
ISO 42001: The standard for AI management systems

ISO 42001 advisory services

ISO 42001 is the world’s first international standard for AI management systems. The standard gives organisations a framework for managing risk, accountability, transparency and continual improvement in connection with the use of artificial intelligence (AI).

As artificial intelligence becomes an increasingly important part of organisations’ work processes, requirements for control, documentation and responsible use are also growing. At the same time, the EU is introducing new regulations through the AI Act. This is driving growing interest in establishing an AI management system based on ISO 42001.

In this article, we explain what ISO 42001 is, which organisations it is relevant for, what requirements it sets out, how it relates to the AI Act and how organisations can work towards certification.

What is ISO 42001?

ISO/IEC 42001:2023 is the world’s first international standard for artificial intelligence management systems. The standard has been developed by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) and describes the requirements for an Artificial Intelligence Management System (AIMS).

In the same way that ISO 9001 provides a framework for quality management and ISO 27001 provides a framework for information security, ISO 42001 provides a framework for the governance of artificial intelligence.

The goal is to help organisations use AI in a responsible, documented and controlled manner. The standard covers the development, procurement, implementation and use of AI systems.

ISO 42001 can be used by organisations in all industries and of all sizes, whether they develop their own AI solutions or use AI technology supplied by others.

Why was ISO 42001 developed?

AI creates significant opportunities for efficiency, innovation and better decision support. At the same time, the technology introduces new types of risk that traditional management systems do not fully address.

Organisations must, amongst other things, address questions such as:

  • How do we ensure that AI models produce reliable results?
  • How do we detect bias or discrimination in AI systems?
  • How do we document decisions that have been influenced by AI?
  • How do we safeguard data protection and information security?
  • Who is accountable if AI provides incorrect recommendations or decision support?
  • How do we monitor AI systems that evolve over time?

ISO 42001 was developed to give organisations a structured method for addressing these challenges through established management principles, risk management and continual improvement.

Certain QMS advisory services

Who is ISO 42001 relevant for?

Many assume that ISO 42001 is only relevant for technology companies that develop their own AI models. In practice, the target audience is far broader. The standard is relevant for all organisations that develop, supply or use AI in their products, services or work processes.

General businesses

Organisations that use tools such as Microsoft Copilot, ChatGPT or other AI features in their day-to-day work processes.

Healthcare and public sector

Organisations that use AI for analysis, decision support or automation of work processes.

Industry and manufacturing

Companies that use AI for predictive maintenance, quality control or production optimisation.

Finance and insurance

Organisations that use AI for risk assessments, fraud detection or automated decision-making.

Software companies

Organisations that develop AI-based products or build AI functionality into existing solutions.

Consultancy and advisory firms

Organisations that assist clients with AI advisory services, implementation or development.

Are you already using AI in your organisation?

Many organisations think of AI as advanced language models or purpose-built solutions. The reality is that many organisations are already using AI today without being consciously aware of it.

AI is becoming an integrated part of:

• Microsoft 365
• CRM systems
• ERP solutions
• Analytics and reporting tools
• Marketing platforms
• Customer service systems
• Recruitment tools

This means the need for AI governance applies not only to organisations that develop AI, but also to organisations that use AI as part of their work processes.

What is an AI management system?

An AI management system, also referred to as an artificial intelligence management system, is the totality of processes, roles, guidelines, controls and documentation that ensures responsible use of AI within the organisation.

The goal is not to control the technology alone. The goal is to control how the organisation uses the technology.

An AI management system contributes, amongst other things, to:

• Clear roles and responsibilities
• Systematic risk management
• Control over data and models
• Documentation of decisions
• Monitoring of AI systems
• Non-conformity handling
• Continual improvement

In the same way as other ISO-based management systems, the AI management system should be an integrated part of the organisation’s leadership and operations.

How is ISO 42001 structured?

ISO 42001 follows the same harmonised structure used in modern ISO standards. This makes it easier to integrate the standard with existing management systems such as ISO 9001 and ISO 27001.

The requirements are organised into the following main clauses.

Clause 4 – Organisational context

The organisation must understand how AI affects stakeholders, business objectives and its environment.

Clause 5 – Leadership

Management must establish policy, responsibilities and objectives for the AI management system.

Clause 6 – Planning

The organisation must identify risks, opportunities and necessary actions.

Clause 7 – Support

Requirements for competence, resources, communication and documentation.

Clause 8 – Operations

Management of AI-related activities and processes.

Clause 9 – Performance evaluation

Monitoring, measurement, internal audit and management review.

Clause 10 – Improvement

Handling of non-conformities and continual improvement of the management system.


What requirements does ISO 42001 set out?

Although the standard contains many detailed requirements, there are a number of central themes that recur throughout.

AI governance

The organisation must establish clear governance mechanisms for the use of artificial intelligence. This includes, amongst other things, roles, responsibilities, decision-making processes and reporting.

Risk management

AI-related risks must be identified, assessed and managed systematically. The risks may be technical, legal, ethical or commercial in nature.

Impact assessments

The standard places significant emphasis on understanding the consequences AI systems may have for individuals, the organisation and society.

Lifecycle management

AI systems must be governed throughout their entire lifecycle:

• Planning
• Development
• Testing
• Implementation
• Operations
• Monitoring
• Decommissioning

Data governance

The organisation must maintain control over the quality, provenance and use of data employed in AI systems.

Transparency

Stakeholders must receive the necessary information about how AI is used and what consequences its use may have.

Continual improvement

The AI management system must be evaluated and improved over time in the same way as other management systems.


Which organisations should establish an AI management system?

There is no definitive answer, but certain organisations will have greater need than others.

An AI management system is particularly relevant if the organisation:

• Develops its own AI solutions
• Delivers AI-based services to customers
• Uses AI in decision-making processes
• Processes personal data through AI
• Operates in regulated industries
• Anticipates requirements from customers or authorities relating to AI

Many organisations are already finding that customers are asking questions about how AI is used, which data is employed and which controls are in place.


How does ISO 42001 differ from ISO 9001?

ISO 9001 is about quality management.

ISO 42001 is about the governance of artificial intelligence.

Both standards are built on risk-based thinking, management commitment and continual improvement. ISO 42001, however, introduces requirements that are specific to AI.

These include, amongst others:

• AI risk assessments
• Data governance
• Transparency
• Human oversight
• Impact assessments
• AI-specific governance

For organisations already certified to ISO 9001, much of the structure will be familiar.

How does ISO 42001 differ from ISO 27001?

ISO 27001 focuses on information security.

ISO 42001 focuses on the governance of artificial intelligence.

There is significant overlap between the standards, particularly in:

• Risk management
• Supplier management
• Documentation
• Internal audit
• Management review
• Continual improvement

Many organisations will therefore be able to integrate ISO 42001 with existing management systems based on ISO 27001.

What is the difference between ISO 42001 and AI governance?

AI governance describes the discipline or field concerned with the management of artificial intelligence.

ISO 42001 is a concrete standard that describes how organisations can establish a management system for AI governance.

One way to put it is:

• AI governance is the goal.
• ISO 42001 is the framework.

In the same way, information security is the field, whilst ISO 27001 is the standard that describes how the work can be organised.

How does ISO 42001 relate to the EU AI Act?

The AI Act is the EU’s regulatory framework for artificial intelligence.

ISO 42001 is an international standard for AI management systems.

These are two different things, but they share many common themes.

The AI Act sets legal requirements for certain types of AI systems. ISO 42001 provides a governance framework that can help organisations establish the processes, responsibilities and documentation that support compliance with these requirements.

Both focus, amongst other things, on:

• Risk management
• Documentation
• Transparency
• Accountability
• Monitoring
• Human oversight

Can an organisation be certified to ISO 42001?

Yes. ISO 42001 is an international standard and can be certified through accredited certification bodies in the same way as ISO 9001 and ISO 27001.

Interest in ISO 42001 is still at an early stage, but many expect demand to increase significantly as the AI Act gains greater relevance and AI is adopted by a growing number of organisations.

How does an organisation become certified to ISO 42001?

The path to certification will vary between organisations, but typically involves the following steps:

1. Map current AI use

Identify which AI systems are in use within the organisation.

2. Carry out a gap analysis

Compare current practice against the requirements of ISO 42001.

3. Establish an AI management system

Define roles, responsibilities, processes and the necessary documentation.

4. Implement the necessary controls

Carry out actions relating to risk management, data governance and AI governance.

5. Carry out an internal audit

Verify that the management system is functioning as planned.

6. Carry out a management review

Management must evaluate the system’s effectiveness and maturity.

7. Certification audit

An accredited certification body carries out an audit and assesses whether the requirements have been met.

How to get started with ISO 42001

For many organisations, the most important first step is to gain an overview.

Start by mapping:

• Which AI tools are in use within the organisation
• Who is using them
• Which data is being processed
• Which risks exist
• Which requirements customers or authorities are setting

The organisation can then establish a management system that builds on existing processes for quality, information security, data protection and risk management.


Summary

ISO 42001 is the world’s first international standard for AI management systems. The standard gives organisations a structured framework for managing risk, accountability, transparency and continual improvement in connection with the use of artificial intelligence.

As AI becomes an increasingly important part of how organisations work, make decisions and deliver services, the need for AI governance and documented management will grow.

For organisations wishing to establish an AI management system, prepare for the AI Act or document maturity in the responsible use of artificial intelligence, ISO 42001 is likely to become one of the most important standards in the years ahead.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling


Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.
