7 AI-specific controls in ISO 42001 that distinguish it from ISO 27001

7 AI-specific controls in ISO 42001 that distinguish it from ISO 27001

Discussion about AI and ISO standards

Many organisations working with ISO 27001 find that ISO 42001 feels familiar. Both standards are built on the same principles of management commitment, risk management and continual improvement.

Nevertheless, ISO 42001 is more than an AI version of ISO 27001. The standard introduces several controls developed specifically for the challenges that artificial intelligence creates. It is not only about information security, but also about consequences for people, data quality, transparency and the responsible use of AI.

Here are seven of the most important control areas that distinguish ISO 42001 from traditional management systems.

1. Impact assessments of AI systems

A central requirement in ISO 42001 is that the organisation must assess the consequences AI systems may have for individuals, groups and society as a whole.

An AI system can function technically as expected whilst simultaneously creating unintended consequences. For example, it may affect recruitment processes, customer handling or the basis for decisions in ways the organisation had not foreseen.

This perspective is far less prominent in ISO 27001, where the primary focus is on protecting information and reducing security risk.

2. Responsible development of AI systems

ISO 42001 places significant emphasis on how AI systems are developed.

The organisation must define objectives and processes for responsible development, so that considerations such as quality, reliability, security and ethical factors become an integral part of the development work.

This is an important distinction from traditional IT systems. For AI, risk is not only about the technology itself, but also about how the system is designed, trained and deployed.

3. Verification and validation of AI systems

Traditional software is tested to ensure it functions as expected. For AI, this is not sufficient.

An AI system can be technically correct and still produce misleading or undesirable results. ISO 42001 therefore requires verification and validation throughout the entire lifecycle.

The organisation must be able to document how the AI system has been tested, which criteria have been used and how the results have been assessed.

Working with ISO

4. Monitoring AI systems in operation

A common misconception is that AI risk is assessed once at the point of implementation.

In practice, AI systems can change in character over time. The underlying data can evolve, usage patterns can shift, and results can deteriorate below expectations.

ISO 42001 therefore requires the organisation to establish processes for ongoing monitoring of AI systems’ performance and behaviour.

This is an area in which many organisations currently have limited experience.

5. Data quality and data provenance

The quality of an AI system is closely linked to the quality of the data it is built on.

ISO 42001 therefore includes several controls relating to data collection, data quality, data management and documentation of data provenance.

For many organisations, this will be one of the most demanding areas. It is often easier to procure an AI tool than to document the quality of the data used to train, configure or operate it.

Poor data rarely produces good AI results.

6. Transparency and information for stakeholders

Users and other stakeholders must understand how AI systems affect them.

ISO 42001 therefore emphasises documentation, information for users and reporting of unintended consequences.

This is not necessarily about explaining every technical detail, but about providing sufficient information for users to understand the system’s purpose, limitations and risks.

Transparency is becoming increasingly important as AI is adopted in more business-critical processes.

7. Intended use of the AI system

An AI system should be used for the purpose for which it was developed or assessed.

This may seem self-evident, but in practice many organisations find that employees start using AI tools in new areas without the risks having been assessed in advance.

A tool approved to assist with content production suddenly gets used as a decision-support tool, analytical tool or source of professional judgements.

ISO 42001 addresses this challenge by requiring the organisation to maintain control over what AI systems are actually being used for.

Certain QMS

AI governance is about more than security

Organisations already working with ISO 27001 will recognise many of the principles in ISO 42001. Both standards are concerned with governance, accountability and risk management.

At the same time, ISO 42001 introduces several new perspectives specific to artificial intelligence. Impact assessments, data quality, transparency and responsible use are areas that rarely receive the same degree of attention in traditional management systems.

It is precisely these controls that make AI governance something more than information security. The goal is not only to protect the organisation against risk, but also to ensure that AI systems are developed and used in a responsible, verifiable and trustworthy manner.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

eHandbook for document control in the healthcare sector

eHandbook for document control in the healthcare sector

eHandbook document control in the healthcare sector

The document module in Certain QMS is the core of the quality management system, bringing together the organisation’s internal procedures, guidelines, routines and other governing documentation in one place.

For many years, the solution has been used by large organisations in the healthcare sector, where it is referred to as the eHandbook — a term with a long history in the sector. The eHandbook in Certain QMS serves as the organisation’s digital reference for both practical working routines and other governing documentation that forms the basis for operations, internal control and systematic quality work.

Key features of the eHandbook

To support the requirements for document control, internal control and quality in the healthcare sector, the eHandbook in Certain QMS covers the entire lifecycle of governing documents — from drafting, internal consultation and approval through to publishing, use and revision. The solution offers, amongst other things:

  • Flexible and customised document templates for different types of procedures, guidelines and instructions, making documentation more consistent and easier to maintain.
  • Approval workflows and clearly defined roles for who can edit, quality-assure, approve and publish documents.
  • Advanced role and access management, which can be integrated with the organisation’s AD/Entra ID, so that employees are automatically granted access to the right content based on their role and department.
  • Restriction of sensitive information, ensuring that certain content is only accessible to defined roles or user groups.
  • HTML-based and searchable documents, combined with the ability to upload various file formats and link to external resources.
  • Change summaries, giving users a quick overview of what is new or changed in a document.
  • Reading lists with acknowledgement, where managers can require employees to read selected documents and have confirmation of completion recorded.
  • Review deadlines and automatic notifications, ensuring that documents do not remain outdated without responsible parties being followed up.
  • Public document portal for external publishing of selected documents, so that procedures, guidelines and other information can be shared online — without requiring a login.

Scope and use of the eHandbook in the healthcare sector

Figures from the large healthcare organisations using the eHandbook in Certain QMS show that the solution is not a passive document archive, but a reference tool that is actively used by employees on a daily basis.

Usage data shows high levels of activity, with thousands of document views each day and a large number of unique users over time. This confirms the eHandbook’s role as a central working environment for governing documentation — for clinical staff, managers and support functions alike.

Examples of document scope and publishing:

Organisation Internal documents Public documents
Oslo University Hospital HF approx. 33,000 approx. 8,000
Vestre Viken HF approx. 18,000 approx. 8,000
Helse Fonna HF 8,000+ approx. 500
Lovisenberg Diaconal Hospital approx. 3,500 0*

 

eHandbook healthcare sector

Public document portal – controlled sharing of governing documentation

Many organisations need to make parts of their documentation available to external users, whilst retaining full control over content, versions and publishing. With the public document portal, selected documents from the eHandbook can be published in a dedicated, open eHandbook portal that is accessible via a browser, with no login required. The documents continue to be maintained, approved and revised within the same solution before being published to the public portal.

In the healthcare sector, this is used, amongst other things, to share patient-facing procedures, information about services, collaboration routines with GPs and other stakeholders, and guidelines that are required to be publicly available. When documents are updated in the eHandbook, they are also updated automatically in the public portal, reducing the risk of outdated information being accessible externally.

The public document portal in Certain QMS thus enables secure public access to and sharing of documents, with full traceability and revision control maintained within Certain QMS.

Experiences from Oslo University Hospital

Oslo University Hospital (OUS) was established in 2009 through the merger of Rikshospitalet, Ullevål University Hospital and Aker University Hospital. The hospital is the largest in Europe, with 24,000 employees.

The eHandbook in a large and complex organisation

OUS has used Certain QMS for effective document control since 2010, and demonstrates a mature and considered approach to the use of the eHandbook. With a document base running to tens of thousands of internal documents and daily use by many thousands of employees, the solution functions as a central knowledge platform across disciplines, roles and locations.

Usage is high throughout the year, with continuous lookups of documents that are directly integrated into both clinical and administrative day-to-day work.

Training and role understanding as the key to effective system use

At OUS, considerable emphasis has been placed on training in the use of the eHandbook, and a dedicated internal support function has been established to build user competence over time. Experience shows that the way in which support and guidance are provided has a significant bearing on whether employees become confident and independent in their use of the system.

Rather than completing tasks on behalf of users, the focus has largely been on explaining how different roles should work within the solution and how tasks are carried out correctly. This has contributed to a strong understanding of roles, higher quality in system use and a clear reduction in the number of support requests over time.

Active use and high engagement with content

Usage statistics show that the eHandbook is used by many thousands of employees, with daily views of thousands of documents. Data from OUS also shows that the solution is not merely visited, but actively used throughout the year.

The figures indicate a high degree of engagement with the content, with employees navigating between pages, opening documents, using search and following the structure of the handbook — rather than retrieving individual documents in isolation.

When training supports quality compliance in practice

Training is not, however, solely about learning to use the system itself — it is about ensuring that quality work is genuinely put into practice across the entire organisation. At OUS, the eHandbook is closely linked to e-learning courses and competence plans associated with different roles, so that employees receive training in both their responsibilities and work processes — not just in the features of the solution.

To maintain quality in document work, employees who are to be granted write access must complete mandatory training before access is granted. In addition, checklists within documents are used to support the correct completion of key tasks in day-to-day work, and a refresher shortly after training is recommended to ensure that knowledge is translated into practice.

OUS's public document portal: a national reference for procedures and professional practice

The public document portal at OUS is not only used internally, but is also actively used by other actors in the healthcare sector. Healthcare professionals across the country can look up how OUS approaches various procedures, treatments and interventions, and use this as guidance in their own work. In this way, OUS effectively serves as a national reference for the design of procedures, the content of routines and professional practice across a wide range of areas.

This is closely connected to the role Oslo University Hospital plays in medical research and the training of healthcare professionals in Norway. As a university hospital, OUS contributes significantly to the development of professional standards, and through publicly available documentation this knowledge can be shared broadly across the sector — in a structured, quality-assured and up-to-date manner.

View OUS’s public eHandbook here: ehandboken.ous-hf.no

Taken together, the experiences from OUS demonstrate how the eHandbook can be used as an active tool for building competence, ensuring quality and enabling efficient operations — not merely as a place where documents are stored.

From documentation to quality in practice

In complex organisations, effective document control is a prerequisite for good and efficient management.

Experience from the healthcare sector shows that the true value of the eHandbook is realised when it becomes a natural part of day-to-day work — where employees can easily find current routines and training is closely linked to the governing documentation.

Over time, this contributes to shared practice, fewer errors and a stronger basis for improvement — and experience from Oslo University Hospital and others demonstrates that the right structure, clearly defined roles and active use deliver lasting benefits for the organisation as a whole.

Marte Sunde

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.

EU AI Act readiness: the first step towards compliance with the AI Act

EU AI Act readiness: the first step towards compliance with the AI Act

EU Act readiness

The AI Act (EU AI Act) has been adopted in the EU and is expected to be incorporated into the EEA Agreement. At the same time, the use of artificial intelligence is growing rapidly in both the public and private sectors.

For many leaders, the question is no longer whether the organisation uses AI, but how much it is used, which processes it affects, and which requirements may become relevant when the regulation takes effect.

The challenge is that many organisations lack sufficient visibility to be able to answer these questions. This is where AI Act readiness comes in.

What is AI Act readiness?

AI Act readiness is a structured assessment of an organisation’s use of artificial intelligence, with the aim of identifying how the AI Act may affect the organisation.

The assessment gives leadership a basis for understanding:

  • which AI systems are in use
  • which processes are affected by AI
  • which parts of the organisation may be subject to stricter requirements
  • which actions should be prioritised going forward

The goal is not to document full compliance with the AI Act. The goal is to gain sufficient visibility and understanding to plan further work in a risk-based manner.

AI Act readiness rådgivere

Why should organisations start now?

For most organisations, the greatest challenge will not be writing documentation or establishing new procedures. The greatest challenge will be understanding how artificial intelligence is actually being used within the organisation.

The larger the organisation, the more difficult this becomes.

AI is used today through:

  • generative AI tools such as ChatGPT, Copilot and Gemini
  • AI features in existing business systems
  • analytical and decision-support tools
  • supplier solutions that contain AI functionality

Many organisations may therefore have a significantly larger AI portfolio than leadership is aware of.

The AI Act does not affect all organisations equally

The AI Act is risk-based, and the implications of the regulation depend largely on how AI is used. This means no one can determine how significant the AI Act will be without first mapping the organisation’s AI portfolio.

What does an AI Act readiness assessment include?

A typical assessment will cover the following.

Mapping the AI portfolio

Which AI solutions exist within the organisation?

Analysis of use cases

Which processes, decisions and tasks are affected by AI?

Assessment of regulatory exposure

Could any of the solutions fall within the high-risk categories of the AI Act?

Assessment of governance and control

Does the organisation have adequate guidelines, roles and processes for AI use?

Identification of measures

Which areas should be prioritised going forward?

AI Act readiness provides a basis for decision-making

It is easy to jump straight into discussions about AI governance, AI policy or ISO 42001.

For many organisations, however, it is difficult to know which actions are necessary before they have gained an overview of the current situation.

An AI Act readiness assessment gives leadership a fact-based foundation for assessing risk, priorities and further work.

For some organisations, the assessment will show that current AI use represents limited regulatory risk. For others, it may reveal the need for more extensive action relating to governance, documentation and internal control.

Vurdering av AI Act

Start with an overview

The AI Act will not affect all organisations in the same way. The significance of the regulation depends on the organisation’s AI portfolio, use cases and risk profile.

Therefore, the first and most important step is to establish visibility.

Organisations that begin this work early will be better placed to meet both regulatory requirements and the continued development of artificial intelligence.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Quality management with a central framework and local adaptations

Quality management with a central framework and local adaptations

Quality management central frameworks in QMS

When multiple organisations need to collaborate on quality management, a shared challenge frequently arises: how to share structure, requirements and best practice whilst allowing each organisation to adapt the system to its own operations. Whether it involves a group with established HSEQ functions or collaboration between independent organisations, the goal is to strike the right balance between standardisation and local control.

Certain QMS has been developed precisely for this purpose, with a solution that makes it possible to build on a shared quality framework whilst each organisation retains ownership of its own quality management system.

When multiple organisations need to benefit from the same quality framework

In groups and larger organisations with dedicated HSEQ resources, established structures and extensive documentation in the management system typically already exist. The challenge is often to ensure that this content is accessible and straightforward to adopt across all parts of the organisation — across departments and business units.

In alliances and industry collaborations, the starting point is often different. Here, the collaboration typically consists of organisations with limited capacity to develop and maintain a fully functioning quality management system on their own. The need is therefore access to ready-made structures, templates and recommended working methods that can serve as a starting point within their own organisation.

Both situations require a solution that enables quality content to be shared in a structured way, whilst allowing each organisation to adapt the system to its own circumstances and responsibilities.

Support for a shared quality framework with local adaptations

Certain QMS has been developed to support both of these scenarios. The solution can be used both in organisations where shared quality frameworks are defined centrally, and in collaborations where independent organisations have agreed to develop and use shared structures, templates and working methods for quality management.

One master solution – separate quality management systems

A central “master solution” is established, functioning as a shared quality framework with structure, templates and a recommended configuration for the quality management system. The content of the master solution is developed and maintained by a central HSEQ function or a working group with representatives from the various organisations.

Each company receives its own installation of Certain QMS, based on and integrated with the master solution. This provides a shared structure and content, whilst each company has its own users, its own data and full ownership of its own quality work.

In this way, multiple organisations can work within the same quality framework, whilst the system can be adapted to local operations.

How it works

The master solution in Certain QMS can be configured and adapted at several levels, functioning both as a template for system configuration and as a shared starting point for governing documents. These two elements are handled somewhat differently.

Master solution as a template for system structure and modules

Certain QMS consists of several modules for quality management. The master solution can contain ready-made configurations, structures and templates, for example for:

  • Document structure and folder structure
  • Processes and workflows
  • Non-conformity handling and categorisation
  • Risk analyses and risk templates
  • Checklists
  • Annual planners and scheduled activities

When a local installation is created, this configuration is copied from the master solution and used as the starting point for the organisation’s own quality management system.

Once the local installation has been established, the organisation is free to:

  • Modify structures
  • Adjust processes
  • Add or remove content
  • Adapt the system to its own operations

If improvements or changes are subsequently made to the master configuration, these can be transferred to local installations as required — but this is carried out as a managed update, initiated by the system administrator.

This gives the organisation full control over its own quality management system, whilst retaining the option to adopt improvements developed centrally.

Governing documents: continuous synchronisation and local extension

For governing documents, the solution is more dynamic — precisely because this is content that often needs to be kept up to date across organisations.

Documents managed in the master solution are shared with local installations through continuous synchronisation. The system checks at regular intervals whether there are new or revised documents to be made available locally.

 

Examples of governing documents often managed centrally:

  • Top-level policies for quality, HSE and internal control
  • Shared procedures for non-conformity handling and improvement work
  • Guidelines for risk assessment and use of risk matrices
  • Requirements for documentation, traceability and archiving
  • Emergency procedures and notification routines
  • Routines for training and competence assurance
  • Audit programmes and methodology for internal audits
  • Guidelines for supplier follow-up and procurement
  • Templates for work instructions and checklists

 

When documentation is updated centrally:

  • Local users are notified by email
  • They are informed which documents are new or changed
  • It can be assessed whether local adaptations need to be updated

At the same time, each organisation is free to add its own local documents that are not linked to the master solution.

How local extensions work in governing documents

For documents originating from the master, a simple and clear model is used for local adaptation:

The main body of the document is locked for editing, but a dedicated field is available for local clarifications and additions. When this is used, the document is referred to as an extended document.

In this way, the following are preserved:

  • Shared wording and requirements in the main document
  • Whilst local practice can be clearly and correctly documented
Certain QMS eksempel styrende dokument med lokal tilpasning

Example of a governing document where the main content is managed centrally, whilst local clarifications are added in a dedicated field as part of an extended document.

Two purposes – one solution

The master solution in Certain QMS thus supports two distinct needs:

  • as a template for system configuration and quality structure, where local installations are built on a shared foundation
  • and as a shared source for governing documents, with ongoing updates and clear handling of local adaptations

This provides both flexibility in system use and confidence that shared requirements and procedures can genuinely be kept up to date across organisations.

Mirjam Meling

Mirjam Meling

Marketing & Communications Manager

Produces content for Certain QMS on management systems, quality management, information security, and AI governance. She collaborates with subject matter experts to communicate complex topics in a clear and practical way.

Hallucinations, bias and black boxes: the AI risks leaders need to understand

Hallucinations, bias and black boxes: the AI risks leaders need to understand

AI risk

Artificial intelligence is finding its way into an ever-growing number of business processes. Employees use AI to write, analyse, summarise, search for information and generate decision support. Many organisations are also experimenting with AI solutions that integrate with internal systems, documents and workflows.

For many leaders, AI feels primarily like a new type of software. But this is precisely where much of the challenge lies. AI works in a fundamentally different way from most of the systems organisations are accustomed to managing and controlling.

Traditional software follows rules. AI works with probabilities. Traditional systems are built to be predictable. AI is built to handle uncertainty. This gives rise to risks that many leaders have not previously had to contend with.

Lack of determinism and predictability

Most IT systems are deterministic. This means that the same input normally produces the same output.

If a customer orders a product, the order is recorded. If an invoice is overdue, a reminder is sent. If a user lacks access, they cannot log in. The system does what it is programmed to do.

Modern AI works differently. A language model is not built around fixed rules for every possible situation. It is trained on enormous volumes of text and calculates which responses are statistically most likely based on what it has learned.

The result is that AI can solve tasks it has never explicitly been programmed to handle. At the same time, its behaviour becomes less predictable. Two people can ask roughly the same question and receive different answers. Small changes in phrasing or context can significantly affect the outcome.

This is not necessarily a flaw in the technology. It is a characteristic of how modern AI works. But it means that AI must be assessed differently from traditional systems built around fixed rules and predictable processes.

Hallucinations and factual errors

One of the most widely discussed risks of generative AI is hallucinations.

The term describes situations where an AI model produces information that appears plausible and convincing but is actually incorrect. The model can fabricate sources, references, events, quotations or facts without understanding that the information is false.

For many leaders, this is an unfamiliar type of error. When an accounting system calculates the wrong VAT, it is perceived as a system fault. When an AI model presents incorrect information, it can do so in a way that appears both logical, well-structured and professionally credible.

The problem is therefore not simply that AI can be wrong. The problem is that the errors are often difficult to detect.

This is because language models are not built to assess what is true. They are built to generate the most probable answer based on the patterns they learned during training. In most cases, this produces impressive results. But when the model lacks information or misunderstands the context, it can produce answers that appear correct without being so.

Diskusjon om AI risiko

Data quality, bias and skewed outcomes

AI models are a product of the data they learn from.

If the underlying data is incomplete, outdated or contains systematic biases, this will often affect the results the model produces. This applies both to general language models and to organisation-specific AI solutions that are trained or fine-tuned on internal data.

Bias is one of the most commonly used terms in AI risk. It describes situations where a model systematically favours or discriminates against certain groups, perspectives or outcomes.

In practice, the challenge is often more complex than the model simply being “biased”. The model largely reflects the patterns it finds in the data it has been exposed to. If historical data contains biases, AI can perpetuate or amplify them.

Data quality is therefore not only about having correct data. It is also about representativeness, relevance and context. Two models using the same technology can produce very different results depending on the data they are built on.

Lack of explainability and transparency

In many organisations, it is important to be able to explain why a decision was made. This is particularly true in quality, audit, compliance, information security and other areas where traceability is central. AI challenges this principle.

Many modern models function as what is often referred to as a “black box”. You can observe which data goes in, and you can see the result that comes out. But it is not always possible to explain exactly how the model arrived at its conclusion.

This does not mean that AI is necessarily uncontrollable. But it does mean that explainability is often weaker than in traditional rule-based systems.

The more advanced the model becomes, the more difficult it can be to understand which factors influenced the result. For organisations that depend on documentation, audit trails and verifiability, this represents a new type of challenge that many have not previously encountered.

AI risikostyring rådgiver

Automation bias and over-reliance

Perhaps the most underestimated AI risk is not about algorithms or technology. It is about people.

Automation bias is an established term in decision support research, describing people’s tendency to place excessive trust in recommendations from technological systems.

This phenomenon is not new. It has been observed in everything from aviation to medical diagnostics. But generative AI makes the issue more pressing than ever.

When an AI model delivers fast, well-formulated and apparently intelligent responses, it is natural to attribute high value to its recommendations. Over time, people can become less critical and spend less effort on their own assessments.

The risk is therefore not necessarily that AI makes decisions independently. The risk is that people gradually begin to trust the technology without carrying out the professional quality assurance the situation demands.

The better AI becomes at communicating, the more important it becomes to remember that a persuasive answer is not necessarily a correct one.

A technology with new strengths – and new weaknesses

Artificial intelligence represents a significant technological leap, but it also introduces a risk landscape that differs from that of traditional software.

Hallucinations, bias, lack of explainability and automation bias are not necessarily signs that the technology is performing poorly. On the contrary, they are often a consequence of how modern AI is built and why it is so powerful.

For leaders, the task is therefore not to become experts in machine learning or neural networks. It is to understand that AI has different characteristics from the systems organisations have traditionally worked with.

The better one understands these characteristics, the better placed one is to assess both the opportunities and the limitations the technology brings.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.