ISO 42005 Explained: AI System Impact Assessment Guide

Standarity Editorial Team · ISO 42001/42005 Practitioners

ISO 42005 (formally ISO/IEC 42005:2025) is the international standard that gives organizations a structured method for conducting an AI system impact assessment: a documented evaluation of how an AI system can affect individuals, groups, wider society, and the environment across its lifecycle. Published in May 2025 by ISO/IEC JTC 1/SC 42, the subcommittee responsible for artificial intelligence, it is guidance rather than a certifiable management system (ISO, 2025). Where ISO 42001 requires that impact assessments happen, ISO 42005 tells you what one should actually contain and how to run it.

For teams that have already read our ISO 42001 Annex A walkthrough, this standard fills the most obvious gap in that control set. Annex A control A.5 says you must assess the impacts of your AI systems on people, but 42001 deliberately does not spell out the method. ISO 42005 is that method. In this guide we cover what the standard is, what an impact assessment covers, the process it recommends, when to conduct it, and how it maps onto both ISO 42001 and the EU AI Act.

What is ISO 42005?

ISO/IEC 42005:2025 is a 39-page guidance document that helps organizations identify, evaluate, and document the potential and actual consequences of an AI system for the people and communities it touches (ISO, 2025). Crucially, it is not a standard you get certified against. There is no external auditor stamping an ISO 42005 certificate, and no accreditation scheme. You use it internally, and as supporting evidence, to bring rigour and repeatability to a process that most organizations were previously improvising.

The standard sits inside the growing SC 42 family of AI standards. If ISO 42001 is the management-system backbone — comparable to how ISO 27001 governs information security — then ISO 42005 is a companion how-to for one specific, high-value activity within it. It assumes you understand what an AI management system is and gives you the operational detail to make one part of it defensible.

What an AI system impact assessment covers

The defining feature of an AI impact assessment, and what separates it from a traditional risk assessment, is that it looks outward at people rather than inward at the organization. A conventional risk register asks what could go wrong for the business. An impact assessment asks who could be harmed, and how, when the system behaves as designed as well as when it fails. ISO 42005 directs attention across four broad categories of impact:

  • Individuals — effects on a single person, such as an unfair loan denial, a wrongful benefit cut-off, or loss of privacy from inappropriate data use.
  • Groups — disproportionate or discriminatory effects on a demographic or protected category, including bias amplified at scale.
  • Society — broader consequences such as erosion of trust, information integrity, market concentration, or effects on democratic and civic processes.
  • Environment — resource, energy, and sustainability impacts associated with training and operating the system.

For each category the assessment considers both intended and unintended effects, and both benefits and harms. This dual lens matters: an AI triage tool may deliver real clinical benefit while simultaneously introducing a risk of systematically under-serving one patient group. A credible assessment records both, rather than only cataloguing negatives, and ties each identified harm to a mitigation and a residual-risk judgement.

The most common failure we see is treating an AI impact assessment as a relabelled data protection impact assessment. A DPIA is scoped to privacy and personal data. ISO 42005 asks about non-discrimination, safety, autonomy, environmental cost, and societal effects that a DPIA was never designed to capture (ISO, 2025). Reusing a DPIA template wholesale leaves most of the real AI risk surface unexamined.

The ISO 42005 process, step by step

ISO 42005 frames the assessment as a repeatable process rather than a one-off document. While the standard allows organizations to adapt the depth to the system, the recommended flow moves through a consistent set of stages:

  • Establish scope and threshold — decide which AI systems trigger an assessment and how deep it needs to go, so low-risk features are not treated identically to high-stakes systems.
  • Describe the AI system — document its intended purpose, context of use, data inputs, users, affected parties, and deployment environment.
  • Identify potential impacts — enumerate benefits and harms across individuals, groups, society, and the environment, including unintended and downstream effects.
  • Analyse and evaluate — assess the likelihood and severity of each impact and prioritise the ones that matter most.
  • Determine and record treatment — define mitigations, controls, and human-oversight measures, then capture the residual impact that remains.
  • Document, approve, and communicate — record the assessment, assign accountability for sign-off, and share results with the relevant internal and external stakeholders.
  • Monitor and review — revisit the assessment as the system, its data, or its context change across the lifecycle.

A distinctive strength of ISO 42005 is that it specifies documentation content in real detail. It sets out the fields an assessment record should contain — system description, intended and reasonably foreseeable uses, relevant data, affected stakeholders, identified impacts, mitigations, and residual risk — which is exactly the structure that makes a set of assessments comparable and auditable rather than a folder of inconsistent narratives.

When to conduct it across the AI lifecycle

ISO 42005 is emphatic that an impact assessment is not a launch-gate checkbox. It should be triggered during design, updated before deployment, reviewed during operation and post-market monitoring, refreshed after any significant change, and considered again at retirement or decommissioning (ISO, 2025). An AI system that was assessed as low-impact at launch can become high-impact after a model retrain, a new data source, or expansion into a new user population — which is precisely why the standard ties the activity to lifecycle stages rather than a single date.

This lifecycle discipline is where ISO 42005 reinforces the operating rhythm we describe in the ISO 42001 implementation roadmap. If you already run a structured ML or MLOps lifecycle, the change-triggered review points slot into stages you likely already have. The gap for most teams is not the technical practice; it is documenting the impact decision at each of those points.

How ISO 42005 links to ISO 42001 and the EU AI Act

The relationship with ISO 42001 is complementary and deliberate. ISO 42001 ensures that impact assessments happen consistently as a required part of AI governance; ISO 42005 ensures that each assessment is thorough, systematic, and actionable. Together they connect high-level organizational oversight to practical, system-level evaluation. In audit terms, an assessor checking Annex A control A.5 wants evidence your assessments are consistent and repeatable — and an ISO 42005-shaped process is one of the cleanest ways to demonstrate that.

The regulatory link is the one drawing most attention. Article 27 of the EU AI Act requires deployers of certain high-risk AI systems to complete a Fundamental Rights Impact Assessment (FRIA) — a systematic evaluation of a system’s effect on rights such as non-discrimination, privacy, and access to justice, with the obligation applying from August 2026. ISO 42005 is not a FRIA and does not claim legal equivalence, but its people-centred structure covers much of the same analytical ground, so a mature ISO 42005 process gives organizations a strong methodological foundation to build FRIA evidence on. If the EU AI Act is your driver, pair this guide with our EU AI Act compliance guide to see where the standard helps and where the regulation demands more.

ISO 42005 is a globally recognised methodology, not a compliance shortcut. It can support EU AI Act efforts and go beyond them, but it does not automatically satisfy Article 27, whose notification and template obligations are specific to the regulation (ISO, 2025). Treat the standard as the engine and the FRIA as one of the outputs it helps you produce.

Who should use ISO 42005

The standard is written for any organization that develops, provides, or uses AI systems and needs to manage AI-related risk to people — whether or not it is pursuing ISO 42001 certification. In practice the natural adopters are teams already building an AI management system, deployers preparing for the EU AI Act, and governance, risk, and legal functions who have been asked to prove their AI is being handled responsibly. It is equally useful whether you build models in-house or procure AI services, because the impact on affected people is the same regardless of who wrote the code.

Where organizations are weighing frameworks against each other, it helps to remember that ISO 42005 is not an alternative to voluntary risk frameworks — a point we draw out in our comparison of ISO 42001 and the NIST AI RMF. The NIST AI RMF gives you a broad risk-management vocabulary; ISO 42005 gives you a precise, documentable method for one core activity within it. Used together with ISO 42001, they turn AI impact assessment from an improvised exercise into a repeatable, evidenced, and defensible discipline.

Frequently Asked Questions

What is ISO 42005?

ISO/IEC 42005:2025 is an international standard, published in May 2025 by ISO/IEC JTC 1/SC 42, that provides guidance for conducting and documenting AI system impact assessments across the AI lifecycle. It helps organizations evaluate how an AI system affects individuals, groups, society, and the environment (ISO, 2025).

Is ISO 42005 a certifiable standard?

No. ISO 42005 is guidance and is not designed for certification. There is no external auditor or accreditation scheme for it. Organizations use it internally to bring structure to their AI impact assessments, and its output can serve as supporting evidence for ISO 42001 and regulatory requirements.

What is the difference between ISO 42001 and ISO 42005?

ISO 42001 is the certifiable AI management system standard that requires impact assessments to happen consistently as part of AI governance. ISO 42005 is the companion guidance that tells you what an impact assessment should contain and how to run it. ISO 42001 ensures assessments occur; ISO 42005 ensures they are thorough and actionable.

What does an AI impact assessment cover?

An ISO 42005 assessment examines both intended and unintended effects of an AI system on four broad areas: individuals, groups, wider society, and the environment. For each identified impact it records benefits, harms, mitigations, and residual risk, looking outward at affected people rather than only at business risk.

When should you conduct an ISO 42005 impact assessment?

Throughout the AI lifecycle rather than once. ISO 42005 recommends conducting an assessment during design, updating it before deployment, reviewing it during operation and monitoring, refreshing it after significant changes, and revisiting it at retirement (ISO, 2025). It is a living document, not a launch-gate checkbox.

Does ISO 42005 satisfy the EU AI Act FRIA requirement?

Not on its own. The EU AI Act Article 27 Fundamental Rights Impact Assessment has specific legal obligations, including notifying the market surveillance authority, that apply from August 2026. ISO 42005 covers much of the same people-centred analysis and provides a strong methodological foundation, but it does not automatically fulfil Article 27.
