Are You Compliant with ISO/IEC 42001?

by Monica Magnardini - Medical Device Compliance Expert | Biomedical Engineer @PQE Group

This article explores the emergence of the ISO/IEC 42001 standard as a response to the challenges posed by the rapid advancement of artificial intelligence (AI). Through a comprehensive examination of the standard's key requirements and its compatibility with existing management system standards, the article highlights its significance in promoting responsible and ethical AI use.

By emphasizing transparency, accountability, and risk mitigation, ISO/IEC 42001 establishes a global framework for AI management systems. The article concludes by underscoring the strategic importance of achieving compliance with ISO/IEC 42001 and the role of organizations like PQE Group in supporting this endeavor. 


We are at the dawn of regulation for the responsible use of artificial intelligence (AI). The current regulatory landscape is still unsettled on the use and development of AI, because technological progress moves far faster than regulation, which struggles to keep up.

The AI Risk Management Framework was published by NIST in March 2023. President Biden issued the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence on 30th October. Meanwhile, the Council of the European Union and the European Parliament have reached an agreement on the Regulation of Artificial Intelligence (AI Act). 

For these reasons, ISO and IEC have developed the ISO/IEC 42001 standard as a response to the rise of AI and its challenges.  

Applicable to all types of companies in any industry, ISO/IEC 42001 is the first international certifiable management system standard for AI.

The standard sets out requirements to establish, implement, maintain, and continually improve an AI management system. Its purpose is to ensure that AI systems are developed and used responsibly by:

  • Promoting the development and use of AI systems that are reliable, transparent, and accountable;  

  • Stressing ethical principles and values in the use of AI systems, such as fairness, non-discrimination, and respect for privacy;  

  • Helping organizations identify and mitigate risks related to AI implementation by ensuring appropriate mitigation measures are taken; 

  • Encouraging organizations to prioritize human well-being, safety, and user experience in the design and implementation of AI; 

  • Assisting organizations in complying with data protection laws and regulations or obligations to stakeholders. 

Compatibility with other management system standards

This standard has been drafted to facilitate integration with other, already widely established management system standards, such as ISO/IEC 27001:2022, ISO/IEC 27701:2019, ISO 9001:2015, ISO 13485:2016, etc., without requiring any of them as a prerequisite. This design encourages organizations to adopt a holistic approach, with each management system pursuing its own particular objective.

Like ISO/IEC 27001:2022 and the other standards of the ISO/IEC 27000 family, it gives structure to requirements, risk analysis, and controls.

Key requirements of the standard

The first three clauses of the standard, following the common structure of ISO management system standards, cover respectively "Purpose, Normative References, Terms and Definitions." From the fourth clause onwards, we find:

  • Context of the Organization: understanding internal and external factors, understanding the needs and expectations of stakeholders, determining AI-related objectives, and therefore the purpose of the AI management system within the organization; 

  • Leadership: commitment, responsibility, and promotion of an informed culture of AI; 

  • Planning: identification of the opportunities and risks of AI, definition of objectives and planning of actions for AI-related risk mitigation and response; 

  • Support: providing the resources, skills, awareness, and communication necessary for responsible management of AI; 

  • Operation: implementation of AI systems, data management, performance monitoring and risk management; 

  • Performance Evaluation: monitoring and measuring the performance of AI, evaluation against objectives and conducting management reviews; 

  • Improvement: taking continuous action to improve AI systems and the AI Management System itself, based on assessment and feedback, assessing any non-compliance and defining preventive and corrective actions. 

What about the annexes?

The standard consists of four annexes, and below is a brief explanation of each annex. 

Annex A of the standard outlines 39 controls (structured as controls and control objectives) that help organizations achieve their objectives related to the use of AI and address threats identified in the AI risk assessment process during the design, development, and operation of the AI system.  

Similar to ISO/IEC 27001, there is no obligation to use the controls listed in this annex.  

They are intended to serve as a reference, and each organization is free to design and implement its own set of controls based on its context. 

Annex B, instead, provides guidelines for the implementation of the controls listed in Annex A, including data management processes.  

Annex C deals with the objectives and sources of risk that organizations must consider. The responsibility of determining the relevant objectives and sources of risk lies with each organization. 

Finally, Annex D explores the use of an AI management system in various domains or sectors (e.g., health, defense, finance) and deals with the integration of this system with others. 

Achieving compliance with ISO/IEC 42001

Compliance with ISO/IEC 42001:2023 is a strategic step for organizations aiming to ensure their AI systems are managed ethically, securely, and transparently. 

Following are the necessary steps that an organization should perform to obtain compliance: 

  1. Perform a Gap Analysis on your management system documentation: in this phase, it is important to compare current practices against the ISO 42001 requirements to understand where changes are needed;

  2. Develop an AI Management System, which means integrating an AI management system with existing organizational processes; 

  3. Perform Risk and Impact Assessments on the AI system regularly to identify potential risks and their impacts;

  4. Implement AI policies and/or procedures to cover the following AI aspects: ethics, data protection, and privacy; 

  5. Document all processes;  

  6. Prepare for the external audit to obtain the certification. 

PQE Group can support your organization in all the above phases to obtain ISO 42001 certification: performing a gap assessment on your documentation, providing policies or procedures, or helping the organization implement a robust AI risk management process.

Of course, after obtaining certification it will be important to maintain compliance with the standard. To do this, the organization will need to keep track of changing laws and regulations and ensure that its policies and procedures are kept up to date. Regular internal audits should also be scheduled, and employees should be trained in this field.

Conclusion

In conclusion, the development of the ISO/IEC 42001 standard marks a pivotal moment in AI regulation. As organizations navigate the complex landscape of AI implementation, this standard provides a comprehensive framework to ensure responsible and ethical use. By prioritizing transparency, accountability, and human well-being, ISO/IEC 42001 sets a new standard for AI management systems worldwide. With the support of organizations like PQE Group, achieving compliance with ISO/IEC 42001 is not just a regulatory requirement but a strategic imperative for organizations committed to ethical AI practices. 


Want to know more?

PQE Group staff comprises experienced and skilled experts in multidisciplinary teams, available to support your company in achieving the highest levels of safety for your systems. Visit our Digital Governance services page to learn more or to contact us, and find the most suitable solution for your company.