What Every CDO Should Know About ISO 42001
Today, the ISO published ISO/IEC 42001 (2023), a standard for AI management systems. While this is not the first AI-related standard the ISO has published, it is the comprehensive AI standard, detailing how an organization can manage AI in a way that values security, fairness, and transparency.
1. Quick Refresher on the Purpose and Benefits of Standards
Before even getting into ISO 42001, we should talk about the benefits of standards.
One of the benefits is developing a shared language and consistent terminology for discussing topics related to AI. By ensuring that everyone is on the same page, communications have less friction, and we reduce the risk of miscommunications.
And by virtue of being a standard – an agreed-upon set of best practices – there will be a broad consensus on what matters between different organizations.
Developing a standard like ISO 42001 involves reaching alignment between a varied group of stakeholders about which criteria matter and how they should be demonstrated. Because of this, we should expect wide adoption of the standard across different geographies and organization types.
2. ISO 42001 Is About Your Organization’s AI Management Broadly, Not Just Risk Management
Unlike previously released frameworks such as ISO 23894 and the NIST AI Risk Management Framework, ISO 42001 is not strictly focused on managing the risks posed by AI. Rather, it covers the organization’s entire stance on how it manages AI, of which risk management is one part (albeit a critical one).
As a holistic framework for AI management, ISO 42001 covers:
- Procedures, policies, and responsibilities
- Evaluating the impact of AI systems
- Ongoing monitoring of systems
- The lifecycle of data and models
- Considering diversity and inclusion
- Continuously improving the organization’s AI governance
3. ISO/IEC 42001 (2023) Applies to All Organizations Using AI
The standard is industry-agnostic and intended for organizations of all sizes and types.
That’s the beauty of it all: If there’s one well-designed standard, there’s no need to understand multiple different frameworks for different industries, different countries, or different organization types.
4. ISO/IEC 42001 (2023) Is Operationalizable
Some standards, which can be called guidance standards, provide perspective on how to think about doing something but fall short of telling you what to do. ISO 42001, however, is an operationalizable standard that clarifies how an AI management system should be implemented.
As a result, fewer details are left to the interpretation of the standard’s guidelines.
5. ISO/IEC 42001 (2023) Is Certifiable
As an assessment-based standard, ISO 42001 provides a way for organizations to demonstrate that they have developed an AI management system to the specifications of this framework.
Holding such a certification is a considerable benefit for an organization: it’s a stamp of trust and confidence that shows potential customers and business partners that the organization is using AI in a well-managed manner.
6. ISO/IEC 42001 (2023) Is Voluntary… For Now
Currently, ISO 42001 is a voluntary standard that organizations can use to develop a robust AI management system. But there’s a chance it could be made compulsory in certain scenarios. One instance of this is the recently passed EU AI Act, which is currently in the final stages of refinement. One possibility is that the EU makes compliance with ISO 42001 an option for demonstrating conformity with the AI Act. Or other governments could make certification with the standard a requirement for procuring AI tools.
Even if ISO 42001 isn’t required of an organization, it could still become an industry norm as customers and stakeholders expect companies to follow well-managed AI principles.
Are you wondering what ISO 42001 can do for your business? Let us know a little more about your organization and how we can help maximize your AI while minimizing your risk.