Splunk Inc.

10/09/2024 | News release | Distributed by Public on 10/09/2024 14:30

What Is ISO 42001 for AI

30 November 2022 is widely regarded as a landmark event in the world of digital technology. It's the day OpenAI launched ChatGPT, a free chatbot that presented a conversational form of artificial intelligence to the general public.

The ability to easily interact with large language models has upended corporate strategies - introducing new business models and threatening existing ones - and has had a profound impact on jobs, entertainment, cybersecurity, and many other sectors of society.

The mix of opportunities and threats has, predictably, triggered various reactions as people wonder whether generative AI will take over the world. The EU AI Act is one such reaction. Here, nations are seeking to regulate such technology in order to:

  • Drive responsible use.
  • Limit risks from the dangers it poses.

Standards bodies have not been left behind either. In December 2023, the first AI management system standard was published: ISO 42001.

What is ISO 42001?

The ISO/IEC 42001:2023 international standard specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.

The goal is to balance innovation with AI governance, by ensuring organizations that create or use AI-based products or services do so in a responsible manner, while addressing the unique challenges AI poses, such as:

In the following sections, we will first look at the standard itself - what's included - and then we'll explore the benefits it offers for organizations that adopt its guidance.

Structure of ISO 42001

The ISO 42001 standard adopts the Annex SL structure that was introduced in 2015 to provide a high-level structure for management systems, facilitating alignment and easy integration of multiple standards without duplication.

There are ten clauses within this structure. The actual requirements are listed in clauses 4 to 10, with Clause 8 (Operation) being the area that differs most for AI.

ISO 42001 Standard Structure (Annex SL)

The key areas covered in the requirements are as follows:

Clause 4: Context

The organization needs to identify:

  • The internal and external issues that would affect the AIMS
  • The needs of interested parties

The organization would also need to document the scope of the AIMS, then establish and maintain the AIMS.

Clause 5: Leadership

The organization's top management will need to:

  • Demonstrate commitment to establishing and maintaining the AIMS. This includes strategy, resource allocation, communication, and support across all levels.
  • Approve and communicate an AI policy that aligns with the organization's purpose, sets the framework for AI objectives, commits to meeting requirements, and fosters a continual improvement approach.
  • Assign roles, responsibilities, and authorities for the AIMS, including a designated person to coordinate AIMS activities and report on AIMS performance.

Clause 6: Planning

The organization itself will:

  • Consider the opportunities and risks affecting the AIMS, then plan and implement actions to address them effectively.
  • Define and communicate measurable AI objectives that align with the AI policy. These objectives take account of applicable requirements and are monitored and updated. Plans to achieve them are identified, assigned, and resourced.

Any changes to the AIMS would be carefully considered and implemented in a planned manner.

Clause 7: Resources

The organization will:

  • Determine and provide the resources required to run the AIMS, including recruiting and training competent staff. Staff and anyone else working for the organization need regular awareness communication on the AIMS, including their role in supporting it and the consequences of non-conformance.
  • Manage the lifecycle of documented information related to the AIMS, from creation through disposal.

Clause 8: Operation

The organization will:

  • Plan, implement, and control all processes related to the AIMS, including outsourced processes. This also involves implementing the associated plans and maintaining documented information as evidence of implementation.
  • Conduct AI risk assessments regularly and plan the treatment of identified risks, keeping documented information on the results.
  • Additionally, conduct AI system impact assessments and make plans to address any adverse impacts.

(Related reading: how to perform a business impact analysis.)

Clause 9: Performance Evaluation

The organization will:

  • Monitor, measure, analyze, and evaluate the performance and effectiveness of the AIMS.
  • Conduct regular internal audits and management reviews to review the compliance status and effectiveness of the AIMS.

Clause 10: Improvement

The organization will need to:

  • Ensure the continual improvement of the AIMS in terms of suitability, adequacy, and effectiveness.
  • Analyze any non-conformities that occur within the AIMS, then identify and implement corrective actions.

ISO 42001 Annexes

Four annexes follow the ISO 42001 standard's clauses: Annexes A, B, C, and D.

Annex A

This is a normative annex listing a set of reference control objectives and controls that organizations may use to manage AI system risks and achieve business objectives. Examples of these controls include:

This annex is relevant to clause 8.3 on AI risk treatment. Organizations can design their own controls beyond this list. Any control that is not applicable should have a documented justification for its exclusion.

Annex B

This is a normative annex providing guidance for implementing the controls in Annex A. The organization may choose to:

  • Adopt this guidance.
  • Modify the controls.
  • Ignore it altogether.

Annex C

Annex C is an informative annex that provides possible AI-related objectives and risk sources that organizations can consider while conducting AI risk assessments. This annex is relevant to clauses 6.2 and 8.2 of the standard.

More detailed information on managing AI risks can be found in ISO/IEC 23894:2023 guidance on risk management.

(Related reading: AI risk management.)

Annex D

This is an informative annex that provides guidance on integrating the AIMS with other management system standards, such as ISO 9001:2015 for quality management and ISO/IEC 27001:2022 for information security management.

Value & benefits of adopting ISO 42001

The fears associated with AI are not unfounded, according to Neuroscience News. Human beings thrive on having a sense of control, value, and privacy. We are rightfully scared when we see the rapid advances that generative AI is making, especially where job security and human relationships are concerned.

Enterprises, too, are worried about the erosion of their intellectual property and other information assets, as the owners of generative AI have used web scraping to train their models without permission.

Addressing these fears requires organizations to apply governance measures across all areas of their AI business model. By adopting ISO 42001, any enterprise can demonstrate to its stakeholders that it manages AI in a manner that addresses the risks behind those fears.

Some of the benefits that organizations can gain from complying with the requirements of the ISO/IEC 42001:2023 standard include:

Increasing trust in their AI products, building confidence with stakeholders, and tackling associated risks such as bias are strategic imperatives that any enterprise involved in the development or use of AI systems should consider.

Simply put, think of ISO 42001 as an umbrella that covers the key areas organizations should address on their AI implementation journey.