ISO/IEC 42005 AI Impact Assessment

Jurisdiction: OECD, voluntary
Effective: May 28, 2025
Authority: International Organization for Standardization
Official text: verified Mar 26, 2026

Obligations Covered

Risk Assessment

Regulatory Crosswalk

Binding regulations that require the same obligations this standard addresses. Implementing this standard can help satisfy these regulatory requirements.

Regulation | Jurisdiction | Shared Obligations
Work Health and Safety Amendment (Digital Work Systems) Act 2026 | New South Wales | 1
Privacy Act 1988 — Automated Decision-Making Reforms | Australia | 1
Brazil AI Bill (PL 2338/2023) | Brazil | 1
California CCPA ADMT Regulations | California | 1
Provisions on the Management of Algorithmic Recommendations | China | 1
Interim Measures for Generative AI Services | China | 1
Framework Convention on AI, Human Rights, Democracy and Rule of Law (CETS 225) | Council of Europe | 1
Colorado Privacy Act Rules (4 CCR 904-3) | Colorado | 1
Colorado Protecting Consumers from Unfair Discrimination in Insurance Practices | Colorado | 1
EU AI Act | European Union | 1
Digital Operational Resilience Act (DORA) | European Union | 1
AI Promotion Act | Japan | 1
AI Basic Act | South Korea | 1
Law on Artificial Intelligence | Kazakhstan | 1
Artificial Intelligence Regulations 2025 | Malta | 1
New York RAISE Act | New York | 1
QCB Artificial Intelligence Guideline | Qatar | 1
Law for the Promotion of Artificial Intelligence and Technologies | El Salvador | 1
Artificial Intelligence Basic Act | Taiwan | 1
UK Online Safety Act 2023 | United Kingdom | 1
EO 14319 — Preventing Woke AI in the Federal Government | United States | 1
Executive Order on AI State Law Preemption | United States | 1
Law on Artificial Intelligence | Vietnam | 1

Provisions (1)

AI System Impact Assessment

Obligation: Risk Assessment (enforcing)
Effective: May 1, 2025
Risk tier: all
Scope: providers, deployers; cross-domain

ISO/IEC 42005 fills the gap between generic risk management (ISO/IEC 23894) and the assessment of impacts on individuals and society; it is the AI equivalent of a Data Protection Impact Assessment (DPIA). As AI impact assessment requirements appear in the EU AI Act, CETS 225, and national strategies, this standard provides the reference methodology for conducting them.

Requirements

Requirement | Details
Impact identification | Identify potential impacts of AI systems and their foreseeable applications on individuals, groups, and society
Intended and unintended use assessment | Assess intended, unintended, sensitive, restricted uses, and foreseeable misuse scenarios
Benefit and harm evaluation | Evaluate both positive and negative impacts throughout the AI lifecycle
Stakeholder perspective | Integrate perspectives of affected individuals and groups in the assessment process
Documentation | Produce assessment documentation supporting transparency, accountability, and fairness
Lifecycle integration | Apply impact assessment from design and development through deployment and post-market monitoring
Integration with risk management | Coordinate impact assessment with ISO/IEC 23894 (risk management) and ISO/IEC 42001 (management system)

Penalties

Violation | Fine
Non-compliance | Voluntary — no binding enforcement mechanism