ISO/IEC 42001:2023: The First Global Standard for AI Management Systems - Antaris Consulting


What is ISO/IEC 42001:2023? 


ISO 42001 was published in December 2023 and is the first management system standard for artificial intelligence. It provides a framework for establishing, implementing, maintaining, and continually improving an artificial intelligence management system within organizations. It addresses the unique management challenges posed by AI systems, including transparency and explainability, to ensure their responsible use and development.


The standard will assist organizations in performing their role responsibly with respect to AI systems (e.g. to use, develop, monitor or provide products or services that utilize AI). AI potentially raises specific considerations such as:

  • The use of AI for automatic decision-making, sometimes in a non-transparent and non-explainable way, can require specific management beyond the management of classical IT systems. 
  • The use of data analysis, insight and machine learning, rather than human-coded logic to design systems, both increases the application opportunities for AI systems and changes the way that such systems are developed, justified and deployed. 
  • AI systems that perform continuous learning change their behavior during use. They require special consideration to ensure their responsible use continues with changing  

ISO/IEC 42001:2023 Clauses: Key Components for AI Management

The clauses of the standard are broken down as follows and are very much in line with the Annex SL high-level structure adopted by other management system standards, including ISO 9001, ISO 27001, ISO 14001 and ISO 45001:

  • Clause 1: Scope 
  • Clause 2: Normative references  
  • Clause 3: Terms and definitions 
  • Clause 4: Context of the organization, including understanding the organization and its context, understanding the needs and expectations of interested parties, determining the scope of the AI management system, and the AI management system itself.
  • Clause 5: Leadership including leadership and commitment, AI policy, and roles, responsibilities and authorities. 
  • Clause 6: Planning including actions to address risks and opportunities, AI risk assessment, AI risk treatment, AI system impact assessment, AI objectives and planning to achieve them, and planning of changes. 
  • Clause 7: Support including resources, competence, awareness, communication, and documented information. 
  • Clause 8: Operation including operational planning and control, AI risk assessment, AI risk treatment, and AI system impact assessment. 
  • Clause 9: Performance evaluation including monitoring, measurement, analysis, and evaluation, internal audit, and management review. 
  • Clause 10: Improvement including continual improvement, and nonconformity and corrective action. 


Clauses 4, 5, 7, 9 and 10 are generally compatible with the comparable clauses in ISO 9001:2015, albeit with an AI focus.

Clause 6.1 Actions to address risks and opportunities has been expanded to encompass the following additional sub-clauses:

  • Clause 6.1.2 AI risk assessment 
  • Clause 6.1.3 AI risk treatment 
  • Clause 6.1.4 AI system impact assessment 

Clause 8 has a number of additional sub-clauses:

  • Clause 8.2 AI risk assessment 
  • Clause 8.3 AI risk treatment 
  • Clause 8.4 AI system impact assessment 

ISO 42001: AI Risk Management Framework and Implementation Guidance

The approach adopted by ISO 42001 is very similar to that of ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection — Information security management systems — Requirements), in so far as it requires the implementing organization to conduct an AI risk assessment and then define an AI risk treatment process based on the controls outlined in Annex A of the standard, as follows:

  • A.2 Policies related to AI 
  • A.3 Internal organization 
  • A.4 Resources of AI systems 
  • A.5 Assessing impacts for AI systems 
  • A.6 AI system life cycle 
  • A.7 Data for AI systems 
  • A.8 Information for interested parties of AI systems 
  • A.9 Use of AI systems 
  • A.10 Third-party and customer relationships 

The organization must then produce a statement of applicability that contains the necessary controls and provides justification for the inclusion and exclusion of controls. Following this, the organization must formulate an AI risk treatment plan (clause 6.1.3).

Per the provisions of clause 6.1.4 AI system impact assessment, the organization must develop a process for assessing the potential consequences that can result from the development, provision or use of AI systems. In some contexts (such as safety or privacy critical AI systems), the organization can require that discipline-specific AI system impact assessments (e.g., safety, privacy or security impact) be performed as part of the overall risk management activities of an organization.  

Clause 8.2 requires the organization to perform AI risk assessments at planned intervals or when significant changes are proposed to occur. Clause 8.3 requires the organization to implement an AI risk treatment plan and clause 8.4 requires the organization to perform AI system impact assessments at planned intervals or when significant changes are proposed to occur. 

Finally, Annex B of the standard provides implementation guidance for the AI controls listed in Annex A.

By adhering to the guidelines and requirements set out in ISO 42001, organizations can navigate the complexities of AI management, ensuring that their AI systems are not only effective but also ethical, secure, and aligned with global standards and best practice. 
