This is the third part of our blog series on Lessons from Business in Adopting ISO/IEC 42001:2023 Information technology – Artificial intelligence – Management system. For the preceding parts, see:
In this blog we share organizations' experiences of implementing ISO/IEC 42001:2023 Information technology – Artificial intelligence – Management system, in practice. We start by discussing early adopters' expectations of the standard.
Utilizing a common standards framework
With most organizations already familiar with mature standards and regulations, it is argued that implementation will be relatively straightforward. Early adopters were asked about their expectations of the standard. Largely, organizations expected the standard to be similar to other standards, which was found to be the case. Specifically, organizations note that the standard shares a common framework, clauses and requirements, and is written in the same style as BS ISO/IEC 27001:2023 Information security, cybersecurity and privacy protection and BS ISO 9001:2015 Quality Management System.
Ease of integrating the standard with existing processes
Early adopters were asked how easy they thought it would be to integrate this standard into existing processes, policies, procedures and best practices. Overall, most feel integration will be relatively easy. Key to this argument is the belief that the standard does not require a completely new policy or management system, but rather adjustments to existing processes.
With many organizations compliant (and often certified) to ISO standards, such as ISO/IEC 27001 and ISO 9001, along with various sector-specific standards and associated legislation, most are keen to use the standard to identify possible gaps in existing policies and procedures rather than develop new policy in its entirety.
Many organizations value the reference to the integration of other management systems and standards, acknowledging that ISO/IEC 42001 would not operate in a vacuum but augment existing procedures and management systems. Indeed, the standard is developed using a harmonized structure (identical clause numbers, clause titles, text, common terms and core definitions) to ensure alignment with other management systems. This common approach helps facilitate implementation and consistency with other management systems related to quality, safety, security and privacy.
BSI has also published a white paper explaining what a management system standard is, within the context of ISO/IEC 42001 in comparison to ISO 9001. It offers guidance on the best way to implement a management system standard and identifies the next steps for integrating the implementation of the standards together.
It was also noted that AI is just another source of risk that the organization needs to control, and its governance would, in principle, be an extension of the information security risk addressed with ISO/IEC 27001.
The extent of compliance to the standard
Early adopters were asked about the extent to which their organization would be compliant to the standard. Many organizations believed they had a strong culture of compliance and expected to be fully compliant to the standard. Nonetheless, the extent to which the organization can be compliant comes down to company-wide commitment, accountability, and universal adherence to stated practices. Further, with an emphasis on augmenting existing systems, many organizations expect to be compliant within the "spirit of ISO/IEC 42001", rather than developing an entirely new management system.
Challenges ahead
Although organizations are mostly confident about implementing ISO/IEC 42001, a few concerns surface, namely:
- How to identify and manage supplier risk?
Most organizations expect to reach out to their supply chain to discuss with suppliers what processes and procedures they have in place to mitigate the risk of AI in the systems they use as part of their offering.
- How to align to international legislation?
Those operating in international markets are keen to understand what the legislative requirement will be. Mostly, organizations expect that compliance to ISO/IEC 42001 will ensure they are largely in line with up-and-coming legislation such as the EU AI Act and wider policy.
- How to identify risk benchmarks?
Currently, there is very limited data on what might constitute standardized risk benchmarks and performance metrics that organizations can align their risk controls to. That said, the US National Institute of Standards and Technology (NIST) has developed a Cyber Risk Scoring (CRS) solution that provides quantitative risk-based analysis, assessment, and reporting.
- How to manage reputational risk?
There are concerns about how organizations will manage the possible reputational damage of failures in AI systems and technologies.
Because many businesses are keen to better understand opportunity, innovation and compliance, but are mindful of the complexities of AI systems, BSI has developed The Little Book of AI, a guide designed to support organizations in navigating the intricacies of AI implementation. This Little Book provides valuable insights for businesses of all sizes interested in using AI technology to improve business operations and support their workforce.
What's next in the Lessons from Business blog series?
In the final blog of this series, we will look at how organizations are using ISO/IEC 42001 to help in adopting responsible AI management.