ISO42001 - the new AI standard

Introduction

With 82% of businesses either using or exploring Artificial Intelligence (AI), the potential for transformative benefits in accelerated software development, customer engagement, employee productivity, and operational efficiency is undeniable. 

AI is not just a buzzword; it’s a cornerstone of the current technology evolution for many organizations.

The AI market is expected to reach a staggering $407 billion by 2027. However, adopting these radical new technologies isn’t without its challenges. Concerns around bias, privacy, transparency, and security are at the forefront of AI adopters and management teams. Unfortunately, numerous high-profile AI failures by some of the world’s largest companies are a stark reminder of its risks. 

ISO 42001 - A new standard framework

So, what is ISO 42001? 

Published in December 2023, this standard provides a framework for designing, developing, and deploying secure and responsible AI. It aims to mitigate risks related to:

• Security, 
• Fairness, 
• Transparency, 
• Explainability, 
• Accessibility, and 
• Safety. 

ISO 42001 applies to companies that are: 

• AI Producers – Content creators, AI developers, AI designers, AI testers, evaluators and deployers
• AI Providers – AI platform providers, AI product and service providers
• AI Customers – AI users 

This means that if your organization uses AI anywhere in development or production systems, whether from AI service providers or custom-built, it’s relevant to you.

New regulations and standards are also being implemented worldwide, with many mandates that ISO 42001 supports. These include:

• The US Executive Order 14110 (October 30, 2023) https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence
• The EU AI Intelligence Act (March 13, 2024) https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence
• The NIST AI Risk Management Framework (AI RMF) (July 26, 2024). https://www.nist.gov/itl/ai-risk-management-framework
  
• OWASP AI Security and Privacy Guide v1.0  
  https://owasp.org/www-project-ai-security-and-privacy-guide/  

Adopting ISO 42001 helps companies:

●      Manage AI risks

●      Gain a competitive advantage

●      Strengthen customer trust

●      Demonstrate a commitment to responsible AI

●      Ensure regulatory compliance

●      Improve operational efficiency

Unpacking ISO 42001

Here’s a high-level overview of the ISO 42001 standard:

1. Artificial Intelligence Management System (AIMS)

The standard outlines AI Governance Requirements, including 32 clause requirements that demand specific policies, procedures, evidence, and audits. These clauses are referred to as AIMS. Think of the AIMS requirements as the program management tasks you must establish and maintain for ongoing compliance, certification, and overall process improvement and maturity.

2. Annex A Controls

-       There are 36 control requirements covering:

-       Policy requirements

-       Roles & responsibilities

-       Resourcing (Data, Tools, Compute, & People)

-       Impact assessment

-       AI Software Development Life Cycle (SDLC)

-       Data usage & AI training

-       Incident management

-       Responsible use

-       Supplier & customer management

Key steps involved in implementing ISO 42001

Implementing ISO 42001 requires time, resources, and commitment, which vary depending on the organization's size and complexity. Businesses familiar with frameworks like ISO 27001 or SOC-2 may find the process more straightforward. Typically, an AIMS implementation takes between 2-4 months. 

The key steps of an implementation are:

1. AIMS
   1. Establish clear AI governance goals and objectives.
2. Documentation
   1. Prepare and maintain comprehensive documentation to support your AI governance framework.
3. Risk Assessment
   1. Conduct thorough risk assessments to identify and mitigate AI-related risks.
4. Implementation
   1. Integrate ISO 42001 requirements into your existing processes and systems.
5. Compliance
   1. Ensure ongoing compliance with ISO 42001 standards.
6. Certification
   1. Pursue certification to demonstrate your commitment to responsible AI.
7. Operation
   1. Maintain and continuously improve your AI governance practices.

Note: Step 6 – Certification is optional but does provide customers and other third parties with the assurance that your organization meets the standard requirements and is validated by an independent qualified assessor.

Summary

As businesses adopt AI, they are turning to the ISO 42001 compliance framework to mitigate the risks associated with building, deploying, and managing AI technologies while reaping the significant benefits they offer. 
For more information

Please feel free to contact us for a briefing on our AI services and a solution demo on how Ekko Security can help you accelerate your ISO 42001 compliance initiative.

EKKO Agility Solution: https://ekkosecurity.com/iso42001/

ISO42001 Standard: https://www.iso.org/standard/81230.html

David Finnis Linked In: www.linkedin.com/in/david-finnis-cisa-5a5450204