ISO/IEC 42001

What is ISO/IEC 42001 and why do we need it?

As AI becomes more powerful, so do its risks. A lack of transparency, explainability, and the potential for biased or erroneous outcomes make the need for trustworthy and responsible AI development more urgent than ever. However, companies must not only develop technically robust, ethical and legally compliant AI systems - a major challenge is also to integrate these aspects seamlessly into internal processes and structures. Numerous influencing factors need to be considered, such as strategic corporate goals, stakeholder expectations, compliance requirements and the right balance between governance measures and innovation endeavours.

To make these tasks feasible for companies, the ISO/IEC 42001 standard was jointly developed and published in 2023 by the International Organisation of Standards (ISO) and the International Electronical Commission (IEC). It is the world's first standard for artificial intelligence management systems and provides companies with a clear framework for successfully implementing best practices for the governance of AI systems. The standard outlines specific requirements for the design, implementation, upkeep, and continuous enhancement of AI management frameworks within organizations.

The standard is designed to be interoperable with other management system standards (see list), ensuring seamless integration within existing frameworks. Additionally, it is classified as a Type A standard, meaning organizations can claim conformity with its requirements. In contrast, Type B management standards provide guidance but do not establish certifiable requirements. At their core, management system standards (MSS) serve as a foundation for effective organizational management. Implementing MSS provides a structured approach to decision-making, helping organizations navigate the evolving dynamics of their management processes.

What is an AI Management System?

As defined by ISO/IEC 42001, an AI Management System is a set of interrelated or interacting elements of an organisation designed to establish policies and objectives, and processes for achieving those objectives, relating to the responsible development, deployment or use of AI systems. 

Who should follow ISO/IEC 42001?

Management standards are applicable in all sectors of the economy for different types and sizes of organisations and under different geographical, cultural and social conditions. They support governance and management functions at all levels.

The ISO/IEC 42001 standard therefore applies to any organisation that uses AI and wants to ensure and demonstrate the high quality of its AI systems. Start-ups that want to gain a competitive advantage and build trust in their AI solutions will also benefit from clear AI governance in accordance with ISO/IEC 42001. Compliance with this standard provides early guidance, and is particularly relevant for organisations that want to comply with new and upcoming global AI laws and regulations.

For example, companies whose AI applications have a high-risk potential under the EU AI Act (Art. 6 & Annex I & III) can ensure legally compliant governance structures. Hence, if you want to scale AI systems responsibly, you should familiarise yourself with ISO/IEC 42001.

Key Principles in ISO/IEC42001

The ISO/IEC 42001 standard outlines the essential components for building an effective AI Management System. It emphasizes key areas, all of which are integrated into thedesign and structure of management processes.

• Definition of organisational goals with the involvement of stakeholders and organisational guidelines.
• The management of AI risks and opportunities.
• Processes for managing aspects of trustworthy AI such as security, fairness, transparency, data quality and quality of AI systems throughout their lifecycle.
• Processes for the management of suppliers, partners and third parties that provide or develop AI systems for the organisation.

The standard defines key terms and is interoperable with existing ISO standards, such as ISO 27001 for information security management systems (ISMS). It follows a high-level structure, which is presented below. The following sections provide an overview of the requirements in clauses 4 to 10, which are also contained in other management system standards:

ARTICLE 4: CONTEXT OF THE ORGANISATION

The organisation must identify the relevant internal and external needs, expectations and problems and define the boundaries and applicability of the AI management system.

ARTICLE 5: LEADERSHIP

Senior management buy-in is crucial for the successful implementation of the AI management system according to ISO/IEC 42001. Senior management must establish a clear AI policy and AI objectives, integrate them into business processes and provide the necessary resources. They are also responsible for communicating, promoting and continuously improving AI governance.

ARTICLE 6: PLANNING

Organisations must develop an action plan that balances the risks and opportunities to achieve the defined objectives. This includes regular risk assessments, the selection of appropriate measures to address risks and the setting and monitoring of clear objectives. These objectives should be SMART: specific, measurable, achievable, relevant and time bound.

ARTICLE 7: SUPPORT

Ensuring support and training is essential for the success of the AI management system. This includes providing the necessary financial, technological and human resources. A clear communication and documentation framework also supports staff skills development.

ARTICLE 8: OPERATION

In the operational part, organisations must ensure that all processes meet the defined criteria, are regularly monitored and adapted as necessary. This includes carrying out risk assessments and risk treatment measures, as well as regularly assessing the impact of AI systems on individuals and society to continuously consider all relevant risks and opportunities.

ARTICLE 9: PERFORMANCE EVALUATION

Article 9 sets out requirements for the continuous monitoring and evaluation of the performance of the AI management system. In this way, weaknesses can be identified and improvements promoted. This includes regular measurements and analyses of system performance, internal audits to ensure compliance and management assessments of the long-term suitability and effectiveness of the system.

ARTICLE 10: IMPROVEMENT

Organisations must continuously ensure the effectiveness of the AI management system and adapt to changing requirements. Immediate corrective action is required to prevent inadequate processes in the future and to transparently document all steps taken to this end.

The figure shows the PDCA cycle of the AI management system standard ISO/IEC 42001. Standards - such as ISO/IEC 42001 - that are already subject to the high-level structure can be assigned to the PDCA cycle chapter by chapter.

Detailed instructions for implementing ISO/IEC 42001 are contained in the four annexes of the standard. While Annex A focuses on the controls, objectives and risk aspects, similar to ISO 27001, ISO/IEC 42001 also provides guidance in the form of three further annexes that go beyond the scope of other management system standards.

• Appendix B - Guidance on implementing the AI controls in Appendix A
• ‍Appendix C - Possible AI-related organisational objectives and sources of risk
• ‍Appendix D - Standards for the use of AI management systems in different areas and sectors

ISO/IEC42001 and the EU AI Act

The voluntary ISO/IEC 42001 standard and the European Union's AI Act complement each other to ensure the safe, transparent and ethically responsible use of artificial intelligence (AI). While the AI Act sets out legal requirements, ISO/IEC 42001 helps organisations to implement best practices and procedures to comply with these regulations and establish internal structures for the governance of AI systems. ISO/IEC 42001 provides a solid basis for integrating and demonstrating a risk management system (Art. 9) and a quality management system in accordance with the EU AI Act into an organisation's processes (Art. 17).

The AI Act and ISO/IEC 42001 help companies meet legal requirements while ensuring that their AI systems comply with internationally recognised standards for ethics, security and transparency.

Is Certification necessary?

The ISO/IEC 42001 standard is a type A management system standard that requires proof of conformity. To claim this, an organisation must prove that it meets the requirements. This proof is provided by an audit.

There are three types of audits: First-party, second-party and third-party audits. First-party audits are internal audits. Second-party and third-party audits are external audits, with the latter being conducted by independent institutions. These audits are offered by accredited certification bodies such as TÜV, DEKRA or other qualified auditing companies. If the audit is successful, the organisation receives a certificate that serves as official proof of compliance with the standard.

The choice between internal, external or combined audits plays a decisive role in shaping an organisation's compliance strategy. Internal audits promote continuous improvement and prepare the organisation for external audits. External audits, on the other hand, are essential for achieving certification and strengthening public confidence. By combining both approaches, the respective strengths can be optimally utilised to ensure a solid compliance strategy that meets the requirements of the management review process.

Key Takeaways

ISO/IEC 42001 offers companies a comprehensible framework for the secure and efficient organisation of their AI governance. The following points should be noted in particular:

Voluntary implementation: The introduction of ISO/IEC 42001 is a strategic decision and not a legal obligation but offers considerable advantages.

Trustworthy AI: The standard promotes the development and operation of technically robust, ethically sound and legally secure AI systems.

Regulatory compliance: ISO/IEC 42001 helps companies to comply with local and international regulations such as the EU AI Act and minimise legal risks.

Management System Standard: The standard is compatible with other management system standards such as ISO 27001 and enables both internal and external audits.

AI Policy: A clearly defined company policy on the development and use of AI forms the basis for effective AI governance.

Continuous Improvement: A core element of the standard is the regular review and improvement of AI processes to ensure the efficiency and safety of the systems.

Risk Management: The standard requires proactive identification, assessment and treatment of AI-related risks.

Competitive Advantage: External certification signals to customers and stakeholders that the company handles its AI systems responsibly.

Responsible AI Governance: ISO/IEC 42001 helps organisations implement stronger oversight that improves the accountability and reliability of their AI systems.

To summarise, ISO/IEC 42001 provides companies with a solid foundation for the ethical, secure and legally compliant management of AI systems. On the one hand, this ensures compliance with regulations and, on the other, strengthens trust in AI technologies and creates competitive advantages.

References

• ISO/IEC 42001, Information technology — Artificial intelligence — Management system; First edition 2023-12
• TÜV Süd, ISO/IEC 42001 CERTIFICATION, https://www.tuvsud.com/en-in/services/auditing-and-system-certification/iso-42001
• Cyber Navigator: Introducing ISO 42001: Setting the Standard for AI Management Systems, https://www.cybernavigator.org/p/introducing-iso-42001-setting-the?r=a7ywp&utm_campaign=post&utm_medium=web