ISO 42001 risk assessment: Requirements, process, and audit expectations

An ISO 42001 risk assessment helps organisations understand the potential risks associated with the development, deployment, and use of AI systems. It provides the foundation for informed decision-making, effective governance, and continual improvement.

Key takeaways

1

ISO 42001 risk assessments help organisations identify, evaluate, and manage AI-specific risks, forming a core requirement of Clause 6.1.2.

2

Risk assessments and impact assessments are separate ISO 42001 requirements, with both playing an important role in certification readiness.

3

During audits, assessors review your risk methodology, risk register, treatment decisions, reassessment process, ownership, and supporting evidence.

What is an ISO 42001 risk assessment?

An ISO 42001 risk assessment helps organisations understand the risks that come with developing, deploying, or using AI systems. Under Clause 6.1.2, organisations are expected to identify these risks, assess their potential impact, and decide how they will be managed.

Unlike a traditional IT risk assessment, which tends to focus on areas such as cybersecurity and system availability, an ISO 42001 risk assessment looks at the wider risks AI can introduce. This might include issues around decision-making, transparency, accountability, or unintended outcomes.

Risk assessment vs impact assessment: What ISO 42001 requires

Many organisations assume risk assessments and impact assessments are the same thing, but ISO 42001 treats them as separate requirements. Understanding the difference is essential for audit readiness and certification success.

Risk assessment Clause 6.1.2

  • Identifies risks that could affect the organisation's AI management system
  • Assesses the likelihood and potential consequences of identified risks
  • Results in a risk register and risk treatment plan
  • Applies to the organisation's AI systems, processes, and governance arrangements
  • Supports decisions on risk treatment and control implementation
  • Required for ISO 42001 certification and reviewed during audits

Impact assessment Clause 6.1.4

  • Evaluates how AI systems could affect people, groups, and society
  • Considers issues such as fairness, bias, transparency, safety, and human oversight
  • Results in an AI impact assessment linked to relevant controls
  • Applies to each AI system developed, deployed, or significantly changed
  • Supports decisions on safeguards and responsible AI practices
  • Required for ISO 42001 certification and reviewed during audits

Key takeaway: A risk assessment focuses on risks to the organisation, while an impact assessment focuses on the effects AI may have on people. ISO 42001 requires both.

Key AI risk areas to assess under ISO 42001 (+ Tempo's approach)

AI risks go beyond traditional IT concerns, such as security and availability. ISO 42001 encourages organisations to assess a wider range of risks, including fairness, transparency, human oversight, and the potential impact of AI-driven decisions.

While every organisation's risk profile will be different, the areas below are commonly reviewed when assessing AI systems against ISO 42001 requirements.

1. Fairness and bias

AI systems can unintentionally produce unfair or discriminatory outcomes if the data they are trained on is incomplete, unrepresentative, or biased. This can affect everything from recruitment decisions to customer service interactions and automated approvals.

What Tempo reviews: We assess how bias risks are identified, tested, monitored, and mitigated, including training data quality, fairness testing procedures, and documented controls designed to reduce discriminatory outcomes.

2. Transparency and explainability

Users, customers, regulators, and internal stakeholders may need to understand how an AI system reaches its conclusions. A lack of transparency can make it difficult to justify decisions, investigate issues, or build trust in AI-driven processes.

What Tempo reviews: We examine whether organisations can explain how AI systems operate, how decisions are documented, and whether affected parties receive appropriate information about AI-assisted outcomes.

3. Human oversight

Not every decision should be left entirely to AI. In some cases, human review and intervention are essential to reduce risk and maintain accountability, particularly when decisions have significant consequences.

What Tempo reviews: We assess whether appropriate human oversight mechanisms are in place, including review processes, escalation routes, intervention controls, and documented responsibilities for high-risk AI activities.

4. Safety and reliability

AI systems should perform consistently and safely throughout their lifecycle. Unexpected outputs, model failures, or poorly managed updates can create operational, legal, and reputational risks.

What Tempo reviews: We review testing methodologies, validation procedures, incident management processes, and controls designed to ensure AI systems remain reliable, resilient, and fit for purpose.

5. Privacy

Many AI systems rely on large volumes of data, including personal information. Organisations must understand how data is collected, processed, stored, and protected throughout the AI lifecycle.

What Tempo reviews: We assess data governance practices, privacy controls, data minimisation measures, consent management processes, and alignment with broader information security requirements where applicable.

6. Accountability

Clear ownership is essential for effective AI governance. Organisations should be able to demonstrate who is responsible for managing AI systems, approving changes, monitoring risks, and responding to issues.

What Tempo reviews: We examine governance structures, documented roles and responsibilities, decision-making processes, and audit trails to ensure accountability is embedded throughout the AI management system.

How to conduct an ISO 42001 risk assessment

Most ISO 42001 risk assessments can be completed within a few weeks, depending on the number of AI systems in scope and the maturity of existing governance processes. The outcome is a documented risk register, agreed treatment plan, and evidence that supports certification readiness.

1

Scoping

Before risks can be assessed, organisations need to establish which AI systems, processes, teams, and data flows fall within the AI Management System. This creates clear boundaries for the assessment and ensures no significant AI activities are overlooked.

2

Risk identification

Once the scope is defined, organisations identify the risks associated with each AI system. This typically includes areas such as fairness, transparency, privacy, accountability, safety, and human oversight, alongside operational and regulatory risks.

3

Risk evaluation

Each identified risk is assessed to determine how likely it is to occur and what impact it could have on the organisation, users, or other stakeholders. The results help prioritise which risks require immediate attention and which can be monitored over time.

4

Risk treatment

For each significant risk, organisations decide how it will be managed. This may involve implementing new controls, strengthening existing processes, increasing oversight, or accepting risks that fall within agreed tolerance levels.

5

Audit sign-off

The completed risk assessment is reviewed by relevant stakeholders and formally approved. During an ISO 42001 audit, Tempo reviews the risk register, treatment decisions, supporting evidence, and governance records to confirm compliance with Clause 6.1.2.

Evidence auditors expect to see for ISO 42001 risk assessments

A completed risk register alone is rarely enough to demonstrate compliance with Clause 6.1.2. Auditors will look for evidence that risks have been identified, assessed, treated, reviewed, and approved through a documented and repeatable process.

1. A documented risk assessment methodology

A risk assessment should follow a defined process rather than relying on individual judgement. This helps ensure risks are identified and evaluated consistently across different AI systems.

Auditors will typically look for:

  • A documented risk assessment procedure
  • Defined criteria for likelihood and impact scoring
  • A consistent risk rating methodology
  • Guidance on when treatment actions are required
  • Evidence the methodology is used across all in-scope AI systems

A completed spreadsheet may show the outcome of the assessment, but auditors will also want to understand the process behind it.

2. A risk register covering all in-scope AI systems

The risk register should provide a complete and up-to-date view of AI-related risks across the organisation. It should be clear which systems have been assessed and how risks are being managed.

Auditors will typically look for:

  • All AI systems within the scope of the AIMS
  • Risk descriptions and categories
  • Likelihood and impact ratings
  • Assigned risk owners
  • Existing controls and mitigation measures
  • Current treatment status

Gaps in coverage can indicate that risks have not been assessed consistently across the organisation.

3. Evidence of risk treatment decisions

Risk identification is only one part of the process. Organisations should be able to demonstrate how significant risks have been addressed and why particular treatment decisions were made.

Auditors will typically look for:

  • A documented treatment decision for each significant risk
  • Evidence that mitigation actions have been implemented
  • Justification where risks have been accepted
  • Links between risks and relevant controls
  • References to Annex A controls where applicable

The objective is to show that identified risks lead to meaningful actions rather than remaining as entries in a register.

4. A reassessment schedule

AI risks can change quickly as systems evolve, data changes, or new use cases emerge. Risk assessments should therefore be reviewed regularly and updated when circumstances change.

Auditors will typically look for:

  • A defined review frequency
  • Triggers for reassessment
  • Records of completed reviews
  • Evidence of updates following significant changes
  • Version history or change tracking

Common triggers include model retraining, new data sources, major system changes, supplier changes, and incidents.

5. Ownership and sign-off

Effective risk management requires accountability. Auditors need to see that responsibility for assessing and managing AI risks has been formally assigned.

Auditors will typically look for:

  • Named risk owners
  • Clearly defined responsibilities
  • Management review records
  • Approval of treatment decisions
  • Formal sign-off of the assessment

Clear ownership helps ensure risks continue to be monitored after the assessment has been completed.

6. Alignment with impact assessment outputs

Risk assessments and AI impact assessments serve different purposes, but they should not exist in isolation. Findings from one should inform the other where relevant.

Auditors will typically look for:

  • References between risk registers and impact assessments
  • Consistent treatment of significant issues
  • Shared mitigation actions
  • Alignment between identified impacts and risk ratings
  • Evidence that both assessments support decision-making

Strong documentation creates a clear link between identified AI risks, potential impacts, and the controls used to manage them.

How ISO 27001 and ISO 42001 risk assessments work together

One of the biggest advantages of already being certified to ISO 27001 is that many of the foundations required for ISO 42001 are likely to be in place. The biggest difference is scope. ISO 27001 focuses on protecting information and information assets, while ISO 42001 extends risk management to cover the governance, development, deployment, and use of AI systems. This means organisations can often reuse existing risk management processes, governance structures, and many operational controls when pursuing ISO 42001 certification.As shown in the image below, several areas overlap between the two standards, including:

  • Risk management
  • Access control
  • Asset management
  • Incident management
  • Supplier management
  • Business continuity

Already certified to ISO 27001? Your risk assessment has a head start.

If your organisation already holds ISO 27001 certification, much of the foundation for an ISO 42001 risk assessment is likely to be in place. Both standards follow a risk-based approach, requiring organisations to identify risks, assess their significance, implement controls, and review their effectiveness over time.

ISO 42001 builds on this by extending the assessment beyond information security to include AI-specific risks such as bias, transparency, human oversight, and societal impact.

If you're already certified to ISO 27001 and looking to add ISO 42001, Tempo Audits can often combine audit activities, reduce duplicated effort, and help you build on the controls and governance processes you already have in place. Contact us today.

Reviews

Trusted by fast-moving tech teams across the world who value a more human audit experience.

We transferred to Tempo from one of the established certification bodies — and we are delighted with the choice. Our audit was one of the smoothest we’ve had in terms of collaboration and engagement.
Laurence, Director of IT & Client Services @ RDT
If Carlsberg did auditors… We use Tempo for our ISO 27001 auditing and I'm thrilled that we were introduced. They ensured that the process dovetailed so smoothly with our ongoing operational activities that the impact was barely noticeable.
Jason, Director of Operations @ The Risk Factor
The Tempo team moved really fast to help us meet our timeframes — it’s rare to have an audit firm move at the speed of a start-up.
Ellie, COO @ Everblue Technology
Alfonso was nothing short of brilliant. Having worked with many auditors over the years, he stood out for his clarity, professionalism, and kindness. He completely changed my view of auditors.
Amardeep, Director @ Blue Edge
Tempo lives up to its name. No other company we contacted was faster or more straightforward during the process.
Lukas, CEO @ Noreja Intelligence
Is it weird to say I had a good time? We had worked with a more traditional auditor, but they didn't understand the needs/tech of our start-up. Tempo knew how to use our ISMS software and understood our business.
Jonny, Head of Engineering @ Nomio

Resources

No items found.

ISO 42001 Resources

FAQs

Trusted by fast-moving tech teams across the world who value a more human audit experience.

ISO 42001 requires organisations to identify, analyse, and evaluate AI-related risks as part of Clause 6.1.2. The output should include a documented risk assessment methodology, a risk register, and defined treatment actions. Risks should be linked to relevant controls, including applicable Annex A controls, and reviewed regularly as AI systems evolve.

A template can help structure your assessment, but it is not enough on its own. To satisfy Clause 6.1.2, organisations also need a documented methodology explaining how risks are identified, evaluated, and treated. Auditors will review the process behind the assessment, not just the completed template.

Risk treatment is the process of deciding how identified AI risks will be managed. ISO 42001 follows four common treatment options: accept, mitigate, transfer, or avoid. For significant risks, organisations should document the chosen approach and demonstrate how treatment actions are supported by relevant controls and governance measures.

ISO 42001 is designed for organisations that develop, deploy, provide, or use AI systems. This includes software companies, AI vendors, SaaS providers, and businesses embedding AI into products or decision-making processes.

Often, the requirement for ISO 42001 is driven by a company's clients (or future clients), who might request it during procurement processes. Growing regulatory expectations, including the EU AI Act, are increasing demand for structured AI governance and compliance frameworks.

When choosing an ISO 42001 auditor, look for UKAS accreditation, experience auditing management systems, and a strong understanding of AI technologies and governance. The best auditors combine technical expertise with practical audit experience. Tempo is a UKAS-accredited certification body for ISO 27001 and offering ISO 42001 audits designed for modern technology and AI-driven organisations.

Auditors assess whether AI risks have been identified, evaluated, treated, and reviewed through a structured process. They typically review the risk assessment methodology, risk register, treatment decisions, reassessment schedules, and evidence of ownership. Auditors also look for alignment between risk assessments, impact assessments, and implemented controls.

Book a call

No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.

Alternatively, if you have all the details,
fill out this form here.