Implementing and Certifying to ISO 42001

Neil Jones, Senior Consultant at URM
Published on 05 June 2026

Summary

Neil Jones, Senior Consultant at URM, uses this blog to explore how organisations can successfully implement ISO 42001.  He outlines the practical steps involved in establishing an AI Management System (AIMS) and highlights the key ways in which the standard differs from other ISO frameworks.  He examines common challenges, such as defining scope, embedding governance, and aligning policy with practice, while emphasising the importance of meaningful AI risk and impact assessments.  The blog provides a clear, practical perspective on how to move from theory to implementation in achieving ISO 42001 certification.

Over the last few years, the field of artificial intelligence (AI) has developed at an unprecedented rate, in terms of both technological advances and pervasiveness across the business landscape.  There has been considerable discussion and media scrutiny around how AI is governed, with recent years seeing near constant headlines relating to AI systems or uses of AI that are considered unethical, unreliable, inaccurate, biased, not appropriately secure, etc.  In this context, getting AI governance wrong can lead to significant reputational damage, erosion of customer trust, legal liability, and ultimately a loss of competitive advantage in an increasingly AI driven market.

This is what ISO 42001:2023, the International Standard for AI management systems (AIMS), aims to address.  It provides a framework that organisations developing, providing or using AI systems can implement to manage the risks and opportunities presented by AI, ensure ethical and responsible practices, and assure clients of the in-scope AI systems’ trustworthiness.

Where ISO 42001 Differs from Other Management System Standards

ISO 42001 uses the Harmonized Structure shared by other ISO management system standards, such as ISO 27001, ISO 9001, ISO 14001, etc., with the mandatory requirements set out in the familiar Clauses 4-10.  However, it does include some variations from other management system standards across the following areas:

  • Context / Objectives of the organisation
  • Policy
  • Roles and responsibilities
  • Planning, risk assessment and risk treatment
  • AI system impact assessment
  • Performance evaluation and management review.

While many of these differences are relatively minor, the following sections highlight where ISO 42001 most significantly diverges from other management system standards.

AI risk assessment

Your AI risk assessment can use the same approach as is used for other standards, but there will be significant differences in content, i.e., what you are considering.  AI risks will vary from traditional risks and will include ethical considerations, not just technical ones.  To reflect this, you will need to define AI-specific risk criteria and potentially introduce different tolerances for AI risk than are in place for other areas, such as information security.  Reviewing Annex A of the Standard will help you identify the areas that need to be covered in your ISO 42001 risk assessment, such as lifecycle, data, how AI is being used, stakeholders, third parties, etc.

AI impact assessments (AIIAs)

The artificial intelligence impact assessment (AIIA) represents by far the biggest departure from similar ISO standards.  AIIAs are detailed and substantial, and assess the impacts of AI on individuals, groups, and society as a whole.  Both AI producers and users are required to complete an AIIA (although many organisations will be both).

AIIAs are broken down into 7 key sections (Sections A-G).  The largest of these is Section F – Actual and potential benefits and harms, where you will need to articulate benefits and harms to interested parties against distinct qualities or ‘perspectives’, with these perspectives defining the trustworthiness of the AI system.  The perspectives are grouped into 8 categories:

  • Accountability
  • Transparency
  • Fairness and discrimination (bias)
  • Privacy
  • Reliability
  • Safety
  • Explainability
  • Environmental impact.

Guidance on how to conduct an AIIA is set out in ISO 42005, the supporting standard to ISO 42001.  AIIAs need to be completed at the beginning of an AI project or before an AI system is used, and need to be updated throughout the AI lifecycle.  There is flexibility in how you approach your AIIA, as it can be aligned by system, by organisation, or a combination of the two, and it is similar to an internal audit, but lighter touch.

To learn more about AIIAs, read our blog ISO 42001 Artificial Intelligence Impact Assessments (AIIAs). Meanwhile, our blog on ISO 42001 and AI Perspectives provides a comprehensive breakdown of each AI perspective.

How to Implement ISO 42001

Where do you start?

To implement ISO 42001 and build an AIMS, you must first understand and define how your organisation uses AI, i.e., the systems you build and tools you use.  In our experience, organisations who undertake these discovery exercises are often surprised by how many individuals within the business are using AI, so it is important not to simply assume you already know where AI exists within your organisation.  

It is beneficial to conduct a gap assessment at the earliest stages of the implementation project to identify where you are already conformant with the Standard’s requirements, and any gaps to be remediated.  A decision must also be taken as to whether certification or just conformance is your goal.

In addition, you will need to understand the regulatory and policy requirements and risks that apply to your organisation, such as the EU AI Act.  While ISO 42001 does not mandate that all conformant organisations comply with the EU AI Act, it does require you to understand your regulatory landscape, and the Act’s extraterritorial scope means that even companies outside the EU may need to comply.  Having identified the legal requirements you are subject to, you can then identify which AI uses those requirements treat as high-risk or prohibited, and whether any of your own AI usage falls into these categories.

Following this, you will need to establish a governance framework and ownership, as well as assessing what documentation and evidence you already have.  If you are certified to ISO 27001 or another management system standard, you may already have a governance framework and some of the required evidence.  However, you will almost certainly need to modify your governance framework somewhat for the purposes of ISO 42001 due to the differences in landscapes being considered, and produce further documentation, e.g., a new Statement of Applicability (SoA) that reflects the ISO 42001 control set.  

When establishing, implementing, and maintaining the AIMS, you need to ensure it is aligned with the wider organisation.  This will again be familiar if you are certified to management system standards, such as ISO 27001, with these other standards also requiring you to integrate your management system into business operations, not treat them as a bolt-on.

How does scoping work?

Your scope will depend on your organisation, what best fits the way it wants to certify and where it wants its certification to apply.  We are increasingly seeing ISO 42001 scopes defined around specific products or services, as well as scopes based on particular teams or functions.  These are currently more common than scopes centred on a single location or site.  However, all of these approaches are valid, and you should focus on selecting the scope that makes the most sense for your organisation.  

There are a range of factors that will drive the scope you define, such as customer or regulatory requirements, but also the business information you are willing to subject to auditor scrutiny.  For example, if you have a research and development team, it may be that it experiments with AI in a somewhat unstructured manner and would not be able to meet ISO 42001 requirements; in this case, including such teams in a certification scope may not be appropriate.  However, you would also need to consider how R&D is using and working on AI, the tools and data they are using, etc.  If it is training AI with sensitive data, then this would need to be controlled and therefore brought into scope.  

Can you recycle other management systems?

You can reuse elements of existing management systems within your AIMS, but there are some important considerations to weigh before you decide to do so.  The ownership and responsibilities around day-to-day management of the AIMS, how this fits with your existing management systems, and whether integration of the two makes sense will need to be assessed.  Differences between the scopes of your AIMS and other management system(s) may also dictate that they need to remain separate.  As discussed above, AI risk assessment and management vary quite significantly from other risk types, so you will need to establish whether the risk process used for other standards can handle AI.  It is possible that the nuances of your existing risk processes will not be appropriate for AI, in which case a different approach would need to be taken.

Overall, where most management system standards allow for around 75% reuse during integration, the proportion for ISO 42001 is far lower – more realistically in the 50-60% range.  While the processes are often very similar, what you’re producing can be very different, and the variations between the outputs from management systems might drive you to keep them separate.

Common Pitfalls

Poorly defined scope

While scoping is not an issue entirely unique to ISO 42001, it is particularly important to this standard, where the boundaries of what is and is not in scope are critical.  As such, you need to ensure the boundaries of your scope are clearly defined, with any areas of your business that are not suitable for certification excluded.

It is equally important to avoid defining an overly broad scope, as an AIIA will need to be conducted for each in-scope AI system.  So, by bringing AI systems into scope that are not necessary, you will significantly increase the amount of time, resource and effort that will need to be spent on achieving certification, without adding proportional value.

Weak governance approach

Some ISO 42001 implementations have left internal and external issues insufficiently defined and failed to properly capture stakeholder needs, despite these areas generally requiring much more depth and clarity than in other management system standards.  While both are partly influenced by the defined scope, they should also inform and shape nuances within it, ensuring it reflects your organisation’s broader context.

In addition, many organisations underestimate the extent to which ISO 42001 applies across the business, with limited oversight beyond IT.  In reality, effective AI governance requires cross-functional engagement, with clear accountability and involvement from all relevant areas of the organisation.

Gap between policy and practice

It is not unusual for organisations to produce policies and procedures that do not fully reflect the way work is done in practice.  This is certainly not unique to ISO 42001, but it is always worth calling out, as it presents an immediate red flag to external auditors and consistently leads to findings being raised.  In an ISO 42001 audit, you are not only being assessed against the requirements of the Standard, but also against your own internal policies and procedures, so it is essential that the policies and procedures defined align with day-to-day operational realities.

Objectives not aligned to AI

You must avoid simply reusing objectives you have used for other management systems, such as information security, without at least adapting these to AI. The AIMS spans across every element of the organisation, not just security or technology, and the objectives you define need to reflect that.

Generic or misaligned AI policy

We have seen an over-reliance on templates or AI-generated content in some organisations’ AI policy.  If you do use AI when producing your policy, you must ensure the outputs are carefully reviewed and validated, and that the policy is tailored to your organisation’s context.  An effective AI policy is a must-have.  Even if you do nothing else to govern AI within your organisation, you will at the very least need a clear, practical policy in place that defines what AI tools can be used, how they can be used, and who to engage with if employees need to use AI in ways that fall outside of the defined acceptable use.  For more details on how to produce and what to include within an AI policy, read our blog on Establishing Organisational Control Over Artificial Intelligence.

Insufficient resourcing

This is particularly relevant for organisations with existing teams or individuals managing conformance to other standards, such as ISO 27001, who are already stretched thin by their existing workload.  Adding another standard without providing the appropriate additional resource can lead to reduced effectiveness and an increased risk of non-conformance.  Ensuring that the resources needed for the AIMS are made available by leadership is in itself a requirement for conformance under Clause 5.1 (Leadership and commitment) of the Standard, so such resources need to be clearly set out when planning the AIMS.

Closing Thoughts

AI is rapidly becoming a core business capability, but with that comes a growing expectation that it is developed and used in a way that is reliable, secure, ethical and trustworthy.  Organisations that can demonstrate responsibility and effectiveness in how they develop and deploy AI will be far better placed to realise its benefits, while maintaining confidence among stakeholders.

ISO 42001 enables you to demonstrate this responsibility and provide the assurance clients and partners are increasingly seeking from AI.  However, its success and value ultimately arise from how effectively it is implemented in practice.  Organisations that take a considered, practical approach, aligning governance with how AI is actually developed and used and recognising that it extends beyond a purely technical exercise, will be far better placed to maintain control and realise the full value of their ISO 42001 investment.

How URM Can Help

With extensive, cutting-edge AI governance expertise, URM can provide experienced ISO 42001 consultants to guide you through the entire process, from initial assessment through to ISO 42001 certification.

Our support includes:

AI gap analysis

A structured review of your current approach against ISO 42001 requirements, providing:

  • A clear view of where you meet the standard and where gaps exist
  • Prioritised, practical recommendations for remediation
  • A tailored roadmap to support your implementation journey.

Implementation and remediation support

Having established your current level of conformance, URM can offer hands-on guidance from an experienced AI consultant to help you align with the Standard, including:

  • Working with you to build an ISO 42001-conformant AIMS or integrated management system
  • Supporting process and AI policy implementation, ensuring these reflect your organisation’s unique needs and ways of working
  • Assisting with the AI impact assessment process.

Internal Audit and Certification Readiness

Preparing your organisation for certification with confidence:

  • Independent internal audits to assess effectiveness of your AIMS and controls
  • Identification and remediation of any remaining nonconformities
  • Ongoing support through the ISO 42001 certification process.

Drawing on over 20 years of experience with management system standards, URM helps ensure your approach is not only conformant, but practical, proportionate and effective in real-world use.

Neil Jones
Senior Consultant at URM
Neil is a Senior Consultant at URM, with over 20 years of ‘real world’ information security knowledge and experience, having worked in complex telecommunications, (multinational) financial services and professional services environments, with both regional and global responsibilities.
