Guide to ISO 42001 Clause 9 Performance Evaluation With Examples

CertBetter

Team CertBetter

What Is Clause 9 in ISO 42001 and Why Does It Matter?

If you are building or maintaining an AI Management System under ISO 42001, Clause 9 is where you prove that your system is actually working. It covers performance evaluation, which means monitoring, measurement, internal audits, and management review. This is not a box-ticking exercise. Done properly, Clause 9 gives your organisation real visibility into how your AI systems are performing, where the risks are growing, and whether your controls are doing what they are supposed to do.

ISO 42001 is the international standard for AI Management Systems (AIMS), published in 2023. It follows the same High Level Structure used by ISO 9001, ISO 14001, and ISO 27001, so if you have experience with any of those standards, Clause 9 will feel familiar in structure. But the content is different. AI systems introduce unique risks around bias, transparency, data quality, and unintended outputs that require specific measurement approaches you will not find in a generic quality management context. You can read more about the standard itself in our overview of ISO IEC 42001 for AI Management Systems.

This guide walks through every sub-clause of Clause 9 in plain language, with practical examples to show you what good implementation looks like in a real business setting.

Clause 9.1: Monitoring, Measurement, Analysis and Evaluation

Clause 9.1 requires your organisation to determine what needs to be monitored and measured, how you will do it, when you will do it, and who will analyse and evaluate the results. It sounds straightforward, but this is where most organisations fall short. They collect data but never turn it into decisions.

What the Standard Requires

The standard asks you to define:

  • What aspects of the AIMS and its AI systems will be monitored
  • The methods used for monitoring and measurement
  • When monitoring and measurement will be performed and by whom
  • When the results will be analysed and evaluated
  • Who is responsible for that analysis

You also need to retain documented information as evidence that the results are genuine. An auditor will look for records that show monitoring actually happened, not just a procedure that says it should happen.

What to Actually Measure in an AI Context

This is where ISO 42001 differs from other standards. You are not just measuring customer satisfaction or defect rates. You are measuring things like:

  • Model accuracy and drift: Is the AI model still performing as intended? Has its accuracy degraded since deployment?
  • Bias indicators: Are outputs consistently favourable or unfavourable to particular groups?
  • Data quality metrics: Is the input data still representative, clean, and complete?
  • Incident frequency: How often are AI-related incidents or near-misses being reported?
  • User complaints related to AI outputs: Are customers or staff flagging unexpected or harmful outputs?
  • Control effectiveness: Are the controls you put in place in Clause 6 actually reducing the risks they were designed for?

Practical Example: A Recruitment Technology Company

Imagine a mid-sized recruitment platform that uses an AI model to shortlist candidates. Under Clause 9.1, they set up monthly monitoring of shortlist demographics to detect potential bias against gender or age groups. They measure the model's shortlisting rate across demographic categories and compare it against the incoming applicant pool. They also track user complaints from hiring managers who flag unexpected candidate exclusions.

Every month, the data analyst produces a one-page summary that goes to the AI governance lead. If the shortlisting rate for any demographic deviates by more than 10 percent from the baseline, it triggers a formal review. That review is documented and fed into the management review process. This is exactly the kind of structured, evidence-based monitoring that Clause 9.1 is asking for.
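The monthly check described above, written out as an added example (not code from the article or from CertBetter): the shortlisting rate per demographic group is compared against the pool-wide rate, and a relative deviation of more than 10 percent flags the group for formal review. Group names, field names, the constructed counts and the minimum-group-size rule are assumptions; the same function serves the later credit-scoring example by passing the postcode cluster as the group key.

```python
from collections import Counter

# Constructed monthly figures for the recruitment example, as
# (gender, age_band, applicants, shortlisted). Group names, field names
# and counts are assumptions for this example, not real data.
SAMPLE_COUNTS = [
    ("female",    "under_40",  30,  8),
    ("female",    "40_plus",   10,  2),
    ("male",      "under_40", 100, 36),
    ("male",      "40_plus",   60, 20),
    ("nonbinary", "under_40",   3,  0),
]

def expand(counts):
    """Turn the summary counts into one record per applicant."""
    return [{"gender": g, "age_band": a, "shortlisted": i < k}
            for g, a, n, k in counts for i in range(n)]

def disparity_check(records, group_key, outcome_key="shortlisted",
                    threshold=0.10, min_group_size=20):
    """Compare each group's positive rate with the pool-wide baseline rate.
    Relative deviation: threshold=0.10 is the article's 10 percent rule.
    Assumption: the baseline is the rate over the whole incoming pool. Groups
    below min_group_size report insufficient_data instead of a review.
    """
    if not records:
        return 0.0, {}
    applicants = Counter(r[group_key] for r in records)
    positives = Counter(r[group_key] for r in records if r[outcome_key])
    baseline = sum(positives.values()) / len(records)
    findings = {}
    for group, n in sorted(applicants.items()):
        rate = positives[group] / n
        deviation = (rate - baseline) / baseline if baseline else 0.0
        if n < min_group_size:
            status = "insufficient_data"  # too few applicants to judge
        elif abs(deviation) > threshold:
            status = "review"  # triggers the formal review in the text
        else:
            status = "ok"
        findings[group] = {"applicants": n, "positive": positives[group],
                           "rate": rate, "deviation": deviation, "status": status}
    return baseline, findings

def monthly_summary(records, dimensions=("gender", "age_band")):
    """Build the one-page summary lines and the list of triggered reviews."""
    lines, reviews = [], []
    for dim in dimensions:
        baseline, findings = disparity_check(records, dim)
        lines.append(f"{dim}: baseline shortlisting rate {baseline:.1%}")
        for group, row in findings.items():
            lines.append(f"  {group:<10} {row['positive']:>3}/{row['applicants']:<3}"
                         f" rate {row['rate']:.1%} dev {row['deviation']:+.1%} {row['status']}")
            if row["status"] == "review":
                reviews.append((dim, group))
    return lines, reviews
```

Run `monthly_summary(expand(SAMPLE_COUNTS))` to get the summary lines for the governance lead and the list of (dimension, group) pairs that need a documented review; the summary itself is the record an auditor will ask to see.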

Documented Information Requirements

You must retain records of your monitoring results. This does not mean you need a complex system. A shared spreadsheet with timestamped entries, signed off by the responsible person, is sufficient for many small to medium businesses. What matters is that the records are controlled, retrievable, and actually reviewed. Our article on controlled documents and how to implement them gives practical guidance on managing this kind of documentation without overcomplicating your system.

Clause 9.2: Internal Audit

Internal audits are one of the most misunderstood requirements in any ISO standard. Many organisations treat them as a rehearsal for the certification audit. That is the wrong mindset. An internal audit is a genuine investigation into whether your AIMS is working as planned and whether it conforms to the requirements of ISO 42001.

What Clause 9.2 Requires

You need to conduct internal audits at planned intervals to determine whether the AIMS:

  • Conforms to your organisation's own requirements for the AIMS
  • Conforms to the requirements of ISO 42001
  • Is effectively implemented and maintained

You must plan, establish, implement, and maintain an audit programme that takes into account the importance of the processes concerned and the results of previous audits. Auditors must be objective and impartial, which means they cannot audit their own work. Results must be reported to relevant management, and documented information must be retained as evidence.

What an AI Management System Internal Audit Actually Looks Like

Auditing an AIMS is not the same as auditing a quality management system. You need auditors who understand both the audit process and the AI-specific risks in your organisation. A good internal audit of an AIMS will examine things like:

  • Whether AI risk assessments have been completed and kept up to date
  • Whether staff who interact with AI systems have received appropriate training
  • Whether incident records show that issues are being captured and investigated
  • Whether the controls documented in your AIMS are actually being applied in practice
  • Whether monitoring data from Clause 9.1 is being acted on

It is worth noting that ISO 19011 provides guidance on auditing management systems and is a useful reference when structuring your internal audit programme, even though it is not mandatory under ISO 42001.

Practical Example: A Healthcare AI Provider

A healthcare technology company uses an AI tool to assist radiologists in reviewing scans. Their internal audit programme covers the AIMS twice per year. One audit focuses on documentation and process conformance. The other focuses on operational effectiveness, including interviews with radiologists about how they use the AI tool and whether they have ever overridden its suggestions.

During one audit, the internal auditor discovers that overrides are not being consistently logged. This is a nonconformity because the organisation's own procedure requires override logging for model improvement purposes. The finding is raised, a corrective action is assigned, and the fix is verified at the next audit. That cycle of find, fix, and verify is exactly what internal auditing is for.

Audit Programme Planning Tips

Do not set your audit schedule and forget it. Risk-based thinking should drive your programme. If you have deployed a new AI model, that area needs more attention. If a previous audit found no issues in a particular area for two consecutive cycles, you can reduce the frequency for that area and redirect resources. The programme should be a living document, not a fixed calendar event.

Clause 9.3: Management Review

Management review is the mechanism by which top management stays connected to the performance of the AIMS. It is not a status update meeting. It is a structured review that results in decisions and actions. If your management review produces no outputs, something is wrong.

What Clause 9.3 Requires

Top management must review the AIMS at planned intervals. The review must consider:

  • The status of actions from previous management reviews
  • Changes in external and internal issues relevant to the AIMS
  • Information on AIMS performance, including trends in nonconformities and corrective actions, monitoring and measurement results, and audit results
  • Adequacy of resources
  • The effectiveness of actions taken to address risks and opportunities
  • Opportunities for improvement

The outputs of the management review must include decisions and actions related to improvement opportunities, any need for changes to the AIMS, and resource needs.

The AI-Specific Inputs That Matter Most

In an AI management context, management review inputs should go beyond the standard list. Consider including:

  • Updates on regulatory developments affecting AI in your industry or jurisdiction. The ISO 42001 standard page on ISO.org is a useful reference for staying current with the standard's scope and related publications.
  • Emerging AI risks identified through horizon scanning
  • Feedback from external stakeholders including customers, regulators, or affected communities
  • Performance data from deployed AI models, including any bias or drift indicators
  • Results from any third-party assessments or penetration testing of AI systems

Practical Example: A Financial Services Firm

A fintech company uses AI for credit scoring. Their management review is held quarterly and chaired by the Chief Risk Officer. The agenda always includes a summary of AI-related incidents from the previous quarter, a review of model performance metrics, and a standing item on regulatory developments in responsible AI.

At one quarterly review, the monitoring data shows that the credit scoring model is approving fewer applications from a particular postcode cluster than the baseline. The management team decides to commission an independent bias assessment and temporarily increase human oversight of decisions in that cluster. Both decisions are documented as outputs of the review. That is management review working as intended.

Frequency and Format

The standard says “at planned intervals” but does not specify how often. For most organisations, an annual management review is the minimum. Organisations with rapidly evolving AI systems, high-risk AI applications, or significant regulatory exposure should consider quarterly reviews. The format does not have to be a formal board meeting. A well-documented working group session with the right attendees is perfectly acceptable, provided the inputs are considered and the outputs are recorded.

Connecting Clause 9 to the Rest of Your AIMS

Clause 9 does not operate in isolation. It feeds directly into Clause 10, which covers improvement. The nonconformities identified in internal audits, the trends spotted through monitoring, and the decisions made in management review all become inputs to your corrective action process. If you want to understand how that improvement cycle works in practice, our guide to ISO 42001 Clause 10.1 General picks up where this article leaves off.

Clause 9 also depends on the work done in earlier clauses. Your monitoring metrics should be tied to the risks and opportunities identified in Clause 6. Your internal audit scope should reflect the processes established in Clause 8. And your management review inputs should draw on the objectives set in Clause 6.2. If these connections are missing, your performance evaluation will feel disconnected from the rest of the system, and an auditor will notice.

Common Mistakes Organisations Make in Clause 9

Having worked through many AI-related management system implementations, we see the same patterns of failure come up repeatedly. Here are the ones to watch for:

  • Measuring the wrong things: Organisations track generic KPIs that have nothing to do with AI-specific risks. Model accuracy, bias indicators, and incident rates are more relevant than generic customer satisfaction scores when evaluating an AIMS.
  • Monitoring without acting: Data is collected, reports are produced, and nothing happens. Monitoring is only valuable if the results trigger decisions.
  • Internal audits that are too shallow: Auditors tick boxes based on document reviews but never speak to the people actually using the AI systems. Interviews and operational observations are essential.
  • Management reviews that lack genuine engagement: Top management attends but does not engage. The review becomes a presentation rather than a decision-making forum.
  • Poor documentation: Results are discussed verbally but not recorded. An auditor cannot verify what was never written down.

Building a Practical Clause 9 Implementation Plan

If you are starting from scratch or preparing for your first ISO 42001 certification audit, here is a practical sequence to follow:

  1. Define your monitoring indicators: Start with your AI risk register from Clause 6. For each significant risk, identify at least one measurable indicator that tells you whether the risk is under control.
  2. Assign ownership: Every metric needs an owner who is responsible for collecting and reporting the data. Without ownership, nothing gets done.
  3. Build a reporting cadence: Decide how often each metric is reviewed and by whom. Operational metrics might be reviewed monthly. Strategic metrics can wait for the quarterly management review.
  4. Design your audit programme: Map out which parts of the AIMS will be audited, when, and by whom. Ensure auditor independence and competence. Build in flexibility to increase frequency for high-risk areas.
  5. Structure your management review agenda: Create a standard agenda that covers all the required inputs. Assign someone to compile the pre-read pack at least one week before each review.
  6. Close the loop: Ensure that every output from the management review and every finding from an internal audit is tracked to completion. Use your corrective action register for this.

If you are unsure whether your approach will satisfy an auditor, it is worth getting an independent perspective before your certification audit. Preparing for your ISO 42001 Stage 1 audit is a good place to start understanding what auditors will actually look for across all clauses, including Clause 9.

Getting the Right Support for ISO 42001 Certification

ISO 42001 is a relatively new standard, and finding consultants with genuine experience in both AI governance and management systems auditing is not straightforward. The market is still maturing, and the quality of advice varies considerably. If you are looking for a consultant to help you implement Clause 9 properly, or a certification body to conduct your audit, CertBetter can help. Submit one form and receive up to three competing quotes from vetted ISO 42001 consultants and accredited certification bodies. The service is completely free for businesses seeking certification, and it saves you the time and risk of finding providers on your own.

Frequently Asked Questions

Clause 9 covers performance evaluation of your AI Management System. It requires your organisation to monitor and measure AI system performance, conduct internal audits to check conformance, and hold management reviews to assess the overall effectiveness of the AIMS. The purpose is to ensure you have reliable evidence that your system is working as intended and that top management is actively engaged in reviewing that evidence and making decisions based on it.

The standard requires internal audits at planned intervals but does not specify a fixed frequency. Most organisations conduct at least one full internal audit per year, with some choosing to split the audit into two cycles covering different parts of the AIMS. Organisations with high-risk AI applications, rapidly evolving systems, or recent nonconformities should audit more frequently. Your audit programme should be risk-based and reviewed regularly.

A management review under ISO 42001 must consider the status of actions from previous reviews, changes in internal and external context, AIMS performance data including audit results and monitoring metrics, resource adequacy, and the effectiveness of risk and opportunity actions. In an AI context, it is also good practice to include updates on regulatory developments in AI, emerging risks from new AI deployments, and any feedback from external stakeholders such as customers or affected communities.

The metrics you track should be tied to the AI-specific risks identified in your risk assessment. Common examples include model accuracy and drift over time, bias indicators across demographic groups, data quality scores, frequency of AI-related incidents or near-misses, rate of human overrides of AI decisions, and the effectiveness of specific controls. Generic business KPIs are not sufficient on their own. Your monitoring programme needs to reflect the unique risks that AI systems introduce.

No. ISO 42001 requires internal auditors to be objective and impartial, which means they cannot audit their own work. If your organisation is small and the same person built and manages the AIMS, you will need to either bring in an external auditor for the internal audit or cross-train another staff member to audit those areas. Using an external consultant to conduct your internal audit is a common and acceptable approach for smaller organisations.

Clause 9 generates the evidence and findings that drive improvement under Clause 10. Nonconformities found during internal audits become corrective actions under Clause 10.2. Trends identified through monitoring and measurement inform opportunities for improvement. Decisions made during management review may result in changes to the AIMS or new improvement initiatives. Without a well-functioning Clause 9, your improvement process has no reliable inputs, and the system stagnates rather than evolves.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.