AI & AIMS Fundamentals
21%of exam
AIMS Requirements (Clauses)
6%of exam
Planning AIMS Implementation
25%of exam
Implementing the AIMS
22-23%of exam
Monitoring & Measurement
12-13%of exam
Improvement & Certification Audit
12-13%of exam
Quick Facts
- Exam
- ISO 42001 LI
- Credential
- AIMS Lead Implementer
- Questions
- 80 MCQ
- Time
- 3 hours
- Pass
- 70%
- Format
- Open-book, 3 options
- Level
- Advanced
- Handbook
- v1.5 (2026)
Credential Ladder
Provisional -> Implementer -> Lead -> Senior Lead
42001 vs 27001
ISO 42001
- AI management system
- Annex A: AI controls
- AI risk + impact
ISO 27001
- Info security system
- Annex A: security controls
- Info security risk
AI vs security scope
AI Standards Family
- 42001
- AIMS requirements
- 22989
- AI concepts/terminology
- 23053
- ML framework
- 23894
- AI risk management
- 5338
- AI system lifecycle
- 38507
- Board AI governance
- 42005
- AI impact assessment
Provisional vs Lead Implementer
Provisional
- No experience
- Exam only
Lead Implementer
- 2yr AIMS work
- 300 project hours
Exam vs credentialed
EU AI Act Risk Tiers
- Unacceptable
- Banned practices (Art 5)
- High-risk
- Annex III systems
- Limited-risk
- Transparency duties
- Minimal-risk
- No specific obligation
- GPAI
- General-purpose AI rules
EU AI Act vs NIST RMF
EU AI Act
- Binding EU law
- Risk-tier obligations
NIST AI RMF
- Voluntary US framework
- Govern/Map/Measure/Manage
Law vs framework
AI Subfields & Concepts
- Machine learning
- Learn from data
- Deep learning
- Neural network layers
- Neural network
- Node-layer model
- Cognitive computing
- Mimic human reasoning
- Semantic computing
- Meaning-based processing
- Soft computing
- Tolerates imprecision
PECB Credential Levels
- Provisional
- No experience needed
- Implementer
- 1yr AIMS + 200hrs
- Lead Implementer
- 2yr AIMS + 300hrs
- Senior Lead
- 7yr AIMS + 1000hrs
Exam Mechanics
- 3 options
- 1 correct, 2 distractors
- Scenario sets
- 5 Qs per scenario
- Open-book
- Standard + notes allowed
- Cognitive split
- 40% comprehension/analysis, 60% evaluation
Clause 4-10 Flow
Context -> Leadership -> Operate -> Improve
Annex A vs Annex B
Annex A
- Normative controls
- Must implement
Annex B
- Implementation guidance
- Informative only
Requirement vs how-to
Clause 4-10 Structure
- Clause 4
- Context of organization
- Clause 5
- Leadership
- Clause 6
- Planning
- Clause 7
- Support
- Clause 8
- Operation
- Clause 9
- Performance evaluation
- Clause 10
- Improvement
Annex A-D Roles
- Annex A
- 38 normative controls
- Annex B
- Control implementation guidance
- Annex C
- AI objectives/risk sources
- Annex D
- Sector-specific tailoring
Risk vs Impact Assessment
Risk assessment
- Threats to org
- 23894 methodology
- Likelihood x severity
Impact assessment
- Effect on people/society
- 42005 methodology
- Individuals + groups
Org risk vs societal effect
Risk & Impact Response Picker
- New AI system planned→AI impact assessment
- Identify AI-specific risk→ISO/IEC 23894 method
- Control excluded→Justify in SoA
- Gap vs 42001 found→Gap analysis report
- Risk unacceptable→Risk treatment plan
AI Risk & Impact Assessment
- Risk assessment
- Identify/analyze/evaluate risk
- Impact assessment
- Effect on individuals/society
- SoA
- Statement of Applicability
- Gap analysis
- Current vs required state
- AI policy
- Top-level AI commitment
- Risk treatment
- Select risk options
Planning Inputs
- Internal context
- Org culture/resources
- External context
- Regulatory/market factors
- Interested parties
- Stakeholder needs
- AIMS objectives
- Measurable targets
- Project plan
- Implementation roadmap
Annex A 9 Objectives
Policy Org Resource Impact Lifecycle Data Info Use Third-party
Annex A Control Picker
- Need AI policy→A.2(Top-level commitment)
- Define AI roles→A.3(Internal organization)
- Need resources/compute→A.4(Resource allocation)
- Assess AI impact→A.5(Impact assessment)
- Control model lifecycle→A.6(AI system lifecycle)
- Govern training data→A.7(Data controls)
- Inform stakeholders→A.8(Transparency info)
- Ensure responsible use→A.9(Use of AI)
- Manage vendor AI→A.10(Third-party controls)
Annex A: 9 Objectives
- A.2
- AI policies
- A.3
- Internal organization
- A.4
- Resources for AI
- A.5
- Impact assessment
- A.6
- AI system lifecycle
- A.7
- Data for AI
- A.8
- Info for interested parties
- A.9
- Responsible use of AI
- A.10
- Third-party relationships
Bias Mitigation Stages
Pre -> In -> Post processing
Bias Mitigation Methods
- Pre-processing
- Reweigh/resample data
- In-processing
- Adversarial debiasing
- Post-processing
- Threshold adjustment
- Reweighing
- Adjust sample weights
Explainability Methods
- LIME
- Local approximation
- SHAP
- Shapley value attribution
- Model card
- Model documentation
- Datasheet
- Dataset documentation
AIMS Implementation Tasks
- AI landscape
- Inventory AI systems
- Documentation
- Records + control evidence
- Training program
- Awareness + skills
- Communication plan
- Stakeholder engagement
- Change management
- Control AI updates
Major vs Minor NC
Major NC
- Systemic failure
- Certification blocked
Minor NC
- Isolated lapse
- Corrective plan ok
System vs isolated
Monitoring & Measurement
- AIMS metrics
- Performance indicators
- Drift monitoring
- Detect data/model shift
- Internal audit
- ISO 19011 based
- Management review
- Top mgmt evaluation
- Suitability review
- Policy still fits
PDCA Improvement Cycle
Plan -> Do -> Check -> Act
Stage 1 vs Stage 2 Audit
Stage 1
- Review documents
- Readiness check
- Off-site often
Stage 2
- Test implementation
- Evidence of operation
- On-site typical
Paper vs practice
Certification Audit Stage Picker
- Docs not yet reviewed→Stage 1 audit
- Ready to test controls→Stage 2 audit
- One year post-cert→Surveillance audit
- Three years post-cert→Recertification audit
Continual Improvement Cycle
- Nonconformity
- Requirement not met
- Root cause
- Underlying failure source
- Corrective action
- Fix + prevent recurrence
- PDCA
- Plan-Do-Check-Act
- Lessons learned
- Incident-based insight
Certification Audit Stages
- Stage 1
- Documentation readiness review
- Stage 2
- Implementation effectiveness audit
- Surveillance audit
- Annual follow-up check
- Recertification
- 3-year renewal audit
- CB selection
- Choose certification body
Common Traps
42001 vs 27001 scope
42001 = AI mgmt ≠ 27001 = info security
Risk vs impact assessment
Risk: harm to org ≠ Impact: harm to society
Annex A vs Annex B
A: what to do ≠ B: how to do it
3 options not 4
Only 1 correct answer ≠ 2 distractors always
Open-book but timed
Standard + notes ok ≠ No internet lookup
Stage 1 vs Stage 2
1: review documents ≠ 2: test operation
Major vs minor NC
Major: systemic failure ≠ Minor: isolated lapse
Last Minute
- 1.Weights 21-6-25-22-13-13%
- 2.80 MCQ, 3 options each
- 3.Pass score is 70%
- 4.Open-book: standard + notes only
- 5.Clauses 4-10 = harmonized structure
- 6.Annex A = 38 controls
- 7.9 Annex A objectives: A.2-A.10
- 8.Impact assessment differs from risk assessment
- 9.Stage 1 = docs, Stage 2 = practice
- 10.PDCA drives continual improvement clause
Explore More PECB Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
