May 14, 2024

Last Updated on May 15, 2024

From virtual assistants to self-driving cars to ChatGPT, AI is rapidly reshaping how we conduct our work and personal lives. But realizing AI's benefits while avoiding its security, privacy, and ethical pitfalls requires robust governance mechanisms.

Published in December 2023, ISO 42001, “Information technology – Artificial intelligence – Management system,” is the first AI management system standard. Offering indispensable guidance for this highly dynamic technology, ISO 42001 directly addresses AI’s unique governance challenges and considerations at its current developmental stage—helping organizations to manage AI risks and maximize innovation opportunities in a best-practice manner.

This article explains what ISO 42001 offers for companies that develop and/or use AI, and shares insights on early adopters pursuing ISO 42001 alignment or certification today.


What are the ISO 42001 requirements?

Like ISO 27001, ISO 42001 includes seven clauses (4 through 10) that define the AI management system requirements and describe 39 AI-specific controls to support those requirements. ISO 42001 also provides broad implementation guidance beyond just describing the requirements.

ISO 42001 further parallels ISO 27001 by guiding organizations to define and comply with internal as well as external stakeholder requirements. These requirements can come from customers, suppliers, users, your board, investors, regulators, etc., as well as a company’s objectives for leveraging AI.

At first glance, ISO 42001 might seem simplistic or lightweight compared to ISO 27001, because it defines only 39 controls. But for businesses that don’t yet have a formal AI governance program, implementing ISO 42001 is likely to present unique challenges and demand new expertise.

The ISO 42001 requirements cover these key areas of AI lifecycle governance from design through operation:

  • Leadership—Senior management must demonstrate top-down commitment to the AI management system (AIMS) and establish policies and strategies for using and managing AI.
  • Planning—Organizations need to assess their AI risks, describe their AI strategic opportunities and goals, and document a plan for moving forward responsibly with AI.
  • Support—A central aspect of any ISO management system construct is to document and provide the resources needed to support the AIMS, such as user training and internal communication about AI governance.
  • Operation—To manage AI risk, organizations must put the appropriate processes in place to develop, deploy, and maintain AI systems in line with best practices.
  • Performance evaluation—Is the AI system meeting the goals set for it? To govern AI systems you need to monitor, measure, and evaluate their performance so you know when to take remedial action.
  • Continuous improvement—Like other ISO management systems, ISO 42001 emphasizes continuous improvement to ensure the AIMS remains effective and up to date with risks and the environment.


Benefits of ISO 42001 certification

While gaining and maintaining ISO 42001 certification requires significant effort and frequent audits, the benefits will be worth it for many organizations. These include:

  • Competitive advantage as an early adopter of responsible AI governance practices.
  • Enhanced stakeholder trust in the organization’s development and/or use of AI.
  • The ability to systematically mitigate AI risks and protect the organization and its stakeholders from financial, reputational, and/or personal harm.
  • Cost savings through streamlined AI activities, reduced likelihood of major risks manifesting and impacting the organization, and protection from legal and reputational damage due to AI failures.
  • Better performance, reliability, accuracy, quality, transparency, security, and privacy compliance for AI applications/models.
  • Improved ability to achieve, maintain, and show regulatory compliance and management of AI risk.


[Figure: Benefits of ISO 42001, a comparison]

What organizations are looking to comply with ISO 42001 today?

The number of companies seeking ISO 42001 compliance is growing rapidly, as early adopters proactively anticipate regulations and claim competitive advantage in a wide range of verticals.

Many of these frontrunners fall into one or more of these categories:

  • They are developing what the EU AI Act calls “high risk” AI systems, which require robust risk management, impact assessment, usage oversight, data governance, privacy compliance, etc.
  • They are established market leaders looking to manage AI use alongside other mature business processes.
  • They need or want to demonstrate to clients, investors, their boards, and other stakeholders that their AI adoption is holistically governed and independently audited.
  • They fit in one of the above categories and already have an ISO 27001 and/or ISO 9001 management system construct in place.

Other organizations that should consider a proactive approach to AI risk management include:

  • Companies that outsource sensitive data and services to AI-driven third-party applications and service providers. These companies need to evaluate whether that technology has been designed and implemented in an ethical and risk-attentive manner.
  • Companies whose software development organizations have adopted AI technologies, such as AI-assisted coding tools or API-based AI functionality, to improve efficiencies and deliver AI-assisted solutions to clients. These third-party tools can potentially introduce significant application security risk.

Emerging AI regulations and guidance like the Biden Administration’s AI executive order may apply not just to companies that are developing, deploying, and/or selling AI systems or products, but also those that only use those AI products.

Whatever your current AI use and strategy, especially if you operate in a regulated industry, you may want to consider developing an AI use policy. Taking this step, together with the proactive approach to AI risk management described above, will help you identify and address your AI risks before they manifest in negative outcomes or create compliance hurdles.

What’s next?

For more guidance on this topic, listen to Episode 136 of The Virtual CISO Podcast with guest Ariel Allensworth, Senior GRC Consultant at CBIZ Pivot Point Security.