Clause 4: Context of the Organization
Understanding internal and external issues, interested parties, scope definition, and establishing the AI Management System foundation.
Chapter Overview
Clause 4 establishes the foundation for your AIMS by requiring you to understand your organization's context, identify stakeholders, and define the scope. This clause sets the stage for everything that follows.
Clause Structure
| Sub-clause | Title | Focus |
|---|---|---|
| 4.1 | Understanding the organization and its context | Internal and external issues |
| 4.2 | Understanding needs and expectations of interested parties | Stakeholder requirements |
| 4.3 | Determining the scope of the AIMS | Boundaries and applicability |
| 4.4 | AI management system | Establishing and maintaining AIMS |
4.1 Understanding the Organization and Its Context
Requirement
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its AI management system.
Context analysis identifies the factors that influence how you develop, provide or use AI systems; these shape the design of your AIMS and feed directly into the risk assessment. Clause 4.1 also requires you to consider the intended purpose of the AI systems you develop, provide or use and to determine your organization's role(s) with respect to them (for example provider, producer, customer or partner), because the obligations that apply differ by role.
External Issues to Consider
| Category | Examples |
|---|---|
| Legal/Regulatory | EU AI Act, sector regulations, data protection laws, liability frameworks |
| Technological | AI advancement pace, emerging technologies, infrastructure availability |
| Market | Competitor AI adoption, customer expectations, industry standards |
| Social | Public perception of AI, workforce concerns, ethical expectations |
| Economic | AI investment trends, cost pressures, resource availability |
| Political | Government AI strategies, trade restrictions, international relations |
Internal Issues to Consider
| Category | Examples |
|---|---|
| Governance | Existing policies, decision-making structures, risk appetite |
| Culture | Innovation mindset, ethical values, change readiness |
| Capabilities | AI expertise, technical infrastructure, data assets |
| Resources | Budget, personnel, technology investments |
| Strategy | AI strategy alignment, business objectives, transformation goals |
| Existing Systems | Current AI deployments, legacy systems, integration needs |
Implementation Steps
- Conduct environmental scanning for external factors
- Perform internal capability assessment
- Document issues in a context register
- Assess relevance to AI systems and AIMS
- Review and update periodically
4.2 Understanding Needs and Expectations of Interested Parties
Requirement
The organization shall determine:
- The interested parties that are relevant to the AIMS
- The relevant requirements of these interested parties
- Which of these requirements will be addressed through the AIMS
An interested party (stakeholder) is a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity related to AI systems.
Common Interested Parties
| Interested Party | Typical Requirements |
|---|---|
| Customers/Users | AI reliability, transparency, fairness, data privacy |
| Employees | Job security, training, ethical AI use, safe working conditions |
| Regulators | Compliance, reporting, audit access, incident notification |
| Shareholders/Investors | Risk management, value creation, responsible AI reputation |
| Board/Management | Governance, oversight, strategic alignment, liability protection |
| AI Subjects (people affected by AI decisions) | Fairness, explainability, recourse, human oversight |
| Suppliers/Partners | Clear requirements, collaboration, data sharing agreements |
| Society/Public | Ethical AI, transparency, societal benefit, environmental impact |
| Industry Bodies | Standards compliance, best practices, benchmarking |
Implementation Steps
- Identify all relevant interested parties
- Determine their requirements related to AI
- Assess which requirements are applicable
- Document in interested parties register
- Monitor for changes in requirements
Template: Interested Parties Register
Columns to include:
• Interested Party (name/category)
• Type (internal/external)
• Requirements (what they need/expect)
• Relevance to AIMS (how it affects AI governance)
• How Addressed (controls, processes, communications)
• Review Frequency (how often to reassess)
• Owner (who monitors this stakeholder)
4.3 Determining the Scope of the AIMS
Requirement
The organization shall determine the boundaries and applicability of the AIMS to establish its scope. When determining this scope, the organization shall consider:
- The external and internal issues referred to in 4.1
- The requirements referred to in 4.2
- Interfaces and dependencies between activities performed by the organization and those performed by other organizations (the wording ISO/IEC 27001 uses in its 4.3; for an AIMS this is a practical consideration wherever third-party models, APIs or training data form part of your AI systems)
The scope shall be available as documented information. This is a mandatory document for certification.
Scope Definition Elements
| Element | Description | Example |
|---|---|---|
| AI Systems | Which AI systems are included | All production ML models, excluding R&D prototypes |
| AI Activities | Development, provision, use | Development and use of AI for customer service |
| Business Units | Organizational boundaries | Digital Services Division, Data Analytics Team |
| Locations | Geographic/physical scope | UK and EU operations, Cloud infrastructure |
| Lifecycle Stages | Which stages covered | Design, development, deployment, monitoring |
| Exclusions | What is explicitly out of scope | Third-party AI tools used for internal admin only |
Scope Statement Example
"The scope of the AI Management System covers the development, deployment, and operation of artificial intelligence systems used for customer-facing applications within the Digital Services Division of [Organization Name], including machine learning models for recommendation, natural language processing for customer support, and predictive analytics for service optimization. The scope applies to operations in the United Kingdom and European Union, encompassing all stages of the AI system lifecycle from design to decommissioning. Excluded from scope are: (a) AI systems in research and development phase not yet approved for production, (b) third-party AI tools used solely for internal administrative purposes, and (c) operations outside the EU/UK region."
Scope Considerations
- Start manageable: Begin with critical AI systems, expand later
- Risk-based: Prioritize high-risk AI systems
- Practical boundaries: Align with organizational structure
- Clear exclusions: Document and justify what's excluded
- Integration: Consider alignment with ISO 27001/9001 scope
4.4 AI Management System
Requirement
The organization shall establish, implement, maintain and continually improve an AI management system, including the processes needed and their interactions, in accordance with the requirements of this document.
You must create a functioning management system - not just documents. The AIMS must be operational, with processes that interact and work together to achieve AI governance objectives.
AIMS Process Interactions
| Process | Inputs From | Outputs To |
|---|---|---|
| Risk Assessment | Context, AI inventory | Risk treatment, controls |
| Control Implementation | Risk treatment, Statement of Applicability (SoA) | Operational processes |
| Monitoring | Operational processes | Management review, improvement |
| Internal Audit | AIMS documentation | Corrective actions, review |
| Management Review | Audit, monitoring, incidents | Improvement actions, resources |
Documented Information Requirements
Required:
• AIMS Scope Statement (4.3)
Recommended:
• Context Analysis Document
• Interested Parties Register
• AI System Inventory
• Process Interaction Map
Sample Audit Questions
4.1 Context:
• How did you identify external and internal issues relevant to AI?
• What regulatory requirements affect your AI systems?
• How do you monitor changes in the AI landscape?
• What internal capabilities influence your AIMS?
4.2 Interested Parties:
• Who are your key stakeholders for AI governance?
• How did you determine their requirements?
• How do you communicate with interested parties about AI?
• How do you handle conflicting stakeholder requirements?
4.3 Scope:
• Show me your documented AIMS scope
• How did you determine which AI systems to include?
• What is excluded and why?
• How does your scope align with your ISO 27001 scope?
4.4 AIMS:
• How do your AIMS processes interact?
• Show me evidence that AIMS is operational, not just documented
• How do you ensure continual improvement?
Common Nonconformities
| Type | Nonconformity | How to Avoid |
|---|---|---|
| Major | No documented scope statement | Create and approve scope document |
| Major | Scope excludes significant AI systems without justification | Document exclusion rationale |
| Major | Interested parties not identified | Conduct stakeholder analysis |
| Minor | Context analysis not updated after significant changes | Establish review triggers |
| Minor | Stakeholder requirements not clearly linked to AIMS | Map requirements to controls |
| Minor | Process interactions not documented | Create process map |
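Several of the nonconformities above are cross-reference failures between the Clause 4 registers: an AI system in the inventory with no scope decision, an exclusion with no rationale, a stakeholder requirement that the AIMS claims to address but that maps to no control, a context issue whose review date has lapsed. The following is an added example (not part of the standard or of this page) of automating those checks before an audit. The register structures, field names, control identifier "INC-01", system identifiers and the fixed "today" date are all assumptions chosen for the illustration; a real implementation would read the registers from wherever your GRC tooling keeps them.

```python
"""Consistency checks across Clause 4 registers (illustrative, not prescribed by ISO/IEC 42001)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    severity: str  # "major" / "minor" mirror the nonconformity table; "info" is for auditor attention
    code: str
    detail: str


def check_scope_statement(scope_statement: str) -> list[Finding]:
    """4.3: the scope must exist as documented information."""
    if not scope_statement.strip():
        return [Finding("major", "SCOPE_MISSING", "No documented AIMS scope statement")]
    return []


def check_inventory_against_scope(inventory: list[dict], decisions: dict[str, dict]) -> list[Finding]:
    """Every inventoried system needs an in/out decision; exclusions need a rationale."""
    findings: list[Finding] = []
    for system in inventory:
        decision = decisions.get(system["id"])
        if decision is None:
            findings.append(Finding("major", "NO_SCOPE_DECISION",
                                    f"{system['id']} ({system['name']}): no scope decision recorded"))
            continue
        if decision["in_scope"]:
            continue
        rationale = decision.get("exclusion_rationale", "").strip()
        if not rationale:
            findings.append(Finding("major", "UNJUSTIFIED_EXCLUSION",
                                    f"{system['id']} excluded from scope without a documented rationale"))
        elif system["risk_level"] == "high" or system["stage"] == "production":
            # Significant system excluded with a rationale: not a nonconformity by itself,
            # but an auditor will test the rationale, so surface it for review.
            findings.append(Finding("info", "SIGNIFICANT_EXCLUSION",
                                    f"{system['id']} is {system['risk_level']}-risk/{system['stage']} "
                                    f"but excluded: '{rationale}'"))
    return findings


def check_interested_parties(register: list[dict]) -> list[Finding]:
    """4.2: parties must be identified, and requirements addressed via the AIMS must map to controls."""
    if not register:
        return [Finding("major", "IP_NONE", "No interested parties identified")]
    return [
        Finding("minor", "REQ_UNMAPPED",
                f"{row['party']} / '{row['requirement']}' is marked as addressed by the AIMS but maps to no control")
        for row in register
        if row.get("addressed_via_aims") and not row.get("controls")
    ]


def check_context_register(register: list[dict], today: date) -> list[Finding]:
    """4.1: each context issue is re-reviewed within its stated frequency."""
    return [
        Finding("minor", "CONTEXT_STALE",
                f"Context issue '{row['issue']}' last reviewed {row['last_reviewed']}, "
                f"review due every {row['review_every_days']} days")
        for row in register
        if row["last_reviewed"] + timedelta(days=row["review_every_days"]) < today
    ]


def run_checks(scope_statement, inventory, decisions, parties, context, today) -> list[Finding]:
    return (check_scope_statement(scope_statement)
            + check_inventory_against_scope(inventory, decisions)
            + check_interested_parties(parties)
            + check_context_register(context, today))


# Constructed sample registers (hypothetical systems, control ID and dates).
SAMPLE_SCOPE = "The AIMS covers customer-facing AI systems of the Digital Services Division."
SAMPLE_INVENTORY = [
    {"id": "AI-001", "name": "Recommendation model", "risk_level": "high", "stage": "production"},
    {"id": "AI-002", "name": "Support chatbot", "risk_level": "high", "stage": "production"},
    {"id": "AI-003", "name": "Fraud scoring prototype", "risk_level": "high", "stage": "research"},
    {"id": "AI-004", "name": "Admin ticket triage (SaaS)", "risk_level": "low", "stage": "production"},
]
SAMPLE_DECISIONS = {
    "AI-001": {"in_scope": True},
    "AI-002": {"in_scope": False, "exclusion_rationale": ""},            # excluded, no reason -> major
    "AI-003": {"in_scope": False, "exclusion_rationale": "R&D, not approved for production"},
    # AI-004 has no decision at all -> major
}
SAMPLE_PARTIES = [
    {"party": "Regulators", "requirement": "Incident notification", "addressed_via_aims": True, "controls": ["INC-01"]},
    {"party": "AI subjects", "requirement": "Recourse", "addressed_via_aims": True, "controls": []},  # -> minor
    {"party": "Industry bodies", "requirement": "Benchmarking", "addressed_via_aims": False, "controls": []},
]
SAMPLE_CONTEXT = [
    {"issue": "EU AI Act obligations", "last_reviewed": date(2024, 1, 15), "review_every_days": 180},   # -> stale
    {"issue": "Cloud infrastructure availability", "last_reviewed": date(2024, 11, 1), "review_every_days": 365},
]
SAMPLE_TODAY = date(2025, 1, 10)  # fixed so the run is deterministic


def sample_findings() -> list[Finding]:
    return run_checks(SAMPLE_SCOPE, SAMPLE_INVENTORY, SAMPLE_DECISIONS, SAMPLE_PARTIES, SAMPLE_CONTEXT, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.severity.upper():5}] {f.code}: {f.detail}")
```

Run against the constructed registers this reports two majors (AI-002 excluded without rationale, AI-004 with no decision), two minors (the unmapped "Recourse" requirement and the stale EU AI Act entry) and one informational note on the justified R&D exclusion. Treat the output as a pre-audit to-do list, not as evidence on its own: the auditor will still ask to see the rationale text and the control mapping.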
Key Takeaways
1. Context analysis covers both external (regulatory, market) and internal (capability, culture) issues
2. Interested parties include anyone affected by or affecting AI systems
3. Scope must be documented and available - this is mandatory
4. Scope should be practical and aligned with organizational boundaries
5. AIMS must be operational with interacting processes
6. Consider integration with existing management systems
Study Points
• Know the difference between internal and external issues
• Remember scope must be "available as documented information"
• Understand that interested parties include AI subjects (people affected by AI decisions)
• Know that 4.4 requires processes and their interactions, not just documents
• Be able to explain how context influences AIMS design