Learn · ISO 42001 Concepts
AI Risk Assessment vs
AI Impact Assessment
The most-confused distinction in ISO 42001. Both are mandatory, they are not the same document, and auditors check that you know the difference: the risk assessment looks inward at your organization; the impact assessment looks outward at the people your AI touches.
One-line rule: risk = what the AI system could do to you (clause 6.1.2). Impact = what it could do to them (clause 6.1.4, methodology in ISO/IEC 42005:2025). Each feeds the other, and both feed the SoA.
Plain-English explainer · Cites ISO/IEC 42001, 23894 & 42005 · Last reviewed July 2026
ISO/IEC 42001 requires two distinct assessments: an AI risk assessment (clause 6.1.2) that looks inward at risks to your organization, and an AI system impact assessment (clause 6.1.4) that looks outward at consequences for individuals, groups, and society. Teams coming from ISO 27001 expect one risk process and are surprised by the second artifact — there is no ISMS equivalent of the impact assessment, and treating it as a section inside the risk register is one of the most common Stage 1 findings. The two assessments use different lenses, different guidance standards (ISO/IEC 23894 for risk, ISO/IEC 42005:2025 for impact), and different units of analysis — but they interlock: harms you identify to people usually become risks to you (regulatory, contractual, reputational), and both drive which Annex A controls your Statement of Applicability selects.
Side by Side
The Two Assessments, Dimension by Dimension
| AI risk assessment | AI system impact assessment | |
|---|---|---|
| Question it answers | What could go wrong for us — the organization and its objectives? | How could this AI system affect them — individuals, groups, and society? |
| Where the standard requires it | Clause 6.1.2 (AI risk assessment) with treatment under 6.1.3. | Clause 6.1.4 (AI system impact assessment), operationalized by the Annex A.5 controls (A.5.2–A.5.5). |
| Guidance standard | ISO/IEC 23894 (AI risk management, built on ISO 31000). | ISO/IEC 42005:2025 (AI system impact assessment, published May 2025). |
| Unit of analysis | The organization: objectives, obligations, assets, reputation. | Each AI system, per deployment context: affected parties and potential harms. |
| Typical contents | Risk register — bias, robustness, security, drift, third-party dependency — with likelihood × impact and treatments. | Affected-party inventory, harm scenarios (fairness, rights, safety, autonomy), severity, mitigations, residual position. |
| Who reads it hardest | Management and the internal audit function. | The certification auditor at Stage 2 — the artifact AIMS auditors probe hardest. |
How They Interlock
One Feeds the Other, Both Feed the SoA
The working sequence most AIMS implementations settle on: inventory your AI systems, run the impact assessment per system (who could be affected, how badly, with what mitigations — ISO/IEC 42005 gives the step-by-step), then fold the results into the organizational risk assessment: a discriminatory-outcome harm to loan applicants becomes, on your side, a regulatory-penalty and contract-loss risk. Treatment decisions under 6.1.3 then select controls, and the Statement of Applicability records the result — each applicable Annex A control traceable to a specific risk or impact, each exclusion justified. That traceability chain (impact → risk → treatment → SoA → evidence) is exactly what a Stage 2 auditor walks, in both directions.
Cadence matters as much as sequence: both assessments are living documents. Re-run them on triggers — a new model version, a new data source, a new deployment context or user population, an incident, detected drift — and at least annually. A dated one-time assessment is among the most common AIMS nonconformities; our step-by-step methodology guide covers the register structures and AI-specific risk categories in detail.
The Third Document
And Neither One Is a DPIA
- A DPIA (data protection impact assessment — GDPR Article 35, and the DPIA obligations for Significant Data Fiduciaries under India's DPDP Act) assesses risks from processing personal data.
- The AI system impact assessment is broader: fairness, safety, human autonomy, and societal effects are in scope even when no personal data is processed at all — a computer-vision QC system with no personal data still needs one.
- They overlap where AI processes personal data — and the machinery is reusable: one combined assessment workflow can produce both artifacts, provided each regime's specific questions are answered.
- Practical structure we use in engagements: a single impact-assessment template with a personal-data module that activates when the system touches personal data — one process, two defensible outputs.
Risk vs Impact — Common Questions
The distinction auditors test, in Q&A form.
What is the difference between an AI risk assessment and an AI impact assessment in ISO 42001?
Direction. The AI risk assessment (clause 6.1.2) looks inward: what could go wrong for the organization — regulatory exposure, security failures, model drift, reputational damage — with likelihood, impact, and treatment. The AI system impact assessment (clause 6.1.4, operationalized by Annex A.5) looks outward: how the AI system could affect individuals, groups of individuals, and society — fairness, rights, safety, autonomy. ISO 42001 requires both, as separate, documented artifacts.
Which clauses and controls require each assessment?
The risk assessment is required by clause 6.1.2, with risk treatment under 6.1.3. The impact assessment is required by clause 6.1.4, and Annex A objective A.5 turns it into auditable controls: a defined process (A.5.2), documented results (A.5.3), assessment of impacts on individuals and groups (A.5.4), and of societal impacts (A.5.5).
What methodology should each assessment follow?
For risk: ISO/IEC 23894 applies ISO 31000's establish-context / identify / analyze / evaluate / treat cycle to AI-specific risks; the NIST AI RMF is a complementary function-based approach. For impact: ISO/IEC 42005:2025, published in May 2025, is the dedicated AI system impact assessment standard most organizations now follow. ISO 42001 mandates a defined, repeatable, documented process rather than one specific method.
Can the two assessments be one document?
They can live in one workflow, but keep the artifacts distinguishable. Auditors need to see that impacts on people were assessed per system and per context (6.1.4 / A.5), not summarized as a row in the corporate risk register. The clean pattern: per-system impact assessments feeding a consolidated AI risk register, with cross-references both ways.
Is an AI impact assessment the same as a DPIA?
No. A DPIA (GDPR Article 35; DPDP's DPIA duty for Significant Data Fiduciaries) is scoped to personal-data processing risks. The AI system impact assessment covers a wider harm surface — fairness, safety, autonomy, societal effects — and applies even to AI systems that process no personal data. Where both apply, run them as one exercise with two outputs; where only one applies, don't stretch the other's template to fit.
How do the assessments connect to the Statement of Applicability?
The SoA is where the chain becomes auditable: every Annex A control marked applicable should trace back to an assessed risk (6.1.2) or impact (6.1.4), and every exclusion should carry a documented justification. SoA exclusions without reasoned justification are among the most commonly cited AIMS nonconformities — the assessments are what make your justifications defensible.
Related reading: the Learn hub, the step-by-step risk & impact methodology, the Annex A control catalog, which AI role you hold, and the ISO 42001 hub. Terms in the compliance glossary.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours