ISO 42001 Information Technology – Artificial Intelligence – Management Systems
ISO 42001 is the first international standard for AI management systems (AIMS) and provides a framework for managing the risks and impacts associated with developing and using AI technologies. We’d like to think that ISO have been deliberately holding back the number ‘42001’ for an appropriate topic of which Douglas Adams would approve. It defines the requirements for an effective system that can be applied to any type and size of organisation. It’s not just for the IT Crowd.
We’ve all watched enough sci-fi by now to have a healthy fear of the implications of AI, and we’re not saying Terminator wouldn’t have happened if they’d had ISO 42001, but Skynet might have at least had a rollback plan….
According to The Hitch Hiker’s Guide to the Galaxy, the number ‘42’ is the answer to the Ultimate Question of Life, the Universe and Everything. And we all know that management system standards have to end with 001. It was only fitting, therefore, that ISO put their two heads together to combine these numbers in a suitably nerdy fashion.
ISO 42001 is to AI as ISO 27001 is to Information Security. The two standards are structured in a similar way with a front end of basic ISO/risk requirements and an annex of specific controls. The good news is that ISO 42001 has a very similar front end and less than half the controls of its Big Brother.
Despite looking like any other ISO management system standard, the intention of ISO 42001 is to focus on features that are unique to AI such as: automatic decision making, transparency & explainability, insight & machine learning, data quality & analysis, trustworthiness, security, safety, fairness, risk management, continuous learning, and life cycle management.
We’re not going to suggest that every organisation needs ISO 42001. Not even every organisation thinking about using AI needs it. However, if AI is an important part of your business in terms of product development, data analysis, automation systems, or diagnostics, you might want to start thinking about it. You can guarantee that if AI has any significant decision-making role or forms part of your actual product/service, then you are going to be asked about governance and due diligence, risk management, data security, etc. What better way to answer those questions than with an ISO certificate proving you’ve already taken control of the situation?
If your AI usage is limited to casual use of Chatbots, image generation, cheating on your social media posts or frantically cobbling together a presentation because Greg from Sales has dropped you right in it, then you need not worry.
It depends on what you mean by ‘need’. If your customers expect you to have it in place before placing a contract, that’s a definite immediate need. If your other stakeholders are nervous about ungoverned development or use of AI, that’s an emerging need that you shouldn’t ignore. If you are concerned about the pace of AI development and the dangers of uncontrolled roll-out, then you have a technical need. If you are looking for an edge over your competitors and a way of standing out in the market, that’s a commercial need.
Much like ISO 27001, you need to develop your own risk posture towards AI and implement the controls from ISO 42001 accordingly. If nothing else, you can use ISO 42001 to carry out a gap, risk or impact assessment to help you decide if full implementation is needed.
Where ISO 42001 may differ from other ISO standards is in the speed of adoption. If the speed of AI adoption is any guide, you are going to have to move quickly to avoid playing catch-up.
We are, first and foremost, a quality management consultancy. And we are really keen on the consulting part. This means not just answering your questions (AI can do that) but knowing which questions to ask you and which of your answers to make use of. Our HI approach is based on decades of human intelligence acquired from real-life experience and continual learning.
Like all good consultants, we spend a lot of time listening to your story before presuming to understand your needs and expectations. Then we rationalise what you want against what you need (not always the same thing!) to arrive at a uniquely tailored solution.
Before you ask, no, we won’t use AI to design your management system. We’ll use human intelligence, human interactions and human invention. Very much HI over AI. There are no one-size-fits-none solutions here. No oversize templates, no generic waffle.
The clue is in the title ISO 42001:2023 and the fact that this is the first edition. So the news is its appearance and availability as an international standard, and the interest shown by certification bodies in becoming accredited by UKAS to deliver ISO 42001 certification. Not all standards catch the wind as they emerge, but this one has dropped right into the zeitgeist and we expect it to be widely adopted.
So unless you have been taking a leaf out of the Hotblack Desiato playbook and spending a year dead for tax reasons, you will know that the big topics in compliance right now are cybersecurity, AI and sustainability.
The standard itself has a structure that will be recognisable to anyone who has used one of the common ISO management systems. The front part of the standard covers the usual topics for setting up a management system – context, interested parties, scope, leadership, policy, organisation, planning, objectives, support, operation, performance evaluation. Running through these topics are the elements of AI risk and AI impact. The operation section facilitates a deep dive into a set of ‘controls’ reminiscent of ISO 27001. ISO 42001 has less than half the number of ‘controls’ of ISO 27001 and several overlapping aspects. Some of the key differences relate to system impacts, data and lifecycle. The similarity with ISO 27001 extends even as far as requiring a statement of applicability to justify the selection of AI controls.
ISO 42001 is not a huge document, but we know that for some of our clients, an ISO standard is second only to Vogon poetry in the league table of nauseous texts. Even a first pass translation can be daunting (example paragraph above). But that’s where we come in, working with you, translating the jargon into practical processes and tools, and making sure all the key requirements are addressed and auditable.
Anyone can use ISO 42001 as a tool for establishing, developing, and improving their AI management system. You may be an organisation working specifically in the AI sector, but you don’t have to be.
You may already be familiar with ISO 27001, the ISO standard for information security management systems. If so, you will understand the outline structure and basic principles of ISO 42001 as they are similar. But even if not, you can start by using ISO 42001 as a framework to “say what you do” and then set about proving that you “do what you say”. Your risk and impact assessments will drive you to think critically, and regularly, about the weaknesses in your systems and the potential threats so that you can continually develop your system to deal with them effectively. You will also need to consider the organisation, processes, controls and training you require to make your system workable, operationally secure and resilient – and to keep improving it.
We can help you to document your AIMS in a way that meets the requirements of the standard but also works for you and how you operate. We can support you by identifying the gaps between where you are and where the standard needs you to be, finding the time-saving synergies, and recommending necessary changes and improvements.
We can work with you to close the gaps and develop your system, adjusting our input to however much or little you need. We are here to help you to succeed, not only to meet the requirements of the standard, but to continue to develop and maintain compliance as your business grows.
Certification by an independent, accredited body is the best demonstration of your compliance to ISO 42001. Certification means that your system is scrutinised and verified on a scheduled basis through an external audit programme. It is an excellent way of confirming the application of your own system – to yourselves, to regulatory bodies and to your stakeholders.
In the UK, certification to ISO 42001 should be undertaken by a certification body accredited by UKAS, the UK’s National Accreditation Body for certification, calibration, inspection and testing services. Only UKAS-accredited certification bodies are recognised by the UK Government and major purchasers, and they operate programmes for transition to the new revision of the standard, as well as for new clients.
We can help you to choose a UKAS-accredited certification body and can support you through the certification process. We can help you however you need us to, whether by preparing documentation, training and mentoring, reviewing and auditing, or by working with you to develop and integrate your system beyond certification so that it always meets your needs as well as the requirements of the standard.
The process towards certification requires planning, commitment, and resources. How much work is involved will depend on your current stage of development, the size of your organisation and the number of people involved. We will work closely with you to identify your gaps and synergies against the requirements of the standard, and to develop a workable action plan to achieve your certification in the most efficient way. Our effective project management and extensive know-how will support your schedule and budget with the resources tailored to help you at every stage.
As with all ISO management system standards, the amount of documentation depends on the outcome of your initial gap/risk assessment and the type/level of control you need to clearly define and successfully implement an AIMS. There are, after all, many ways to fill a gap, mitigate risk or deploy a policy. In fact, that’s the whole point of the ISO 27001/42001 approach – it wants you to work out the risks before deciding on the controls. So you have an opportunity to seize the agenda and focus the documentation in areas that will benefit the most. Important: as a small business, perhaps with a limited scope of AI application, you don’t have to implement every control or follow every guideline in the standard.
QFactorial can help you to update or build your system and document the requirements in the most effective ways. We don’t believe in producing a tome of paper that thuds onto the desk once a year when the auditor asks to see it. We want to create a tailor-made, usable, readable and (dare we say) useful AIMS that actually helps you run your business efficiently and effectively. So, whether you are just starting to develop your AIMS, or have a system that now needs updating to meet the new standard, we can help.
How long is a piece of string?
You’re not a cookie-cutter company, so we don’t deal with cookie-cutter prices. But let’s talk about what makes up the cost of ISO certification:
- Finding out where you’re starting from, where you need to be and how to get there.
- In-house resources to manage and deliver the work plan.
- External consultants to help with parts of the plan that are outside your skills and experience (or time).
- Certification body fees.
- Maintenance of your system and certification. Not just polishing the frame.
Depending on the size, scale and complexity of your organisation, you may need more or less consultancy time. We will suggest budget and schedule based on a specific number of days at an agreed rate, or a set of carefully scoped, fixed price work packages. Sometimes a combination of these approaches makes sense.
There is a difference between certification and accreditation. In the UK there is only one government-approved accreditation body (UKAS). When your customers ask to see your ISO certification, they expect to see the UKAS logo alongside the certification body’s logo. Without this, your customer may reject the certificate and you may face a costly exercise to undo the commercial damage, upgrade your system and put yourself through the certification process all over again. We can help you choose a UKAS-accredited certification body to make sure you don’t get any awkward questions later.
We’ve been in this game a long time now and have developed a proven system of tackling the requirements of ISO certification with you. We begin with our Gap & Synergy Assessment with Action Plan (GSAAP for those acronym lovers) which shows us how close you already are to the standard requirements. We find, usually, that there are many more synergies than you’d expect - you’re running a successful business after all, aren’t you?
This gives us a head-start when creating the AIMS and gives you the opportunity to get to know your consultant and confirm you enjoy working with us before embarking on the good ship certification. At this point you’re able to take the GSAAP and run, but of course we’d like to think you’d want to keep working with us to help you with the documentation (Stage 1) and implementation (Stage 2).
We help share the load by reviewing what you create, or creating things for your review – business manuals, process maps, policies and procedures, etc. Once this is all done, there’s a desktop audit by the certification body to check that all your documentation complies with the rigours of your chosen standard – and yes, we can be involved in this as your advocate, interpreter, translator or referee. Stage 1 is all about ‘saying what you do’ as a business. But you can’t just say what you do, you also need to ‘do what you say’. Stage 2 is all about those documents coming off the page and becoming a ‘real’ entity in your business. The burden of proof is on you to show that your system, as you’ve set out in Stage 1, is working as you say it should be. It takes time to gather this body of evidence, typically 2-3 months, and this evidence can take various forms. Our role during Stage 2 is to provide training, mentoring, internal audits and management reviews to ensure your business is ready for the Stage 2 external audit. It’s entirely normal for a few ‘nonconformities’ to arise, especially at this stage, but we’ll be there to help you deal with them and make sure you get that recommendation for certification.
At this point you’re able to take your new ISO Certificate, pat yourselves on the back for a job well done and send us on our merry way, happiness all round. However, we recommend you stick with us for this first year. Why? So we can help establish quarterly health checks to keep things ticking over. No one wants to be thrown into a full-blown panic 11 months down the line as the surveillance visit looms and you realise things have gotten a little wobbly. With us on board that little while longer, you can be sure that the gears are turning and the processes are followed so when the auditor returns, you’re armed and, if not dangerous, at least prepared.
42.
“Here I am, brain the size of a planet, and they ask me to generate cat memes.”
– Marvin, The Hitch Hiker's Guide to the Galaxy (misquoted)