ISO 42001 - What is it? Who is it for? What are the benefits?
- Andy Whillance
- Feb 20
ISO 42001 Overview
ISO 42001 was published in 2023 and specifies the requirements for an AI Management System (AIMS). It asks organisations to have a clear sense of direction with regard to the design, development and implementation of AI systems, with a focus on ethical use and development of AI, and on minimising harm to societies and individuals.
The scope of what is required will depend on which category or categories you fall into with regard to AI usage:
Users - You use commercially available AI tools to improve your business processes.
Providers - You incorporate AI tools into your products and services, making them available to customers or users.
Producers - You create and train AI models or systems and make those available to internal or external users.
ISO 42001 is relevant to all three roles in the AI ecosystem, although many controls will not be applicable unless you are a producer of AI systems.
The main body of the standard follows the same structure (Annex SL) as all other management system standards.
Context - What internal and external issues are relevant to your AI management system? Who is interested in your AIMS, and what are their requirements?
Leadership - Top management must set a clear sense of direction, a policy should be established and roles and responsibilities defined and allocated.
Planning - Risks and opportunities need to be understood, and risks treated if unacceptable. Objectives must be established, and changes to the AIMS need to be controlled.
Resources - Resources to implement and maintain the AIMS must be provided, employees must be competent in the field of AI system development, and documentation needed to control AI use and development must be available.
Operation - The processes needed must be planned and implemented.
Measurement - Effectiveness measurements need to be defined and analysed, internal audits of the AIMS must be planned and completed and a Management Review meeting held periodically.
Improvement - Organisations must aim to continually improve their AIMS and take action to address any non-conformity that has been identified.
There are a few specific additions in ISO 42001. Most notably, additions to clause 6 (planning) and clause 8 (operation) require an organisation to have completed AI System Impact Analyses. A formal methodology must be used to assess the risks and impacts that AI systems in use could have on individuals, groups of individuals, and societies.
In addition, ISO 42001 is similar to ISO 27001 with Annex A stating 38 controls that must be considered.
A.2 Policies - AI related policies are required, aligned with other organisational policies and reviewed periodically
A.3 Internal Organisation - Roles and responsibilities must be defined and allocated, and procedures for reporting AI related concerns must be established
A.4 Resources - Organisations must be able to demonstrate that all resources (tooling, data, computing, people) have been identified and documented for each AI system.
A.5 AI Impact Assessment - The potential impact of each AI system must be assessed and documented
A.6 AI System Lifecycle - Processes for developing AI systems must be established, including details on how AI Systems are designed, tested, deployed and monitored.
A.7 Data for AI systems - Processes must be established to show how data used to train or operate an AI system is selected, cleaned and prepared.
A.8 Information for interested parties of AI systems - Appropriate documentation for developers and users of an AI system must be created and made available. Incident management procedures must be established.
A.9 Use of AI systems - Processes and objectives for responsible use of AI systems must be established
A.10 Third-party and customer relationships - Processes to ensure that suppliers align with internal AI policy and objectives must be in place, and that responsibilities of customers, users and other third-parties are understood, allocated and communicated.
For 'AI user' and 'AI provider' roles some of these may not be applicable, particularly sections A.6 and A.7, but each must be considered and a Statement of Applicability created which states whether each control is applicable or not, similar to the approach taken in ISO 27001.
What are the benefits?
AI is becoming almost ubiquitous, with AI functionality incorporated into websites, software tools, even household devices. There are many potential benefits to AI systems, but there are also many risks.
If you are incorporating use or development of AI systems in your business operations, products or services, your approach will start to be queried more and more regularly by your customers. Over the past 18 months, ever more questions about use of AI are appearing in Know-Your-Customer (KYC) questionnaires and assessments, alongside information security and privacy topics.
Alignment with, or certification to, ISO 42001 can help you reassure your customers that you are an organisation that takes your responsibilities seriously, that you are committed to understanding how AI could negatively impact the world around us, and that you are taking steps to minimise or mitigate that risk.
If you would like more information, or would like assistance in exploring or implementing any aspect of ISO 42001 then get in touch.