ISO 42001 2023 || Artificial Intelligence Management System

ISO 42001:2023 Artificial Intelligence Management System

ISO 42001:2023 is the standard expected to take the step that most have not yet dared to take: drawing a boundary within which AI systems have to act.

The regulation of Artificial Intelligence (AI) has been a topic of significant debate and discussion. Governments, industry stakeholders, and advocacy groups continue to grapple with the many issues surrounding the prominence of Artificial Intelligence in today’s technical world, aiming to strike a balance between fostering innovation and ensuring responsible and ethical use of AI technologies. The regulatory landscape is evolving, with different countries taking various approaches to address the complex challenges posed by AI.

Several key issues are at the forefront of this debate, including:

  1. Doing the Right Thing: There are worries about AI being used in ways that might not be fair or good. For example, in jobs, healthcare, and law, there are concerns about how AI might treat people.
  2. Being Open and Responsible: Some AI systems make decisions, but we don’t always understand how. It’s important to know why AI does what it does, especially if it affects people a lot.
  3. Treating Everyone Fairly: AI can sometimes be unfair because it learns from the information it’s given. If that info is biased, AI can make unfair choices. This is a big worry in areas like hiring, loans, and policing.
  4. Keeping Jobs Safe: Some people are concerned that AI might take away jobs. We might need rules to make sure that if jobs change, people get help to learn new things.
  5. Staying Safe and Secure: AI can be used for things like weapons and cyber attacks. Countries need to work together to make sure AI is used safely and doesn’t cause harm.
  6. Protecting Personal Information: AI uses a lot of data, and people want to make sure their information is kept private and not misused. Some places already have rules, like the GDPR in Europe.
  7. Working Together: Because AI is used everywhere, it’s important for different countries to agree on some basic rules so that things work well together.
  8. Making Things Clear and Simple: It’s important to have clear and simple rules so that everyone knows what’s allowed and what’s not when it comes to AI.

ISO 42001:2023 || Artificial Intelligence Management System

In view of the various challenges that AI is posing in the ever-evolving world of technology, ISO/IEC has come up with the right thing at the right time: ISO 42001:2023, the Artificial Intelligence Management System (AIMS) standard.

It is meant for those involved in offering or using AI-based products or services, ensuring responsible AI system development and use.

This standard is crucial as it is the world’s first AI management system standard, offering guidance in the dynamic field of AI technology. ISO/IEC 42001 tackles specific challenges related to AI, including ethics, transparency, and continuous learning. For organizations, it provides a structured approach to managing risks and opportunities associated with AI, allowing a balance between innovation and governance.

The benefits of ISO/IEC 42001 include providing a framework for handling risks and opportunities, demonstrating responsible AI use, ensuring traceability, transparency, and reliability, as well as contributing to cost savings and efficiency gains.

What is an Artificial Intelligence Management System or ISO 42001 2023?

In accordance with ISO/IEC 42001, an AI management system refers to a collection of connected elements within an organization. Its purpose is to define policies and objectives, along with establishing processes to achieve those objectives, particularly concerning the responsible development, provision, or use of AI systems. ISO/IEC 42001 outlines the requirements and offers guidance for creating, implementing, maintaining, and continuously improving an AI management system within the organization’s framework.

What are the key features of ISO 42001 2023?

  • Organization Context: Align AI strategies with stakeholder needs and the organization’s objectives.
  • Leadership and Commitment: Define clear roles and responsibilities within the AI system.
  • Risk and Change Management: Plan for potential risks and changes in the AI landscape.
  • Support Systems: Ensure resource availability, including competent personnel and effective communication.
  • Operational Excellence: Focus on operational control and thorough risk assessment.
  • Performance Evaluation: Regularly assess the system through monitoring, audits, and reviews.
  • Continuous Improvement: Address nonconformities and take corrective and preventive actions.

What are the objectives of ISO 42001 2023 || AIMS?

Objectives of ISO/IEC 42001:

  1. Comprehensive Guidance: Provide organizations with comprehensive guidance for the responsible and effective use of AI, considering the dynamic nature of the technology.
  2. Adaptability to Technology Evolution: Address the challenges posed by the rapid evolution of AI technology, ensuring that the standard remains relevant and applicable over time.
  3. Coverage of AI Aspects: Encompass various aspects of artificial intelligence and the diverse applications organizations may employ, promoting a holistic understanding and management of AI-related activities.
  4. Integrated Approach: Offer an integrated approach to managing AI projects, spanning from risk assessment to the effective treatment of identified risks, fostering a cohesive and systematic management system.
  5. Applicability to Different Organizations: Be designed to cater to the needs of different types of organizations, irrespective of their size or industry, promoting widespread adoption and adherence to responsible AI practices.

What are the benefits of ISO 42001 2023 Implementation?

Keeping abreast of and implementing this standard brings many benefits, namely:

  • Responsible AI: ensures ethical and responsible use of artificial intelligence.
  • Reputation management: enhances trust in AI applications.
  • Addressing security, safety, fairness, transparency, and data quality: ensures that an organization’s AI systems address these key aspects.
  • Strategic decision-making and governance: promotes strong governance practices and helps organizations align their AI initiatives with their overall business objectives and risk management strategies.
  • AI governance: supports compliance with legal and regulatory standards.
  • Practical guidance: manages AI-specific risks effectively.
  • Identifying opportunities: encourages innovation within a structured framework.

In a Nutshell || Why 42001 2023

Certain features of AI, such as the ability to continuously learn and improve or a lack of transparency or explainability, can warrant different safeguards if they raise additional concerns compared to how the task would traditionally be performed. The adoption of an AI management system to extend the existing management structures is a strategic decision for an organization. 

ISO 42001 2023 || Understanding the Structure

The structure of the ISO 42001 standard will appear very familiar to those who’ve already been ISO 27001 certified, as ISO 42001 also features:

  • Clauses 4-10; and
  • An Annex A listing of controls that can help organizations* both:
      • Meet objectives as they relate to the use of AI; and
      • Address the concerns identified during the risk assessment process related to the design and operation of AI systems.

* These particular controls are not required to be used—rather, they’re meant to be a reference, and you are free to design and implement controls as needed.

Within the current draft of ISO 42001, the 39 Annex A controls touch on the following areas:

  • Policies related to AI
  • Internal organization (e.g., roles and responsibilities, reporting of concerns)
  • Resources for AI systems (e.g., data, tooling, human)
  • Impact analysis of AI systems on individuals, groups, & society
  • AI system life cycle
  • Data for AI systems
  • Information for interested parties of AI systems
  • Use of AI systems (e.g., responsible / intended use, objectives)
  • Third-party relationships (e.g., suppliers, customers)

ISO 42001 also contains an Annex B and Annex C:

Annex B – Provides the implementation guidance for the controls listed in Annex A

(Think of this similar to the separate ISO 27002 standard for ISO 27001’s Annex A.)

Annex C – Outlines:

  • The potential organizational objectives
  • Risk sources
  • Descriptions that can be considered when managing risks related to the use of AI.

Those potential objectives and risk sources referenced in Annex C address the following areas:

And finally, ISO 42001 contains an Annex D that speaks to the use of an AIMS across domains or sectors.

(Source: cloudsecurityalliance.org)

Compatibility with other management system standards

This standard has been drafted in such a way as to facilitate integration with other existing management system standards (MSS), such as:

  • ISO 27001 (information security)
  • ISO 27701 (privacy)
  • ISO 9001 (quality)

Finally, let’s look at the harmonized structure (identical clause numbers, clause titles, text, common terms and core definitions) developed to enhance alignment among management system standards (MSS). The AI management system provides requirements specific to managing the issues and risks arising from using AI in an organization. This common approach facilitates implementation and consistency with other management system standards, e.g. those related to quality, safety, security and privacy. The key terms used by the standard are defined below. (Source: iso.org)

  • Organization

Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the AI management system.

  • Interested party

Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity

Note 1 to entry: An overview of interested parties in AI is provided in ISO/IEC 22989:2022.

  • Top management

Person or group of people who directs and controls an organization at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization.

  • Management system

Set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

  • Policy

Intentions and direction of an organization as formally expressed by its top management 

  • Objective

Result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide or specific to a project, product or process.

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational criterion, as an AI objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of AI management systems, AI objectives are set by the organization, consistent with the AI policy, to achieve specific results.

  • Risk

Effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

  • Process

Set of interrelated or interacting activities that uses or transforms inputs to deliver a result

Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context of the reference.

  • Competence

Ability to apply knowledge and skills to achieve intended results

  • Documented information

Information required to be controlled and maintained by an organization and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to:

  • the management system, including related processes;
  • information created in order for the organization to operate (documentation);
  • evidence of results achieved (records).

  • Performance

Measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes, products, services, systems or organizations.

Note 3 to entry: In the context of this document, performance refers both to results achieved by using AI systems and results related to the AI management system. The correct interpretation of the term is clear from the context of its use.

  • Continual improvement

Recurring activity to enhance performance. 

  • Effectiveness

Extent to which planned activities are realized and planned results are achieved

  • Requirement

Need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information.

  • Conformity

Fulfilment of a requirement.

  • Nonconformity

Non-fulfilment of a requirement.

  • Corrective action

Action to eliminate the cause(s) of a nonconformity and to prevent recurrence

  • Audit

Systematic and independent process for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

  • Measurement

Process to determine a value

  • Monitoring

Determining the status of a system, a process or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

  • Control

<risk> measure that maintains and/or modifies risk

Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk.

Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

[SOURCE: ISO 31000:2018, 3.8, modified — Added <risk> as application domain]

  • Governing body

Person or group of people who are accountable for the performance and conformance of the organization

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.

Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board, supervisory board, trustees or overseers.

[SOURCE: ISO/IEC 38500:2015, 2.9, modified — Added Notes to entry.]

  • Information security

Preservation of confidentiality, integrity and availability of information

Note 1 to entry: Other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

[SOURCE: ISO/IEC 27000:2018, 3.28]

  • AI system impact assessment

Formal, documented process by which the impacts on individuals, groups of individuals, or both, and societies are identified, evaluated and addressed by an organization developing, providing or using products or services utilizing artificial intelligence

  • Data quality

Characteristic of data that the data meet the organization’s data requirements for a specific context

[SOURCE: ISO/IEC 5259-1:—1, 3.4]

  • Statement of applicability

Documentation of all necessary controls and justification for inclusion or exclusion of controls

Note 1 to entry: Organizations may not require all controls listed in Annex A or may even exceed the list in Annex A with additional controls established by the organization itself.

Note 2 to entry: All identified risks shall be documented by the organization according to the requirements of this document. All identified risks and the risk management measures (controls) established to address them shall be reflected in the statement of applicability.

For more topics related to cybersecurity and AI, please visit our Cyber Security services section.

At ABS, we have a team of professionals that can guide you at every step of your accreditation journey. Contact Us today to know more.

You may also browse through our Services to know more about our other offerings.
