With the field of artificial intelligence (AI) continuing to develop and becoming increasingly pervasive throughout our culture and business landscape, the International Organization for Standardization (ISO) has released ISO/IEC 42001:2023, Information technology - Artificial intelligence - Management system Standard.  Published in December 2023, the Standard is aimed at helping organisations responsibly perform their role with respect to AI systems, whether they use, develop, monitor or provide products that utilise AI.  By meeting the requirements of ISO 42001, organisations will be able to generate evidence of responsibility and accountability in respect of AI.

The Standard requires organisations to consider issues that may apply to them, such as the use of AI for automated decision making, the use of data analytics and machine learning to design systems, and AI systems that perform continuous learning and so change their behaviour during use.  The Standard also addresses topics such as ethical considerations, transparency, fairness and bias, and is applicable across a range of AI applications and contexts.

In time, organisations will be able to certify against ISO 42001; in the meantime, they are able to establish, implement, maintain and continually improve an AI management system (AIMS).  ISO 42001 applies the same harmonised structure as ISO 27001 and ISO 9001, with identical clause numbers and titles, thereby facilitating the integration of management systems.

As with ISO 27001, the main body sets out requirements in the familiar Clauses 4 to 10 format, with reference controls set out in Annex A.  These controls provide references for meeting an organisation’s objectives and addressing risks related to the design and operation of AI systems.  However, unlike ISO 27001, ISO 42001 includes three additional annexes:

Annex B provides implementation guidance in relation to the controls set out in Annex A, while Annex C outlines potential organisational objectives, risk sources and descriptions that can be considered when managing risks.  The potential use of an AIMS across domains or sectors, and the integration of ISO 42001 with standards such as ISO 27001, are covered in Annex D.

Gap Analysis

URM’s consultants can conduct gap analyses of existing management systems against the requirements of ISO 42001, to allow for the development or extension of an integrated management system encompassing ISO 42001 and other standards to which you are already conformant and/or certified.  The gap analysis will also allow us to identify areas where you currently meet the best practice defined in ISO 42001, areas where your use, provision or development of AI is not currently conformant, and, where appropriate, to recommend remediation approaches.

ISO 42001 Implementation and Remediation Support

Having established your current conformance position, URM can support you in implementing and maintaining an AIMS that is fully tailored to the context of your organisation.  Services we can offer you include:

  • Supporting you in the implementation of an ISO/IEC 42001 conformant management system (whether a standalone AIMS or an integrated management system)
  • Assisting you in conducting AI impact assessments for systems that you are developing or using
  • Supporting you in your journey to achieve certification against the ISO 42001 Standard.

ISO 42001 Internal Audits

Once your AIMS has been implemented, URM can perform internal audits of your management system and controls to ensure they are operating effectively and meeting the requirements in ISO 42001.  URM’s auditors are not only skilled in audit techniques and knowledgeable about the subject of the audit, but can also provide the objectivity and impartiality required in the auditing process for conformance to the Standard.

Why URM for ISO 42001?

Track record

While ISO 42001 is a new standard, URM’s extensive experience in supporting organisations to conform and certify to existing ISO management system standards, such as ISO 27001 and ISO 22301, means we are uniquely positioned to provide informed and reliable support in helping you meet the requirements of ISO 42001.  Over the last two decades of steady, organic growth as a consultancy and training provider, we have supported over 400 successful ISO certifications without being involved in a single failed certification project.  As such, you can be assured that any guidance you receive from URM is informed by a long history of success stories, and that we can guarantee the same result for your organisation.

Tailored solutions

We at URM appreciate that the use and development of AI will never be the same across any two organisations and, therefore, neither will the AIMS.  The unique requirements of your organisation, its industry, size and structure, risk appetite, products and services provided, legal and other obligations, etc. will always shape the approach we take in helping you develop, implement and maintain your AIMS.  Meanwhile, we will ensure the advice and guidance we offer you reflects how you work and your existing culture, enabling you to integrate the AIMS into business-as-usual operations as seamlessly as possible.

Knowledge transfer

One of the most fundamental aspects of the way we work at URM is our ‘real world’ knowledge transfer philosophy.  This enables you to benefit from the extensive practical experience and knowledge of AI best practice of our large team of consultants and, ultimately, to independently maintain and improve your AIMS by virtue of what you have learned from them, without needing to rely on ongoing consultancy support.

"We used URM as we had a large amount of information to redact for a Court of Protection case and neither had the time nor the knowledge to be able to complete this appropriately. URM were suggested to us and we made contact. They responded very quickly and were able to explain their role, estimated timescales & costings. During the initial consultation, they were very professional and approachable, and certainly had the skills we required. URM’s consultant provided us with details of the work they had completed before & we felt confident to pursue the work with them. We were on a tight deadline for court and URM were confident that they could provide the services we required in a timely manner. The logistics of sending a large amount of confidential documents were easy to navigate and straightforward. We were unable to very accurately gauge how much work was required, however URM’s Team supported us with this and maintained regular contact regarding their progress and addressed any concerns they had. When we needed to contact them, they were prompt with their responses. The work did take longer than envisaged, however that was due to the amount of work that we, as clients, were unable to accurately identify would be required. We did, however, meet the deadline for court. I would certainly use the services of URM again & if possible would work with the same team. The services are not cheap, however redacting sensitive information is a skilled task and, therefore, having a professional complete this work is priceless."
Contact us

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.