inward at your organization; the impact assessment looks outward at the people your AI touches.

One-line rule: risk = what the AI system could do to you (clause 6.1.2). Impact = what it could do to them (clause 6.1.4, methodology in ISO/IEC 42005:2025). Each feeds the other, and both feed the SoA.

6.1.2the risk assessment clause
6.1.4the impact assessment clause
42005the impact methodology standard

Plain-English explainer · Cites ISO/IEC 42001, 23894 & 42005 · Last reviewed July 2026

ISO/IEC 42001 requires two distinct assessments: an AI risk assessment (clause 6.1.2) that looks inward at risks to your organization, and an AI system impact assessment (clause 6.1.4) that looks outward at consequences for individuals, groups, and society. Teams coming from ISO 27001 expect one risk process and are surprised by the second artifact — there is no ISMS equivalent of the impact assessment, and treating it as a section inside the risk register is one of the most common Stage 1 findings. The two assessments use different lenses, different guidance standards (ISO/IEC 23894 for risk, ISO/IEC 42005:2025 for impact), and different units of analysis — but they interlock: harms you identify to people usually become risks to you (regulatory, contractual, reputational), and both drive which Annex A controls your Statement of Applicability selects.

Side by Side

The Two Assessments, Dimension by Dimension

AI risk assessment AI system impact assessment
Question it answersWhat could go wrong for us — the organization and its objectives?How could this AI system affect them — individuals, groups, and society?
Where the standard requires itClause 6.1.2 (AI risk assessment) with treatment under 6.1.3.Clause 6.1.4 (AI system impact assessment), operationalized by the Annex A.5 controls (A.5.2–A.5.5).
Guidance standardISO/IEC 23894 (AI risk management, built on ISO 31000).ISO/IEC 42005:2025 (AI system impact assessment, published May 2025).
Unit of analysisThe organization: objectives, obligations, assets, reputation.Each AI system, per deployment context: affected parties and potential harms.
Typical contentsRisk register — bias, robustness, security, drift, third-party dependency — with likelihood × impact and treatments.Affected-party inventory, harm scenarios (fairness, rights, safety, autonomy), severity, mitigations, residual position.
Who reads it hardestManagement and the internal audit function.The certification auditor at Stage 2 — the artifact AIMS auditors probe hardest.

How They Interlock

One Feeds the Other, Both Feed the SoA

The working sequence most AIMS implementations settle on: inventory your AI systems, run the impact assessment per system (who could be affected, how badly, with what mitigations — ISO/IEC 42005 gives the step-by-step), then fold the results into the organizational risk assessment: a discriminatory-outcome harm to loan applicants becomes, on your side, a regulatory-penalty and contract-loss risk. Treatment decisions under 6.1.3 then select controls, and the Statement of Applicability records the result — each applicable Annex A control traceable to a specific risk or impact, each exclusion justified. That traceability chain (impact → risk → treatment → SoA → evidence) is exactly what a Stage 2 auditor walks, in both directions.

Cadence matters as much as sequence: both assessments are living documents. Re-run them on triggers — a new model version, a new data source, a new deployment context or user population, an incident, detected drift — and at least annually. A dated one-time assessment is among the most common AIMS nonconformities; our step-by-step methodology guide covers the register structures and AI-specific risk categories in detail.

The Third Document

And Neither One Is a DPIA

  • A DPIA (data protection impact assessment — GDPR Article 35, and the DPIA obligations for Significant Data Fiduciaries under India's DPDP Act) assesses risks from processing personal data.
  • The AI system impact assessment is broader: fairness, safety, human autonomy, and societal effects are in scope even when no personal data is processed at all — a computer-vision QC system with no personal data still needs one.
  • They overlap where AI processes personal data — and the machinery is reusable: one combined assessment workflow can produce both artifacts, provided each regime's specific questions are answered.
  • Practical structure we use in engagements: a single impact-assessment template with a personal-data module that activates when the system touches personal data — one process, two defensible outputs.

Risk vs Impact — Common Questions

The distinction auditors test, in Q&A form.

What is the difference between an AI risk assessment and an AI impact assessment in ISO 42001?

Direction. The AI risk assessment (clause 6.1.2) looks inward: what could go wrong for the organization — regulatory exposure, security failures, model drift, reputational damage — with likelihood, impact, and treatment. The AI system impact assessment (clause 6.1.4, operationalized by Annex A.5) looks outward: how the AI system could affect individuals, groups of individuals, and society — fairness, rights, safety, autonomy. ISO 42001 requires both, as separate, documented artifacts.

Which clauses and controls require each assessment?

The risk assessment is required by clause 6.1.2, with risk treatment under 6.1.3. The impact assessment is required by clause 6.1.4, and Annex A objective A.5 turns it into auditable controls: a defined process (A.5.2), documented results (A.5.3), assessment of impacts on individuals and groups (A.5.4), and of societal impacts (A.5.5).

What methodology should each assessment follow?

For risk: ISO/IEC 23894 applies ISO 31000's establish-context / identify / analyze / evaluate / treat cycle to AI-specific risks; the NIST AI RMF is a complementary function-based approach. For impact: ISO/IEC 42005:2025, published in May 2025, is the dedicated AI system impact assessment standard most organizations now follow. ISO 42001 mandates a defined, repeatable, documented process rather than one specific method.

Can the two assessments be one document?

They can live in one workflow, but keep the artifacts distinguishable. Auditors need to see that impacts on people were assessed per system and per context (6.1.4 / A.5), not summarized as a row in the corporate risk register. The clean pattern: per-system impact assessments feeding a consolidated AI risk register, with cross-references both ways.

Is an AI impact assessment the same as a DPIA?

No. A DPIA (GDPR Article 35; DPDP's DPIA duty for Significant Data Fiduciaries) is scoped to personal-data processing risks. The AI system impact assessment covers a wider harm surface — fairness, safety, autonomy, societal effects — and applies even to AI systems that process no personal data. Where both apply, run them as one exercise with two outputs; where only one applies, don't stretch the other's template to fit.

How do the assessments connect to the Statement of Applicability?

The SoA is where the chain becomes auditable: every Annex A control marked applicable should trace back to an assessed risk (6.1.2) or impact (6.1.4), and every exclusion should carry a documented justification. SoA exclusions without reasoned justification are among the most commonly cited AIMS nonconformities — the assessments are what make your justifications defensible.

Related reading: the Learn hub, the step-by-step risk & impact methodology, the Annex A control catalog, which AI role you hold, and the ISO 42001 hub. Terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations