ISO 42001

With the field of artificial Intelligence (AI) continuing to develop and becoming increasingly pervasive throughout our culture and business landscape, the International Organization for Standardization (ISO) has released ISO/IEC 42001:2023, Information technology- Artificial intelligence-Management system Standard.  Published in December 2023, the Standard is aimed at helping organisations responsibly perform their role with respect to AI systems to use, develop, monitor or provide products that utilise AI.  By meeting the requirements of ISO 42001, organisations will be able to generate evidence of responsibility and accountability in respect of AI.

‍

The Standard requires organisations to potentially consider issues such as the use of AI for automatic decision making, the use of data analytics and machine learning to design systems and AI systems performing continuous learning that change behaviour during use.  The Standard addresses topics such as ethical considerations, transparency, fairness and bias, and is applicable across a range of AI applications and contexts.

In time, organisations will be able to certify against ISO 42001, but in the meantime are able to establish, implement, maintain and continually improve an AI management system (AIMS).  ISO 42001 applies the same harmonised structure with clause numbers and titles identical to ISO 27001 and ISO 9001, thereby facilitating integration of management systems.

In comparison to ISO 27001, the main body sets out requirements in the familiar Clauses 4 – 10 format, with reference controls set out in Annex A.  These controls provide references for meeting an organisation’s objectives and addressing risks related to the design and operation of AI systems.  However, unlike ISO 27001, the ISO 42001 Standard includes 3 additional annexes:

Annex B provides implementation guidance in relation to the controls set out in Annex A, while potential organisational objectives, risk sources and descriptions that can be considered when managing risks are outlined in Annex C.   The potential use of an AIMS across domains or sectors are covered within Annexes C and D respectively. Integrating ISO 42001 with standards such as ISO 27001 is also covered in Annex D.

Gap Analysis

URM’s consultants can conduct gap analyses for existing management systems against the requirements of ISO 42001, to allow for the development or extension of an integrated management system encompassing ISO 42001 and other standards to which you are already conformant and/or certified.  The gap analysis will also allow us to identify areas where you are currently meeting the best practice defined in ISO 42001, any areas where your use, provision or development of AI is not currently conformant, and where we recommend appropriate remediation approaches.  

ISO 42001 Implementation and Remediation Support

Having established your current conformance position, URM can support you implement and maintain your AIMS which will be fully tailored to the context of your organisation.  Services we can offer you include:

• Supporting you in the implementation of an ISO/IEC 42001 conformant management system (whether a standalone AIMS or an integrated management system)
• Assisting you conduct an AI impact assessments for systems that you are developing or are using
• Supporting you in your journey to achieve certification against the ISO 42001 Standard.

ISO 42001 Internal Audits

Once your AIMS has been implemented, URM can perform internal audits of your management system and controls to ensure they are operating effectively and meeting the requirements in ISO 42001.  URM’s auditors are not only skilled in audit techniques and knowledgeable about the subject of the audit, but can also provide the objectivity and impartiality required in the auditing process for conformance to the Standard.

‍

Why URM for ISO 42001?

Track record

While ISO 42001 is a new standard, URM’s extensive experience in supporting organisations conform and certify to existing ISO management system standards, such as ISO 27001 and ISO 22301, means we are uniquely positioned to provide informed and reliable support in helping you meet the requirements of ISO 42001.  Over the last two decades of steady, organic growth as a consultancy and training provider, we have supported over 400 successful ISO certifications without being involved in a single failed certification project.  As such, you can be assured that any guidance you receive from URM is informed by a long history of success stories, and can guarantee the same result for your organisation.  

Tailored solutions

We at URM appreciate that the use and development of AI will never be the same across any two organisations and, therefore, neither will the AIMS.  The unique requirements of your organisation, its industry, size and structure, risk appetite, products and services provided, legal and obligatory requirements, etc. will always shape the approach we take in helping you develop, implement and maintain your AIMS.  Meanwhile, we will ensure the advice and guidance we offer you reflects how you work and your existing culture, enabling you to integrate the AIMS into business-as-usual operations as seamlessly as possible.

Knowledge transfer

One of the most fundamental aspects of the way we work at URM is our ‘real world’ knowledge transfer philosophy. This enables you to benefit from our large team of consultants’ extensive practical experience and knowledge of AI best practice and, ultimately, independently maintain and improve your AIMS by virtue of what you have learned from them, without needing to rely on ongoing consultancy support.

‍