Determine Scope of the AI Management System
Plain English Translation
ISO/IEC 42001 Clause 4.3 requires the organization to define the boundaries and applicability of its AI management system (AIMS). The scope statement must be derived from the internal and external issues identified under Clause 4.1 and the interested-party requirements identified under Clause 4.2, and it must be kept as documented information. A clearly documented scope tells staff, customers, and the certification auditor exactly which AI systems, processes, business units, and locations are governed by the AIMS and therefore subject to certification.
Technical Implementation
Required Actions (startup)
- Write a basic scope statement defining which core AI product or service is covered.
- List key exclusions with a one-line justification for each, for example generic third-party SaaS tools that do not process data for, or feed outputs into, the core AI system.
Required Actions (scaleup)
- Write a comprehensive scope statement that names the covered AI systems, departments, and physical locations, and record the justification for every exclusion.
- Map the process, data, and network boundaries between the AIMS and other management systems already in place, such as an ISO/IEC 27001 ISMS, so that shared controls and interfaces are explicit.
Required Actions (enterprise)
- Maintain the scope as a controlled, regularly reviewed document that tracks multinational boundaries, subsidiaries, and joint ventures, with a change process for adding or removing entities.
- Maintain a centralized AI asset inventory and evaluate every new or changed entry against the documented scope boundaries, so that systems falling inside the scope (or excluded despite posing significant risk) are flagged for review rather than discovered at audit time.
ISO 42001 Clause 4.3 requires organizations to determine the boundaries and applicability of their AI management system by considering internal and external issues, as well as stakeholder requirements, and maintaining this scope as documented information.
An ISO/IEC 42001 scope statement explicitly lists the business activities, AI systems, physical locations, and departments that the AIMS covers. It must articulate the boundaries of the AIMS and state any exclusions together with their justification.
The scope should cover all AI systems, models, and use cases that are relevant to the organizational context and interested-party requirements identified under Clauses 4.1 and 4.2. The organization should document how AI systems and use cases were brought into scope, taking into account the role or roles it plays with respect to them (for example AI provider, AI producer or developer, or AI customer or deployer) as determined under Clause 4.1.
An organization can restrict the scope to a specific product line, department, or geographical location, provided the boundaries are clearly defined and logically justified. Interfaces and dependencies with parts of the organization that sit outside the scope (shared data pipelines, platform teams, corporate IT) must then be identified and managed, because the certified AIMS still depends on them.
Auditors evaluate the scope by verifying that it logically aligns with the documented organizational context and interested-party requirements. They check that the defined boundaries do not arbitrarily exclude high-risk AI systems that are core to the stated business objectives, and that every exclusion has a recorded justification. Tools like WatchDog Security's Compliance Center can help link the published scope to collected evidence and highlight gaps where in-scope AI activities lack controls or artifacts.
Organizations must retain documented information that explicitly defines the boundaries and applicability of the management system. The approved scope statement, read together with the Statement of Applicability, is the primary audit evidence for this clause. Tools like WatchDog Security's Policy Management can help keep the scope document under version control with approvals, and WatchDog Security's Compliance Center can organize supporting evidence for audits.
While an organization cannot certify another entity's internal operations, the ISO 42001 scope for third-party and outsourced AI services must include the internal processes used to manage, evaluate, and monitor those third parties. For vendor oversight, tools like WatchDog Security's Vendor Risk Management can track third-party AI services, assessments, and risk tiering that support your in-scope governance processes.
Organizations should map the interfaces where in-scope AI systems interact with external systems, and the points where the AIMS overlaps with other management systems such as an ISO/IEC 27001 ISMS. A typical arrangement is shared governance over information security controls (access control, data protection, supplier security) while AI-specific lifecycle risks such as data quality, model performance, bias, and transparency remain strictly within the AIMS scope.
Common mistakes include writing a scope too vague to manage or audit effectively, and excluding AI systems that pose significant risk in order to narrow the certification effort. Failing to document a clear justification for the chosen boundaries and exclusions is another frequent audit finding.
The scope should be formally reviewed during periodic management reviews. It must be updated whenever there are significant changes to the organization's context, new major AI systems are introduced, or substantial shifts in stakeholder requirements occur. Tools like WatchDog Security's Asset Inventory can help flag newly discovered AI systems or integrations that may change scope, and WatchDog Security's Risk Register can document scope-related risks and treatment decisions.
Keeping scope current requires continuously identifying new AI systems, integrations, data sources, and deployments, then assessing whether they fall inside the defined boundaries. Tools like WatchDog Security's Asset Inventory can help maintain an up-to-date system inventory, while WatchDog Security's Compliance Center can use that inventory to track in-scope coverage and highlight evidence gaps.
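The inventory check described above can be reduced to a few explicit rules. The following Python is an added example written for this page, not WatchDog Security product code: it encodes a scope statement as checkable boundaries (business units, locations, and exclusions with their justifications), evaluates a constructed AI asset inventory against it, and flags for review any entry that is excluded without a justification, or that is high-risk or core to the business yet sits outside the declared boundary. The inventory field names, the three risk levels, and the "high-risk or core" review rule are assumptions made for the example.

```python
"""Evaluate an AI asset inventory against a documented AIMS scope.

Added example for this page; not WatchDog Security product code.
Field names, risk levels and the review rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeStatement:
    """The Clause 4.3 scope reduced to machine-checkable boundaries."""
    business_units: frozenset      # business units declared in scope
    locations: frozenset           # physical/cloud locations declared in scope
    exclusions: dict               # asset_id -> documented justification ("" = none recorded)


@dataclass(frozen=True)
class AIAsset:
    """One entry from the AI system inventory (constructed schema)."""
    asset_id: str
    name: str
    business_unit: str
    location: str
    risk: str        # assumed values: "low", "medium", "high"
    core: bool       # True if the system delivers a stated business objective


IN_SCOPE, OUT_OF_SCOPE, EXCLUDED, REVIEW = "in_scope", "out_of_scope", "excluded", "review"


def classify(asset, scope):
    """Return (status, reason) for a single inventory entry."""
    inside = (asset.business_unit in scope.business_units
              and asset.location in scope.locations)
    # Auditors look for high-risk or core systems that were scoped out; treat
    # those as exceptions that need a human decision, never a silent exclusion.
    significant = asset.risk == "high" or asset.core
    if asset.asset_id in scope.exclusions:
        why = scope.exclusions[asset.asset_id].strip()
        if not why:
            return REVIEW, "explicit exclusion has no documented justification"
        if significant:
            return REVIEW, f"explicit exclusion of a high-risk or core system: {why}"
        return EXCLUDED, why
    if inside:
        return IN_SCOPE, "within declared business units and locations"
    if significant:
        return REVIEW, "outside declared boundary but high-risk or core: justify or extend the scope"
    return OUT_OF_SCOPE, "outside declared business units and locations"


def scope_report(inventory, scope):
    """Group every inventory entry by scope status, preserving inventory order."""
    report = {IN_SCOPE: [], OUT_OF_SCOPE: [], EXCLUDED: [], REVIEW: []}
    for asset in inventory:
        status, reason = classify(asset, scope)
        report[status].append((asset.asset_id, reason))
    return report


# Constructed scope: one business unit in one region, two recorded exclusions,
# one of which was never justified.
SCOPE = ScopeStatement(
    business_units=frozenset({"fraud-analytics"}),
    locations=frozenset({"eu-west"}),
    exclusions={
        "ai-004": "vendor-hosted meeting transcription; no organizational data retained",
        "ai-005": "",
    },
)

# Constructed inventory; ai-006 models a newly discovered deployment.
INVENTORY = [
    AIAsset("ai-001", "Card fraud scoring model", "fraud-analytics", "eu-west", "high", True),
    AIAsset("ai-002", "Fraud case triage assistant", "fraud-analytics", "eu-west", "medium", False),
    AIAsset("ai-003", "Marketing copy generator", "marketing", "us-east", "low", False),
    AIAsset("ai-004", "Meeting transcription SaaS", "corporate", "us-east", "low", False),
    AIAsset("ai-005", "Credit-limit recommender", "lending", "us-east", "high", True),
    AIAsset("ai-006", "Fraud model discovered in APAC", "fraud-analytics", "apac", "high", True),
]

if __name__ == "__main__":
    for status, entries in scope_report(INVENTORY, SCOPE).items():
        for asset_id, reason in entries:
            print(f"{status:12} {asset_id}  {reason}")
```

Run as a script, the report places ai-001 and ai-002 in scope, ai-003 out of scope, ai-004 as a justified exclusion, and sends ai-005 (excluded with no justification) and ai-006 (a high-risk core system outside the declared region) to the review queue. The point of the design is that the scope document, not the inventory tool, is the source of truth: the checker only surfaces entries where the two disagree, and a reviewer either updates the scope with a justification or brings the system under AIMS controls.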
Scope changes should follow a controlled workflow: document the change, justify any exclusions, obtain approvals, and record related risks and decisions for auditability. Tools like WatchDog Security's Policy Management can help manage version control and approvals for the scope document, and WatchDog Security's Risk Register can capture scope-related risks, treatments, and risk acceptance decisions.
"The organization shall determine the boundaries and applicability of the AI management system to establish its scope. When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; the requirements referred to in 4.2. The scope shall be available as documented information. The scope of the AI management system shall determine the organization's activities with respect to this document's requirements on the AI management system, leadership, planning, support, operation, performance, evaluation, improvement, controls and objectives."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |