Artificial Intelligence (AI) entered our lives stealthily and not before long has become an integral part of all we do. From choosing a playlist, to self-driving cars, to providing service desk support to name a few. Some people have openly embraced AI while others approach it more cautiously afraid of the domination and ‘rise of the machines. Along with the opportunities that AI presents, also come risks and therefore responsibility. ISO in December of 2023 published a management system standard, ISO/IEC 42001, that provides a framework for organizations looking to use a process-based approach to managing risks and opportunities associated with use of Artificial Intelligence.
What is AI system?
As defined by ISO/IEC 22989 and artificial intelligence system is and engineered system that generates outputs such as content, forecasts, recommendations, or decisions for a given set of human-defined objectives. Artificial intelligence can then further be broken down into various subcategories from weak AI to strong AI. There are also various associated terms that are used within the industry that wall within the realm of Artificial Intelligence systems. These include Autonomous AI system, Machine Learning, and Cognitive Computing to name a few.
An integrated standard approach
In structuring the standard ISO/IEC follows the harmonized 10 clause structure that is applicable to standards such as ISO 9001 and ISO 45001. This will make it easy for organizations seeking to integrate the requirements into their existing management system. Like other ISO management system standards, ISO/IEC 42001 is not prescriptive within the standard clauses. It does however, similar to ISO/IEC 27001 include an Annex of controls that must be considered and that must be justified when not applicable. Annex A has a total of 38 controls that are split among the 10 control objectives. As a risk-based standard it requires organizations to conduct an impact analysis, conduct a risk assessment and then implement controls to treat the risk to an acceptable level.
ISO/IEC 42001 control areas
The 10 control areas of Annex A intend to:
- Provide management commitment and direction
- Establish organizational accountability
- Determine and provide resources
- Assess the AI system impacts
- Provide a framework for managing the AI system life cycle
- Control data used within AI systems
- Provide a framework for communication with interested parties
- Ensure responsible use of AI systems
- Mange relationships
ISO/IEC 42001 also makes reference to the NIST Risk Management Framework, developed to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI).
Next Steps for Companies seeking to align to ISO/IEC 42001
If your organization is seeking to demonstrate a responsible use of AI systems and choosing to align with the ISO /IEC 42001 framework, the next steps would be to:
- Conduct as “As-Is” assessment – Identify what controls and resources are already in place within the existing management system.
- Conduct an Impact Assessment – Annex A controls provide a structure of how to achieve this and Annex B provides further guidance. This requirement supports the requirements of the EU AI Act. Inputs to the assessment will come from an understanding of the organizational context and the needs of the interested parties.
- Conduct a Risk Assessment – to identify potential risks and opportunities for users and society. The assessment should include the implication for deploying AI systems.
- Develop Risk Treatment Controls – Identify measures that the organization will implement to mitigate the risks to an acceptable level and then a plan to ensure the effectiveness of controls implemented.
- Implement and monitor the controls and system, with an aim to driving continual improvement and ensuring the responsible use of AI.
To learn more about how QMII can support your implementation of ISO/IEC 42001 reach out to QMII solutions team at info@qmii.com or call us at +1 (888) 357-9001.
-By Julius DeSilva, Senior Vice-President