IA y gestion

ISO 42005 — AI System Impact Assessment

ISO/IEC 42005:2025 is the first international standard establishing how to evaluate the effects of an AI system on individuals, groups and society across its entire lifecycle. If your organisation develops or deploys AI, this analysis is no longer optional: the European AI Act requires it for high-risk systems.

StandardISO/IEC 42005:2025
PublishedMay 2025
ScopeAny organisation that develops or uses AI

ISO/IEC 42005:2025 was published in May 2025 by ISO and IEC as a guidelines standard — non-certifiable — designed to help organisations systematically assess the impact of their artificial intelligence systems. Unlike ISO 42001, which defines the AI management system at the organisational level, ISO 42005 drills down to each individual system: what effects it produces, on whom, at what point in the lifecycle, and which controls mitigate those effects. It is the technical complement that completes the governance picture.

The standard structures the assessment around six impact dimensions: social, economic, environmental, ethical, privacy and governance. For each dimension, affected groups are identified — employees, end users, third parties, communities — the likelihood and severity of the impact are analysed, and the mitigation measures adopted are documented. The result is an audited record that demonstrates due diligence to regulators, partners and clients. This approach aligns directly with Article 27 of the European AI Act, which requires fundamental rights impact assessments from public bodies, private entities providing public services, and deployers of certain high-risk AI systems.

At Summum Calidad we support this process from the initial analysis through to the integration of findings into your existing — or emerging — AI management system. With over 18 years of experience implementing standards-based systems and close to 200 ISO certifications supported since 2007, we translate technical requirements into procedures that your internal team can sustain without ongoing reliance on external consultants. If you already hold ISO 42001, ISO 42005 is the natural next step to demonstrate that your AI governance operates at system level, not only at organisational level.

The ISO 42005 process.

The process · four stages
01

System inventory and prioritisation

We identify all AI systems in use or under development, define assessment thresholds and prioritise them according to risk level, sector and regulatory exposure under the AI Act.

02

Impact assessment by dimension

We analyse each system across the six dimensions of the standard (social, economic, environmental, ethical, privacy, governance), identifying affected groups and the likelihood and severity of each impact.

03

Mitigation plan and controls

We design technical and procedural measures to reduce identified negative impacts, link them to the risk register, and establish internal owners responsible for ongoing monitoring.

04

Documentation, approval and continuous monitoring

We formalise the assessment report with full traceability, obtain the required internal approval, and configure a periodic review process aligned with the system's lifecycle.

What is included

What ISO 42005 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • AI system inventory

    A structured catalogue of all systems subject to assessment, with documented prioritisation criteria and thresholds.

  • Standardised assessment templates

    Questionnaires and matrices aligned with ISO/IEC 42005:2025 and AI Act requirements for each risk category.

  • Affected stakeholder analysis

    Identification and classification of all potentially impacted groups: employees, clients, suppliers and the wider community.

  • Impact and controls register

    An audited document recording identified impacts, risk ratings, mitigation measures adopted and associated evidence.

  • Integration with ISO 42001

    Linking assessment findings to the existing or developing AI management system, closing the governance loop.

  • Internal team training

    Hands-on training so that the team responsible for AI can conduct subsequent assessments independently, without continuous external support.

Frequently asked questions about ISO 42005.

Is ISO 42005 certifiable?

No. ISO/IEC 42005:2025 is a guidelines standard, not a requirements standard. There is no third-party certification process for this standard. Its value lies in the methodological rigour it provides and the audited documentation it generates, which serves as evidence of due diligence before AI Act regulators and auditors.

What is the difference between ISO 42001 and ISO 42005?

ISO 42001 defines the AI management system at the level of the entire organisation and is certifiable. ISO 42005 operates at the level of each individual AI system and provides the method for assessing its specific impact. They are complementary: 42001 provides the framework; 42005 applies it system by system.

Which organisations are affected by AI impact assessment?

Any organisation that develops, deploys or uses AI systems, particularly those operating in high-risk sectors under the AI Act (human resources, credit, access to essential services, critical infrastructure). Organisations that supply AI to public authorities or regulated sectors face stricter obligations and closer deadlines.

How long does it take to complete an impact assessment under ISO 42005?

It depends on the number of systems and their complexity. For an SME with one or two AI systems in production, a well-guided process can be completed in four to eight weeks. The greatest effort lies in the initial inventory and the identification of affected groups; once the methodology is established, subsequent assessments are significantly faster.

Does ISO 42005 satisfy the European AI Act?

The standard aligns with Article 27 of the AI Act, which requires public bodies, private entities providing public services, and deployers of high-risk AI systems covered by Annex III points 5(b) and 5(c) to conduct fundamental rights impact assessments. Although ISO 42005 is not officially harmonised with the Regulation, applying it provides strong evidence of compliance and systematises the process the AI Act requires to be documented.