Upcoming Webinar | AI Meets ISO: What Makes ISO 42001 Different from ISO 27001 & 27701 on August 14th @ 1:00 PM ET

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

How ISO 42001 “AIMS” to Promote Trustworthy AI Blog Feature
Danny Manimbo

By: Danny Manimbo

Print/Save as PDF

How ISO 42001 “AIMS” to Promote Trustworthy AI

ISO Certifications | Artificial Intelligence

Published: Nov 3, 2023

Last Updated: Feb 5, 2025

NOTE: This blog was originally published on 11/3/2023 based on the ISO/IEC DIS 42001 and has been updated as of 1/5/2024 as a result of ISO/IEC 42001:2023 (ISO 42001) being officially published on 12/18/2023.

The regulation and responsible use of artificial intelligence (AI) has been a hot topic of 2023, prompting the release of NIST’s AI Risk Management Framework to help organizations secure this emerging tech. More standards are on the way that will address the need to implement safeguards addressing the security, safety, privacy, fairness, transparency, and data quality of AI systems throughout their life cycle—including ISO/IEC 42001.

ISO is already well-known among those interested and invested in cybersecurity, as it offers frameworks for the implementation of different management systems that can help you improve different aspects of your organization. Now—through the release of ISO 42001—ISO is getting into the AI game with what are the best practices for an AI management system (AIMS). 

In this blog post, we’ll break these details down into ISO 42001’s structure, objectives, and intent so that you have a better idea of whatthe standard looks like and whether it suits your organization.

What is ISO 42001?

As a new AI management system standard (MSS), ISO 42001 is expected to ask organizations to take a risk-based approach in applying the requirements to AI use (as applying the AIMS more broadly to all use cases within an organization can harm other business objectives without realizing any tangible benefits or raising additional concerns).

The other, and perhaps most exciting, initial takeaway may be that, while ISO 42001 will be a certifiable, management system framework—the aforementioned AIMS—the standard has been drafted in such a way as to facilitate integration with other, existing MSS, such as:

Since the issues and risks surrounding AI in those areas of security, privacy, and quality, among others, should not be managed separately for AI—but rather holistically—the adoption of an AIMS can enhance both the effectiveness of an organization’s existing management systems in those areas and your overall compliance posture.

That being said, it’s important to note that ISO 42001 does not require other MSS to be implemented / certified as a prerequisite, nor is it the intent of ISO 42001 to replace or supersede existing quality, safety, security, privacy, or other MSS.

Still, the potential for such integration will help organizations who need to meet the requirements of two or more such standards, though the focus of each implemented MSS must remain unique—e.g., information security with ISO 27001. Should you opt to adhere to ISO 42001, you’ll be expected to focus your application of the requirements on features that are unique to AI and the resulting issues and risks that arise with its use.

Sign up to discover more ISO content from Schellman’s Weekly Read delivered every Friday morning.

ISO 42001 Structure

What’s more, the structure of the eventual ISO 42001 will appear very familiar to those who’ve already been ISO 27001 certified, as ISO 42001 also features:

  • Clauses 4-10; and
  • An Annex A (normative1) listing of controls that can help organizations* both:
    • Meet objectives as they relate to the use of AI; and
    • Address the concerns identified during the risk assessment process related to the design and operation of AI systems.

* These particular controls are not intended to be exhaustive—rather, they’re meant to be a reference to ensure that no necessary controls have been overlooked / omitted, and you are free to design (or leverage from existing sources) and implement different or additional controls as needed, beyond those in Annex A.

 

Within the current draft of ISO 42001, the 38 Annex A controls touch on the following areas:

  • Policies related to AI
  • Internal organization (e.g., roles and responsibilities, reporting of concerns)
  • Resources for AI systems (e.g., data, tooling, system and computing, human)
  • Impact analysis of AI systems on individuals, groups, & society
  • AI system life cycle (e.g., system requirements, development, operation, monitoring)
  • Data for AI systems (e.g., quality, provenance, preparation)
  • Information for interested parties of AI systems (e.g., external reporting, communication of incidents)
  • Use of AI systems (e.g., responsible / intended use, objectives)
  • Third-party relationships (e.g., suppliers, customers)

ISO 42001 also contains an Annex B and Annex C:

Annex B (Normative)

Annex C (Informative2)

Provides the implementation guidance for the controls listed in Annex A

(Think of this similar to the separate ISO 27002 standard for ISO 27001’s Annex A.)

Outlines:

  • The potential organizational objectives
  • Risk sources
  • Descriptions that can be considered when managing risks related to the use of AI

ISO 42001 Objectives and Risk Sources

Those potential objectives and risk sources referenced in Annex C address the following areas:

Objectives

Risk Sources
  • Accountability
  • AI expertise
  • Availability and quality of training data
  • Environmental impact
  • Fairness
  • Maintainability
  • Privacy
  • Robustness
  • Safety
  • Security
  • Transparency and explainability
  • Complexity of environment
  • Lack of transparency and explainability
  • Level of automation
  • Risk sources related to ML
  • System hardware issues
  • System life cycle issues
  • Technology readiness

1 Normative elements are those that are prescriptive, that is they are to be followed in order to conform with scheme requirements.
2 Informative elements are those that are descriptive, that is they are designed to help the reader understand the concepts presented in the normative elements.

And finally, ISO 42001 contains an Annex D (Informative) that speaks to the use of an AIMS across domains or sectors.

The Intent of ISO 42001

Organizations meeting those objectives and mitigating those risk sources as outlined in the ISO 42001 framework will be helpful as AI use overall continues to expand—this tech is increasingly being applied across all sectors utilizing IT and trends demonstrate that it’s expected to be one of the main economic drivers over the coming years.

As such, the intent of ISO 42001 is to help organizations responsibly perform their roles in the use, development, monitoring, or provision of products or services that utilize AI so as to secure the technology. 

Special focus through the ISO 42001 framework can help organizations implement the different safeguards that may be required by certain features of AI—features that raise additional risks within a particular process or system (in comparison to how the same task would traditionally be performed without the application and use of AI).

 Examples of these “certain features” that would warrant specific safeguards are:

  • Automatic Decision-Making – When done in a non-transparent and non-explainable way, may require specific administration and oversight beyond that of traditional IT systems.
  • Data Analysis, Insight, and Machine Learning (ML) – When employed in place of human-coded logic to design systems, these change the way that such systems are developed, justified, and deployed in ways that may require different protections.
  • Continuous Learning – AI systems that perform continuous learning change their behavior during use and require special considerations to ensure their responsible use continues in their state of constantly changing behavior. 

Available AI Cybersecurity Guidance / Regulation That Can Help

Organizations need to get started on securing their AI use as soon as possible, and while ISO 42001 can now help, there are other important developments you may want to also consider:

  • EU AI Act (In Progress): At the time of this blog’s publication, the EU is also in the process of finalizing its own AI use regulation that is centered around excellence and trust and aims to boost research and industrial capacity while ensuring safety and fundamental rights.
  • HITRUST CSF v11.2.0 AI Requirements: To accommodate the ever-evolving cybersecurity threat landscape, HITRUST has released HITRUST CSF v11.2.0, updating its framework to include more pertinent concepts—including additions around AI risk management content.

What’s Next for ISO 42001 (Including  Schellman’s Accreditation)

Even with all these major new milestones regarding AI, America appears to be firmly committed to moving further toward, if recent comments from Vice President Kamala Harris are any indication:

“History has shown in the absence of regulation and strong government oversight, some technology companies choose to prioritize profit over the wellbeing of their customers, the security of our communities and the stability of our democracies…One important way to address these challenges – in addition to the work we have already done – is through legislation. Legislation that strengthens AI safety without stifling innovation.”

 

While not legislation per se, ISO 42001 still represents the next major development in AI security. Now that it's published, Schellman intends to begin the process of extending its MSS accreditation and suite of ISO services to include this standard in January 2024. We’ll be sharing updates regarding how that process progresses, and we hope to receive accreditation to begin performing certification audits for our clients in mid-to-late Q2 / early Q3 2024.

In the meantime, we know that you'll be kickstarting your preparation for ISO 42001, and as part of that we highly recommend having an ISO 42001 gap assessment performed—and that's something we're ready to help you with right now. So, if you'd like to learn more about that assessment—or if you have any other questions regarding AI security—contact us today. 

About Danny Manimbo

Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.