How to write an AI policy that meets ISO 42001 requirements
TL;DR

  • ISO 42001 (Clause 5.2) requires a documented AI policy that is established by top management, communicated across the organization, made available to relevant interested parties, and reviewed regularly.
  • The standard does not dictate wording, but in practice the policy must address fairness, privacy, security, accountability, transparency, and human oversight; auditors expect to see each of these covered.
  • A policy that is aspirational but not operational is likely to be flagged as a non-conformity in a certification audit.
  • 6clicks provides pre-built AI policy templates aligned to ISO 42001 requirements, reducing drafting time and ensuring coverage.
  • If your organization uses AI but has no formal AI policy, you cannot conform to ISO 42001: the policy is the foundation the rest of the AIMS is built on.

Every ISO 42001 certification journey starts with a question: what exactly does our AI policy need to say? A documented AI policy is one of the first things an auditor will ask for, and one of the most common reasons organizations fail their Stage 1 review. Getting it right from the start saves significant remediation effort.
Why an AI policy is not optional under ISO 42001

ISO 42001 Clause 5.2 requires top management to establish, implement, and maintain an AI policy. The policy is the foundation of your entire Artificial Intelligence Management System (AIMS). Without it, there is nothing to build governance controls against.
The policy also signals to the organization, its customers, and its regulators that AI is being governed intentionally. Under ISO 42001, an effective AI policy is the first visible output of leadership commitment to responsible AI.

What ISO 42001 requires your AI policy to include

ISO 42001 does not prescribe specific policy language, but Clause 5.2 sets clear requirements for what the policy must achieve. A compliant AI policy must:

  • Be appropriate to the organization's purpose and context
  • Provide a framework for setting AI objectives
  • Include a commitment to satisfy applicable requirements (legal, regulatory, contractual, and any the organization adopts voluntarily)
  • Include a commitment to continual improvement of the AIMS
  • Be available as documented information, communicated within the organization, and available to relevant interested parties as appropriate
  • Reflect the principles of responsible AI that are relevant to the organization's context (Annex A control A.2.2 requires a documented policy for the development or use of AI systems)

In practice, auditors will expect the policy to address each of the following domains explicitly:
  • Fairness and non-discrimination

    The policy must commit to identifying and mitigating bias in AI systems, ensuring that AI outputs are fair and do not discriminate against individuals or groups based on protected characteristics.

  • Privacy and data governance

    The policy must address how the organization handles personal data used in AI systems, covering collection, processing, retention, and the rights of subjects. This should align with applicable privacy regulations, including the General Data Protection Regulation (GDPR) and domestic privacy laws.

  • Security and resilience

    The policy must commit to protecting AI systems from misuse, manipulation, and unauthorized access, covering the models themselves, the data they are trained on and process, and the interfaces through which they are accessed. It should also state how AI security is integrated with the organization's existing information security controls rather than managed in isolation.

  • Accountability and human oversight

    The policy must define who is responsible for AI governance decisions, how AI-related incidents are escalated, and the conditions under which human oversight overrides AI outputs.

  • Transparency and explainability

    The policy must commit to ensuring that AI system behavior can be explained to affected individuals and stakeholders to the extent technically and organizationally feasible.
The five structural elements of an effective AI policy

  1. Purpose and scope: What the policy covers and who it applies to.
  2. Principles: The organization's commitment to fairness, privacy, security, accountability, and transparency.
  3. Roles and responsibilities: Who owns AI governance and who is accountable for specific AI systems.
  4. AI lifecycle management: How AI systems are evaluated, approved, deployed, monitored, updated, and retired.
  5. Review and improvement: How the policy itself is kept current as AI use and regulation evolve.

Common AI policy mistakes that cause audit findings

  • Too abstract: Policies that state aspirations without defining measurable commitments or operational processes.
  • No leadership approval: Policies that exist as working documents but have not been formally approved by senior leadership.
  • Not communicated: Policies that sit in a shared drive but have not been formally distributed to staff involved in AI.
  • Never reviewed: Policies with no defined review cycle or evidence of update since initial publication.
  • Scope too narrow: Policies that only address AI developed internally, not AI systems procured from vendors or embedded in third-party products and services the organization relies on.
How 6clicks helps

6clicks provides pre-built AI policy templates aligned to ISO 42001 requirements, covering all mandatory content areas and structured for operational use, not just documentation compliance.
If you are building an AIMS, see our ISO 42001 solution overview and how Hailey AI accelerates mapping, gap analysis, and evidence workflows. The platform enables policy approval, distribution, and acknowledgment workflows, version control, and review scheduling. When your auditor asks for your AI policy, 6clicks gives you a complete, evidenced audit trail from draft through to leadership approval. For a detailed implementation guide, download the ISO 42001 checklist or read how to automate ISO 42001 compliance. Explore integrations to connect your evidence sources.
Frequently asked questions

How long should an AI policy be?

Length is less important than completeness and clarity. An effective AI policy for a mid-sized organization is typically three to six pages, covering purpose, principles, roles, governance processes, and review requirements. A longer policy is not necessarily a better policy. Clarity and operationality matter more than volume.

Does the AI policy have to be public?

ISO 42001 does not require the AI policy to be publicly available, but it must be available to relevant interested parties. Many organizations publish a summary or external-facing AI principles statement while maintaining a more detailed internal governance policy.

Who needs to approve the AI policy?

ISO 42001 requires the AI policy to be established by top management. This typically means approval by the Chief Executive Officer, Chief Risk Officer, or equivalent. In practice, board-level acknowledgement is increasingly common as AI governance becomes a board agenda item.

How often should the AI policy be reviewed?

At minimum, the AI policy should be reviewed annually. It should also be reviewed when there is a significant change in AI use, a material change in applicable regulation, or following an AI-related incident that reveals gaps in the current policy framework.

Can an existing IT or data governance policy satisfy the requirement?

Existing IT or data governance policies may cover some ISO 42001 requirements, particularly around data privacy and security. However, ISO 42001 requires AI-specific policy commitments that are unlikely to be fully addressed in a general IT or data policy. Most organizations will need to create a dedicated AI policy, cross-referencing existing policies where they already cover a relevant area.

Next step

Start with a compliant AI policy. See how 6clicks approaches safe AI on the platform, or book a demo to learn more.