S2 E21: Where are all the ISO 42001 Certificates? Part 1


Listen to part 2.

Transcript

Jordan Eisner: Well, hello and welcome to Compliance Pointers. I am your host, Jordan Eisner, and I’m excited to be joined by David Forman today of Mastermind.

David, how are you?

David Forman: Doing well. New company. It’s still kind of like rolling off the tongue, isn’t it? Got to say a little bit faster. Got to go like Mastermind.

Jordan Eisner: Mastermind. There you go. That’s better.

We’re going to be talking about something that’s very near and dear to David, and that’s ISO. We’re going to be talking about a newer ISO framework, ISO 42001, which is an AI management framework that we’re excited to dive into. The topic today is where are all the ISO 42001 certifications? David’s got a plethora of thoughts on that and good information I think for our audience.

We’re excited here at CompliancePoint to learn more about David and Mastermind. I go back, I guess, just a couple of years now though, right, David?

David Forman: Two, probably. Two and a half.

Jordan Eisner: We probably should have interacted prior to that.

David Forman: You avoided me for a while.

Jordan Eisner: If you look at our backgrounds both raised in Georgia. You’re a little younger than me, but we were in the same fraternity, two different schools, but still, you know, chapters talk to each other on occasion, right?

We know some of the same people. We worked in the same industry for a decade, but I’m glad we met when we did. I’m glad we’ve fostered a little bit of a relationship, and I am genuinely excited to have you on today.

David Forman: You forgot our biggest shared trait though, which is..

Jordan Eisner: Sushi.

David Forman: Oh yeah, thank you for finishing my sentence. But yeah, I mean, there’s so many good sushi restaurants in the metro Atlanta area, landlocked Atlanta, so I mean, the fact we haven’t run into each other around nigiri or, like, an omakase would be kind of surprising at this point too.

Jordan Eisner: That’s true. You know, on that topic, before we dive deeper into ISO 42001, we got invited to one of these at home sushi, right? Where they come in. I’m sure you’ve probably done this multiple times.

David Forman: I have not.

Jordan Eisner: You haven’t? Have you done it once?

David Forman: No.

Jordan Eisner: Okay, we’re going to do it. It’s probably more expensive than my wife and I going to a dinner or sushi restaurant, even though we’re going to be part of a group in what our individuals share.

David Forman: Like next episode of this, you have to share like the experience. Like that’s a follow up.

Jordan Eisner: I’m expecting to be blown away. So I’ll let you know. And then maybe we’ll do a podcast and have somebody come back sushi for us while we do the podcast.

David Forman: Now we’re onto a topic for a future like podcast series.

Jordan Eisner: Now we’re cooking. Now we’re thinking two steps ahead.

Well, let’s get into it then, right, unless there’s anything else you want to add. I do want to give you the opportunity to talk about Mastermind first before we start talking about ISO. I think that’s going to be important. But anything else before we dive in?

David Forman: No, I just think this topic in general, though, it’s quickly moving. And we came up with, I think, this topic specifically because ISO 42001 in its current form came out in December of 2023. It’s been six, seven months now. And it just feels like, I’m not saying the buzz on AI has died down at all. I mean, go look at Nvidia stock right now. But I will say from the standpoint of where are the actual certificates being issued six months later, it raises a point around kind of this process of publishing an international standard, then accreditation and accreditation issuances, and then certificate issuances to organizations.

So I think it’ll be interesting to talk about this because we’re like in the middle of the timeline right now. And then we’re going to see like a spike in terms of like the activity of 42001 here coming up shortly too. So I’m excited to kind of give that update too.

Jordan Eisner: Good lead-in. So before we talk more about that, tell us about Mastermind.

David Forman: Mastermind launched last month. I think we’re like in week three right now. And I guess the simplest way for I’ll say our competent audience who’s already in compliance is we’re a pure play management system certification body.

This doesn’t exist currently in the U.S. It is a model that has been adopted, I’ll say, in more mature ISO markets, which is generally the EU, UK, some Asia-Pac as well.

But essentially, Mastermind, all we do all day every day is accredited ISO certification. So we do nothing more. So we don’t even do, like, gap assessments, readiness assessments related to ISO and the frameworks we support. We don’t do anything around risk assessments, internal audits, like any of those kind of complementary advisory services.

And then also in the U.S., we have this entire idea of, like, bundled, integrated, coordinated audits, all kind of the same thing, typically mixed with other kind of commercial services type assurance frameworks like SOC 2 reporting or HITRUST, HIPAA, PCI DSS, FedRAMP. And there’s been a push towards, I’ll say, like, audit once, supply many over the last few years. And Mastermind is kind of the antithesis of that. We say ISO is a conformity audit. It’s not a compliance-based audit. So you should parse that out and you should be thinking of that more as your governance program. And then when you get more to the technical control areas or criteria, that’s when you might start finding leverage through bundled audits.

So a little bit different flavor that we’ve seen here in the U.S. but also it’s we’re in the awareness business. And what I mean by that is I think there’s a lot of organizations, namely CPA firms, vCISO-type companies that want to be able to provide ISO services to their customers. And we provide an outlet for that too for those kind of partners, as I would call it, to be able to kind of have those capabilities almost overnight through having this kind of complementary partnership.

But yeah, mastermind is three weeks old, but we have a lot of traction and we’re excited about kind of trying to provide a little bit different angle to the market.

Jordan Eisner: And you’ve already certified at least one customer, right?

David Forman: Yeah, I mean, for your audience. And by the time this probably gets published, you’ll see the second. But yeah, we have certified two at this point within the first three weeks. And so that speaks to the network too. And so it’s been a really warm response and we’re fortunate.

Jordan Eisner: That’s awesome. You picked your lane. You’re sticking in it. Pure play.

David Forman: I had somebody tell me there’s riches and niches. Yeah, I’m not sure I’m going to get rich off this per se, but I do find value in having a narrow focus.

Jordan Eisner: So richness would just be a nice byproduct, right?

David Forman: Yes, very much.

Jordan Eisner: And you’re truly passionate about this. I think that’s clear and I think our audience will see that as we go through these. So thank you. Good segue.

Tell us more about ISO 42001. How it works with other ISO standards and frameworks. A quick overview maybe to start. Give us the quick pitch on it.

David Forman: So ISO, the International Organization for Standardization, doesn’t make any sense with this acronym, you would think it’d be IOS, but ISO publishes this standard known as ISO 42001. The long name for it is actually ISO/IEC 42001:2023. All that means is it’s a jointly published international standard with the International Electrotechnical Commission, the same joint publishers and kind of authors behind ISO 27001 for information security and 27701 for data privacy. So it’s not a first. And then the 2023, that just means the year that it was published. So it was published in December of 2023.

But to your point earlier, and I’ll save you here, you said 27001 on accident, but 27001 is actually very closely related to 42001 for information security. And actually you’ll find several areas of the 42001 text that talks about how you can find I’ll say parallels or even leverageability by having a 27001 program for an information security management system.

So they are meant to be tied together. They aren’t as tied together as, like, 27701 for privacy. In order to get certified to that privacy standard, you have to, it’s called a co-requisite, you basically have to have the 27001 component for the scope as well in order to be certified to 27701. That does not exist for 42001.

Jordan Eisner: You answered a question I was going to have before I even asked it. So see, that’s a symbiotic relationship.

David Forman: But 42001, the name of the standard is artificial intelligence management system. So that gives obviously some credence to what this is actually governing. It is built on the same high-level structure known as Annex SL for ISO standards. And basically that means like the clauses four through 10 you know and love from ISO 27001, ISO 9001, and 22301, they all have the same kind of clauses four through 10, starting with scope and context of the organization and down to like a corrective action process. That exists in 42001 as well.

Now different from maybe some other management system standards. So ISO issues over 25,000 standards. I think that’s like the current number right now. I don’t think they’re quite at 26,000 yet.

But across those 25,000 standards, there’s only about a dozen that make up this special category called management system standards. And you can imagine that, you know, that’s where we get AIMS, the artificial intelligence management system. That’s where we get ISMS.

We get PIMS for all these standards. And those standards are actually what we would say certifiable. So you have a bunch of like guidance documents, specification documents or technical specifications, etc. that ISO will publish.

They have standards that will talk about, you know, what color a school bus should be in a given country. They’ll have a standard for what is the first day of the week. It’s Monday according to ISO.

So it’s all around this idea of standardization so that no matter where you’re in the world, there’s kind of like this like NTP clock that everyone can have the standardization around. So we’re all speaking the same language.

And it even goes down to like maybe you don’t think you touch ISO ever, but you’re kind of in this field. Well, if you do like continuing education grants or CPEs, that is all based on ISO standard as well for personnel certification. That’s based on ISO 17024. And that’s this idea of this like recurring competency checks to make sure you can maintain a credential.

Anyways, I’m getting off-topic with 42001.

It is one of those management system standards and it follows that Annex SL structure, but it’s honestly more closely related to 27001 and 27701 because it has this annex in it as well. And that annex is filled with 38 Annex A controls, as we call it. And it gets a little bit more detailed, down to, like, you know, policies you’d have to have for your AI governance.

It gets down to thinking about risk associated with certain actions on how you use or produce or develop AI. And then additionally, kind of how you do kind of follow-through actions. So more of a privacy-related component. But imagine you have somebody that wants to understand what type of data is being collected on them and they’re being used for like machine learning type purposes. There are controls around that type of, I’ll say risk theme as well.

Jordan Eisner: I saw ethics and transparency thrown around a lot, right? And, you know, in my reading about it and the theme felt, you know, you mentioned 27001, 27701. You know, I saw start with a gap assessment and then you need to perform a risk assessment, right? And then you need to have treatment to that risk, right? All associated with the AIMS as opposed to ISMS.

One thing I saw in it, and you’re probably going to correct me because I’m probably wrong with this, but it was talking about AI impact assessments.

I hadn’t seen impact assessments in others or maybe I just have been missing that. But maybe I just glossed over it, you know, in my night reading.

David Forman: So there’s no idea or concept of an impact assessment in 27001. So you’re clear there. However, in 27701, if you are a PII controller specifically, in Annex A, there is a control around a DPIA in there. So data protection impact assessment.

You’re right though, like seeing it actually in the clauses versus the controls of the standard. So those clauses four through 10, this one pops up specifically in clause six and clause eight. And then this idea of an AI system impact assessment, which is different from a risk assessment. So like all of us have been trained on 27001. We have to kind of augment our knowledge here.

But a risk assessment focuses more or less on the organization’s risk to being in the AI business if you want to do it that way. Whereas the impact assessment, it focuses on the risk that you are creating to essentially your data subjects or your users of AI as well. And you start seeing these like really kind of bubbly terms thrown around now in the 42001 standard that you haven’t seen kind of other InfoSec and data protection standards. And they start talking about like the risk to society, the risk to ethics or ethical norms and stuff.

But it’s true though. If you start thinking about a model like I think most AI users are familiar with ChatGPT at this point. Like it had its big bang about a year ago and now like we’re all like super users on it and I think I pay for a premium subscription.

But like you think about the type of queries I’m putting through that and like what it’s learning about me. What’s to say that it’s pulling that same information possibly from a citizen of I’ll just say a highly regulated or tightly government controlled like entity in a different jurisdiction and then that entity gets their hands on that type of citizen data. Like you could have quite the impact really quickly on I’ll say societal norms, especially if like there’s like government spy programs in place like that kind of thing and there’s not appropriate agreements.

Jordan Eisner: Did you see Jerry Seinfeld’s commencement speech at Duke? It was only 17 minutes.

David Forman: I think I have actually watched that video but it’s funny you bring up Jerry Seinfeld. My sisters were texting me an hour ago. He’s coming to Atlanta in October and yeah and so they were looking at tickets. I think the Fox Theater here in Atlanta.

Jordan Eisner: So I might need to check that out. I never thought his stand-up on the show, at the beginning of the show, was very funny. Yeah, but then his real-life stand-up I’ve always thought was pretty good. But he talks about AI. He said, I’m paraphrasing, I’m not quoting exactly right, but he says something about we’re smart enough to create it and too stupid to understand it.

What to do with it is the point, right, trying to control, like, yeah, there’s ethics and transparency and what happens and, you know, bad actors and the data they can get and, you know, at what point is it the Pandora’s box.

David Forman: Well, true, and honestly it builds on, I would say, over the last five to eight years here in the States, where we start talking about, like, the rights of consumer privacy as well. I mean, these topics, while it’s, you know, affecting how we build AI models, it is technically a privacy conversation. And I think it comes down to, you said transparency, I like that word, I’ll use that. But, like, being transparent on how you intend to use the data that is supplying your models, and I think that’s where organizations have gotten, I’ll say, caught with their pants down more recently.

I mean, we all were affected when Zoom started recording all our meetings, even if you were on a paid enterprise license. We all were affected the second Slack decided that they’re going to start selling our data. Reddit did the same thing for all its users. And now I saw an article, I think last week, like Shutterstock, like if you were uploading your own images to that over the last, I don’t know, two decades, like they’re now selling that off as well because they have this giant image library. It’s being transparent about what you intend to do with your storage, even if it’s, like, super cold storage, possibly just to make a buck. I think these companies, like, using the Shutterstock example, like they’re probably within their rights of, like, the original terms of use, like they probably own any image that is getting uploaded to their platform. But in all reality, like, is that still being open, I guess, in terms of transparency with your users as well, how you intend to use any of their creations?

Jordan Eisner: Right, because it’s going to, especially as consumer awareness about this stuff and the consequences, I think, continues to grow, it will change. I think, of course, that’s just my opinion.

David Forman: Well, unfortunately we live in the US, and I say unfortunate in that sense, I’ll be careful for our audience, but we are slow to act when it comes to, like, new laws that protect this type of stuff. And it was actually the same month, so December 2023, the EU AI Act ended up actually, I’ll say, it got publicized, or it was published in its draft text, and then it starts floating around LinkedIn if you’re in the same communities I follow. Then a couple months later it ended up getting, like, formally approved, I think by the EDPB, and then from there, like, it made it to its, like, version of the Federal Register for the EU, and so it’s going into law.

There’s no concept of, like, an AI national law right now in the US. In fact, we just received our first concept, in bill form, of a national law for privacy, and this is what year, 2024? We’re six years after the go-live date for the GDPR. It was May of 2018. I think it was originally released in 2015 in draft form, so it’s like, you know, the US is literally probably 10 years behind.

Jordan Eisner: They had the directive before that.

David Forman: I think we have a very much wait-and-see approach, but also technically we have what’s called a sectoral law system, so, like, the states end up coming up with their own laws first before anything at a national or federal level comes into force.

Jordan Eisner: I’ve been telling everybody, you know, when we talk with prospects or clients, you know, there’s 13 state laws. And then, I mean, this was like two weeks ago, or maybe a little longer than that, then I was on the phone with one of our privacy experts the other day and he said, well, now there’s 17. By the time this ends, right, it could be in the 20s.

How many companies or organizations are getting certified to be ISO 42001 certification bodies?

David Forman: It’s a trick question. It’s a good question, by the way. If you go on LinkedIn and search the hashtag #42001, you’ll find a few kind of, like, almost like trophy presentation announcements of when people or organizations are getting certified to 42001. I slipped up my words right there, but I think it’s important to delineate: there is personnel certification for 42001, so, like, a 42001 lead implementer, 42001 lead auditor. That exists. It’s not accredited, so it’s just kind of like marketing material. I shouldn’t speak too poorly about it. I have an ISO 42001 lead auditor certification, so it’s a thing. From an organization standpoint, which is really the topic for this webinar, you’ll find a few non-accredited or unaccredited, same thing, 42001 certificates that have been issued to this date. If you search on LinkedIn you’ll find a few of these kind of trophy presentations. I literally laugh about that. It’ll be, like, at a conference or something like that, I’ll be like, one of these large certification bodies is, like, you know, here’s this little plaque, like the certificate of work printed out, the PDF, and they’re presenting it to their customer and everyone’s taking a photo op for that.

But in all reality, it’s all early. So I think your question is actually more rooted in why are we not seeing more of them, and also understanding a little bit more of what I was talking about at the start, this accreditation process. So let me get into that, because this is gonna be a long way to answer your question, but I think it’s gonna make sense if you bear with me for a second.

So 42001 gets published in December 2023, and in order for it to be issued as an accredited certificate, as we know it here in this market, you need to have accreditation. And in order for there to be accreditation, those rules are published by the accreditation bodies. In the United States we have kind of two major ones. There are technically three now. The two major ones we all know about are the ANSI National Accreditation Board, ANAB, and then we also know about the International Accreditation Service, which is actually what Mastermind’s accreditation is through. For both of those, they have to individually come out with what they call, like, their accreditation rule, or, like, a bulletin related to how certification bodies like Mastermind would actually apply for that accreditation. Once they apply for accreditation, meaning a rule exists, they then have to build their system to basically augment for AI. So, like, a certification body, just because I know what 42001 is, I’m not competent in AI overnight. I have to go obtain the skills, the experience, build it into my system, and then apply for the accreditation, understanding how I built an audit program for an initial applicant, all the above. They review that, and then they have to watch you go through an audit with a test customer in order to give you feedback on a stage one and a stage two audit as well. So that all takes time.

However, in the US, across those two bodies, ANAB issued an accreditation rule in January of 2024, so they did it very early. And it was interesting they issued it, because there’s an underlying standard that they’re waiting on called ISO 42006, and that tells us stuff like competency requirements, tells us audit time requirements, tells us how an organization might initially get certified, such as are they an AI user, an AI producer, developer, like all these kind of items that we would need to have in order to build the programs as a certification body. ISO 42006 hasn’t actually officially been published yet. It’s still in what’s known as DIS, draft international standard. I looked it up before this call. It still is in draft form as well. It was issued in draft form in August of 2023, it went to a 12-week voting period which wrapped up in January 2024, and it still has not been issued as an FDIS, final draft international standard, yet. And we’re still waiting on that so we can actually even create accreditation rules to then apply for accreditation.

ANAB did something a little bit different than we’ve seen before. And I’ve been here when 27701 initially got released in 2019, and I saw that process. What ANAB did was they said, we’re going to use the draft international standard for 42006, assume that’s going to be 90 percent correct, and we’re going to go ahead and create an accreditation rule just so that we can start meeting the demands in the market. So a bunch of certification bodies applied for accreditation with ANAB, and going from January all the way through this last month you’ll see, like, applicants on their page, and they started kind of going through the process. It’s interesting: if 42006 gets published as FDIS or as an international standard sometime here in the future, ANAB is going to have to go back, change their accreditation rule, and then go re-audit all these customers as well to the actual final text, and then those certification bodies can actually maintain their accreditation at that point.

Long story short, we should see the first accredited certification bodies probably end of next month, and I got some good intel on that, and so I know that’s kind of the first movers on it. When they come out you’ll see kind of some big announcements, I’m sure, from the certification bodies saying, like, hey, we’re accredited to issue 42001 now. And 42006 may still not be in its final text, which is interesting. And then thereafter you’ll start seeing some certificates start to get published under accreditation, which are kind of the final, legit ones.

Jordan Eisner: Is Mastermind one of those companies in the next month?

David Forman: We are early applicants I’ll leave it at that.

Jordan Eisner: Okay, fair enough. So second half of this year then?

David Forman: Yeah, second half of this year you should see a wave of 42001 certificates, and it will be primarily in the United States. I have not seen similar accreditation rules, and I’ll say the urgency behind it, come out of the UK, which is obviously the United Kingdom Accreditation Service, come out of the Netherlands, which is RvA, come out of Germany, DAkkS. It’s like I haven’t seen any of those accreditation bodies issue similar rules. You’ll have a flood of 42001 certificates in the US to start, and then obviously some international customers might actually procure services from US-based certification bodies because they have kind of the jump.

Jordan Eisner: David, this has been great, a lot of information. I think we’ve got a lot more to get to, so let’s actually pause here and we will do a part two of this. So let’s wrap. In case somebody can’t catch or does not catch part two, how do they get in touch with you and Mastermind?

David Forman: First of all, our full name is Mastermind Assurance. We are a certification body. Mastermindassurance.com, you can find our website. There’s a contact form on there if you forget everything I’m about to say, and you can email us at hello@mastermindassurance.com. We have a chat on our website that will get back to you within 15 minutes. And then additionally you can find us on LinkedIn. We’re quite pesky on LinkedIn if you end up following the company page or even yours truly. You can find the company page at Mastermind Assurance, and then my LinkedIn handle personally is Mastermind David. We also have a newsletter, by the way. You’ll find that if you go on LinkedIn, and we do kind of a building-in-public, founder-led newsletter that drops in your inbox every Wednesday at 8 a.m. You can find that at intel.mastermindassurance.com.

Jordan Eisner: Okay, that’s good. The CompliancePoint channels that our audience typically hears are still there, so LinkedIn, CompliancePoint.com. You can email us at connect@compliancepoint.com. You can reach out to me personally, and if you reach out to me and you need David, I will facilitate that as well.

So we’ll wrap for that and please stay tuned for part two coming out later.
