System inventory and prioritisation
We identify all AI systems in use or under development, define assessment thresholds and prioritise them according to risk level, sector and regulatory exposure under the AI Act.
ISO/IEC 42005:2025 is the first international standard establishing how to evaluate the effects of an AI system on individuals, groups and society across its entire lifecycle. If your organisation develops or deploys AI, this analysis is no longer optional: the European AI Act requires it for high-risk systems.
ISO/IEC 42005:2025 was published in May 2025 by ISO and IEC as a guidelines standard — non-certifiable — designed to help organisations systematically assess the impact of their artificial intelligence systems. Unlike ISO 42001, which defines the AI management system at the organisational level, ISO 42005 drills down to each individual system: what effects it produces, on whom, at what point in the lifecycle, and which controls mitigate those effects. It is the technical complement that completes the governance picture.
The standard structures the assessment around six impact dimensions: social, economic, environmental, ethical, privacy and governance. For each dimension, affected groups are identified — employees, end users, third parties, communities — the likelihood and severity of the impact are analysed, and the mitigation measures adopted are documented. The result is an audited record that demonstrates due diligence to regulators, partners and clients. This approach aligns directly with Article 27 of the European AI Act, which requires fundamental rights impact assessments from public bodies, private entities providing public services, and deployers of certain high-risk AI systems.
At Summum Calidad we support this process from the initial analysis through to the integration of findings into your existing — or emerging — AI management system. With over 18 years of experience implementing standards-based systems and close to 200 ISO certifications supported since 2007, we translate technical requirements into procedures that your internal team can sustain without ongoing reliance on external consultants. If you already hold ISO 42001, ISO 42005 is the natural next step to demonstrate that your AI governance operates at system level, not only at organisational level.
We identify all AI systems in use or under development, define assessment thresholds and prioritise them according to risk level, sector and regulatory exposure under the AI Act.
We analyse each system across the six dimensions of the standard (social, economic, environmental, ethical, privacy, governance), identifying affected groups and the likelihood and severity of each impact.
We design technical and procedural measures to reduce identified negative impacts, link them to the risk register, and establish internal owners responsible for ongoing monitoring.
We formalise the assessment report with full traceability, obtain the required internal approval, and configure a periodic review process aligned with the system's lifecycle.
The operational detail: what we deliver as part of the work and what we keep alive afterwards.
AI system inventory
A structured catalogue of all systems subject to assessment, with documented prioritisation criteria and thresholds.
Standardised assessment templates
Questionnaires and matrices aligned with ISO/IEC 42005:2025 and AI Act requirements for each risk category.
Affected stakeholder analysis
Identification and classification of all potentially impacted groups: employees, clients, suppliers and the wider community.
Impact and controls register
An audited document recording identified impacts, risk ratings, mitigation measures adopted and associated evidence.
Integration with ISO 42001
Linking assessment findings to the existing or developing AI management system, closing the governance loop.
Internal team training
Hands-on training so that the team responsible for AI can conduct subsequent assessments independently, without continuous external support.
AI impact assessment connects Summum Calidad's standards-based governance with the AI Act legal advisory of Summum Consultoría and the technical model governance offered by Summum IA.
ISO 42001 is the certifiable AI management system of which ISO 42005 is a direct complement: without the organisational framework of 42001, impact assessment lacks a governance foundation.
View service → consultoríaThe AI Act requires fundamental rights impact assessments for high-risk AI; Summum Consultoría supports the legal and regulatory analysis that completes the technical perspective of ISO 42005.
View service → iaSummum IA provides ongoing technical governance of models — monitoring, quality evaluation, drift detection — feeding the periodic reviews required by the standard.
View service →No. ISO/IEC 42005:2025 is a guidelines standard, not a requirements standard. There is no third-party certification process for this standard. Its value lies in the methodological rigour it provides and the audited documentation it generates, which serves as evidence of due diligence before AI Act regulators and auditors.
ISO 42001 defines the AI management system at the level of the entire organisation and is certifiable. ISO 42005 operates at the level of each individual AI system and provides the method for assessing its specific impact. They are complementary: 42001 provides the framework; 42005 applies it system by system.
Any organisation that develops, deploys or uses AI systems, particularly those operating in high-risk sectors under the AI Act (human resources, credit, access to essential services, critical infrastructure). Organisations that supply AI to public authorities or regulated sectors face stricter obligations and closer deadlines.
It depends on the number of systems and their complexity. For an SME with one or two AI systems in production, a well-guided process can be completed in four to eight weeks. The greatest effort lies in the initial inventory and the identification of affected groups; once the methodology is established, subsequent assessments are significantly faster.
The standard aligns with Article 27 of the AI Act, which requires public bodies, private entities providing public services, and deployers of high-risk AI systems covered by Annex III points 5(b) and 5(c) to conduct fundamental rights impact assessments. Although ISO 42005 is not officially harmonised with the Regulation, applying it provides strong evidence of compliance and systematises the process the AI Act requires to be documented.