ISO 42001 risk assessment: Requirements, process, and audit expectations
An ISO 42001 risk assessment helps organisations understand the potential risks associated with the development, deployment, and use of AI systems. It provides the foundation for informed decision-making, effective governance, and continual improvement.
What is an ISO 42001 risk assessment?
An ISO 42001 risk assessment helps organisations understand the risks that come with developing, deploying, or using AI systems. Under Clause 6.1.2, organisations are expected to identify these risks, assess their potential impact, and decide how they will be managed.
Unlike a traditional IT risk assessment, which tends to focus on areas such as cybersecurity and system availability, an ISO 42001 risk assessment looks at the wider risks AI can introduce. This might include issues around decision-making, transparency, accountability, or unintended outcomes.
Risk assessment vs impact assessment: What ISO 42001 requires
Many organisations assume risk assessments and impact assessments are the same thing, but ISO 42001 treats them as separate requirements. Understanding the difference is essential for audit readiness and certification success.
Key takeaway: A risk assessment focuses on risks to the organisation, while an impact assessment focuses on the effects AI may have on people. ISO 42001 requires both.
Key AI risk areas to assess under ISO 42001 (+ Tempo's approach)
AI risks go beyond traditional IT concerns, such as security and availability. ISO 42001 encourages organisations to assess a wider range of risks, including fairness, transparency, human oversight, and the potential impact of AI-driven decisions.
While every organisation's risk profile will be different, the areas below are commonly reviewed when assessing AI systems against ISO 42001 requirements.
1. Fairness and bias
AI systems can unintentionally produce unfair or discriminatory outcomes if the data they are trained on is incomplete, unrepresentative, or biased. This can affect everything from recruitment decisions to customer service interactions and automated approvals.
What Tempo reviews: We assess how bias risks are identified, tested, monitored, and mitigated, including training data quality, fairness testing procedures, and documented controls designed to reduce discriminatory outcomes.
2. Transparency and explainability
Users, customers, regulators, and internal stakeholders may need to understand how an AI system reaches its conclusions. A lack of transparency can make it difficult to justify decisions, investigate issues, or build trust in AI-driven processes.
What Tempo reviews: We examine whether organisations can explain how AI systems operate, how decisions are documented, and whether affected parties receive appropriate information about AI-assisted outcomes.
3. Human oversight
Not every decision should be left entirely to AI. In some cases, human review and intervention are essential to reduce risk and maintain accountability, particularly when decisions have significant consequences.
What Tempo reviews: We assess whether appropriate human oversight mechanisms are in place, including review processes, escalation routes, intervention controls, and documented responsibilities for high-risk AI activities.
4. Safety and reliability
AI systems should perform consistently and safely throughout their lifecycle. Unexpected outputs, model failures, or poorly managed updates can create operational, legal, and reputational risks.
What Tempo reviews: We review testing methodologies, validation procedures, incident management processes, and controls designed to ensure AI systems remain reliable, resilient, and fit for purpose.
5. Privacy
Many AI systems rely on large volumes of data, including personal information. Organisations must understand how data is collected, processed, stored, and protected throughout the AI lifecycle.
What Tempo reviews: We assess data governance practices, privacy controls, data minimisation measures, consent management processes, and alignment with broader information security requirements where applicable.
6. Accountability
Clear ownership is essential for effective AI governance. Organisations should be able to demonstrate who is responsible for managing AI systems, approving changes, monitoring risks, and responding to issues.
What Tempo reviews: We examine governance structures, documented roles and responsibilities, decision-making processes, and audit trails to ensure accountability is embedded throughout the AI management system.
How to conduct an ISO 42001 risk assessment
Most ISO 42001 risk assessments can be completed within a few weeks, depending on the number of AI systems in scope and the maturity of existing governance processes. The outcome is a documented risk register, agreed treatment plan, and evidence that supports certification readiness.
Evidence auditors expect to see for ISO 42001 risk assessments
A completed risk register alone is rarely enough to demonstrate compliance with Clause 6.1.2. Auditors will look for evidence that risks have been identified, assessed, treated, reviewed, and approved through a documented and repeatable process.
1. A documented risk assessment methodology
A risk assessment should follow a defined process rather than relying on individual judgement. This helps ensure risks are identified and evaluated consistently across different AI systems.
Auditors will typically look for:
- A documented risk assessment procedure
- Defined criteria for likelihood and impact scoring
- A consistent risk rating methodology
- Guidance on when treatment actions are required
- Evidence the methodology is used across all in-scope AI systems
A completed spreadsheet may show the outcome of the assessment, but auditors will also want to understand the process behind it.
2. A risk register covering all in-scope AI systems
The risk register should provide a complete and up-to-date view of AI-related risks across the organisation. It should be clear which systems have been assessed and how risks are being managed.
Auditors will typically look for:
- All AI systems within the scope of the AIMS
- Risk descriptions and categories
- Likelihood and impact ratings
- Assigned risk owners
- Existing controls and mitigation measures
- Current treatment status
Gaps in coverage can indicate that risks have not been assessed consistently across the organisation.
3. Evidence of risk treatment decisions
Risk identification is only one part of the process. Organisations should be able to demonstrate how significant risks have been addressed and why particular treatment decisions were made.
Auditors will typically look for:
- A documented treatment decision for each significant risk
- Evidence that mitigation actions have been implemented
- Justification where risks have been accepted
- Links between risks and relevant controls
- References to Annex A controls where applicable
The objective is to show that identified risks lead to meaningful actions rather than remaining as entries in a register.
4. A reassessment schedule
AI risks can change quickly as systems evolve, data changes, or new use cases emerge. Risk assessments should therefore be reviewed regularly and updated when circumstances change.
Auditors will typically look for:
- A defined review frequency
- Triggers for reassessment
- Records of completed reviews
- Evidence of updates following significant changes
- Version history or change tracking
Common triggers include model retraining, new data sources, major system changes, supplier changes, and incidents.
5. Ownership and sign-off
Effective risk management requires accountability. Auditors need to see that responsibility for assessing and managing AI risks has been formally assigned.
Auditors will typically look for:
- Named risk owners
- Clearly defined responsibilities
- Management review records
- Approval of treatment decisions
- Formal sign-off of the assessment
Clear ownership helps ensure risks continue to be monitored after the assessment has been completed.
6. Alignment with impact assessment outputs
Risk assessments and AI impact assessments serve different purposes, but they should not exist in isolation. Findings from one should inform the other where relevant.
Auditors will typically look for:
- References between risk registers and impact assessments
- Consistent treatment of significant issues
- Shared mitigation actions
- Alignment between identified impacts and risk ratings
- Evidence that both assessments support decision-making
Strong documentation creates a clear link between identified AI risks, potential impacts, and the controls used to manage them.
How ISO 27001 and ISO 42001 risk assessments work together
One of the biggest advantages of already being certified to ISO 27001 is that many of the foundations required for ISO 42001 are likely to be in place. The biggest difference is scope. ISO 27001 focuses on protecting information and information assets, while ISO 42001 extends risk management to cover the governance, development, deployment, and use of AI systems. This means organisations can often reuse existing risk management processes, governance structures, and many operational controls when pursuing ISO 42001 certification.As shown in the image below, several areas overlap between the two standards, including:
- Risk management
- Access control
- Asset management
- Incident management
- Supplier management
- Business continuity

Already certified to ISO 27001? Your risk assessment has a head start.
If your organisation already holds ISO 27001 certification, much of the foundation for an ISO 42001 risk assessment is likely to be in place. Both standards follow a risk-based approach, requiring organisations to identify risks, assess their significance, implement controls, and review their effectiveness over time.
ISO 42001 builds on this by extending the assessment beyond information security to include AI-specific risks such as bias, transparency, human oversight, and societal impact.
If you're already certified to ISO 27001 and looking to add ISO 42001, Tempo Audits can often combine audit activities, reduce duplicated effort, and help you build on the controls and governance processes you already have in place. Contact us today.
Reviews
Trusted by fast-moving tech teams across the world who value a more human audit experience.

FAQs
Trusted by fast-moving tech teams across the world who value a more human audit experience.
ISO 42001 requires organisations to identify, analyse, and evaluate AI-related risks as part of Clause 6.1.2. The output should include a documented risk assessment methodology, a risk register, and defined treatment actions. Risks should be linked to relevant controls, including applicable Annex A controls, and reviewed regularly as AI systems evolve.
A template can help structure your assessment, but it is not enough on its own. To satisfy Clause 6.1.2, organisations also need a documented methodology explaining how risks are identified, evaluated, and treated. Auditors will review the process behind the assessment, not just the completed template.
Risk treatment is the process of deciding how identified AI risks will be managed. ISO 42001 follows four common treatment options: accept, mitigate, transfer, or avoid. For significant risks, organisations should document the chosen approach and demonstrate how treatment actions are supported by relevant controls and governance measures.
ISO 42001 is designed for organisations that develop, deploy, provide, or use AI systems. This includes software companies, AI vendors, SaaS providers, and businesses embedding AI into products or decision-making processes.
Often, the requirement for ISO 42001 is driven by a company's clients (or future clients), who might request it during procurement processes. Growing regulatory expectations, including the EU AI Act, are increasing demand for structured AI governance and compliance frameworks.
When choosing an ISO 42001 auditor, look for UKAS accreditation, experience auditing management systems, and a strong understanding of AI technologies and governance. The best auditors combine technical expertise with practical audit experience. Tempo is a UKAS-accredited certification body for ISO 27001 and offering ISO 42001 audits designed for modern technology and AI-driven organisations.
Auditors assess whether AI risks have been identified, evaluated, treated, and reviewed through a structured process. They typically review the risk assessment methodology, risk register, treatment decisions, reassessment schedules, and evidence of ownership. Auditors also look for alignment between risk assessments, impact assessments, and implemented controls.
Book a call
No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.
Alternatively, if you have all the details,
fill out this form here.





