Originally published by Schellman.
Written by Megan Sajewski.
When seeking ISO 42001:2023 certification, you must ensure that your artificial intelligence management system (AIMS) aligns with the standard’s key clauses (4-10), each of which focuses on a specific facet—context, leadership, planning, support, operation, performance evaluation, and improvement.
For those acquainted with other, more established ISO standards, that format may feel familiar initially, but there are some key differences in ISO 42001, including its expansion of clauses 6 and 8 to cover interactions of artificial intelligence with individuals and the public sector.
To have your AIMS certified, you’ll need to satisfy those additional nuances, as well as the rest of the specific requirements clauses 4 through 10. We’re going to help in providing you with a starting baseline.
In this article, we’ll break down each of ISO 42001’s clauses 4-10 in detail along with some basic strategies for compliance with their requirements so that you’ll gain a solid understanding of what will be expected of your AIMS as you begin to stand it up and engage in initial certification services.
What are the Key Clauses of ISO 42001?
Similar to other ISO standards, clauses 1-3 of ISO 42001 are more general and provide the background information you’ll need when implementing the requirements outlined in clauses 4-10:
- Clause 1: Scope
- Defines the boundaries and applicability of the ISO 42001 standard.
- Clause 2: Normative References
- Refers to documents that are referenced in the text of the ISO 42001 standard in such a way that some or all of their content constitutes requirements of the standard. That document is ISO/IEC 22989:2022, Information Technology – Artificial intelligence – Artificial intelligence concepts and terminology.
- Clause 3: Terms & Definitions
- Establishes common terminology used in the framework to facilitate consistent implementation of the standard across organizations.
Context of the Organization (Clause 4)
What’s Required: The identification of:
- The scope of your AIMS
- All the issues relevant to the purpose and strategic direction of your AIMS
- The needs of both internal and external stakeholders, who may include customers, suppliers, employees, and regulatory bodies
Every organization’s AIMS should be tailored to its individual needs, but before you can cut yours to the right fit, you must first demonstrate a complete understanding of your specific context, including things like:
- Your strategic business objectives (e.g., competitive market share, stakeholders’ expectations, compliance with global laws);
- Relevant risks (e.g., threats and vulnerabilities); and
- Your customer expectations (e.g., required functionality of AI tools, etc.).
How to Get Started with Compliance:
- Determine which of your existing processes, personnel departments, activities, software dependencies, and locations should be included in your AIMS.
- Identify and document factors that could impact your AIMS, including relevant market trends, regulatory requirements, technological advancements, competitive pressures, organizational culture, resources, current capabilities, and performance metrics.
- Consider the intended purpose for the AI product or processes relating to the following:
- Incentives or consequences associated with the intended purpose of AI,
- Culture, traditions, values, norms, and ethics for the development and utilization of AI, as well as the competitive landscape and trends for new products and processes relying on AI.
- Internal context-related issues focused on governance, objectives, policies, procedures, and contractual obligations, for example.
- Determine and document the needs of all relevant stakeholders (e.g., interested parties) regarding your AI products or services, quality standards, delivery schedules, and communication preferences.
- Develop a document that reflects your organization's commitment to meeting those needs, complying with applicable regulations, and continually improving your products, services, and processes (NOTE: You should also communicate that policy to your organization).
- Determine whether or not climate change is a factor in developing and continually improving the AIMS and document it either way.
Leadership (Clause 5)
What’s Required: The commitment of top management to your AIMS, artificial intelligence policy, and AIMS roles, responsibilities, and authorities
To ensure the effectiveness of your AIMS’ implementation, maintenance, and continual improvement throughout the three-year certification lifecycle—from initial certification to surveillance and recertification—management must be actively involved in support, especially through the artificial intelligence policy and communicated roles and responsibilities.
(While the standard does require that, executive and senior leadership—in many cases, even the Board of Directors (BoD), if possible—can also further benefit from getting involved and remaining involved in your ISO 42001 certification, as your AIMS can integrate formerly siloed departments and teams’ work and create more meaningful cross-functional collaboration.)
How to Get Started with Compliance:
- Top management should:
- Contribute to the establishment of your artificial intelligence (AI) policy, its communication to your wider organization, and its integration into your overall business process and strategies.
- Provide and assign adequate resources, support, and direction for the AIMS by visibly championing AI initiatives, promoting a culture of continuous improvement, and actively engaging in AIMS activities—including regular reviews of the AIMS’ effectiveness with reporting sent up the management chain to the BoD so that the AIMS remains funded appropriately.
- Create roles and responsibilities that govern and provide moderated authority to personnel serving the AIMS, including top management, safety and risk committee members, and day-to-day operators of the AIMS.
Planning (Clause 6)
What’s Required:
- The setting of artificial intelligence objectives
- The determination of AIMS risks, impact, and opportunities, as well as the planning of actions to address them
Integrating your AIMS into established processes so that it achieves your organizational priorities—and so that it is set up to endure and improve—will take careful planning. But as we noted before, clause 6 within ISO 42001 goes a step further than some of the other familiar ISO standards—specifically through its required completion of an AI impact assessment.
How to Get Started with Compliance:
- Identify AI risk criteria and organizational AI appetite for risk that supports distinguishing acceptable from non-acceptable risks—that may mean performing AI-specific risk assessments, conducting AI-specific risk treatment, and assessing AI-specific risk impacts.
- Conduct a comprehensive risk assessment to identify those that may affect your ability to achieve your AI objectives and develop related mitigation (risk treatment) strategies.
- Develop detailed procedures—including those addressing the implementation of changes to the AIMS and contingency plans for any deviations—to ensure the ongoing effectiveness of AIMS processes and achievement of AI objectives.
- Consider and document formal steps for how changes to the AIMS will be enacted when the need for such a change arises.
- Define roles, responsibilities, and authorities for executing planned activities and ongoing monitoring of their progress.
- Establish metrics and targets for the effectiveness of AIMS activities and achievement of AI objectives.
- Maintain accurate records of all these planning activities and ensure that this documented information is accessible, up-to-date, and effectively communicated to relevant stakeholders.
Tips for Your AI Impact Assessment:
- Define a process to assess the potential consequences that can result from AI systems on individuals, groups, and societies.
- Outline the potential consequences of an AI deployment, intended use, and potential misuse for individuals, groups, and societies.
- Understand the context—both technical and social—where your AIMS is primarily deployed considering applicable jurisdictions.
- Retain documented information of the AI impact assessment, available to internal and external interested parties (as determined by the organization’s strategic alignment).
- Use the results of the AI impact assessment as inputs for your AI risk assessment as required by ISO 42001.
Support (Clause 7)
What’s Required: The allocation of adequate resources to support the operation and effectiveness of the AIMS, appropriate competence for persons doing work under the AIMS, personnel’s awareness of the AIMS, as well as communication and documented information regarding the AIMS
In requiring the allocation of resources, ISO 42001 doesn’t just mean employing adequate personnel and deploying the necessary data, tooling, systems, and assets (including human capital) to support your AIMS—the framework also mandates a certain level of competence, awareness, communication, and documented information as part of that support.
How to Get Started with Compliance:
- Identify the knowledge, skills, and competencies required for personnel involved in AIMS-related activities and assign/hire them—that includes providing any necessary training for your existing relevant workforce on AI—and document the mechanisms used to verify these competencies.
- Make sure that your employee base is aware of your AI policy and how each individual can aid in achieving the AIMS strategic priorities.
- Establish and use effective communication channels to facilitate the flow of information related to the AIMS, including the importance of individual contributions to the AIMS, policies, procedures, instructions, and feedback.
- Develop and maintain documented information necessary for the effective planning, operation, and control of AIMS processes—make sure that information is accurate, up-to-date, accessible, and properly controlled through designed procedures for such.
Operation (Clause 8)
What’s Required: The implementation of processes regarding your artificial intelligence offerings
Together with Clause 6, Clause 8 is paramount for your compliance—it addresses the conformance of AI operational planning and control within your design, development, and production processes through effective, efficient, and agile implementations.
How to Get Started with Compliance:
- Plan, implement, and control actions determined in your completed AI assessment by implementing and measuring the success of controls related to the operation of the AIMS (refer to the AI controls in Annex A and the implementation guidance in Annex B).
- Monitor the effectiveness of controls and institute corrective actions if intended results are not wholly achieved, all while forming and maintaining documented information to ensure confidence that the processes as stated have been performed.
- Control and formalize planned changes, review the results of unintended changes, act on any perceived or real adverse effects, and verify that third-party products or services needed for the functioning of the AIMS are controlled.
- Perform AI risk assessment, treatment, and impact assessments at planned intervals or when significant changes occur. When treatment plans are not effective, review, revalidate, and update the risk assessment, treatment, and AI impact processes.
- Retain documented information on the process (e.g., policies, standards) and results (e.g., output, reporting, evaluation) of your AI risk assessment, AI risk treatment, and AI impact assessments.
Performance Evaluation (Clause 9)
What’s Required: The monitoring, measurement, analysis, and evaluation of AIMS processes and performance, internal audit against the AIMS framework and applicable Annex A controls, and a dedicated management review
Clause 9 requires the measurement of key performance indicators, regular internal audits, and management review, which constitute inputs towards analysis and evaluation for driving AIMS effectiveness over the entire certification lifecycle.
How to Get Started with Compliance:
- Design and implement a systematic approach to collecting, recording, and analyzing performance data—whatever you can measure for an accurate heartbeat of your AI product/tool—to evaluate the effectiveness and efficiency of AI operational processes, its conformity to expected behavior, its performance versus real human capability, and real or perceived customer satisfaction, among any other relevant metrics.
- Conduct regular, impartial / objective internal audits against ISO 42001 requirements. (These can be done by a qualified third party or by internal personnel not involved in the running of the AIMS.)
- Regularly review AIMS performance data and feedback to evaluate the effectiveness of the AIMS and identify opportunities for improvement.
- Document and store information related to the operational effectiveness of the AIMS, including the results of regular measuring, internal audit against ISO 42001 requirements, and the subsequent resulting reports related to both measuring and internal audit delivered to top management during planned regular management reviews.
Improvement (Clause 10)
Though taking a systemic approach to artificial intelligence management through the establishment of an AIMS is already a big step, ISO 42001 also requires that you remain vigilant and seek opportunities to further enhance the success and functioning of your AIMS—that includes adapting your AIMS to any changing technologies, circumstances, or objectives. The compliance journey will necessitate the correction of gaps, identified as major or minor nonconformities, which can be raised by your organization, your internal auditors, or by an external certification body performing a readiness assessment or initial certification.
How to Get Started with Compliance:
- Develop processes for identifying, documenting, and addressing nonconformities, areas of concern, and opportunities for improvement identified through internal or external assessments to ensure the implementation of necessary corrective actions to prevent recurrence.
- Establish and analyze systematically the root cause of any identified deviation from the ISO 42001 standard requirements and periodically evaluate the results of each applied corrective step to sustainably remediate nonconformities when they arise.
- Continuously monitor and review your AIMS to identify opportunities for the improvement of its suitability, adequacy, and effectiveness.
- Establish mechanisms for capturing and implementing improvement ideas from employees as well as internal and external stakeholders.
Getting ISO 42001 Certified
While you’ll require more than this short outline of clauses 4-10 to implement a comprehensive AIMS, we hope that what has been provided here will make for a good start in addressing the requirements of each of these key clauses within ISO 42001 as you build out your AIMS.
If we could offer one last tip, it would be to document everything as you go through these planning and implementation motions, as not only will that be key for compliance, but it’ll also help streamline your operations throughout the certification lifecycle.