Hael
Sign inRequest a demo
ISO/IEC 42001 · Implementation

ISO/IEC 42001 risk and impact assessment

Updated 12 July 2026 · 6 min read
Key takeaway
ISO/IEC 42001 asks for two related-but-distinct assessments. AI risk assessment considers risks to the organisation from operating AI: security, resilience, model behaviour, supplier failure. AI system impact assessment considers impact on individuals, groups and society from the AI system's use: fairness, autonomy, safety, rights. Neither replaces a Data Protection Impact Assessment (DPIA); the three overlap but answer different questions. Auditors look for both, per system, with dated evidence and named owners.
  • AI risk assessment looks at risks to the organisation from operating AI.
  • AI system impact assessment looks at impact on individuals and society from the system's use.
  • Neither replaces a DPIA — the three overlap but answer different questions.
  • Both must be per system, dated, owned, and traceable to treatment actions.
  • Reassess when the system, its use, its data or its context materially change — not only annually.
  • General information, not legal advice. Current as of July 2026.

Two assessments, one register

The standard distinguishes AI risk assessment from AI system impact assessment because they answer different questions. Risk assessment is inward-looking: what can go wrong for us if this system fails, is attacked, drifts or is misused. Impact assessment is outward-looking: what happens to the people, groups and processes the system affects.

How they relate to a DPIA

A DPIA under GDPR Article 35 is required when processing is likely to result in high risk to the rights and freedoms of individuals. Its scope is personal data. An AI system impact assessment is broader: it covers non-personal-data impacts too, such as effects on autonomy, on access to services, or on societal groups. Where the AI system processes personal data at scale or in sensitive ways, the DPIA and the impact assessment overlap materially; the practical answer is to run one integrated assessment and record the outputs against both frameworks.

What the risk assessment covers

  • Model risk — accuracy, drift, hallucination, adversarial exposure.
  • Data risk — quality, representativeness, provenance, poisoning, leakage.
  • Operational risk — availability, latency, incident response, dependency on suppliers.
  • Security risk — confidentiality, integrity, model-specific attacks.
  • Compliance risk — obligations attaching to the system's use, including sector regulation.

What the impact assessment covers

  • Affected populations — who is subject to the system's decisions, directly or indirectly.
  • Categories of impact — fairness, autonomy, safety, rights, access to services, dignity.
  • Vulnerability considerations — children, medically vulnerable groups, protected characteristics.
  • Reversibility and remedy — can affected people contest, correct or exit the process.
  • Mitigations — controls that reduce the identified impacts to an accepted level.

What auditors expect to see

Per system: dated assessments, named owners, evidence of leadership sign-off, and a traceable line from findings to treatment actions and residual risk acceptance. Assessments that live only as a spreadsheet template with no operating record for six months are a common Stage 1 finding.

When to reassess

The standard expects reassessment when the system, its use, its data or its context materially change. Annual review is a floor, not a ceiling; a system deployed into a new user population, or fine-tuned on new data, warrants a fresh assessment on that event.

Key terms

AI system impact assessment
A structured assessment of the impact an AI system has on individuals, groups and society.
DPIA
Data Protection Impact Assessment — required under GDPR Article 35 for high-risk personal-data processing.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE