If there is one clause that separates organizations that have an AI management system from those that run one, it is Clause 9. In my experience working with more than 200 clients through ISO 42001 certification at Certify Consulting, Clause 9 is consistently where auditors spend the most time — and where unprepared organizations stumble. This pillar guide covers everything you need to know not only to satisfy Clause 9's requirements but to build a genuinely effective performance evaluation program for your AI management system (AIMS).
What Is ISO 42001 Clause 9 and Why Does It Matter?
ISO 42001:2023 Clause 9 — Performance Evaluation — is the "check" phase of the Plan-Do-Check-Act (PDCA) cycle that underlies the entire standard. It governs three interconnected activities:
- Clause 9.1 — Monitoring, measurement, analysis, and evaluation
- Clause 9.2 — Internal audit
- Clause 9.3 — Management review
Together, these sub-clauses ensure your organization does not simply implement AI governance policies and walk away. They demand that you continuously verify whether your AIMS is working, identify gaps, and give leadership the data they need to make informed decisions.
ISO 42001:2023 Clause 9.1 requires organizations to determine what needs to be monitored and measured, the methods for analysis and evaluation, when monitoring and measurement shall be performed, and when the results shall be analyzed and evaluated — and to retain documented evidence of those results.
In our client engagements, organizations that embed robust performance evaluation processes into their management systems consistently report fewer nonconformities at surveillance audits than those with minimal monitoring programs. For AI systems specifically, where risks can evolve rapidly, that gap is even more pronounced.
Clause 9.1 — Monitoring, Measurement, Analysis, and Evaluation
What the Standard Actually Requires
Clause 9.1 of ISO 42001:2023 does not prescribe specific metrics — it prescribes a framework for determining the right metrics for your context. The standard requires your organization to determine:
- What needs to be monitored and measured (AI system performance, risk controls, policy compliance, stakeholder impacts)
- How analysis and evaluation methods ensure valid results
- When monitoring and measurement shall be performed
- When results shall be analyzed and evaluated
- Who is responsible for carrying this out
- What documented information shall be retained as evidence
This intentional flexibility is a feature, not a bug. AI systems across industries carry vastly different risk profiles. A hospital deploying a diagnostic AI has different key performance indicators than a retailer using a recommendation engine. Clause 9.1 lets you build a measurement program that fits your actual risk landscape.
Building Your AI Performance Metrics Framework
In practice, I advise clients to organize their Clause 9.1 metrics into four categories:
1. AI System Performance Metrics
These measure whether the AI system is doing what it is supposed to do, accurately and reliably.
- Model accuracy, precision, recall, and F1 score versus established baselines
- Data drift indicators (statistical divergence between training and production data distributions)
- System availability and response latency
- Error rates and failure modes
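As a concrete illustration of the first bullet, here is a minimal sketch of how these metrics might be computed from a batch of binary prediction logs. The function name, the sample data, the 0.90 baseline, and the five-point alert threshold are all assumptions for the example — ISO 42001 leaves metric selection and thresholds to the organization.

```python
# Illustrative sketch: core model-quality metrics from binary predictions.
# Names, sample data, and thresholds are examples, not ISO 42001 requirements.

def classification_metrics(y_true, y_pred):
    """Return accuracy, precision, recall, and F1 for 0/1 labels."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    accuracy = (tp + tn) / len(y_true)
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if (precision + recall) else 0.0)
    return {"accuracy": accuracy, "precision": precision,
            "recall": recall, "f1": f1}

# Compare a production batch against the baseline agreed at validation.
baseline_f1 = 0.90  # hypothetical baseline from model validation
metrics = classification_metrics([1, 0, 1, 1, 0, 1, 0, 0],
                                 [1, 0, 1, 0, 0, 1, 1, 0])
drift_flag = metrics["f1"] < baseline_f1 - 0.05  # alert if F1 drops >5 points
```

The point of the sketch is the comparison against a documented baseline: Clause 9.1 evidence is the trend relative to an agreed target, not a raw number in isolation.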
2. Risk Control Effectiveness Metrics
These verify that the controls you identified in Clause 6 (risk treatment) are actually working.
- Frequency of AI-related incidents and near-misses
- Time-to-detection and time-to-resolution for AI system anomalies
- Percentage of high-risk AI use cases with documented human oversight checkpoints
- Bias and fairness metrics relevant to your context (e.g., demographic parity, equalized odds)
3. Policy and Process Compliance Metrics
These confirm that your people and processes are following AIMS policies.
- Training completion rates for AI ethics and governance programs
- Supplier AI governance assessment completion rates (linking to Clause 8 controls)
- Percentage of new AI projects that completed the required impact assessment before deployment
4. Stakeholder Impact Metrics
These capture external signals about whether your AI is creating or destroying trust.
- Customer complaints attributable to AI-driven decisions
- Regulatory inquiries or enforcement actions related to AI
- Results of third-party AI audits or transparency reports
Documented Information Requirements
Clause 9.1 explicitly requires that organizations retain documented information as evidence of monitoring and measurement results. This means dashboards, logs, reports, or records — whatever format works for your organization — must be maintained and retrievable during an audit. I recommend a centralized AI performance register that aggregates metrics from each category above into a single document that management can review monthly and auditors can inspect efficiently.
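One way to structure such a register is sketched below. Every field name and the sample entry are assumptions for illustration — ISO 42001 mandates no schema, only that monitoring results be retained as documented information. The sketch also assumes higher-is-better metrics; lower-is-better metrics (e.g., incident counts) would need the comparison inverted.

```python
# Minimal sketch of a centralized AI performance register entry.
# Field names and the sample record are illustrative assumptions.
from dataclasses import dataclass
from datetime import date

@dataclass
class RegisterEntry:
    system: str        # AI system identifier
    category: str      # one of the four metric categories
    metric: str        # e.g. "f1_score", "incident_count"
    value: float
    target: float      # threshold agreed in the AIMS
    measured_on: date
    owner: str         # accountable metric owner (Clause 9.1's "who")

    @property
    def in_tolerance(self) -> bool:
        # Assumes higher-is-better metrics for simplicity.
        return self.value >= self.target

register = [
    RegisterEntry("credit-scoring-v2", "system_performance", "f1_score",
                  0.91, 0.88, date(2026, 3, 31), "ML Ops Lead"),
]
exceptions = [e for e in register if not e.in_tolerance]  # items for review
```

A structure like this makes the monthly management view and the auditor's evidence trail the same artifact, which is exactly the efficiency the register is meant to buy.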
The "When" Question: Establishing Monitoring Cadence
One question I hear constantly: How often do we need to measure? The standard does not specify a frequency — it requires that you specify one, and that the cadence is appropriate to the risk level. A useful rule of thumb I apply with clients:
| Risk Level | Recommended Monitoring Cadence |
|---|---|
| Critical (high-stakes, regulated AI) | Continuous / Real-time |
| High | Weekly |
| Medium | Monthly |
| Low | Quarterly |
This table should be reflected in your AIMS documentation and referenced in your internal audit program.
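The cadence table above can also be encoded as configuration, so that monitoring jobs are scheduled directly from each system's risk classification. The mapping mirrors the table; the lowercase risk labels and the default-to-continuous fallback are assumptions for this sketch.

```python
# Sketch: the risk-based cadence table encoded as configuration.
# Labels and the conservative fallback are illustrative assumptions.

CADENCE_BY_RISK = {
    "critical": "continuous",
    "high": "weekly",
    "medium": "monthly",
    "low": "quarterly",
}

def monitoring_cadence(risk_level: str) -> str:
    """Return the documented cadence for a risk level, defaulting to the
    most conservative option for unknown classifications."""
    return CADENCE_BY_RISK.get(risk_level.lower(), "continuous")
```

Defaulting unknown classifications to the most conservative cadence keeps an unclassified system from silently going unmonitored.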
Clause 9.2 — Internal Audit
The Purpose of Internal Audits Under ISO 42001
Clause 9.2 requires organizations to conduct internal audits at planned intervals to provide information on whether the AIMS:
- Conforms to the organization's own requirements for the AIMS
- Conforms to the requirements of ISO 42001:2023
- Is effectively implemented and maintained
ISO 42001:2023 Clause 9.2.1 requires organizations to plan, establish, implement, and maintain an audit program that includes frequency, methods, responsibilities, planning requirements, and reporting — with documented information retained as evidence of the audit program and results.
What Makes an Effective ISO 42001 Internal Audit Program?
After guiding more than 200 organizations through AI management system certification, I can tell you that the internal audit programs most likely to catch real issues — and most likely to satisfy external auditors — share five characteristics:
- Risk-based scheduling: Higher-risk AI systems and processes get audited more frequently. Your audit program schedule should be explicitly linked to your risk register from Clause 6.
- Trained auditors: Internal auditors must be objective and impartial. They cannot audit their own work. Ideally, they have completed ISO 42001 internal auditor training and understand AI system fundamentals.
- Structured audit criteria: Each audit uses defined criteria — typically the ISO 42001 standard itself, your AIMS policies, and applicable legal requirements (e.g., the EU AI Act for organizations with EU exposure).
- Documented findings: Nonconformities, observations, and opportunities for improvement are formally recorded and tracked to resolution.
- Linkage to corrective action: Audit findings feed directly into your Clause 10.2 corrective action process, closing the loop.
Internal Audit vs. External Certification Audit: Key Differences
A common misconception is that internal audits are just "practice runs" for certification. They are much more than that — but understanding the differences helps you prepare both effectively.
| Dimension | Internal Audit (Clause 9.2) | External Certification Audit |
|---|---|---|
| Conducted by | Trained internal staff or contracted internal auditor | Accredited third-party certification body |
| Purpose | Identify conformance gaps and improvement opportunities | Issue or maintain ISO 42001 certificate |
| Frequency | Organization-determined (typically annual or more frequent) | Stage 1/Stage 2 (initial), annual surveillance, triennial recertification |
| Output | Internal audit report, corrective action items | Audit report, certificate decision |
| Formal certificate issued? | No | Yes |
Common Clause 9.2 Nonconformities to Avoid
Based on patterns I observe across client engagements, the most frequent Clause 9.2 nonconformities are:
- No documented audit program — organizations conduct ad hoc reviews but lack a formal, planned program with defined frequency
- Auditor independence failures — process owners auditing their own processes
- Findings not tracked to closure — audit nonconformities documented but never formally closed through corrective action
- Audit scope too narrow — auditing only IT/AI teams while ignoring procurement, HR, and legal functions that touch AI governance
Clause 9.3 — Management Review
Why Management Review Is the Heart of Clause 9
Management review is where data becomes decisions. Clause 9.3 requires top management to review the organization's AIMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. This is not a delegation-friendly activity — the standard is explicit that top management must be involved.
ISO 42001:2023 Clause 9.3.2 specifies that management review inputs must include the status of actions from previous reviews, changes in external and internal issues relevant to the AIMS, AI-related performance data and trends, nonconformity and corrective action status, audit results, and opportunities for continual improvement.
Required Inputs to Management Review
Clause 9.3.2 is unusually specific for a management systems standard. The inputs to your management review must include:
| Input Category | Examples |
|---|---|
| Status of previous actions | Open corrective actions, improvement initiatives |
| Changes in external/internal context | New regulations (EU AI Act), new AI technologies deployed |
| AI performance trends | Metric trends from Clause 9.1 monitoring |
| Nonconformities and corrective actions | Audit findings, incident reports |
| Monitoring and measurement results | Dashboards, KPI reports |
| Audit results | Internal audit findings, external audit reports |
| Interested party feedback | Customer complaints, regulator feedback |
| Risk and opportunity status | Updated risk register summary |
| Continual improvement opportunities | Staff suggestions, benchmarking results |
Required Outputs from Management Review
Clause 9.3.3 requires that management review outputs include decisions and actions related to:
- Opportunities for continual improvement
- Any need for changes to the AIMS
- Resource needs
These outputs must be retained as documented information — typically in the form of management review minutes and an action log. I recommend a formal management review report template that captures all required inputs, records the discussion, and logs every decision with an owner and due date.
How Often Should Management Reviews Be Held?
The standard says "planned intervals" — it does not mandate annually. For most organizations, I recommend:
- Quarterly management reviews during the first year of certification (when you are still calibrating your AIMS)
- Semi-annual reviews once the system is mature and stable
- Ad hoc reviews triggered by significant AI incidents, major regulatory changes, or organizational restructuring
Clause 9 and the EU AI Act: A Critical Intersection
Organizations subject to the EU AI Act (which applies to AI systems placed on the EU market regardless of where the provider is based) will find that ISO 42001 Clause 9 aligns closely with Article 9 of the EU AI Act's risk management system requirements and Article 72's post-market monitoring obligations for high-risk AI systems. Specifically:
- EU AI Act Article 72 requires providers of high-risk AI systems to implement post-market monitoring plans — a requirement directly supported by a well-designed Clause 9.1 monitoring program
- The EU AI Act's requirement for "serious incident" reporting to national authorities (Article 73) is most effectively supported by the incident tracking systems built under Clause 9.1
Organizations that implement a robust ISO 42001 Clause 9 program are positioned to satisfy a significant portion of EU AI Act post-market monitoring obligations simultaneously. This dual-compliance benefit is one of the strongest business cases for ISO 42001 certification for organizations with EU market exposure.
Practical Implementation: Building Your Clause 9 Program in 90 Days
Here is the 90-day implementation roadmap I use with new clients at Certify Consulting:
Days 1–30: Foundation
- Identify all AI systems in scope and classify by risk level
- Define metrics for each of the four performance categories (system performance, risk control, policy compliance, stakeholder impact)
- Assign metric owners and establish data collection methods
- Draft the AI performance register template
Days 31–60: Structure
- Develop the internal audit program with risk-based scheduling
- Train internal auditors (or engage an external internal auditor service)
- Conduct a gap-based "pre-audit" against Clause 9 requirements
- Build the management review agenda template and input collection process
Days 61–90: Execution
- Conduct the first formal internal audit cycle
- Hold the first formal management review with top management
- Close any Clause 9-related nonconformities from the pre-audit
- Establish the ongoing monitoring cadence and review calendar
How Clause 9 Connects to the Rest of ISO 42001
Clause 9 does not exist in isolation. Understanding its connections to other clauses is essential for building an integrated AIMS:
| Clause 9 Activity | Inputs From | Outputs To |
|---|---|---|
| Monitoring & Measurement (9.1) | Clause 6 (Risks & Objectives), Clause 8 (Operations) | Clause 9.3 (Mgmt Review), Clause 10 (Improvement) |
| Internal Audit (9.2) | Clause 6 (Risk Register), Clause 7.5 (Documented Info) | Clause 10.2 (Corrective Action) |
| Management Review (9.3) | Clause 9.1, Clause 9.2, Clause 4 (Context) | Clause 6 (Updated Objectives), Clause 10 (Improvement) |
This interconnection is why I always tell clients: you cannot retrofit Clause 9 compliance — it must be designed into the system from the beginning.
Frequently Asked Questions About ISO 42001 Clause 9
What documented information does Clause 9 require?
Clause 9.1 requires evidence of monitoring and measurement results. Clause 9.2 requires the audit program, audit criteria, scope, frequency, methods, and audit results. Clause 9.3 requires evidence of management review outputs, including decisions and actions.
Can we outsource our internal audits?
Yes. ISO 42001 requires auditors to be objective and impartial — it does not require them to be employees. Many organizations, particularly smaller ones, engage qualified external consultants to conduct their internal audits. The key requirement is that the auditors do not audit their own work and have relevant competence.
How many internal audits per year does ISO 42001 require?
The standard requires audits at "planned intervals" without specifying a minimum number. In practice, most certification bodies expect at least one complete internal audit cycle per year covering all AIMS processes. Organizations with higher-risk AI systems should consider more frequent cycles.
What is the difference between monitoring (Clause 9.1) and audit (Clause 9.2)?
Monitoring (9.1) is ongoing, operational data collection against defined metrics — it is continuous or periodic measurement of how your AI systems and controls are performing. Internal audit (9.2) is a periodic, structured, evidence-based evaluation of whether the AIMS as a whole conforms to requirements and is effectively implemented. Both are required; neither substitutes for the other.
What happens if our management review reveals the AIMS is not effective?
This is exactly what the management review is designed to surface. If the review reveals the AIMS is not effective, the required output is decisions and actions to address the gaps — including resource allocation, policy changes, or objective revisions. A management review that never identifies anything to improve is a red flag for auditors, not a sign of excellence.
Working With an ISO 42001 Expert on Clause 9
Clause 9 is the most auditor-visible part of ISO 42001 for a reason — it is where the standard transitions from policy and planning into proof. Every audit finding, every performance trend, every management decision made under your AIMS flows through Clause 9.
At Certify Consulting, Jared Clark and the team have helped more than 200 organizations build Clause 9 programs that not only satisfy certification auditors — with a 100% first-time audit pass rate — but genuinely improve AI governance outcomes. Whether you are building your AIMS from scratch or preparing for your Stage 2 audit, having an experienced guide makes the difference between a monitoring program that looks good on paper and one that drives real accountability.
Explore our ISO 42001 implementation services or contact us to discuss your Clause 9 readiness today.
Last updated: 2026-04-04
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.