Skip to content

ISO/IEC 42001:2023

Build an AI management system that auditors can follow. CRP's event-sourced architecture, risk classification, and audit exports map directly to ISO 42001 clauses and Annex A controls, so compliance evidence is produced as a side effect of normal operations.

Availability

The CRP SDK and CRP Comply are available for self-hosting today. The managed SaaS console is on the waitlist at comply.crprotocol.io.

Business value

  • Single source of truth - risk, audit, and quality evidence live in one system.
  • Faster certification prep - export clause-by-clause evidence with client.compliance.report().
  • Continuous compliance - controls are exercised on every client.complete() and client.ask() call.
  • Cross-standard reuse - the same evidence supports ISO 42001, EU AI Act, GDPR, and NIST AI RMF.

What is ISO 42001?

ISO 42001 follows the Annex SL high-level structure (same as ISO 27001, ISO 9001) with AI-specific requirements. It covers:

  • Establishing an AI management system
  • AI risk assessment and treatment
  • AI system lifecycle management
  • Responsible AI development and deployment

CRP Alignment

Clause 4 - Context of the Organization

Requirement CRP Implementation
Understanding AI-specific context 10 design axioms define protocol boundaries
Interested parties and requirements Provider-agnostic design, zero lock-in
Scope of the AIMS Protocol specification §1–§9

Clause 5 - Leadership

Requirement CRP Implementation
AI policy Elastic License 2.0 + governance framework
Roles and responsibilities RBAC with OBSERVER / OPERATOR / ADMIN roles
Organizational roles Security specification defines trust zones

Clause 6 - Planning

Requirement CRP Implementation
AI risk assessment client.compliance.classify(...)
AI risk treatment Automatic mitigations per risk level
AI objectives Quality tiers (S/A/B/C/D) with measurable targets

Clause 7 - Support

Requirement CRP Implementation
Competence Certification pathway (Education & Certification pillar)
Awareness Comprehensive documentation, demo app
Communication Quality reports, session status, envelope preview
Documented information Event-sourced fact model, audit trails

Clause 8 - Operation

Requirement CRP Implementation
AI system lifecycle Session lifecycle (create → ingest → dispatch → close)
AI system impact assessment Compliance classification + quality tier assessment
Data management 4-tier memory hierarchy with encryption at rest
AI system development 6-stage extraction, quality gates, 3-tier validation

Clause 9 - Performance Evaluation

Requirement CRP Implementation
Monitoring and measurement Real-time quality scoring per window
Internal audit HMAC-SHA256 audit trail with chain verification
Management review client.compliance.report()

Clause 10 - Improvement

Requirement CRP Implementation
Nonconformity and corrective action Re-grounding on degradation, echo detection
Continual improvement CKF cross-session learning, meta-learning (ORC/ICML/RTL)

Annex A - AI Controls

ISO 42001 Annex A defines 39 controls across 4 domains. CRP provides technical implementation for:

Domain Controls CRP Coverage
A.2 - Policies for AI 4 controls Protocol axioms, security spec
A.3 - Internal organization 3 controls RBAC, trust zones
A.4 - Resources for AI 4 controls Hardware-adaptive config
A.5 - Assessing impacts 4 controls Compliance classification, quality tiers
A.6 - AI system lifecycle 10 controls Full lifecycle management
A.7 - Data for AI 5 controls Extraction pipeline, fact validation
A.8 - Information for AI 4 controls Transparency declarations
A.9 - Use of AI 3 controls Human oversight, session controls
A.10 - Third parties 2 controls Provider-agnostic adapters

Annex B - AI Objectives

ISO 42001 Annex B requires measurable AI objectives. CRP provides these through its quality system:

Objective Metric CRP Measurement
Accuracy Quality tier S / A / B / C / D with degradation %
Reliability Window success Quality score per window
Transparency Audit completeness Chain verification (valid/broken)
Fairness Bias indicators Multi-aspect decomposition balance
Security Vulnerability count 8-layer security, OWASP coverage

SDK Evidence Example

import crp

client = crp.SDKClient()
client.configure(safety_profile="strict")

# Map the AI system to ISO 42001 controls
classification = client.compliance.classify(framework="iso-42001")
print(classification.controls)

# Produce management-review evidence
report = client.compliance.report(framework="iso-42001")
print(report.mapped_controls)

# Verify audit integrity for internal audit
summary = client.audit.summary()
print(f"Chain valid: {summary.chain_valid}")
print(f"Entries:     {summary.entry_count}")

Integration with Other Standards

ISO 42001 is designed to integrate with:

  • ISO 27001 (Information Security) - CRP's security layers align
  • ISO 9001 (Quality Management) - CRP's quality tiers provide measurement
  • ISO 31000 (Risk Management) - CRP's compliance classification follows this structure

CRP's event-sourced, auditable architecture makes cross-standard compliance evidence straightforward to produce.