ISO/IEC 23894:2023
Information technology - Artificial intelligence - Guidance on risk management. Provides guidance on how organizations that develop, produce, deploy, or use products, systems and services that utilize AI can manage risk specifically related to AI. Extends ISO 31000 risk management principles to AI contexts. Published February 2023.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (11)
AI-Specific Risk Sources (Annex A)
Annex A: Sources of risk specific to AI systems that organizations should consider
| Code | Title |
|---|---|
| ISO23894-A.1 | Data Quality and Representativeness |
| ISO23894-A.2 | Model Transparency and Explainability |
| ISO23894-A.3 | Algorithmic Bias and Fairness |
| ISO23894-A.4 | AI System Robustness |
| ISO23894-A.5 | Privacy and Data Protection in AI |
| ISO23894-A.6 | AI System Security |
| ISO23894-A.7 | Human Oversight of AI |
| ISO23894-A.8 | AI Accountability and Governance |
Annex Guidance
| Code | Title |
|---|---|
| 23894-A.2 | AI Objectives and Risk Sources |
| 23894-A.3 | Lifecycle Risk Considerations |
| 23894-A.4 | AI System Impact Assessment |
| 23894-A.5 | Human Oversight Controls |
| 23894-A.6 | Transparency and Explainability |
| 23894-A.7 | Data Quality and Provenance |
| 23894-A.8 | Robustness and Resilience Testing |
| 23894-A.9 | Third-Party AI Components |
Framework
| Code | Title |
|---|---|
| 23894-5.2 | Leadership and Commitment |
| 23894-5.3 | Integration into Organizational Processes |
| 23894-5.4.1 | Understanding Organization and Context |
| 23894-5.4.2 | AI Risk Management Policy |
| 23894-5.4.3 | Roles, Authorities, Responsibilities |
| 23894-5.4.4 | Allocation of Resources |
| 23894-5.5 | Communication and Consultation |
Framework (Clause 5)
Clause 5: AI risk management framework for establishing governance and organizational structures
| Code | Title |
|---|---|
| ISO23894-5.1 | Leadership and Commitment |
| ISO23894-5.2 | AI Risk Management Integration |
| ISO23894-5.3 | AI Risk Management Design |
| ISO23894-5.4 | AI Risk Management Implementation |
| ISO23894-5.5 | Framework Evaluation |
| ISO23894-5.6 | Framework Improvement |
Framework – ISO/IEC 23894:2023
| Code | Title |
|---|---|
| iso-iec-23894-2023::5.1 | General |
| iso-iec-23894-2023::5.2 | Leadership and commitment |
| iso-iec-23894-2023::5.3 | Integration |
| iso-iec-23894-2023::5.4 | Design |
| iso-iec-23894-2023::5.4.1 | Understanding the organization and its context |
| iso-iec-23894-2023::5.4.2 | Articulating risk management commitment |
| iso-iec-23894-2023::5.4.3 | Assigning organizational roles, authorities, responsibilities and |
| iso-iec-23894-2023::5.4.4 | Allocating resources |
| iso-iec-23894-2023::5.4.5 | Establishing communication and consultation |
| iso-iec-23894-2023::5.5 | Implementation |
| iso-iec-23894-2023::5.7.1 | Adapting |
| iso-iec-23894-2023::5.7.2 | Continually improving |
Principles
| Code | Title |
|---|---|
| 23894-4.1 | AI Risk Management Principles |
Principles (Clause 4)
Clause 4: Risk management principles adapted for AI contexts
| Code | Title |
|---|---|
| ISO23894-4.1 | Integrated AI Risk Management |
| ISO23894-4.2 | Structured and Comprehensive Approach |
| ISO23894-4.3 | Customized to AI Context |
| ISO23894-4.4 | Inclusive Stakeholder Engagement |
| ISO23894-4.5 | Dynamic and Responsive |
| ISO23894-4.6 | Best Available Information |
| ISO23894-4.7 | Human and Cultural Factors |
| ISO23894-4.8 | Continual Improvement |
Process
| Code | Title |
|---|---|
| 23894-6.3 | AI Risk Assessment Scope and Criteria |
| 23894-6.4.2 | AI Risk Identification |
| 23894-6.4.3 | AI Risk Analysis |
| 23894-6.4.4 | AI Risk Evaluation |
| 23894-6.5 | AI Risk Treatment |
| 23894-6.6 | Monitoring and Review |
| 23894-6.7 | Recording and Reporting |
Process (Clause 6)
Clause 6: AI risk management process covering identification, analysis, evaluation, and treatment of AI-specific risks
| Code | Title |
|---|---|
| ISO23894-6.1 | Communication and Consultation |
| ISO23894-6.2 | Scope, Context and Criteria |
| ISO23894-6.3 | AI Risk Assessment |
| ISO23894-6.3.1 | AI Risk Identification |
| ISO23894-6.3.2 | AI Risk Analysis |
| ISO23894-6.3.3 | AI Risk Evaluation |
| ISO23894-6.4 | AI Risk Treatment |
| ISO23894-6.5 | Monitoring and Review |
| ISO23894-6.6 | Recording and Reporting |
Risk management process – ISO/IEC 23894:2023
| Code | Title |
|---|---|
| iso-iec-23894-2023::6.1 | General |
| iso-iec-23894-2023::6.2 | Communication and consultation |
| iso-iec-23894-2023::6.3.1 | General |
| iso-iec-23894-2023::6.3.2 | Defining the scope |
| iso-iec-23894-2023::6.3.3 | External and internal context |
| iso-iec-23894-2023::6.3.4 | Defining risk criteria |
| iso-iec-23894-2023::6.4 | Risk assessment |
| iso-iec-23894-2023::6.4.1 | General |
| iso-iec-23894-2023::6.4.2 | Risk identification |
| iso-iec-23894-2023::6.4.3 | Risk analysis |
| iso-iec-23894-2023::6.4.4 | Risk evaluation |
| iso-iec-23894-2023::6.5 | Risk treatment |
| iso-iec-23894-2023::6.5.1 | General |
| iso-iec-23894-2023::6.5.2 | Selection of risk treatment options |
| iso-iec-23894-2023::6.5.3 | Preparing and implementing risk treatment plans |
| iso-iec-23894-2023::6.6 | Monitoring and review |
| iso-iec-23894-2023::6.7 | Recording and reporting |
Scope, Terms and References (Clauses 1-3)
Clauses 1-3: Scope of AI risk management, normative references, and terms and definitions
| Code | Title |
|---|---|
| ISO23894-1 | Scope of AI Risk Management |
| ISO23894-3 | AI-Specific Terminology |
Your Compliance Coverage
If you comply with ISO/IEC 23894:2023, you already cover:
ISO 31000:2018
56%
48 controls mapped
Compare →ISO 31000
40%
34 controls mapped
Compare →ISO/IEC 27557:2022 - Organisational Privacy Risk Management
28%
24 controls mapped
Compare →+ 303 more: ISO/IEC 27003:2017 (26%), AS9100D - Aerospace Quality Management System (24%)
See all 306 mapped frameworks ↓Maps to 306 other frameworks
Frequently Asked Questions
What is ISO/IEC 23894:2023?
ISO/IEC 23894:2023 is a compliance framework from International with 11 domains and 85 controls. Information technology - Artificial intelligence - Guidance on risk management. Provides guidance on how organizations that develop, produce, deploy, or use products, systems and services that utilize AI can manage risk specifically related to AI. Extends ISO 31000 risk management principles to AI contexts. Published February 2023. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does ISO/IEC 23894:2023 have?
ISO/IEC 23894:2023 has 85 controls organised across 11 domains. The largest domains are Risk management process – ISO/IEC 23894:2023 (17 controls), Framework – ISO/IEC 23894:2023 (12 controls), Process (Clause 6) (9 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does ISO/IEC 23894:2023 map to?
ISO/IEC 23894:2023 maps to 306 other compliance frameworks. The top mapping partners are ISO 31000:2018 (56% coverage), ISO 31000 (40% coverage), ISO/IEC 27557:2022 - Organisational Privacy Risk Management (28% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with ISO/IEC 23894:2023 compliance?
Start your ISO/IEC 23894:2023 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO/IEC 23894:2023 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 85 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required