GRCWatch
Sign inStart free trial

ISO 42001 A.2.2: AI System Impact Assessment Policy

As AI systems increasingly shape business decisions and customer interactions, ISO 42001 A.2.2 requires you to systematically assess their impact on individuals, groups, and society before deployment. This control ensures your organization identifies and mitigates potential harms while building trust with stakeholders. Effective impact assessment becomes a competitive advantage when compliance is streamlined.

What this means

This control mandates establishing a formal policy that evaluates how your AI systems affect people and society—both positively and negatively. The policy must define what falls within scope, how often assessments occur, who owns them, and crucially, how findings influence your design and deployment decisions. Rather than assessing AI in isolation, this control ties assessment directly to governance actions.

How to comply

  1. 1.Draft an AI System Impact Assessment Policy that covers scope, frequency, roles, and decision-making processes
  2. 2.Define which AI systems trigger mandatory impact assessments (e.g., systems affecting hiring, credit decisions, or public services)
  3. 3.Establish assessment frequency—minimum annually or when systems materially change functionality or deployment
  4. 4.Assign clear ownership: who conducts assessments, who reviews findings, and who approves deployment decisions
  5. 5.Create a decision framework showing how negative impacts block or delay deployment, and what mitigations are required
  6. 6.Document impact assessment templates covering individual harms, group disparities, and broader societal effects
  7. 7.Link assessment results to design changes, monitoring requirements, and post-deployment review schedules
  8. 8.Train teams on the policy and ensure audit trails show assessment completion before go-live

Evidence auditors look for

  • Approved AI System Impact Assessment Policy document with defined scope, frequency, roles, and decision criteria
  • Impact assessment templates addressing individual, group, and societal harms
  • Completed assessments for deployed AI systems with documented findings and mitigation actions
  • Evidence of assessment results influencing design decisions (design change logs, deployment delay records)
  • Role definitions and RACI matrix showing who conducts, reviews, and approves assessments
  • Policy review and update logs demonstrating ongoing governance of the assessment process
  • Training records confirming staff understand assessment requirements and policy expectations
  • Post-deployment monitoring plans that reference pre-launch impact assessment findings

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates AI impact assessment workflows by tracking which systems require assessments, templating findings, routing approvals, and linking results directly to deployment gates—eliminating manual spreadsheets and ensuring no AI goes live without documented impact review.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 42001 A.2.1 — AI Governance and ManagementISO 42001 A.3.1 — Data and Information ManagementISO 42001 A.4.1 — Risk Management Framework