
What Is ISO 42001 and How Does It Relate to ISO 27001?


Depending on the field in which you work, you’ve almost definitely encountered an ISO standard.

  • ISO 9001 for product quality assurance
  • ISO 14001 for environmental management
  • ISO 27001 for information security
  • ISO 45001 for occupational health and safety

While these might not seem to have much to do with one another, the thread that binds them together is ISO itself. ISO, the International Organization for Standardization, together with the 800+ technical committees that serve as its expert boards in different fields, develops international standards against which businesses and organizations can be measured.

Fun fact: ISO is not actually an acronym; it is derived from the Greek word isos, meaning equal.

There are many, many different ISO standards. Over 25,000 of them, in fact! Many stand alone, but some come with companion standards that cover secondary topics or provide optional, more specialized guidance for particular parts of an industry.

One big one that is gaining attention, particularly in information security circles, is ISO 42001. As you’ve probably guessed from the title of the post and the fact that we’re writing about it, ISO 42001 is related to ISO 27001. So what is this new standard, how does it tie into ISO 27001, and do you need to worry about it for your business?

BLUF - Bottom Line Up Front

ISO sets international standards such as ISO 27001 for information security and ISO/IEC 42001:2023 for AI management. ISO 27001 creates an Information Security Management System; ISO 42001 creates an Artificial Intelligence Management System that addresses ethics, transparency, risk, traceability, and reliability. Both use Plan, Do, Check, Act and allow certification. ISO 42001 audits have document review and functional evaluation plus annual surveillance. Ignyte Platform centralizes documentation for audit readiness.

First Up: What is ISO 27001?

First, a very brief refresher on what ISO 27001 is. ISO 27001 (formally ISO/IEC 27001) is the international standard for information security management. It is similar in many ways to domestic frameworks such as those published by NIST in the United States.

ISO 27001 is a set of guidelines and goals, with the intent of being a flexible and multipurpose framework that businesses of all sizes and in all industries can use to ensure a minimum level of security for the information they handle.

The goal of ISO 27001 is the development and establishment of an Information Security Management System (ISMS). The ISMS is the combination of tools, policies, configurations, and other elements of your information security program that together form a secure whole. ISO 27001 is not prescriptive: it requires, for example, that you define and enforce rules for the use of cryptography, but it does not tell you which specific algorithm or key length to use.

Certification is validated by an audit. The auditor checks your implementation of each clause of the standard and of every Annex A control you declared applicable in your Statement of Applicability. These audits are deep and complex, but the end result is an independently validated ISMS that partners and customers on the international stage can trust. Note that certification attests to the management system, not that the business is free of security weaknesses.

Tens of thousands of businesses worldwide are ISO 27001 certified, and that number grows every year.

What is ISO 42001?

ISO 42001 is one of the newest standards developed by ISO, and with good reason: it covers a technology whose large-scale commercial deployment is only a few years old.

ISO 42001 is formally known as ISO/IEC 42001:2023 – Information technology – Artificial intelligence – Management system. It was developed throughout the early 2020s and was first published in December 2023. The full text can be purchased from ISO directly.

ISO 42001 is the world’s first management system standard for artificial intelligence. Because the field of AI changes rapidly, keeping up with the technological environment and the threats the technology poses is immensely difficult. This standard sets up a management system capable of building awareness of, and resilience to, those threats. To quote ISO directly:

“ISO/IEC 42001 is the world’s first AI management system standard, providing valuable guidance for this rapidly changing field of technology. It addresses the unique challenges AI poses, such as ethical considerations, transparency, and continuous learning. For organizations, it sets out a structured way to manage risks and opportunities associated with AI, balancing innovation with governance.”

Notably, ISO 42001 is not just about security. It covers risk management, innovation opportunity, traceability, transparency, reliability, and responsibility.

It is designed to apply to all AI systems, whether they’re broad-scale LLMs, narrowly-focused task AIs, or anything in between.


ISO also has several other AI-focused standards, which may also be useful to obtain and learn.

  • ISO/IEC 22989 – Information technology – Artificial intelligence – Artificial intelligence concepts and terminology, which defines the vocabulary used in the AI space for reference within other ISO standards.
  • ISO/IEC 23053 – Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML), which provides a framework for describing AI systems that use machine learning.
  • ISO/IEC 23894 – Information technology – Artificial intelligence – Guidance on risk management, which provides informative guidance on the kinds of risks and challenges AI poses that organizations need to understand.

While these other standards are largely informative, ISO 42001 is a management system standard (MSS), the same category as ISO 27001. It is not strictly an ISMS (an information security management system, one type of MSS), but it is similar in concept. You’ll often see the ISO 42001 system referred to as an AIMS, an Artificial Intelligence Management System.

Implementing ISO 42001 follows the same four-step cycle that other ISO management system standards use: Plan, Do, Check, Act. The point is not to look at, say, one vendor’s LLM and manage that product’s specific security risks. Rather, it is to treat AI use across the organization as a whole, learn how to identify and evaluate its risks, and manage them proactively.

How Do ISO 27001 and ISO 42001 Compare?

How do these two standards relate to one another? You can already intuit how something like an AI management standard has an impact on information security, and vice versa, but let’s go through the specifics.

Both Standards Create Management Systems

First of all, the overarching goal of both ISO standards is the same: the development and establishment of a management system. With ISO 27001, it is an information security management system; with ISO 42001, it is an AI management system whose concerns reach beyond security alone.

Overall, the concept is the same. You’re taking a broad and complex environment, distilling it down to the things that matter specifically to your organization, and setting up a network of policies, rules, and technological controls to enforce it.


These rules and policies can cover various domains, including physical and digital security, safety, privacy, fairness, transparency, ethics, and more. There’s a lot to consider, from a lot of different angles, so the standards serve to give you the outline necessary to cover all your bases.

The Scope of Each Standard Varies

With ISO 27001, the scope is broad, but also fairly well fixed. It’s all about the identification and securing of sensitive information, whether it’s user personal information, employee private information, business information, government information, or another kind of sensitive information.

As such, it encompasses every kind of security that can be relevant. While the focus today is largely on digital security, it also covers user behavior, organizational design around concepts like the principle of least privilege, policies for proactively removing unnecessary permissions, and more. Physical security is part of it too, where relevant.

ISO 42001 is less about the specific security challenges posed by individual AI technologies. The main reason is simply the speed at which the AI space is evolving; it is difficult to pin down specific technical challenges when the underlying technology changes several times a year.

Instead, it focuses on more conceptual concerns and on how to translate those concerns into tangible risk analysis. It also covers business-relevant considerations that may not be technical in nature: the ethical use of AI, environmental impact (for example, the effect on carbon-neutrality goals), and even the reputational consequences of AI use.

Establishment of Terminology

One of the biggest benefits of using standards like ISO 27001 or ISO 42001 is the standardization of terminology. Both of these standards reference other standards, like ISO 22989 mentioned above, to pin down specific terms and references.


The goal here is to get everyone on the same page. Putting standard definitions to terms ranging from “risk” and “control” to “AI policy” and “AI objective” helps make sure that discussions internally and externally are all consistent. It’s a powerful way to eliminate miscommunications, particularly between your organization and others that adhere to the same standards, and with auditing organizations.

Planning for Future Success

A huge aspect of both ISO 27001 and ISO 42001 is the establishment of the systems, not just in how they work now, but in how they will continue to work in the future.

If you’ve used ISO 27001 in the past, you know that a big part of it is using the ISMS you develop to evaluate the risks, challenges, benefits, and opportunities that come with a new tool, technology, or system. You can use your ISMS to identify the potential risks, weigh them against the benefits, and decide if and how you want to implement that new tool or system.

ISO 42001 does the same thing, but with a focus on AI specifically. AI raises concerns that earlier technologies did not, from its black-box behavior to the ethical and reputational ramifications of using it. An ISMS built only to ISO 27001 is not equipped to evaluate AI along those dimensions.

Auditing and Certification

ISO 27001 is a well-established framework with many companies capable of providing auditing services to validate the rules and issue certifications. We’ve covered this a lot on our blog in the past.

Not every ISO standard is one that offers certification or requires an audit. The previously mentioned ISO 22989, for example, is more akin to a dictionary; your goal in purchasing the document and using it is the standardization of language, but it’s just a tool, not itself a certification.

ISO 42001 is, however, a certifiable standard. As such, the management system you establish can be checked by an external auditing organization, validated according to the standards of ISO 42001, and a certification can be issued.

ISO 42001 certification audits follow the same two-stage model as ISO 27001. The first stage is a documentation review, which evaluates your AIMS as it exists in documents, policies, and design. The second stage is the functional evaluation, which examines how the AIMS operates in practice: effective risk management, organizational governance, and adherence to the controls you declared applicable.

Like most ISO certifications, the certification audit issues a certificate valid for three years, with annual surveillance audits required in between to confirm continued adherence.

The surveillance audits matter more for ISO 42001 than for ISO 27001. ISO 27001 surveillance audits are important, but the general information security field does not change nearly as rapidly as AI does. An ISO 42001 surveillance audit may be looking at almost entirely different technologies a year later, and while the core concepts and framework stay the same, the implementation requires serious ongoing oversight.


As a very new standard, there are relatively few certification bodies capable of performing ISO 42001 audits and very few companies that have obtained the certification. At the time of writing, while over 75,000 companies hold ISO 27001 certification worldwide, fewer than 100 companies are certified to ISO 42001.

In other words, if you are interested in pursuing an ISO 42001 certification, you can be on the cutting edge of international security for AI. How useful that is, however, remains to be seen.

Can Ignyte Help with ISO 42001?

Of course!

We initially built the Ignyte Assurance Platform with certain specific security frameworks in mind, but the tool itself is framework-agnostic. Today you can use it for dozens of different frameworks, because the goal of the platform is to track objectives and aggregate documentation in a central, collaborative location.


Because the first stage of the ISO 42001 audit is a thorough review of documentation, having everything tracked and available in one place is a significant benefit on its own.

To discuss the Platform and what we can do for you, for ISO 27001, ISO 42001, or any other framework you could desire, reach out and talk to our team. We can book you a demo and show you what our Platform can do. So, whether you’re looking to establish systems early or get in on the cutting edge of a new certification, we can help.
