Many organisations working with ISO 27001 find that ISO 42001 feels familiar. Both standards are built on the same principles of management commitment, risk management and continual improvement.
Nevertheless, ISO 42001 is more than an AI version of ISO 27001. The standard introduces several controls developed specifically for the challenges that artificial intelligence creates. It is not only about information security, but also about consequences for people, data quality, transparency and the responsible use of AI.
Here are seven of the most important control areas that distinguish ISO 42001 from traditional management systems.
1. Impact assessments of AI systems
A central requirement in ISO 42001 is that the organisation must assess the consequences AI systems may have for individuals, groups and society as a whole.
An AI system can function technically as expected whilst simultaneously creating unintended consequences. For example, it may affect recruitment processes, customer handling or the basis for decisions in ways the organisation had not foreseen.
This perspective is far less prominent in ISO 27001, where the primary focus is on protecting information and reducing security risk.
2. Responsible development of AI systems
ISO 42001 places significant emphasis on how AI systems are developed.
The organisation must define objectives and processes for responsible development, so that considerations such as quality, reliability, security and ethical factors become an integral part of the development work.
This is an important distinction from traditional IT systems. For AI, risk is not only about the technology itself, but also about how the system is designed, trained and deployed.
3. Verification and validation of AI systems
Traditional software is tested to ensure it functions as expected. For AI, this is not sufficient.
An AI system can be technically correct and still produce misleading or undesirable results. ISO 42001 therefore requires verification and validation throughout the entire lifecycle.
The organisation must be able to document how the AI system has been tested, which criteria have been used and how the results have been assessed.
4. Monitoring AI systems in operation
A common misconception is that AI risk is assessed once at the point of implementation.
In practice, AI systems can change in character over time. The underlying data can evolve, usage patterns can shift, and performance can degrade below what was expected at deployment.
ISO 42001 therefore requires the organisation to establish processes for ongoing monitoring of AI systems’ performance and behaviour.
This is an area in which many organisations currently have limited experience.
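The kind of ongoing check the monitoring requirement calls for can be quite simple. The following is an added example, not code from the article or from the standard: it compares the distribution of an AI system's outputs in a later production window against the distribution seen at validation time, using the population stability index (PSI), and flags the window when the shift exceeds a threshold. The output categories, both windows and the 0.25 alert threshold are constructed assumptions for illustration; a real deployment would pick categories, window sizes and thresholds from its own validation data.

```python
import math
from collections import Counter

# Constructed sample data (assumption, not real system output): the categories a
# decision-support classifier emitted during validation (the baseline) and
# during a later production window.
BASELINE_WINDOW = ["approve"] * 70 + ["review"] * 20 + ["reject"] * 10
PRODUCTION_WINDOW = ["approve"] * 40 + ["review"] * 25 + ["reject"] * 35

# Assumed alert threshold. 0.25 is a widely used rule of thumb for "significant
# shift"; the right value depends on the system and must be justified locally.
PSI_ALERT_THRESHOLD = 0.25


def distribution(samples, categories):
    """Relative frequency of each category in a window of outputs."""
    counts = Counter(samples)
    total = len(samples)
    return {c: counts.get(c, 0) / total for c in categories}


def population_stability_index(baseline, current, epsilon=1e-6):
    """PSI = sum over categories of (p_cur - p_base) * ln(p_cur / p_base).

    epsilon guards against a category that is absent from one window, which
    would otherwise produce a division by zero or log(0).
    """
    categories = sorted(set(baseline) | set(current))
    base = distribution(baseline, categories)
    cur = distribution(current, categories)
    psi = 0.0
    for cat in categories:
        p_base = max(base[cat], epsilon)
        p_cur = max(cur[cat], epsilon)
        psi += (p_cur - p_base) * math.log(p_cur / p_base)
    return psi


def drift_report(baseline, current, threshold=PSI_ALERT_THRESHOLD):
    """Summarise one monitoring run in a form that can be logged as evidence."""
    psi = population_stability_index(baseline, current)
    categories = sorted(set(baseline) | set(current))
    return {
        "psi": round(psi, 4),
        "threshold": threshold,
        "drift_detected": psi >= threshold,
        "baseline_distribution": distribution(baseline, categories),
        "current_distribution": distribution(current, categories),
    }


if __name__ == "__main__":
    report = drift_report(BASELINE_WINDOW, PRODUCTION_WINDOW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Logging each report alongside the window it was computed from gives the documented trail of ongoing monitoring that the standard asks for, and a drift alert is the trigger for re-running the verification and validation activities from the previous section rather than an end in itself.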
5. Data quality and data provenance
The quality of an AI system is closely linked to the quality of the data it is built on.
ISO 42001 therefore includes several controls relating to data collection, data quality, data management and documentation of data provenance.
For many organisations, this will be one of the most demanding areas. It is often easier to procure an AI tool than to document the quality of the data used to train, configure or operate it.
Poor data rarely produces good AI results.
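One practical way to make data provenance documentable and checkable is to record, for each dataset used to train or configure a system, where it came from, under which terms, who collected it, and a cryptographic hash of every file, and then to verify those hashes before each use. The following is an added example, not code from the article or a method the standard prescribes: it builds such a manifest for a directory of dataset files and later verifies the directory against it, reporting missing or modified files. The file names, contents and metadata fields are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large datasets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(dataset_dir, source, licence, collected_by):
    """Record provenance metadata plus a hash and size for every file in the directory."""
    entries = []
    for name in sorted(os.listdir(dataset_dir)):
        path = os.path.join(dataset_dir, name)
        if os.path.isfile(path):
            entries.append({
                "file": name,
                "sha256": sha256_file(path),
                "bytes": os.path.getsize(path),
            })
    return {
        "source": source,            # e.g. the system or supplier the data came from
        "licence": licence,          # the terms under which it may be used
        "collected_by": collected_by,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(dataset_dir, manifest):
    """Return a list of problems; an empty list means the data matches the record."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(dataset_dir, entry["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {entry['file']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['file']}")
    return problems


def demo():
    """Create a constructed dataset, record it, verify it, then detect a later change."""
    with tempfile.TemporaryDirectory() as dataset_dir:
        # Constructed sample files (assumption, not real training data)
        with open(os.path.join(dataset_dir, "records.csv"), "w") as f:
            f.write("id,text\n1,example\n")
        with open(os.path.join(dataset_dir, "labels.csv"), "w") as f:
            f.write("id,label\n1,positive\n")

        manifest = build_manifest(
            dataset_dir,
            source="internal-ticketing-export",   # constructed example value
            licence="internal use only",          # constructed example value
            collected_by="data-team",             # constructed example value
        )
        clean = verify_manifest(dataset_dir, manifest)

        # Simulate someone editing a label file after the record was made
        with open(os.path.join(dataset_dir, "labels.csv"), "a") as f:
            f.write("2,negative\n")
        tampered = verify_manifest(dataset_dir, manifest)

        return clean, tampered, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("before change:", clean or "OK")
    print("after change:", tampered)
```

The manifest itself is the provenance record to keep under version control next to the model; re-running the verification step in the training or configuration pipeline turns "we know where the data came from" into something an auditor can check rather than take on trust.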
6. Transparency and information for stakeholders
Users and other stakeholders must understand how AI systems affect them.
ISO 42001 therefore emphasises documentation, information for users and reporting of unintended consequences.
This is not necessarily about explaining every technical detail, but about providing sufficient information for users to understand the system’s purpose, limitations and risks.
Transparency is becoming increasingly important as AI is adopted in more business-critical processes.
7. Intended use of the AI system
An AI system should be used for the purpose for which it was developed or assessed.
This may seem self-evident, but in practice many organisations find that employees start using AI tools in new areas without the risks having been assessed in advance.
A tool approved to assist with content production is suddenly used as a decision-support tool, an analytical tool or a source of professional judgements.
ISO 42001 addresses this challenge by requiring the organisation to maintain control over what AI systems are actually being used for.
AI governance is about more than security
Organisations already working with ISO 27001 will recognise many of the principles in ISO 42001. Both standards are concerned with governance, accountability and risk management.
At the same time, ISO 42001 introduces several new perspectives specific to artificial intelligence. Impact assessments, data quality, transparency and responsible use are areas that rarely receive the same degree of attention in traditional management systems.
It is precisely these controls that make AI governance something more than information security. The goal is not only to protect the organisation against risk, but also to ensure that AI systems are developed and used in a responsible, verifiable and trustworthy manner.
Talk to us about AI management systems
We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!
