ISO/IEC 42005 — AI System Impact Assessment

ISO/IEC 42005 provides guidance for conducting AI System Impact Assessments (AISIA) — a structured evaluation of the benefits and harms an AI system can create for individuals, groups, and society. It is the recognised method for the impact-assessment requirement embedded in ISO 42001 and referenced by the EU AI Act.

What ISO 42005 is

ISO/IEC 42005 sits in the ISO/IEC 42000 series alongside ISO 42001 (the certifiable management system) and ISO 23894 (risk guidance). Where ISO 23894 focuses on risk, ISO 42005 focuses on impact — a wider lens that includes benefits, second-order effects, and consequences for people who are not direct users of the system. It gives programs a repeatable AISIA process, a set of components to document, and criteria for deciding when to escalate.

When to conduct an AISIA

Key components of an AISIA

  1. System description — what the AI system does, model type, inputs and outputs, decision autonomy.
  2. Purpose and context of use — intended use, foreseeable misuse, deployment environment.
  3. Stakeholders — direct users, affected non-users, operators, oversight bodies.
  4. Expected benefits — for the organization, users, and affected groups.
  5. Potential harms — safety, fairness and discrimination, privacy, autonomy, security, transparency, environmental impact.
  6. Likelihood and severity — analysis for each identified impact.
  7. Mitigations — controls, guardrails, human oversight, communication measures.
  8. Residual impact — what remains after mitigations, and whether it is acceptable.
  9. Decision and accountable owner — proceed, proceed with conditions, or do not proceed.
  10. Review schedule — triggers and cadence for reassessment.

Categories of impact to consider

How an AISIA feeds ISO 42001

ISO 42001 Annex A includes explicit controls for assessing impacts of AI systems. An AISIA built with ISO 42005 is the artifact those controls expect. Its outputs — identified risks, mitigations, and residual impact decisions — flow directly into the ISO 42001 risk register and the operational planning clause (Clause 8), and its review schedule feeds performance evaluation (Clause 9).

How an AISIA feeds the EU AI Act

For providers of high-risk AI systems, the EU AI Act requires technical documentation covering intended purpose, foreseeable misuse, and expected impact on health, safety, and fundamental rights. For certain deployers, it requires a fundamental rights impact assessment. An ISO 42005 AISIA produces the raw material for both — a single assessment that satisfies both the ISO 42001 AIMS and the Act's documentation duties without duplication.

AISIA template outline

  1. System identity — name, version, owner, inventory ID
  2. Purpose and intended use
  3. Foreseeable misuse and out-of-scope uses
  4. Deployment context and environment
  5. Data sources, quality, provenance, and lawful basis
  6. Model type, capabilities, and autonomy level
  7. Stakeholder map, including affected non-users
  8. Expected benefits by stakeholder group
  9. Potential harms by impact category, with likelihood and severity
  10. Mitigations in place, mitigations required
  11. Human oversight and override arrangements
  12. Residual impact and acceptance decision
  13. Accountable owner and sign-off
  14. Reassessment triggers and next review date

Frequently asked questions

What is ISO/IEC 42005?

ISO/IEC 42005 is the international standard that provides guidance for conducting AI system impact assessments (AISIA). It describes how to identify, analyze, and document the potential impacts — both benefits and harms — of an AI system on individuals, groups, and society.

What is an AI System Impact Assessment (AISIA)?

An AISIA is a structured evaluation of the effects an AI system can have on stakeholders, including affected people who are not direct users. It looks at context, purpose, data, model behavior, benefits, harms, and mitigations, and produces a documented record used for governance and audit.

When should an AISIA be conducted?

An AISIA should be conducted before an AI system is deployed, and repeated when the system, its data, its purpose, or its context of use changes materially. It should also be revisited on a scheduled cadence — commonly annually — even when nothing appears to have changed.

What are the key components of an AISIA?

The main components are: system description and purpose, context of use, stakeholder identification, expected benefits, potential harms across categories (safety, fairness, privacy, autonomy, environment), likelihood and severity, existing and additional mitigations, residual impact, decision, and review schedule.

How does ISO 42005 relate to ISO 42001?

ISO 42001 requires organizations to assess AI system impacts (Annex A.5.2 among other controls). ISO 42005 is the guidance that tells you how to actually run the assessment. Using ISO 42005 as your AISIA method is a clean way to satisfy the ISO 42001 impact-assessment requirement.

How does an AISIA relate to the EU AI Act?

The EU AI Act imposes a fundamental rights impact assessment on certain deployers of high-risk systems, and providers of high-risk systems must document intended purpose, foreseeable misuse, and expected impact. An ISO 42005-based AISIA produces the artifacts these obligations require, in a format regulators recognize.

Who should be involved in an AISIA?

An AISIA should be cross-functional. Expect participation from product, engineering, data, legal, privacy, security, risk, and — critically — representatives of stakeholders affected by the system. Impact assessment done only by the build team tends to miss the very harms it exists to catch.

Is an AISIA the same as a DPIA?

No. A DPIA focuses on personal data and privacy risk. An AISIA is broader — it covers all AI-specific impacts including fairness, safety, autonomy, transparency, and environmental effect. In many programs the AISIA references the DPIA where personal data is involved, rather than duplicating it.

Run AISIAs in Zilonex Govern

Every AI system in your inventory gets an ISO 42005 impact assessment that also satisfies ISO 42001 controls and EU AI Act documentation duties.

Start Zilonex Govern free for 14 days