Publication date: April 9, 2024

What is ISO 42001- Artificial Intelligence Management System and How to Prepare for an Audit or Assessment? Part I. 

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and board member, and treasurer at the CIO Council of South Florida.

In December 2023, the introduction of ISO 42001 marked a significant step towards guiding organizations in the responsible engagement with Artificial Intelligence (AI) systems. This standard is designed to address the unique challenges posed by AI, including opaque decision-making processes, the shift from human-coded logic to data-driven system design, and the adaptive behaviors of AI systems during their operational life. 

What is ISO 42001

According to iso.org, it is an international standard that provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an AI management system (AIMS), focusing on: 

  • Setting organizational objectives, engaging stakeholders, and developing policies. 
  • Managing risks and seizing opportunities. 
  • Ensuring the trustworthiness of AI systems throughout their lifecycle, emphasizing security, safety, fairness, transparency, and data quality. 
  • Overseeing relationships with suppliers and third parties involved in AI system development or provision. 

The format of ISO/IEC 42001:2023 is harmonized with other ISO management system standards: the mandatory requirements follow the Clauses 4-10 structure, and the controls are listed in Annex A. 

Key Details on Mandatory Requirements (Clauses 4-10) 

Scope Statement 

As with any other ISO management system standard, the following components are to be documented in the scope statement: 

  1. Intended purpose of the AI system(s). 
  2. External and internal context, issues, and stakeholders. 
  3. Any applicable legal requirements, including prohibited uses of AI (if no prohibitions exist, state explicitly that your organization has no specific prohibitions). 
  4. Contractual obligations (for example, clients expect your company to meet security, privacy, and explainability requirements for the service or product). 
  5. Policies, guidelines, and decisions from regulators that affect the interpretation or enforcement of legal requirements in the development and use of AI systems. 

AIMS Manual 

This is a special ‘catch all’ comprehensive guide to align with the necessary documentation requirements for specific clauses of the framework, effectively addressing audit prerequisites.   

The Roles and responsibilities section of the AIMS manual delineates clear roles and responsibilities across various stakeholders: 

  • AI Providers: Encompassing AI platform providers, AI product or service providers. 
  • AI Producers: Including AI developers, AI designers, AI operators, AI testers and evaluators, AI deployers, AI human factor professionals, domain experts, AI impact assessors, procurers, AI governance and oversight professionals. 
  • AI Customers & Users: Detailing the engagement and expectations. 
  • AI Partners: System integrators and data providers. 
  • AI Subjects: Data subjects and affected individuals. 
  • Authorities: Policymakers and regulators, ensuring compliance. 
  • Data Obligations: Roles like PII processor/controller, dictated by data categories handled. 

Also, a role can be determined by obligations attached to the categories of data the organization processes (e.g., PII processor or PII controller when processing personally identifiable information). 

AIMS objectives and associated metrics for the scope of the AIMS. Focus on the top 3-5 objectives and then build the associated metrics for the AIMS. These must be customized to the scope of the AIMS. 

Specific to metrics, ensure that the metrics documentation explicitly includes: 

a) What needs to be monitored and measured, and the methods used to obtain the metrics (inputs, calculations, outputs), so that results are valid and consistent. 

b) Evidence that the metrics are reviewed, and that the metrics and the program improve over time. 

Training- Outlines the AI scope-specific training provided, including methods for maintaining training records and evidence. 

Documented Information- Adheres to ISO requirements for maintaining essential documents, including policies, AIMS audit artifacts, and other mandatory documentation. Focus on key areas such as access control to the document repositories, version control, consistent formatting, and annual reviews. These practices uphold compliance and contribute to the efficiency and reliability of the management system. 

Operational Planning and Control – Encapsulates the processes of planning, implementation, and oversight within the organization. This involves conducting annual risk assessments, executing independent internal audits, and convening periodic AIMS Steering Committee meetings for comprehensive reviews of the AIMS program. It also covers the documentation and reporting of corrective action plans. Of particular importance is the review of planned changes, whether discussed in the change advisory board (CAB) or the Steering Committee, and the explicit acknowledgment of the consequences of unintended changes, as set out in the AIMS Manual and/or the AIMS Steering Committee Charter. 

Corrective Action Plan (CAP) and Process 

Document your process to handle non-conformities and opportunities for improvement (OFIs). Implement a dedicated tracker with the suggested fields below: 

  • Finding type (Minor Non-conformity, Major Non-conformity, or OFI) 
  • Description 
  • Root Cause 
  • Recommendation 
  • Action to address finding 
  • Owner 
  • Due Date 
  • Notes of review and progress of finding 
  • Remediation effectiveness 

The CAP and risk register should undergo discussion during regular Steering Committee meetings, with documented evidence of review provided afterward. It is imperative to ensure the CAP remains updated and reflective of current circumstances. 

AI Governance Policy 

Document an AI Governance policy tailored to the organization’s scope. The policy should include the following sections: 

  • Authorized Use of AI 
  • Responsible Use of AI 
  • Ethical Considerations 
  • Data Privacy and Security Considerations 
  • Monitoring and Compliance of AI Policy 

Training evidence on the policy needs to be maintained for the ISO audit. Also ensure that the policy states the contribution of in-scope employees and contractors to the effectiveness of the AIMS, the benefits of improved AI performance, and the consequences of non-compliance with the policy. 

AI Risk Assessment 

When conducting risk assessments, particularly for AI systems, it is crucial to define the scope meticulously. Consider elements such as data, tooling, hosting locations, models, access protocols, and outputs as integral components within this scope. 

Once the scope is established, identify inherent risks, encompassing cyber, privacy, development, and machine learning operations (MLOps) risks. Then determine the controls necessary to mitigate these risks, referencing Annex A and evaluating their design effectiveness. This process reveals the residual risks, completing the risk assessment. 

For ISO engagements, ensure a comprehensive risk assessment methodology is in place, outlining risk management and treatment strategies. Document risks in a Risk Register or within the CAP. Additionally, for ISO 42001 compliance, factor in the results of the AI System Impact Assessment, mapping controls to Annex A appropriately. 
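The sequence above (scope elements, inherent risk, Annex A controls rated for design effectiveness, residual risk, impact assessment input, and escalation to the CAP) can be made concrete in a small risk register. The following Python is an added example written for this article, not code from the author or from the standard; the Annex A references, the effectiveness ratings, the risk appetite, the rule that halves the tolerance for risks flagged by the AI system impact assessment, and the multiplicative combination of control effects are all assumptions, and the sample risks are constructed.

```python
"""Added example: a minimal AIMS risk register. All control references, ratings
and sample risks are constructed placeholders, not text from ISO/IEC 42001."""
from dataclasses import dataclass, field
from enum import Enum
from math import prod


class Category(str, Enum):
    """Inherent-risk categories named in the risk assessment step."""
    CYBER = "cyber"
    PRIVACY = "privacy"
    DEVELOPMENT = "development"
    MLOPS = "mlops"


@dataclass
class Control:
    """A mitigating control and the outcome of its design-effectiveness review."""
    ref: str                     # Annex A reference; placeholder values below, not the standard's text
    description: str
    design_effectiveness: float  # 0.0 = no reduction, 1.0 = fully mitigates (assessor's rating)

    def __post_init__(self):
        if not 0.0 <= self.design_effectiveness <= 1.0:
            raise ValueError(f"{self.ref}: design_effectiveness must be within 0..1")


@dataclass
class Risk:
    risk_id: str
    category: Category
    scope_element: str   # data, tooling, hosting, model, access or output (the scope elements above)
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)
    impact_assessment_flag: bool = False  # True when the AI system impact assessment found consequences for people

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{self.risk_id}: {name} must be 1..5")


def inherent_score(risk: Risk) -> int:
    """Inherent risk on a 5x5 matrix, before any control is applied."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Residual risk after controls. Assumption: each control independently removes
    its rated fraction of the remaining risk, so the reductions multiply."""
    remaining = prod(1.0 - c.design_effectiveness for c in risk.controls)  # empty product is 1.0
    return inherent_score(risk) * remaining


def risks_needing_treatment(register: list[Risk], appetite: float = 6.0) -> list[dict]:
    """Return CAP entries for risks above appetite. Assumption: where the impact
    assessment flagged consequences for individuals or society, tolerance is halved."""
    entries = []
    for risk in register:
        residual = residual_score(risk)
        threshold = appetite / 2 if risk.impact_assessment_flag else appetite
        if residual > threshold:
            entries.append({
                "risk_id": risk.risk_id,
                "category": risk.category.value,
                "inherent": inherent_score(risk),
                "residual": round(residual, 2),
                "threshold": threshold,
                "controls": [c.ref for c in risk.controls],
                "action": "treat: add or strengthen controls, then re-rate",
                "owner": None,      # assigned at the Steering Committee review
                "due_date": None,
            })
    return entries


def build_sample_register() -> list[Risk]:
    """Constructed sample data for illustration only."""
    return [
        Risk("R-01", Category.CYBER, "data",
             "training data store reachable without authentication", 4, 5,
             controls=[Control("A.x.1 (placeholder)", "role-based access to data stores", 0.8),
                       Control("A.x.2 (placeholder)", "encryption at rest", 0.5)]),
        Risk("R-02", Category.PRIVACY, "data",
             "PII used in training without a documented lawful basis", 3, 5,
             controls=[Control("A.x.3 (placeholder)", "data minimisation review", 0.5)],
             impact_assessment_flag=True),
        Risk("R-03", Category.MLOPS, "model",
             "no drift monitoring on the production model", 4, 3),
        Risk("R-04", Category.DEVELOPMENT, "output",
             "model outputs shown to users without a human review path", 2, 2,
             impact_assessment_flag=True),
    ]


if __name__ == "__main__":
    for entry in risks_needing_treatment(build_sample_register()):
        print(entry)
```

Running the module prints the three constructed risks that exceed the assumed appetite: R-02 and R-03 on residual score alone, and R-04, whose residual of 4 would be tolerable on its own but crosses the halved threshold because the impact assessment flagged it. That last case is the point of feeding the AI system impact assessment into the risk treatment rather than keeping the two documents separate.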

AI System Impact Assessment 

Like a Data Protection Impact Assessment (DPIA) performed under the General Data Protection Regulation (GDPR), the AI system impact assessment seeks to identify: 

  • The purpose of the AI system 
  • The potential consequences for individuals, groups of individuals, and society within the AI scope 
  • The potential consequences of the AI system’s deployment, intended use, and foreseeable misuse 
  • For scopes that require the review of Safety, Privacy and/or Security considerations of the AI system(s), additional documentation on how Safety, Privacy and Security considerations are assessed, and their impact shall be documented. 

AIMS Internal Audit 

An annual internal audit needs to take place, performed by personnel independent of the departments and people in scope, to ensure objectivity. 

The following artifacts are to be produced for the audit: 

  • AIMS Internal Audit Charter- defines frequency, methods, responsibilities, planning and reporting requirements. 
  • AIMS Internal Audit Work program – details about the test procedures and status of tests (supports the internal audit report) 
  • AIMS Internal Audit Report – report that includes Major or Minor Non-conformities and OFIs (Opportunities for improvement). The scope of the audit, timing and auditor should be documented in the report. 

Conclusion 

Preparing for an ISO 42001 audit involves a thorough understanding of the standard’s requirements, a comprehensive documentation process, and a commitment to continual improvement. This guide offers a streamlined approach to navigating the complexities of an AI management system, so that organizations can meet the standard’s demands effectively and responsibly. 

Stay tuned for the next installment, focusing on preparation for an audit or review of Annex A controls for the AIMS. 
