ISO 42001:2023 – the standard expected to take the step that most have hesitated to take so far: drawing a boundary within which AI systems have to act.
The regulation of Artificial Intelligence (AI) has been a topic of significant debate and discussion. Governments, industry stakeholders and advocacy groups continue to grapple with the many issues raised by the prominence of AI in today’s technical world, aiming to strike a balance between fostering innovation and ensuring responsible and ethical use of AI technologies. The regulatory landscape is evolving, with different countries taking various approaches to the complex challenges posed by AI.
Several key issues are at the forefront of this debate, including:
Amid the many challenges that AI poses in the ever-evolving world of technology, ISO/IEC has published the right thing at the right time: ISO/IEC 42001:2023, the Artificial Intelligence Management System (AIMS) standard.
It is meant for organizations that provide or use AI-based products or services, and its aim is to ensure responsible AI system development and use.
This standard is crucial as it is the world’s first AI management system standard, offering guidance in the dynamic field of AI technology. ISO/IEC 42001 tackles specific challenges related to AI, including ethics, transparency, and continuous learning. For organizations, it provides a structured approach to managing risks and opportunities associated with AI, allowing a balance between innovation and governance.
The benefits of ISO/IEC 42001 include providing a framework for handling risks and opportunities, demonstrating responsible AI use, ensuring traceability, transparency, and reliability, as well as contributing to cost savings and efficiency gains.
In accordance with ISO/IEC 42001, an AI management system refers to a collection of connected elements within an organization. Its purpose is to define policies and objectives, along with establishing processes to achieve those objectives, particularly concerning the responsible development, provision, or use of AI systems. ISO/IEC 42001 outlines the requirements and offers guidance for creating, implementing, maintaining, and continuously improving an AI management system within the organization’s framework.
Objectives of ISO/IEC 42001:
Keeping abreast of and implementing this standard brings many benefits, namely:
Certain features of AI, such as the ability to continuously learn and improve or a lack of transparency or explainability, can warrant different safeguards if they raise additional concerns compared to how the task would traditionally be performed. The adoption of an AI management system to extend the existing management structures is a strategic decision for an organization.
The structure of the ISO 42001 standard will appear very familiar to those who’ve already been ISO 27001 certified, as ISO 42001 also features:
* These particular controls are not required to be used—rather, they’re meant to be a reference, and you are free to design and implement controls as needed.
ISO 42001 also contains an Annex B and Annex C:
Annex B – Provides the implementation guidance for the controls listed in Annex A
(Think of this similar to the separate ISO 27002 standard for ISO 27001’s Annex A.)
Annex C – Outlines:
Those potential objectives and risk sources referenced in Annex C address the following areas:
And finally, ISO 42001 contains an Annex D that speaks to the use of an AIMS across domains or sectors.
(Source: cloudsecurityalliance.org)
This standard has been drafted in such a way as to facilitate integration with other existing management system standards (MSS), such as:
Finally, let’s look at the harmonized structure (identical clause numbers, clause titles, text and common terms and core definitions) developed to enhance alignment among management system standards. The AI management system provides requirements specific to managing the issues and risks arising from using AI in an organization. This common approach facilitates implementation and consistency with other management system standards, e.g. those related to quality, safety, security and privacy. (Source: iso.org)
organization – Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution or part or combination thereof, whether incorporated or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the AI management system.
interested party – Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
Note 1 to entry: An overview of interested parties in AI is provided in ISO/IEC 22989:2022.
top management – Person or group of people who directs and controls an organization at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization.
management system – Set of interrelated or interacting elements of an organization to establish policies and objectives, as well as processes to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.
policy – Intentions and direction of an organization as formally expressed by its top management
objective – Result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide or specific to a project, product or process.
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational criterion, as an AI objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of AI management systems, AI objectives are set by the organization, consistent with the AI policy, to achieve specific results.
risk – Effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
process – Set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context of the reference.
competence – Ability to apply knowledge and skills to achieve intended results
documented information – Information required to be controlled and maintained by an organization and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
performance – Measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes, products, services, systems or organizations.
Note 3 to entry: In the context of this document, performance refers both to results achieved by using AI systems and results related to the AI management system. The correct interpretation of the term is clear from the context of its use.
continual improvement – Recurring activity to enhance performance
effectiveness – Extent to which planned activities are realized and planned results are achieved
requirement – Need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information.
conformity – Fulfilment of a requirement
nonconformity – Non-fulfilment of a requirement
corrective action – Action to eliminate the cause(s) of a nonconformity and to prevent recurrence
audit – Systematic and independent process for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
measurement – Process to determine a value
monitoring – Determining the status of a system, a process or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
control – <risk> measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8, modified — Added <risk> as application domain.]
governing body – Person or group of people who are accountable for the performance and conformance of the organization
Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.
Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board, supervisory board, trustees or overseers.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — Added Notes to entry.]
information security – Preservation of confidentiality, integrity and availability of information
Note 1 to entry: Other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
[SOURCE: ISO/IEC 27000:2018, 3.28]
AI system impact assessment – Formal, documented process by which the impacts on individuals, groups of individuals, or both, and societies are identified, evaluated and addressed by an organization developing, providing or using products or services utilizing artificial intelligence
data quality – Characteristic of data that the data meet the organization’s data requirements for a specific context
[SOURCE: ISO/IEC 5259-1:—1, 3.4]
statement of applicability – Documentation of all necessary controls and justification for inclusion or exclusion of controls
Note 1 to entry: Organizations may not require all controls listed in Annex A or may even exceed the list in Annex A with additional controls established by the organization itself.
Note 2 to entry: All identified risks shall be documented by the organization according to the requirements of this document. All identified risks and the risk management measures (controls) established to address them shall be reflected in the statement of applicability.
At ABS, we have a team of professionals that can guide you at every step of your accreditation journey. Contact Us today to know more.