|
1 | 1 | # Clause 10 — Improvement |
2 | 2 | ## ISO/IEC 42001:2023 | Implementation Guide |
3 | 3 |
|
4 | | -> **Purpose:** An AIMS is not a one-time project — it is a continuously improving system. Clause 10 ensures that when things go wrong (or could go better), the organisation takes structured action to fix problems, prevent recurrence, and systematically improve AI governance over time. |
| 4 | +Purpose: Address nonconformities, take corrective action, and drive continual improvement of the AIMS. |
5 | 5 |
|
6 | 6 | --- |
7 | 7 |
|
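Review bot: the new Purpose line (new line 4) is plain text where the old one used the `-> **Purpose:**` callout; if the other clause READMEs keep that callout, this page will now look different from them. The rewrite also drops "prevent recurrence", which is the phrase that distinguishes corrective action from mere correction; suggest `Purpose: Address nonconformities, take corrective action to prevent recurrence, and drive continual improvement of the AIMS.`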
8 | | -## Files in This Folder |
| 8 | +## Files in This Folder — Read in This Order |
9 | 9 |
|
10 | | -| File | Contents | |
11 | | -|------|---------| |
12 | | -| README.md | This clause guide | |
13 | | -| AI-INCIDENT-RESPONSE-PROCEDURE.md | How to detect, respond to, and learn from AI incidents | |
14 | | -| NCR-REGISTER.md | Nonconformity and Corrective Action Register template | |
15 | | -| CONTINUAL-IMPROVEMENT-LOG.md | Continual Improvement Log template | |
| 10 | +| # | File | What It Is | ISO Ref | |
| 11 | +|---|------|-----------|---------| |
| 12 | +| 1 | [NCR-REGISTER.md](NCR-REGISTER.md) | Nonconformity and Corrective Action Register | 10.1 | |
| 13 | +| 2 | [CONTINUAL-IMPROVEMENT-LOG.md](CONTINUAL-IMPROVEMENT-LOG.md) | Log of improvement initiatives with PDCA tracking | 10.2 | |
| 14 | +| 3 | [AI-INCIDENT-RESPONSE-PROCEDURE.md](AI-INCIDENT-RESPONSE-PROCEDURE.md) | Procedure for responding to AI incidents | 10.1 | |
| 15 | + |
| 16 | +Read order: 1 > 2 > 3 |
16 | 17 |
|
17 | 18 | --- |
18 | 19 |
|
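Review bot: "Read order: 1 > 2 > 3" (new line 16) puts AI-INCIDENT-RESPONSE-PROCEDURE.md last, but the 10.1 text removed further down says incidents "feed directly into the corrective action process", i.e. the incident procedure is an input to the NCR register, not a follow-on. Either move it to position 1 or state why the register should be read first. The README.md row from the old table is gone, which is fine if this file is itself the clause guide.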
19 | 20 | ## 10.1 — Nonconformity and Corrective Action |
20 | 21 |
|
21 | | -### What it requires |
22 | | -When a nonconformity occurs (something does not meet requirements), the organisation must: |
23 | | -1. React to the nonconformity and take action to control and correct it |
24 | | -2. Evaluate the need for action to eliminate the cause |
25 | | -3. Implement any action needed |
26 | | -4. Review the effectiveness of the corrective action taken |
27 | | -5. Update risks and opportunities if necessary |
28 | | -6. Make changes to the AIMS if necessary |
29 | | - |
30 | | -### What Counts as a Nonconformity? |
31 | | - |
32 | | -| Type | Examples | |
33 | | -|------|---------| |
34 | | -| AIMS process failure | Impact assessment not completed before deployment | |
35 | | -| Policy breach | AI system deployed without required approvals | |
36 | | -| Legal / regulatory breach | AI system violates GDPR or EU AI Act requirement | |
37 | | -| Audit finding | Internal audit identifies missing documentation | |
38 | | -| AI system failure | Model produces discriminatory outputs in production | |
39 | | -| Supplier nonconformity | Third-party AI vendor fails contractual requirements | |
40 | | -| Incident | AI system causes harm to a user or affected person | |
41 | | -| Objective not met | AI governance KPI falls below acceptable threshold | |
42 | | - |
43 | | -### Nonconformity and Corrective Action Process |
44 | | - |
45 | | -**Step 1 — Detect and Record** |
46 | | -- Source: audit finding, incident report, monitoring alert, stakeholder complaint, management review |
47 | | -- Record the nonconformity: what happened, when, where, who identified it |
48 | | -- Assign a severity level (Critical / Major / Minor / Observation) |
49 | | - |
50 | | -**Step 2 — Contain the Immediate Problem** |
51 | | -- Stop the harm or prevent it spreading |
52 | | -- Examples: suspend AI system, disable feature, halt data processing, notify affected users |
53 | | -- Document containment actions taken |
54 | | - |
55 | | -**Step 3 — Root Cause Analysis** |
56 | | -- Determine why the nonconformity occurred — not just what happened |
57 | | -- Methods: 5 Whys, Fishbone (Ishikawa) diagram, fault tree analysis |
58 | | -- Example: Model bias detected. Why? Training data was not representative. Why? No data quality check in the development process. Why? The development process did not include this step. Root cause: gap in AI development procedure. |
59 | | - |
60 | | -**Step 4 — Plan Corrective Action** |
61 | | -- Define specific actions to address the root cause |
62 | | -- Assign owner and deadline for each action |
63 | | -- Ensure actions are proportionate to the severity of the nonconformity |
64 | | - |
65 | | -**Step 5 — Implement Corrective Action** |
66 | | -- Execute the planned actions |
67 | | -- Update documentation, procedures, training as needed |
68 | | -- Communicate changes to relevant staff |
69 | | - |
70 | | -**Step 6 — Verify Effectiveness** |
71 | | -- After the correction is implemented, check it worked |
72 | | -- Re-test the AI system, re-audit the process, or monitor the metric |
73 | | -- Close the nonconformity only when the root cause is confirmed eliminated |
74 | | - |
75 | | -**Step 7 — Update the AIMS** |
76 | | -- If the nonconformity reveals a systemic issue, update relevant AIMS elements |
77 | | -- Risk register, procedures, training, controls — whatever needs updating |
78 | | - |
79 | | -### Nonconformity and Corrective Action Register Template |
80 | | - |
81 | | -| NCR ID | Date | Source | Description | Severity | Root Cause | Corrective Action | Owner | Deadline | Status | Effectiveness Check | |
82 | | -|--------|------|--------|-------------|----------|-----------|------------------|-------|----------|--------|---------------------| |
83 | | -| NCR-001 | 2025-03-15 | Internal Audit | AI system deployed without completed impact assessment | Major | Development checklist not enforced | Update deployment gate to require IA sign-off; retrain developers | AI Gov Lead | 2025-04-15 | Open | Pending | |
84 | | -| NCR-002 | 2025-04-01 | Incident Report | Customer service bot gave incorrect medical information | Critical | No scope limitation controls on bot | Add content filtering; update bot terms of use | Product Manager | 2025-04-10 | Closed | Effective — no recurrence in 60 days | |
85 | | - |
86 | | -### AI Incidents and Corrective Action |
87 | | -When an AI system causes harm or near-harm (an incident), the response must be both immediate (contain the harm) and systemic (prevent recurrence). This is why incidents feed directly into the corrective action process. |
88 | | - |
89 | | -> Full incident response procedure: see AI-INCIDENT-RESPONSE-PROCEDURE.md in this folder |
90 | | -
|
91 | | -### Documents Required |
92 | | -- Nonconformity and Corrective Action Register (NCR log) |
93 | | -- Root Cause Analysis Records (per nonconformity) |
94 | | -- Corrective Action Plans |
95 | | -- Effectiveness Review Records |
96 | | - |
97 | | ---- |
| 22 | +When a nonconformity occurs: react to it, evaluate need for corrective action, eliminate root causes, review effectiveness. See NCR-REGISTER.md and AI-INCIDENT-RESPONSE-PROCEDURE.md. |
98 | 23 |
|
99 | 24 | ## 10.2 — Continual Improvement |
100 | 25 |
|
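Review bot: the single replacement line for 10.1 (new line 22) drops the last two steps of the removed list (update risks and opportunities; make changes to the AIMS if necessary), the severity scale (Critical / Major / Minor / Observation) and the "Documents Required" list (Root Cause Analysis Records, Corrective Action Plans, Effectiveness Review Records), and nothing in this diff shows NCR-REGISTER.md or AI-INCIDENT-RESPONSE-PROCEDURE.md absorbing them. Confirm those files now carry that content, or keep the steps complete here, e.g. `When a nonconformity occurs: react to it, evaluate the need for corrective action, eliminate root causes, review effectiveness, and update risks and the AIMS where needed.`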
101 | | -### What it requires |
102 | | -The organisation must continually improve the suitability, adequacy, and effectiveness of the AIMS. |
103 | | - |
104 | | -### The Difference Between Corrective Action and Continual Improvement |
105 | | - |
106 | | -| Corrective Action (10.1) | Continual Improvement (10.2) | |
107 | | -|--------------------------|------------------------------| |
108 | | -| Reactive — triggered by a problem | Proactive — not necessarily triggered by a failure | |
109 | | -| Addresses a specific nonconformity | Addresses systemic or strategic improvement opportunities | |
110 | | -| Required when something goes wrong | Required even when things are going well | |
111 | | -| Example: Fix a process that failed | Example: Adopt better bias testing tools before they are required | |
112 | | - |
113 | | -### Sources of Improvement Opportunities |
114 | | -- Management review outputs (Clause 9.3) |
115 | | -- Internal audit observations (Clause 9.2) |
116 | | -- AI performance trends (Clause 9.1) |
117 | | -- Stakeholder feedback |
118 | | -- New AI governance best practices or standards updates |
119 | | -- Industry incidents and lessons learned from peers |
120 | | -- Staff suggestions and innovation |
121 | | -- Emerging regulations (e.g., new EU AI Act requirements) |
122 | | -- Technology improvements (better explainability tools, fairness metrics) |
123 | | - |
124 | | -### Continual Improvement Framework |
125 | | - |
126 | | -Use a Plan-Do-Check-Act (PDCA) cycle applied to your AIMS: |
127 | | - |
128 | | -**PLAN:** Identify improvement opportunity, set objectives, plan the change |
129 | | -**DO:** Implement the improvement |
130 | | -**CHECK:** Monitor and measure the results of the improvement |
131 | | -**ACT:** If effective, standardise it across the AIMS. If not, try again. |
132 | | - |
133 | | -### Continual Improvement Log Template |
134 | | - |
135 | | -| ID | Date Identified | Source | Description | Expected Benefit | Priority | Owner | Target Date | Status | Result | |
136 | | -|----|----------------|--------|-------------|-----------------|----------|-------|-------------|--------|--------| |
137 | | -| CI-001 | 2025-02-01 | Management Review | Implement automated model drift monitoring | Earlier detection of performance issues | High | MLOps Lead | 2025-Q2 | In Progress | TBD | |
138 | | -| CI-002 | 2025-03-01 | Audit Observation | Create AI ethics training e-learning module | Increase staff awareness efficiency | Medium | HR Lead | 2025-Q3 | Planned | TBD | |
139 | | -| CI-003 | 2025-04-01 | Industry Best Practice | Adopt NIST AI RMF playbook for risk assessment | Improve risk assessment quality | Low | Risk Manager | 2025-Q4 | Backlog | TBD | |
140 | | - |
141 | | -### Improvement Review Cycle |
142 | | -1. Monthly: Review open improvement actions and progress |
143 | | -2. Quarterly: Identify new improvement opportunities from metrics and incidents |
144 | | -3. Annual: Comprehensive review at management review meeting (Clause 9.3) |
145 | | -4. As needed: React to external developments (new regulations, major incidents) |
146 | | - |
147 | | -### Documents Required |
148 | | -- Continual Improvement Log |
149 | | -- Improvement Review Records (evidence improvements were evaluated) |
150 | | - |
151 | | ---- |
152 | | - |
153 | | -## The Improvement Loop — How Clause 10 Connects Everything |
154 | | - |
155 | | -Clause 10 is the engine that makes the entire AIMS self-correcting and self-improving: |
156 | | - |
157 | | -- Clause 9 (Performance Evaluation) identifies what is working and what is not |
158 | | -- Clause 10.1 (Corrective Action) fixes what went wrong |
159 | | -- Clause 10.2 (Continual Improvement) makes things better proactively |
160 | | -- Improvements feed back into Clauses 4-9, updating context, policies, plans, controls, and measurements |
161 | | - |
162 | | -This creates a genuine management system — not a static compliance checklist. |
163 | | - |
164 | | ---- |
165 | | - |
166 | | -## Clause 10 — Documents Checklist |
167 | | - |
168 | | -| # | Document | ISO Ref | Location | Status | |
169 | | -|---|----------|---------|----------|--------| |
170 | | -| 1 | Nonconformity and Corrective Action Register | 10.1 | This folder | To Do | |
171 | | -| 2 | Root Cause Analysis Records | 10.1 | This folder | Per NCR | |
172 | | -| 3 | Corrective Action Plans | 10.1 | This folder | Per NCR | |
173 | | -| 4 | Effectiveness Review Records | 10.1 | This folder | Per NCR | |
174 | | -| 5 | AI Incident Response Procedure | 10.1 | AI-INCIDENT-RESPONSE-PROCEDURE.md | Available | |
175 | | -| 6 | Continual Improvement Log | 10.2 | This folder | To Do | |
176 | | -| 7 | Improvement Review Records | 10.2 | This folder | To Do | |
177 | | - |
178 | | ---- |
179 | | - |
180 | | -## What Auditors Check in Clause 10 |
181 | | -- Is there a nonconformity register — and is it actually used? |
182 | | -- Are root cause analyses documented — not just corrective actions? |
183 | | -- Is there evidence that corrective actions were effective? |
184 | | -- Are AI incidents linked to the corrective action process? |
185 | | -- Is there a continual improvement log with proactive improvements (not just reactions to failures)? |
186 | | -- Do improvement actions trace back to management review or audit findings? |
187 | | -- Is there evidence the AIMS is actually getting better over time? |
| 26 | +Continually improve the suitability, adequacy, and effectiveness of the AIMS. See CONTINUAL-IMPROVEMENT-LOG.md. |
188 | 27 |
|
189 | 28 | --- |
190 | 29 |
|
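Review bot: the 10.2 replacement line (new line 26) removes not only the 10.2 guidance but also the "Improvement Review Cycle", the "Improvement Loop" section and the "What Auditors Check in Clause 10" list, with no pointer to where they went. The new Files table says the log covers "PDCA tracking", so the PDCA framework is accounted for, but the auditor questions (documented root causes, evidence corrective actions were effective, incidents linked to corrective action, proactive rather than reactive improvements) are not. Suggest keeping that list on this page or naming the file it moved to, since it was the one place the page stated what evidence the register and log must produce.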
191 | | -## Summary — The Complete ISO 42001 AIMS Document Set |
| 30 | +## Documents Checklist |
192 | 31 |
|
193 | | -| Clause | Folder | Key Documents | |
194 | | -|--------|--------|--------------| |
195 | | -| 4 — Context | 03-CLAUSE4-CONTEXT | Context Register, Interested Parties Register, Scope Statement, AI Systems Inventory | |
196 | | -| 5 — Leadership | 04-CLAUSE5-LEADERSHIP | AI Management Policy, Leadership Commitment, Roles and RACI Matrix | |
197 | | -| 6 — Planning | 05-CLAUSE6-PLANNING | Risk Register, SOA, AI Objectives, Risk Treatment Plan | |
198 | | -| 7 — Support | 06-CLAUSE7-SUPPORT | Resource Plan, Competence Matrix, Training Records, Master Document List | |
199 | | -| 8 — Operation | 07-CLAUSE8-OPERATION | Impact Assessments, Lifecycle Procedure, Supplier Assessments, Deployment Checklists | |
200 | | -| 9 — Performance | 08-CLAUSE9-PERFORMANCE | Monitoring Dashboard, Audit Programme, Audit Reports, Management Review Minutes | |
201 | | -| 10 — Improvement | 09-CLAUSE10-IMPROVEMENT | NCR Register, Root Cause Analyses, Improvement Log, Incident Response Procedure | |
| 32 | +| # | Document | ISO Ref | File | |
| 33 | +|---|----------|---------|------| |
| 34 | +| 1 | Nonconformity and Corrective Action Register | 10.1 | [NCR-REGISTER.md](NCR-REGISTER.md) | |
| 35 | +| 2 | Continual Improvement Log | 10.2 | [CONTINUAL-IMPROVEMENT-LOG.md](CONTINUAL-IMPROVEMENT-LOG.md) | |
| 36 | +| 3 | AI Incident Response Procedure | 10.1 | [AI-INCIDENT-RESPONSE-PROCEDURE.md](AI-INCIDENT-RESPONSE-PROCEDURE.md) | |
202 | 37 |
|
203 | 38 | --- |
204 | 39 |
|
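Review bot: the new Documents Checklist (new lines 32-36) silently drops four rows from the old Clause 10 checklist: Root Cause Analysis Records, Corrective Action Plans, Effectiveness Review Records and Improvement Review Records. If those are now meant to live as columns inside NCR-REGISTER.md and CONTINUAL-IMPROVEMENT-LOG.md (the removed register template already had an "Effectiveness Check" column), add a one-line note under the table saying so; otherwise a reader following this README will not know those records are expected. Replacing the cross-clause Summary table with "See root README.md for full index" is fine provided the root README actually carries that table.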
205 | | -*ISO/IEC 42001:2023 AI Governance Toolkit — Clause 10 of 10 | See root README.md for full index* |
| 40 | +*ISO/IEC 42001:2023 AI Governance Toolkit | Clause 10 of 10 | See root README.md for full index* |