ISO 42001 Reference Card: Clause 9

May 4, 2026 · View on GitHub

Purpose

Clause 9 checks whether the AIMS is working. It requires the organisation to monitor, measure, analyse and evaluate AIMS performance, conduct internal audits and hold management reviews.

This clause is the evidence loop. It helps the organisation know whether AI governance controls are effective, whether objectives are being achieved and whether leadership needs to take action.

Sub-clauses

9.1 Monitoring, measurement, analysis and evaluation

The organisation must determine what needs to be monitored and measured, how this will be done, when it will be done, when results will be analysed and evaluated, and what documented information will be retained.

Monitoring should cover the performance and effectiveness of the AIMS, not just the technical performance of AI systems.

AIMS performance measures may include:

  • AI objectives progress
  • Completion and quality of AI risk assessments
  • Completion and quality of AI system impact assessments
  • Control implementation status
  • AI system inventory completeness
  • Number and severity of AI incidents or issues
  • Time to resolve AI governance findings
  • Training and competence completion
  • Internal audit findings
  • Supplier assurance completion
  • Management review actions closed on time

AI system monitoring may include:

  • Accuracy or performance drift
  • Bias or fairness indicators
  • Data quality issues
  • Security events or misuse indicators
  • Human override rates
  • User complaints or appeals
  • Unexpected outputs or behaviours
  • Changes in operating context

Monitoring should be proportionate to risk. Higher-impact AI systems typically require more frequent and more detailed monitoring.

9.2 Internal audit

The organisation must conduct internal audits at planned intervals to determine whether the AIMS conforms to ISO 42001 requirements, conforms to the organisation's own requirements and is effectively implemented and maintained.

Internal audit is a key readiness mechanism for certification. It should be independent enough to provide objective assurance.

An internal audit programme should define:

  • Audit frequency
  • Audit scope and criteria
  • Audit methods
  • Auditor responsibilities
  • Reporting requirements
  • Follow-up actions
  • How audit results are retained as documented information

Audit evidence may include:

  • Policies and procedures
  • Risk assessment records
  • Impact assessment records
  • Statement of Applicability
  • Control evidence
  • AI system inventory records
  • Training and competence records
  • Monitoring results
  • Incident and issue records
  • Management review outputs

Common internal audit themes:

  • Scope consistency with actual AI use
  • Completeness of AI system inventory
  • Traceability from risk assessment to controls
  • Evidence that controls operate in practice
  • Supplier and third-party AI oversight
  • Documentation quality and version control
  • Closure of previous findings

Internal audits should not be treated as paperwork exercises. They are one of the main ways the organisation finds weaknesses before external auditors, customers or regulators do.

9.3 Management review

Top management must review the AIMS at planned intervals to ensure it remains suitable, adequate and effective.

Management review is the leadership checkpoint. It brings together performance evidence, changes in context, audit results, risks, opportunities and improvement needs.

Management review inputs typically include:

  • Status of actions from previous reviews
  • Changes in external and internal issues
  • Changes in interested party requirements
  • AIMS performance and effectiveness
  • Progress against AI objectives
  • Monitoring and measurement results
  • Internal audit results
  • Nonconformities and corrective actions
  • Resource adequacy
  • Risks and opportunities
  • Opportunities for continual improvement

Management review outputs should include decisions and actions related to:

  • Improvement opportunities
  • Changes needed to the AIMS
  • Resource needs
  • Updates to policy, objectives, controls or governance processes
  • Escalation of significant AI risks or issues

A good management review creates clear decisions, owners and follow-up actions. It should show that leadership is actively steering the AIMS, not merely receiving a status report.

Common audit questions

  • What does the organisation monitor and measure to evaluate AIMS performance?
  • How are monitoring results analysed and acted upon?
  • What is the internal audit programme for the AIMS?
  • Are internal auditors competent and sufficiently independent?
  • How are audit findings tracked to closure?
  • How often does top management review the AIMS?
  • What decisions or actions came out of the most recent management review?

Connections to other clauses

Clause 9 outputUsed by
Monitoring and measurement resultsClause 10 (improvement), management review
Internal audit findingsClause 10 (nonconformity and corrective action)
Management review outputsClause 6 (planning), Clause 7 (resources), Clause 8 (operation)
Performance evidenceCertification audits and continual improvement

Key message

Clause 9 is the AIMS feedback loop. It tells the organisation whether AI governance is actually working and gives leadership the evidence needed to act.

Reference catalogue entry — use this as source material for matching funny and professional infographic cards.