Last Updated on September 29, 2025
Artificial intelligence (AI) usage is exploding to the point where nearly every business now consumes it, and many are developing it or extending it within their own offerings. As a result, many organizations will benefit from either demonstrating, or being shown by their suppliers, that the AI they work with is being developed and used responsibly and ethically.
ISO 42001:2023, Information technology – Artificial intelligence – Management system is a global standard that specifies 38 controls for establishing, implementing, maintaining, and continuously improving an Artificial Intelligence Management System (AIMS). Its goal is to help organizations that provide and/or utilize AI-based products or services to “proceed with caution” and ensure responsible AI development and use long-term.
What is ISO 42001, how is it being used, and how can it benefit your organization? This article shares best-practice guidance from ISO 42001 consultants and auditors.
Key takeaways
- ISO 42001, the first global AI management system standard, provides a framework for responsible and trustworthy AI use.
- A key benefit of ISO 42001 is that organizations can receive a third-party compliance certification.
- Other benefits of ISO 42001 compliance include enhanced trust in AI systems, reduced AI-related risk, enhanced AI data quality, and the ability to balance innovation and governance.
- ISO 42001 defines 38 controls grouped within 9 control objectives. The standard is structured much like ISO 27001 and some other ISO management system standards.
- The scope and controls for an ISO 42001 implementation revolve around the roles (e.g., AI Customer, AI Producer) that an organization determines are relevant to its AI management system.
- Adopting ISO 42001 can benefit any organization that develops, provides, and/or uses AI. Many adopters are AI developers and service providers that offer AI systems and tooling to AI users.
Why is ISO 42001 important?
As the first AI management system standard, ISO 42001 offers relevant guidance to anyone trying to navigate this fast-changing technology arena. It seeks to give organizations a structured yet flexible framework to manage AI’s unique risks (e.g., transparency, ethics, and bias) so they can balance innovation and opportunities with effective governance.
ISO 42001 is applicable to firms of all sizes and sectors that develop, provide, and/or use AI products or services. It is relevant across the full spectrum of AI applications and usage contexts.
An important advantage of ISO 42001 is that you can receive a certification of compliance for your AIMS from an accredited certifying body following a rigorous audit of your AI processes. Valid for three years with annual surveillance audits, an ISO 42001 certification gives stakeholders peace of mind that your AI usage is ethical, transparent, secure, and aligned with best practices.
How does ISO 42001 benefit AI ecosystem partners?
Some of the main benefits of implementing ISO 42001 compliant processes or achieving ISO 42001 certification include:
- Demonstrating the ethical and responsible use of AI with a third-party compliance attestation.
- Enhancing trust in AI applications and reducing AI-related reputational risk.
- Support for legal and regulatory compliance (e.g., the EU AI Act) and alignment with voluntary frameworks such as the NIST AI Risk Management Framework.
- Improved AI risk management.
- Enhanced AI data quality.
- Alignment with sustainable AI practices.
- Empowering innovation within a governance framework.
What are the ISO 42001 controls and control objectives?
Like ISO 27001, ISO 42001 includes an Annex A, which specifies 38 controls grouped under 9 control objectives. These control descriptions cover specific processes that businesses should consider operationalizing to manage AI risk.
ISO 42001 control objectives categorize important AI management system activities. These include:
- AI policies (and their alignment with other organizational policies, such as information security)
- AI accountability and reporting
- AI system resources (data, IT tools and services, AI staffing/roles)
- AI impact assessment
- AI system lifecycle management
- Data for AI systems
- Communication with AI stakeholders
- Third-party relationship/risk management (customers, partners, suppliers, SaaS providers)
- Responsible use of AI systems
A critical aspect of achieving ISO 42001 certification is rationalizing which of the 38 controls are applicable and should be implemented based on the organization’s AI role(s), business needs, and risk profile. Not every control applies to every organization, and, as with ISO 27001, the justification for including or excluding each control is documented in a Statement of Applicability.
What is an AIMS?
ISO 42001 defines an AIMS as a set of coordinated organizational processes that establish and seek to achieve specific requirements, policies, and objectives around responsible AI development, provisioning, and/or use. The goal of any ISO 42001 program is to build, operationalize, maintain, and continually improve the organization’s AIMS.
ISO 42001 was designed to integrate with or synergistically support other ISO management system standards/implementations, such as ISO 27001 for information security management. The AIMS guidance follows a parallel structure to ISO 27001, including using common terminology and the same high-level clause structure and headings.
As with ISO 27001 and some other ISO management system standards, Clauses 1 through 3 of ISO 42001 (scope, normative references, and terms and definitions) lay the groundwork and Clauses 4 through 10 contain the requirements; the control objectives and controls themselves sit in Annex A. Beyond Annex A, ISO 42001 shares a range of valuable AIMS guidance in its Annexes B, C, and D, including implementation guidance for the controls, potential AI-related organizational objectives and risk sources, and considerations for using an AIMS across domains and sectors.
Table 1 lists Clauses 4 through 10 and their corresponding descriptions:
| Clause | Title | Description |
|---|---|---|
| Clause 4 | Context of the Organization | Determine the organization’s AI role(s), establish the AIMS scope, and identify interested parties and their requirements. |
| Clause 5 | Leadership | Show top-down commitment to establishing AI policy, building AI controls into business processes, allocating needed resources, and communicating the AIMS’ value to employees and other stakeholders. |
| Clause 6 | Planning | Assess AI risks and opportunities, assess AI system impacts, and set AIMS objectives with a plan to achieve them. |
| Clause 7 | Support | Determine the resources, competencies, awareness, communication, and documented information the AIMS needs. |
| Clause 8 | Operation | Implement and control the processes needed to meet AIMS requirements, including AI risk assessment, risk treatment, and AI system impact assessment. |
| Clause 9 | Performance Evaluation | Monitor, measure, analyze, and evaluate AIMS performance and control effectiveness, including internal audit and management review. |
| Clause 10 | Improvement | Continually improve the AIMS, and identify, document, and correct nonconformities through corrective action. |
What are roles in ISO 42001?
As with other ISO standards that define ecosystem roles, such as ISO 27701 (PII controllers and processors) and ISO 27017 (cloud service customers and providers), ISO 42001 implementation guidance and direction start with AI organizational roles. As specified in Clause 4.1, a company’s AI role(s) shape the internal and external factors that influence AIMS scope and objectives—and thus the control requirements for certification.
AI roles affect an organization’s AI risks, responsibilities, and accountability within the AI lifecycle. Understanding roles also supports collaboration among different entities in the AI supply chain.
The roles that organizations most typically include within their AIMS scope include:
- AI Customer/User—a business that utilizes AI system outputs and capabilities.
- AI Provider—a business that supplies products or services that use one or more AI systems (e.g., an AI platform or AI service provider).
- AI Producer—a business that designs, develops, tests, and deploys AI systems or AI-based products and services, often building on components from AI Providers and AI Partners.
- AI Partner—a business that provides supporting AI services but does not have full control over an AI offering’s behavior. Examples of the AI Partner role include vendors of AI system components (e.g., libraries, APIs), firms that provide data for training AI, AI consultants, or companies that integrate third-party AI services for clients.
Other roles that may be in scope less frequently for companies seeking ISO 42001 certification include:
- AI Subject—Individuals or groups that are subject to AI processing activities and/or impacted by AI system outcomes. Common AI Subject scenarios include a loan applicant whose financial data is processed by an AI system, or a healthcare patient impacted by AI decisions around diagnostics.
- AI Relevant Authority—an organization that supports AI governance and responsible use, including regulatory compliance and alignment with industry best practices. Examples include regulators and lawmaking bodies; internal functions such as compliance officers and AI ethics committees often play a comparable role within an organization.
Many companies fit multiple AI roles. For example, a firm that builds AI systems (an AI Producer) typically also consumes AI tooling in its own software development lifecycle (an AI User). Similarly, a SaaS provider may be an AI Customer of the AI services it consumes from its public cloud hosting platform, as well as an AI Provider to its own customers.
ISO 22989, Information technology – Artificial intelligence – Artificial intelligence concepts and terminology, provides more details on AI ecosystem roles, as well as other AI terminology and concepts.
Should our organization consider ISO 42001 certification?
ISO 42001 certification or alignment can potentially benefit any organization that develops, provides, and/or uses AI—which today is nearly every business. While ISO 42001 adoption is a strategic decision and not a regulatory requirement, strong motivating factors include:
- Customers, prospects, and other stakeholders voicing concerns around how AI is being managed currently.
- Significant risk of potential compliance problems, data breaches, reputational damage, and/or other looming issues.
- A market requirement to demonstrate mature AI risk management practices.
- Operating in a highly regulated industry like financial services, healthcare, or EdTech.
- A business goal to establish internal best practices for AI use.
- A goal of gaining competitive advantage through responsible AI governance and use.
In practice, many businesses prioritizing ISO 42001 certification are AI developers and service providers that create, modify/extend, and deliver AI systems and tools to AI users. These firms face a wider spectrum of AI risk, and the associated financial and operational exposure; hence they stand to benefit the most from stronger AI oversight, clearer accountability, and repeatable, documented AI lifecycle processes.
Broad market pressure to demonstrate best-practice AI risk management is also creating a tailwind for ISO 42001 adoption. Notably, Microsoft’s Supplier Security and Privacy Assurance (SSPA) program now makes ISO 42001 certification mandatory for AI suppliers that provide AI systems or services with “sensitive use” cases, such as potential legal or human rights impacts.
What’s next?
For more guidance on this topic, listen to Episode 153 of The Virtual CISO Podcast with guest Danny Manimbo, ISO & AI Practice Leader at Schellman.