In May 2025, ISO published ISO/IEC 42005, the first international standard dedicated entirely to conducting AI system impact assessments. Where ISO 42001 requires an organization to perform impact assessments, ISO 42005 spells out how that task is actually carried out. The standard answers the question that troubles many organizations: how do you approach such an assessment in practice?
What is an AI impact assessment?
An AI impact assessment maps how an AI system, and its reasonably foreseeable use, may affect individuals, groups, and society. It therefore goes further than a classic risk analysis, which looks at risks to the organization itself. The core question is outward-facing: who experiences the consequences of this system, and what are those consequences?
That distinction matters. A data breach primarily affects the organization. An AI system that wrongly rejects applicants affects people who never become customers or employees and who often cannot even trace the decision. The impact assessment is designed to make precisely those effects visible before the system goes into production.
No certification, but structure
An important characteristic of ISO 42005 is that it is not a certifiable standard. No external auditor comes by to issue a certificate. The standard is meant for internal use: it gives organizations a common method to assess the consequences of their AI systems, from initial design through deployment and monitoring.
That does not make the standard optional in practice. ISO 42005 aligns with ISO 42001, which is certifiable. An organization that implements ISO 42001 and designates ISO 42005 as its method for impact assessments within its AI management system builds a well-founded and explainable approach. And for those preparing for the EU AI Act, the assessment produces much of the documentation that regulators expect, provided the organization also maps its findings to the specific obligations that apply to its role, such as provider or deployer, and to the risk class of the system.
What the standard requires
ISO 42005 describes which topics belong in an impact assessment. It begins with a description of the AI system itself: what it does, for whom, in what context, and based on what data. Then it addresses the intended and reasonably foreseeable use, including misuse scenarios. After that come the potential consequences, both the benefits and the harms, for the various parties involved.
The standard emphasizes that an impact assessment is not a one-off exercise. AI systems change: models are retrained, datasets shift, and real-world use diverges from what was envisaged at design. That is why the assessment should be scheduled at fixed points in the system's lifecycle, with a reassessment whenever a significant change occurs.
The relationship with the GDPR DPIA
Many privacy professionals will recognize in the AI impact assessment the structure of the Data Protection Impact Assessment (DPIA) from the GDPR. The resemblance is real, but the scope differs. A DPIA focuses on the processing of personal data and the privacy risks of that processing. An AI impact assessment looks broader: at bias, at reliability, at transparency, and at societal effects that need not involve personal data at all.
In practice, both assessments often overlap. An AI system that processes personal data for a decision with legal consequences calls for both a DPIA and an AI impact assessment. We advise organizations not to treat the two as separate tracks, but as one integrated assessment in which the privacy and the AI perspectives come together.
How Secure Audit can help
We help organizations set up a workable impact assessment process that aligns with ISO 42005, ISO 42001, and the requirements of the EU AI Act. That starts with a template that fits your own context, and with sharpening the question of which AI systems need which form of assessment. Contact us to get acquainted.
Frequently asked questions
Is ISO 42005 a certifiable standard?
No. ISO/IEC 42005:2025 is guidance for internal use; no certificate is issued against it. It does align with the certifiable ISO 42001, where you can reference ISO 42005 as your method for impact assessments.
What is the difference between an AI impact assessment and a DPIA?
A DPIA focuses on the privacy risks of processing personal data. An AI impact assessment looks broader, at bias, reliability, transparency and societal effects. In practice the two overlap and can often be combined into a single assessment.
When should you conduct an AI impact assessment?
Before an AI system goes into production, and again upon significant changes such as retraining the model or new use. It is not a one-off exercise but a fixed moment in the system lifecycle.
About the author
Partner | IT Auditor