13 June, 2024 | Information Security

ISO/IEC 42001:2023 Artificial Intelligence Management System

Author: Santiago Gonzalez Esparza, Eng.

With the exponential growth of information technologies in recent years, different tools have emerged that change the way we work, reducing the time it takes to carry out an action and opening new perspectives on how to solve a given problem. Among all these tools, one has had an incredible boom in recent times and continues to grow: Artificial Intelligence.

Artificial intelligence (AI) refers to the ability of machines or computer systems to perform tasks that normally require human intelligence. This includes the ability to learn from experience ("machine learning"), reason, understand natural language, recognize patterns, and adapt to new situations. The lack of knowledge about, and distrust of, AI applications and their capabilities has created the need to manage the risks of AI and its applications.

That is why the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published ISO/IEC 42001:2023 Information Technology – Artificial Intelligence – Management System. This is the first international standard for the development and implementation of reliable AI management systems, balancing innovation with governance.


ISO had previously published standards such as ISO/IEC 22989, which establishes AI terminology and concepts, ISO/IEC 23053, which establishes a framework for AI and ML (Machine Learning) systems, and ISO/IEC 23894, which provides guidance on AI-related risk management for organizations.

Implementing this standard means putting in place policies and procedures for the good governance of an organization with respect to AI, following the PDCA (Plan-Do-Check-Act) methodology. Rather than looking at the details of specific AI applications, it provides a practical way to manage AI-related risks and opportunities across the whole organization.

The objectives of ISO/IEC 42001:2023 are as follows:


  • Cost savings and efficiency gains.
  • Promote the development and use of reliable, transparent, and accountable artificial intelligence systems.
  • Use of data analytics, knowledge, and machine learning.
  • Framework for risk and opportunity management.
  • Build confidence in the management of artificial intelligence by encouraging organizations to prioritize human well-being, safety, and user experience during the AI design and implementation process.


The benefits of implementing ISO/IEC 42001:2023 are as follows:

  • Responsible AI: guarantees the ethical and responsible use of artificial intelligence.
  • Reputation management: enhances trust in AI applications.
  • AI governance: supports compliance with legal and regulatory requirements.
  • Practical guidance: effectively manages AI-specific risks.
  • Identification of opportunities: fosters innovation within a structured framework.

ISO/IEC 42001:2023 specifies the requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.


Like other ISO standards, it can be implemented in companies and organizations of any type, regardless of size, line of business or sector. The AI management system sets out specific requirements for managing the issues and risks that arise from the use of AI in an organization. This common approach makes implementation easier and keeps it consistent with other management system standards, for example those for Quality (ISO 9001:2015) and/or Security and Privacy (ISO 27001:2022).

The structure of this standard is like that of the other ISO standards, consisting of 10 chapters:

1. Scope: provides clarity on the limits and application of the standard. (Informative)

2. Normative references: lists the standards and reference documents used in applying the standard. (Informative)

3. Terms and definitions: provides the key terms used in the standard, along with their definitions. (Informative)

4. Context of the organization: focuses on understanding the context in which the organization operates. (Normative)

5. Leadership: sets out the requirements for leadership and top management commitment to the system. (Normative)

6. Planning: describes the requirements for planning the management system, including the identification of risks and opportunities that may affect the organization. (Normative)

7. Support: addresses the requirements for providing the resources the system needs. (Normative)

8. Operation: addresses the execution of planned activities to satisfy customer requirements and quality objectives. (Normative)

9. Performance evaluation: establishes the requirements for monitoring, measuring, analyzing, and evaluating the performance of the system. (Normative)

10. Improvement: addresses the fundamental principle of continual improvement. It establishes the requirements for identifying opportunities for improvement and taking action to address them. (Normative)

As with any recent ISO standard, ISO/IEC 42001:2023 follows the high-level structure: a standardized model established by the ISO Committee so that all new management system standards share a common objective. This harmonization of management standards uses a common language, making it easier for organizations to integrate different management systems and to enjoy certain advantages, such as the elimination of duplicate documentation.

As mentioned above, the model is fixed; what changes with each scheme is the emphasis placed on that structure. In this standard, the differences compared with the ISO 9001 scheme are found in chapter 8, which has only four subtopics:

  • 8.1 Operational planning and control: describes how the organization is required to plan, implement, and control the processes necessary to meet the requirements.
  • 8.2 AI risk assessment: the organization shall carry out AI risk assessments and retain documented information on their results.
  • 8.3 AI risk treatment: the organization shall implement the AI risk treatment plan as required.
  • 8.4 AI system impact assessment: AI system impact assessments shall be carried out as established, at planned intervals, or when significant changes are proposed.

This standard has four annexes, two Normative and two Informative:

Normative (Annexes A and B)

  • Annex A: provides a reference for meeting organizational objectives and addressing risks related to the design and operation of AI systems; the controls are detailed in Table A.1.
  • Annex B: provides implementation guidance for the controls listed in Table A.1.

Informative (Annexes C and D)

  • Annex C: describes possible organizational objectives, sources of risk and related descriptions to be considered when managing risks; this annex is not intended to be exhaustive or applicable to all organizations.
  • Annex D: states that the management system applies to any organization that develops, provides, or uses products or services based on an AI system.

In conclusion, we find ourselves at a point where guidelines have been set and paths opened that have not yet been traveled. These advances are promising in every field, but like any other tool, AI must be used correctly so that every organization that decides to implement this innovative management system gets the most out of it.