
Why is ISO 42001 Certification Important?

Published 16 January 2025

With the adoption of Artificial Intelligence (AI) only increasing, there is greater pressure on your organisation to act ethically and securely when using and/or developing AI systems. The recently published EU AI Act is symbolic of the ever-increasing need for control over the use of AI, with organisations now facing significant financial and reputational penalties for failing to have sufficient controls in place in relation to their use of AI systems.

To avoid facing financial penalties and to help promote trust among your customers and other interested parties, you may want to consider aligning your AI practices and controls with ISO/IEC 42001:2023 (ISO 42001). ISO 42001 is the world’s first Artificial Intelligence Management System (AIMS) standard, providing organisations of all sizes with a clear structure to support the secure and ethical design, development, deployment and use of AI systems.  

What is ISO 42001? 

ISO/IEC 42001 is the international standard for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within your organisation.

In broad terms, an AI system can be defined as a tool or technology that uses data and algorithms to replicate human intelligence. The most common AI systems that people use are generative AI systems, such as ChatGPT, which are used to create new content based on user prompts. ISO 42001 is concerned with addressing the challenges tools such as these create, including transparency, as well as security and ethical concerns.

Benefits of ISO 42001 Certification 

Meeting the requirements of ISO 42001 demonstrates to interested parties (such as employees, customers and suppliers) that your organisation's use and/or development of AI systems follows best practice guidelines. These guidelines cover various perspectives including security, ethics and privacy. It also helps your organisation comply with your legal and regulatory requirements in relation to the use of AI, including the recently published EU AI Act.

Other benefits of ISO 42001 certification include:  

  • Providing a clear and consistent approach to the identification, analysis and treatment of AI risk.

  • Helping embed security and ethical considerations across the AI system life cycle.

  • Introducing the requirement to conduct regular independent audits of your AIMS, which results in improved trust with all relevant interested parties including customers, suppliers, regulators and employees.

  • Providing a systematic approach to establishing and managing the impacts associated with the use and/or development of AI systems.

  • Promoting the development of AI systems in a sustainable and environmentally friendly manner.

  • Generating and maintaining awareness amongst staff, including those involved in development activities, on key topics such as AI security, data privacy considerations, and ethical best practices.

  • Facilitating alignment with UN Sustainable Development Goals.

Key Requirements of ISO 42001 

ISO 42001 is structured in a similar way to many of the ISO standards. There are the mandatory clauses 4-10, which form the basis of all the controls and processes that you must put in place to align with ISO 42001 requirements. These clauses are as follows: 

Clause 4: Context of the Organisation 

Organisations wishing to achieve and maintain ISO 42001 certification must identify internal and external issues relevant to their AIMS, as well as all interested parties and their needs and expectations. The scope of the AIMS must also be clearly defined and subject to regular review. 

Clause 5: Leadership 

Top management must play an active role in the implementation, management and continuous improvement of the AIMS. This includes putting in place an AI Policy and ensuring it is communicated to all stakeholders. Top management must also define and communicate roles, responsibilities and authorities relevant to the AIMS, as well as demonstrate ongoing commitment to continuous improvement of the AIMS and meeting all relevant legal and regulatory requirements. 

Clause 6: Planning 

Processes must be put in place to identify and manage any risks or opportunities resulting from the AIMS. A methodology for doing so must be defined and followed, as well as putting in place SMART objectives. A methodology for conducting AI system impact assessments must also be defined and followed.

Clause 7: Support 

Controls must exist to ensure that there are sufficient resources in place for the AIMS to achieve its intended outcome. Those involved in the ongoing management of the AIMS must also be sufficiently competent to perform their duties, and training gaps must be addressed in a prompt manner. Regular awareness activities must take place to ensure all relevant individuals are made aware of the AI Policy and what their responsibilities are in helping meet the requirements of the AIMS. Internal and external communication requirements must also be defined, and processes must be put in place to control documented information. 

Clause 8: Operation 

Success criteria for all of the processes that make up the AIMS must be defined, measured, and closely monitored. AI system impact assessments, risk assessments and risk treatment plans must take place in accordance with the defined methodologies and on a regular basis.  

Clause 9: Performance Evaluation 

The performance of the AIMS must be continuously evaluated and monitored. This must take place using a combination of internal audits and management reviews. Metrics must be defined and monitored to measure and evaluate AIMS performance.  

Clause 10: Improvement 

The AIMS must be continuously improved. Where nonconformities have been identified, clear processes must be in place to respond to the nonconformity and plan and implement the required corrective actions. The effectiveness of any corrective actions must be closely monitored, and a root cause analysis must be performed to prevent future recurrence of similar issues.

Which ISO 42001 Clauses are Mandatory? 

Clauses 4-10 are mandatory requirements for all organisations wishing to achieve and maintain ISO 42001 certification. The decision as to what controls your organisation uses to manage AI risk is entirely up to you, as long as any identified risks are being correctly managed. Organisations may choose to implement particular controls based on how they help them meet a legal or regulatory requirement, or to manage a risk identified as part of the risk assessment.

Annex A 

Annex A of the ISO 42001 standard outlines some suggested controls to implement that your organisation may choose between. The implementation of controls from Annex A is not mandatory – organisations may choose to use any control framework they deem suitable. Annex A of ISO 42001 is built upon the following control areas:

  • A.2 Policies related to AI 

  • A.3 Internal organisation 

  • A.4 Resources for AI systems 

  • A.5 Assessing impacts of AI systems

  • A.6 AI system life cycle 

  • A.7 Data for AI systems 

  • A.8 Information for interested parties of AI systems 

  • A.9 Use of AI systems 

  • A.10 Third-party and customer relationships 

Annex B 

Annex B of the ISO 42001 standard provides implementation guidance for the controls listed in Annex A. Again, there is no requirement for organisations to follow these guidelines, nor is there any requirement to implement the Annex A controls.

Annex C 

Annex C of the ISO 42001 standard outlines some potential AI-related organisational objectives and risk sources. The definition and monitoring of AI objectives is a mandatory requirement, and Annex C provides a useful starting point in setting objectives in key AI-related areas such as accountability, fairness and privacy.

The ISO 42001 Certification Process 

To achieve ISO 42001 certification, you must perform various activities in a sequential order to ensure implementation and audit success. Below, we’ve outlined our methodology, which is split across five phases. 

Phase 1: Context Establishment 

Bridewell will build up an understanding of your organisation, its people, its AI systems and its existing controls and processes. A gap analysis will be undertaken to evaluate your organisation's current controls and processes against the requirements of ISO 42001. The scope and context of your AIMS, which will form the nucleus of the entire implementation project, will be agreed during this phase.

Phase 2: System Impact and Risk Assessment  

Phase two will focus on identifying all AI systems used within your organisation and performing an impact assessment on each of these systems. We will also undertake workshops to identify, analyse, evaluate and treat all AI-related risks within your organisation. These assessments will help identify what controls must be put in place during phase 3 to manage all AI risks within your organisation. Data Privacy Impact Assessments (DPIAs) will also be undertaken on any AI systems that process personal data.

Gartner have published the AI TRiSM framework, which provides a structured approach to the management of AI risk and helps ensure organisations adhere to applicable data privacy legislation. NIST have also created the Artificial Intelligence Resource Centre (AIRC), which includes the AI Risk Management Framework (AI RMF 1.0) to better manage AI risks to individuals, groups of individuals, and societies.

Phase 3: Control Implementation 

This will be the bulk of the implementation project where all the controls required to manage the AI risk(s) identified will be designed and implemented. This phase of the project is resource intensive and will require active involvement from stakeholders across your organisation ranging from developers to AI researchers, right the way through to senior management.  

Phase 4: Internal Audit 

To evaluate the implementation of the controls put in place during phase 3, an internal audit must be performed. This audit will be performed by an auditor who is completely independent from the implementation of the controls to ensure impartiality. A detailed audit report will be provided breaking down the findings for each control, and proposing suggested remedial actions where required. The completion of internal audits is a mandatory requirement of ISO 42001. 

Phase 5: External Audit 

When the AIMS is ready for the certification audit, we will work closely with you to ensure you are fully prepared and will support with the selection of a competent auditor. We will provide support throughout the duration of the external audit by attending any interviews and mentoring auditees on what is expected from them during any sessions they need to attend.  

Maintaining ISO 42001 Certification 

The ongoing management and continuous improvement of an AIMS is crucial. The AI threat and regulatory landscape is constantly changing, and having processes in place to review and improve security controls is crucial to maintain compliance and manage AI risk. Organisations must ensure that all stakeholders are made aware of the importance of continuous improvement and provide them with a means of identifying, planning and implementing improvement opportunities. Such improvements may include adding new controls or enhancing existing controls. Regardless of what improvements are made, the overall focus should be on maturing the capabilities of the AIMS.

Overcoming Implementation Challenges 

There are a number of common challenges and pitfalls that organisations need to be wary of when attempting to achieve ISO 42001 certification. These include:

  • Lack of expertise internally in relation to the requirements of ISO 42001 and how to implement all of the necessary controls. 

  • Lack of oversight or control over AI systems used within the organisation. It can be difficult to complete system impact assessments and risk assessments on AI systems that you don't have visibility of within your organisation. For example, do you have sufficient vendor management or shadow IT controls in place to prevent unauthorised AI systems being downloaded or procured?

  • There may be a fear of AI amongst staff or a resistance to change. These cultural issues may negatively impact your ability to embed the necessary controls to manage AI risk and meet the requirements of ISO 42001.

  • There may be a lack of internal skills, experience and competence to be able to implement and manage all of the required controls.  

  • Implementing all of the required controls can be resource intensive from a time, cost and effort perspective.  

  • AI-related laws and regulations must be taken into consideration throughout the implementation project to ensure success. Organisations must be fully aware of what laws they must comply with across all of the regions and jurisdictions they operate from. Failure to do so may result in heavy financial penalties and fines.

How to Prepare for ISO 42001 Certification 

To ensure a successful outcome in your ISO 42001 certification audit, you must consider the following as high priority activities:  

  • Ensure buy-in from top management. Their commitment and ongoing support for the project is essential in ensuring that sufficient resources are made available and that roles and responsibilities are assigned and clearly understood.

  • Fully understand the requirements of the ISO 42001 standard. Ensure that there is a full comprehension as to what controls must be put in place and what documentation is required – there should be no guessing done.  

  • Set realistic goals and timelines for ISO 42001 certification. Outline the key tasks to be achieved and their priority, and plan what resources are needed to complete those tasks. Failure to plan properly will typically result in project delays or issues.  

  • Get active involvement from staff across the organisation. Making staff feel included in the implementation process is key to promoting a pro-AI culture within your organisation.  

  • Provide sufficient resources to ensure project success. This includes making the right people available to manage and support with the project. It also includes providing budget for new tools and technologies to help manage AI risk or allowing staff to complete additional training to ensure they have sufficient competence to perform their role within the AIMS correctly. 

  • Don’t be afraid to ask for external assistance. If you lack the resources or capability to follow the above process internally, it may be worth using a third party. At Bridewell, we have experience across domains to help your organisation understand and adhere to the requirements of ISO 42001. Our team of consultants are vastly experienced in helping organisations align with various standards and frameworks including ISO 22301, ISO 27001, and the CAF.

Choosing the Right Certification Body 

If you’re aiming for ISO 42001 certification, you must ensure you choose the right certification body. The certification body you choose must be accredited by a recognised national accreditation body to ensure your certification is valid. Choosing an accredited body gives you the confidence that these auditors are genuine, competent and independently assessed for quality. When choosing a certification body, research their reputation online and reviews provided by similar organisations to yours.

Ready to start your ISO 42001 certification process? Get in touch with our team.