What is ISO 42001
ISO 42001 is a standard published in 2023 by the International Organization for Standardization (ISO) to address security concerns of artificial intelligence (AI). It is the first certifiable standard to provide requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS).
How ISO 42001 Compares to ISO 27001
ISO 27001 is an information security framework designed to help organizations protect data through the implementation of an Information Security Management System (ISMS).
ISO 42001 is focused on governance, risk management, and ethical considerations of AI systems through Artificial Intelligence Management Systems (AIMS). It helps organizations address AI-related challenges, including bias, transparency, explainability, and accountability.
Getting ISO 42001 Certified
ISO 42001 certification is achieved by demonstrating conformity with the standard's requirements. The ISO/IEC 42001 certification process works the same way as for other ISO management system standards: an accredited third-party certification body audits your AIMS to determine whether it meets the standard's requirements. Certification is valid for three years. To maintain certification over that three-year period, the certification body must perform annual surveillance audits.
ISO 42001 Clauses 4-10 are mandatory and detail what is required of an AIMS to achieve certification.
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the AI management system
4.4 AI management system
5. Leadership
5.1 Leadership and commitment
5.2 AI policy
5.3 Roles, responsibilities, and authorities
6. Planning
6.1 Actions to address risks and opportunities
6.2 AI objectives and planning to achieve them
6.3 Planning of changes
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operational planning and control
8.2 AI risk assessment
8.3 AI risk treatment
8.4 AI system impact assessment
9. Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
9.2 Internal audit
9.3 Management review
10. Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
ISO/IEC 42001 contains four annexes that provide detailed guidance on how organizations can comply with the standard.
Annex A: Provides a comprehensive list of the standard’s controls and their objectives.
Annex B: Provides guidance for the implementation of the controls and data management processes.
Annex C: Addresses AI objectives and risk sources.
Annex D: Addresses the use of AI systems across different domains and sectors.
Benefits of ISO 42001 Certification
ISO 42001 certification will demonstrate to the market that your business is an early adopter of AI best practices and that you are committed to using the technology securely and ethically. Certification will separate your company from the competition and potentially serve as a business driver.
Putting in the work to secure ISO 42001 certification will give your organization confidence that your AI systems operate safely, fairly, and with quality data, while still being able to realize the benefits of AI technology. The controls you put in place will allow you to identify and remediate risks more effectively.
How We Can Help
At CompliancePoint, we have a team of former ISO auditors and experienced practitioners who can prepare your organization for a successful ISO 42001 audit. We will put you on the path to certification by helping you identify and remediate gaps in your existing AIMS and implement the necessary policies, procedures, and technical controls.
CompliancePoint has a partnership with Mastermind, the world's first certification body for ISO 42001. We work with Mastermind to streamline the entire certification process for our customers, from initial readiness assessments and policy development to the resulting certification audit.
The experts at CompliancePoint are here to help you avoid data breaches, loss of the ability to process or handle third-party data, loss of customers or partners, and regulatory fines. Find out how.
ISO 42001 Frequently Asked Questions
Who can benefit from ISO 42001 certification?
Any organization that develops, provides, or uses AI-based products or services can benefit from ISO 42001 certification.
What is the difference between ISO 27001 and ISO 42001?
ISO 27001 is centered on information security, ensuring the confidentiality, integrity, and availability of data through a structured Information Security Management System (ISMS).
ISO 42001 is the first global standard for Artificial Intelligence Management Systems (AIMS), focusing on the governance, risk management, and ethical considerations of AI systems. It addresses challenges such as bias, transparency, explainability, and accountability, ensuring AI technologies are trustworthy and responsible.
How long does ISO 42001 certification take?
ISO 42001 certification typically takes several months to a year, depending on the size and complexity of the organization, the readiness of its existing AI practices, and the resources available.