What is ISO/IEC 42005?
Global AI regulation
ISO/IEC 42005 is the international standard that gives organisations a structured way to assess how an AI system, and its foreseeable uses, may affect people, groups and society. Published in May 2025, it is a voluntary guidance standard rather than a law. It helps teams identify, evaluate and document intended and unintended effects across the AI lifecycle, and it is designed to work alongside ISO/IEC 42001, AI risk management, DPIAs and, where relevant, rights-based assessments such as the EU AI Act FRIA.
What this means
ISO/IEC 42005 explains how to run an AI system impact assessment. In practical terms, that means asking disciplined questions about what an AI system is for, who it may affect, what evidence exists about likely benefits and harms, and what controls, changes or governance steps are needed before and after use.
It is broader than a data protection impact assessment because it is not limited to personal data. It is also different from a fundamental rights impact assessment or other rights-based reviews, because it looks at a wider set of system effects, including operational, social and governance issues. But it does not replace those other assessments where law requires them.
The standard matters because many organisations now need something more robust than a one-page ethics checklist, but more practical than abstract principles. ISO/IEC 42005 gives them a common method that can be embedded into product, procurement, risk and governance processes.
Why it matters
AI governance often breaks down in one of two ways. Either teams do not assess impacts at all, or they assess only one slice of the problem, usually privacy, and miss wider issues such as unfair treatment, indirect effects on groups, weak oversight, poor explainability, unsafe use, misuse or lack of accountability. ISO/IEC 42005 matters because it gives organisations a repeatable way to look at the broader picture.
That broader picture is increasingly important in regulation and procurement. The EU AI Act brings in a legal fundamental rights impact assessment for certain deployers. Data protection law can already require a DPIA. International instruments such as the Council of Europe AI Convention expect iterative risk and impact assessment on human rights, democracy and the rule of law. Boards, buyers and regulators therefore want evidence that an organisation has thought through what the system does, who carries the risk, what controls are in place and when the assessment will be refreshed.
For operators, the value is not just regulatory readiness. A good impact assessment improves decision quality. It can stop weak use cases before launch, force better data and oversight choices, surface affected groups early, and create a record that helps with assurance, internal challenge, procurement due diligence and later incident review.
How it works
Where the standard sits
ISO/IEC 42005 was published as an International Standard in May 2025 by ISO/IEC JTC 1/SC 42, the main international committee for AI standards. It is written as guidance for organisations conducting AI system impact assessments. Public summaries say it is relevant to any organisation developing, providing or using AI systems, regardless of sector or size.
It sits in a wider ISO/IEC AI standards family. ISO/IEC 42001 is the management system standard for organisation-wide AI governance. ISO/IEC 23894 deals with AI risk management. ISO/IEC 38507 addresses governance implications for organisations. ISO/IEC 5338 covers AI lifecycle processes. In that family, ISO/IEC 42005 plays the system-level impact assessment role.
What the assessment is meant to examine
The public ISO summary describes ISO/IEC 42005 as a framework for understanding how AI systems, and their foreseeable applications, may affect individuals, groups or society at large throughout the AI lifecycle. That matters because the standard is not confined to one narrow legal issue. It is asking for a rounded view of effects.
National standards body summaries add useful detail. They say the standard helps organisations document impacts on individuals and societies, define mitigation processes, and align AI system impact assessment with privacy, human rights, financial and environmental assessments. They also describe a structured approach that looks at issues such as responsibility, transparency, fairness, consistency, reliability, safety, security and privacy. In other words, it is designed to capture both direct and indirect effects, and not only technical failure.
A practical reading of the standard is that it is asking organisations to move beyond a simple "is this risky?" question. It asks whether the system is desirable in context, whether its use is proportionate, who may be affected, which assumptions matter, and what evidence the organisation can produce if challenged later.
How it connects to ISO/IEC 42001 and AI risk management
ISO presents ISO/IEC 42001 and ISO/IEC 42005 as complementary. ISO/IEC 42001 sets the organisation-wide management system, with policies, accountability, planning, operation, review and continual improvement. ISO/IEC 42005 gives the more detailed method for assessing individual AI systems within that governance structure.
That is an important distinction. ISO/IEC 42001 is about the management architecture. ISO/IEC 42005 is about the assessment process for particular systems and use cases. Public ISO and BSI materials both frame 42005 as something that should be integrated into the organisation's broader AI management and risk processes, rather than treated as a parallel exercise.
Operationally, that means a 42005-style assessment should connect to existing project gates, procurement checks, model review, change control, incident handling and post-deployment monitoring. It should also be updated when the use context changes, when affected groups change, when the model or data changes, or when fresh evidence appears.
How it differs from a DPIA and a rights-based assessment
A DPIA is a legal tool from data protection law. Under GDPR and UK GDPR, it is required where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. The ICO describes it as an assessment of the impact of envisaged processing on the protection of personal data, and its process focuses on necessity, proportionality, privacy risks and safeguards.
ISO/IEC 42005 is wider than that. It is not limited to personal data and it is not triggered only by data protection thresholds. An AI system impact assessment can therefore pick up issues that a DPIA may not fully cover, such as social effects, governance gaps, reliance risks, wider fairness questions, or impacts on groups that are not reducible to privacy analysis.
Rights-based assessments are different again. Under Article 27 of the EU AI Act, certain deployers must perform a fundamental rights impact assessment before first use of certain high-risk AI systems. The assessment must describe the use context, likely affected people and groups, specific risks of harm, human oversight measures and the measures to be taken if those risks materialise. It also links to notification duties and an AI Office questionnaire template. Article 27 states expressly that, where a DPIA already exists, the FRIA complements it rather than replacing it.
The Council of Europe HUDERIA methodology shows another rights-based model. It is centred on human rights, democracy and the rule of law, and it gives strong weight to triage, stakeholder engagement, detailed risk and impact review, mitigation planning and, where appropriate, access to remedies. Compared with these rights-based methods, ISO/IEC 42005 is broader in one sense and narrower in another: broader because it is an all-purpose AI system impact standard, narrower because it is not itself a dedicated human-rights instrument.
What evidence and governance records it creates
A useful feature of ISO/IEC 42005 is that it is not just a thinking exercise. Public summaries describe it as a document-heavy, structured process. BSI says it supports documentation and records, and that it includes an example template in Annex E. Official ANSI and INCITS materials describing the standard's templates point to records such as system identifiers, revision history, approvals, intended and unintended uses, data information, interested parties, benefits and harms, and possible system failures or misuse.
This kind of record matters in practice. It creates traceable evidence for internal approval, vendor due diligence, board reporting, audit, procurement, incident response and regulator questions. It also makes the organisation's assumptions visible. If the system is later challenged, the question is rarely only whether the model performed as expected. The question is also whether the organisation had a credible process for deciding to build, buy or use it in the first place.
How it enters practice through law, policy and procurement
ISO/IEC 42005 is a voluntary standard, not an Act of Parliament or an EU Regulation. ISO and IEC's own public policy material explains that international standards are voluntary unless they are referenced in law, regulation, contract or other binding instruments. That is the key legal status point.
Even so, voluntary standards often shape binding practice. National standards bodies can adopt them identically, as BSI has done in the UK with BS ISO/IEC 42005:2025. Regulators and public bodies can use them as implementation support. Buyers can write them into procurement. Internal governance teams can make them mandatory by policy. So while ISO/IEC 42005 does not itself create legal duties, it can become practically important wherever an organisation needs a recognised way to evidence responsible AI governance.
That interaction with law is already visible. The EU AI Act's fundamental rights impact assessment for certain high-risk deployers is currently set to apply from 2 August 2026, though this date depends on the proposed "AI Omnibus" process and related implementation work, so organisations should check the latest position before relying on it. The Council of Europe Framework Convention expects parties to ensure iterative risk and impact assessment measures in relation to actual and potential impacts on human rights, democracy and the rule of law. A standard like ISO/IEC 42005 can therefore help organisations build a durable assessment method that can be adapted to more specific legal requirements.
Examples
A lender using AI for creditworthiness assessment is a good example of overlap in practice. The European Commission's AI Act materials treat credit scoring as a high-risk use case, and Article 27 specifically captures deployers of certain Annex III point 5 systems. In that setting, a deployer needs a fundamental rights impact assessment before first use. If personal data processing is also likely to create high risk to individuals, a DPIA may be needed as well. ISO/IEC 42005 can sit above both exercises by providing the wider system map, the affected-group analysis and the broader governance record.
A hiring team using AI to sort CVs or automate applicant evaluation faces a different but equally practical overlap. The Commission's AI Act page lists recruitment tools such as CV-sorting software as high-risk use cases. The ICO says systematic and extensive profiling with legal or similarly significant effects always requires a DPIA. In that workflow, a privacy-only form may be too narrow. A 42005-style assessment adds the wider questions: what the tool is really being used for, which applicants or groups may be indirectly disadvantaged, what human review actually means in practice, and what evidence exists for fairness, transparency and reliability.
The Dutch government's AI Impact Assessment shows what a broader AI impact assessment programme looks like inside a public organisation. The official tool is meant to be used from the start of development and procurement, and it must be completed when the system goes into production, including pilot use. It is designed for a multidisciplinary group and covers purpose, necessity, fundamental rights, sustainability, data governance, risk management, accountability and AI Act appendices. That is not ISO/IEC 42005 itself, but it is a concrete example of the kind of cross-functional, lifecycle-based assessment discipline that ISO/IEC 42005 is trying to standardise internationally.
Common misunderstandings
It is a law. It is not. ISO/IEC 42005 is a voluntary international standard. It becomes binding only if a law, contract, procurement rule or internal policy makes it so.
It replaces a DPIA. It does not. A DPIA remains a separate legal requirement where personal data processing is likely to create high risk to individuals. The EU AI Act FRIA also remains separate, and Article 27 says it complements a DPIA where one already exists.
It is only for public bodies or only for high-risk AI. It is not. Public summaries say it is intended for any organisation developing, providing or using AI systems. The legal trigger for a FRIA is narrower than the standard's intended audience.
It is a one-off launch document. It is not. ISO's own summary says the assessment should be performed across the AI lifecycle and updated as needed. If the model, data, use context or affected groups change, the assessment should change too.
It is only about harms. It is not. Public summaries indicate that the standard is also interested in intended and unintended effects more generally, and BSI notes a harms and benefits taxonomy. That makes it a broader governance tool than a simple red-flag checklist.
Risks and boundaries
The biggest misuse of ISO/IEC 42005 is to turn it into paperwork detached from decision-making. If the assessment is done after procurement, after build, or after policy approval, it becomes a filing exercise rather than a governance control. The standard is most useful when it is tied to real approval gates and real authority to change or stop a project.
It is also not a legal safe harbour. Following ISO/IEC 42005 does not by itself prove compliance with the EU AI Act, GDPR, UK GDPR, equality law, consumer law, product safety law, medical device law or sector-specific supervision. Those legal frameworks still have their own tests, institutions and enforcement paths.
A second boundary is scope. Because ISO/IEC 42005 is broad, organisations can be tempted either to use it as a substitute for specialist review or to duplicate every specialist review inside it. Neither approach is ideal. In practice, it works best as the umbrella method that coordinates narrower assessments, such as DPIAs, safety reviews, cybersecurity reviews and rights-based assessments, while preserving each one's legal function.
There is also some implementation uncertainty around adjacent law. Article 27 of the EU AI Act requires the AI Office to develop a questionnaire template, including through an automated tool, to simplify compliance. The official materials reviewed for this article still describe that tool as something the AI Office should develop, rather than as a settled, published instrument. Organisations should therefore expect the FRIA process around Article 27 to become more concrete over time.
Finally, this article relies on official public summaries, catalogue pages and guidance, not on the paid full text of ISO/IEC 42005. That is the right way to explain the standard publicly, but it means fine-grained implementation detail should be checked against the official standard text and local legal requirements before an organisation locks in its operating method.
What to do next
Start by separating three things that are often muddled together: a general AI impact assessment method, a DPIA, and a rights-based assessment such as a FRIA. Name each clearly in your governance documents so teams know which one is voluntary good practice, which one is a legal duty, and when they overlap.
Get one official version of ISO/IEC 42005 through your national standards body and map it against your existing processes. Most organisations already have project approval, procurement, privacy, security and risk review steps. The aim should be to integrate 42005 into those steps, not to create an isolated form that nobody owns.
Choose trigger points. At minimum, require an AI system impact assessment at concept stage, before procurement or deployment, when the use context materially changes, and after significant incidents or model changes. Make clear who signs off, who can require extra mitigation, and who can halt deployment.
Map assessment overlap deliberately. If a system uses personal data, decide whether a DPIA is needed. If the system falls into EU AI Act Article 27 scope, design a FRIA path and notification path. If the use case is rights-sensitive or public-facing, consider whether a HUDERIA-style stakeholder engagement and remedy lens would add value.
Keep one evidence trail. The strongest practice is a single controlled record that links system purpose, affected groups, assumptions, risk analysis, mitigation steps, approvals, complaints handling and review history. That record becomes useful far beyond compliance, including procurement, audit, board reporting and incident response.
Treat this as a programme capability, not a one-time template exercise. The organisations that get value from ISO/IEC 42005 are the ones that assign ownership, train teams, build review discipline and refresh the assessment when systems change.
FAQs
Is ISO/IEC 42005 mandatory?
Not by itself. It is a voluntary international standard. It becomes practically mandatory only where a law, contract, procurement term or internal policy requires it.
Who should use ISO/IEC 42005?
Public summaries say it is for organisations developing, providing or using AI systems. That includes founders, product teams, buyers, compliance leaders, public sector bodies and governance teams.
Does ISO/IEC 42005 replace a DPIA?
No. A DPIA is a distinct data protection law requirement focused on personal data processing and the rights and freedoms of individuals. ISO/IEC 42005 is broader and can inform a DPIA, but it does not replace it.
Does ISO/IEC 42005 replace the EU AI Act FRIA?
No. Article 27 of the EU AI Act has its own legal scope, content and notification path. ISO/IEC 42005 can support that work, but it is not the same thing.
When should an AI system impact assessment be done?
Early, and more than once. Public ISO material recommends assessment across the AI lifecycle, from design and development through deployment and post-market or post-deployment monitoring, with updates when needed.
Is ISO/IEC 42005 only about harm?
No. Official summaries describe intended and unintended effects more broadly, and national standards body material says the standard includes a harms and benefits taxonomy.
Is ISO/IEC 42005 a certification standard?
It is primarily guidance. In the ISO/IEC AI family, the certification architecture is centred elsewhere, especially ISO/IEC 42001 and ISO/IEC 42006, while 42005 gives a method for assessing impacts at AI system level.
Can buyers and procurement teams use it?
Yes. Even where it is not legally required, it is useful in procurement because it creates a structured record of the system's purpose, affected groups, evidence base, controls and review history.
