AI has been integrated into almost every aspect of our lives, from everyday software we use at work, to the algorithms that determine what content is recommended to us at home.

While extraordinary in its capabilities, it isn’t infallible and will open up everyone to new and emerging risks. Legislation and regulations are finally catching up to the rapid adoption of this technology, such as the EU AI Act and new Best Practice Standards such as ISO 42001.

For those looking to integrate AI in a safe and ethical manner, ISO 42001 may be the answer.

Today Rachel Churchman, Technical Director at Blackmores, explains what ISO 42001 is, why you should conduct an ISO 42001 Gap analysis and what’s involved with taking the first step towards ISO 42001 Implementation.

You’ll learn

· What is ISO 42001?

· What are the key principles of ISO 42001?

· Why is ISO 42001 Important for companies either using or developing AI?

· Why conduct an ISO 42001 Gap Analysis?

· What should you be looking at in an ISO 42001 Gap Analysis?

Resources

· Register for our ISO 42001 Workshop

· Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Rachel Churchman joins Steph to discuss what ISO 42001 is, it’s key principles and the importance of implementing ISO 42001 regardless of if you’re developing AI or simply just utilising it.

Rachel will also explain the first step towards implementation – an ISO 42001 Gap Analysis.

[02:45] Upcoming ISO 42001 Workshop– We have an upcoming ISO 42001 workshop where you can learn how to complete an AI System Impact Assessment, which is a key tool to help you effectively assess the potential risks and benefits of utilising AI.

Rachel Churchman, our Technical Director, will be hosting that workshop on the 5th December at 2pm GMT, but places are limited so make sure you register your place sooner rather than later!

[03:20] The impact of AI – AI is everywhere, and has largely outpaced any sort of regulation or legislation up until very recently. These are both needed as AI is like any other technology, and will bring it’s own risks, which is why a best practice Standard for AI Management has been created.

If you’d like a more in-depth breakdown of ISO 42001, check out our previous episodes: 166 & 173

[04:30] A brief summary of ISO 42001 – ISO 42001 is an Internationally recognised Standard for developing an Artificial Intelligence Management System. It provides a comprehensive framework for organisations to establish, implement, maintain, and continually improve how they implement and develop or consume AI in their business. It aims to ensure that AI risks are understood and mitigated and that AI systems are developed or deployed in an ethical, secure, and transparent manner, taking a fully risk-based approach to responsible use of AI.

Much like other ISO Standards, it follows the High-Level Structure and therefore can be integrated with existing ISO Management systems as many of the core requirements are very similar in nature.

[05:45] Why is ISO 42001 important for companies both developing and using AI? – AI is now becoming commonplace in our world, and has been for some time. A good example is the use or Alexa or Siri - both of these are Large Language AI Models that we all use routinely in our lives. But AI is now being introduced in many technologies that we consume in our working lives - all designed to help make us more efficient and effective. Some examples being:

· Microsoft 365 Copilot

· GitHub Copilot

· Google Workspace

· Adobe Photoshop

· Search Engines i.e. Google

Organisations need to be aware of where they're consuming AI in their business as it may have crept in without them being fully aware. Awareness and governance of AI is crucial for several reasons:

For companies using AI they need to ensure they have assessed the potential risks of the AI such as unintended consequences and negative societal impacts, or potential commercial data leakage. They also need to ensure that if they are using AI to support decision making, that they have ensured that decisions made or supported by AI systems are fair and unbiased. It's not all about risk - organisations can also use AI to streamlining processes helping to become more efficient and effective, or it could support innovation in ways previously not considered.

For companies developing AI, the standard promotes the ethical development and deployment of AI systems, ensuring they are fair, transparent, and accountable. It provides a structured approach to risk assessment and governance associated with AI, such as bias, data privacy breaches, and security vulnerabilities.

And for all, using ISO 42001 as the best practice framework, organisations can ensure that their AI initiatives are aligned with ethical principles, legal requirements, and industry best practices. This will ultimately lead to more trustworthy, reliable, and beneficial AI systems for all.

[10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the system, and that includes what should be communicated when and to who.

[09:00] What are the key principles outlined in ISO 42001? –

· Fairness and Non-Discrimination - ensuring AI systems treat all individuals and groups fairly and without bias.

· Transparency and Explainability - Making AI systems understandable and accountable by providing clear explanations of their decision-making processes.

· Privacy and Security - Protecting personal data and privacy while ensuring the security of AI systems.

· Safety and Security - Prioritising the safety and well-being of individuals and the environment by mitigating potential risks associated with AI systems.

· Environmental & Social - Considering the impact of AI on the environment and society, promoting sustainable and responsible practices.

· Accountability and Human Oversight - Maintaining human control and responsibility for AI systems, ensuring they operate within ethical and legal boundaries. You'll often hear the term 'Human in the loop'. This is vital to ensure that AI is sanity checked by a human to ensure it hasn't hallucinated or result ‘drifted’ in any way.

[11:10] Why conduct an ISO 42001 Gap Analysis? What is the main aim? – Any gap analysis is a strategic planning activity to help you understand where you are, where you want to be and how you’re going to get there. The ISO 42001 gap analysis will identify gaps and pinpoint areas where your AI practices need to meet the ISO 42001 requirements.

It aims to conduct a systematic review of how your organisation uses or develops AI to then assess your current AI management practices against the requirements of the ISO 42001 standard. This analysis will then help you to identify any "gaps" where your current practices do not fully meet the standard's requirements. It also helps organisations to understand 'what good looks like' in terms of responsible use of AI.

It will help you to prioritise improvement areas that may require immediate attention, and those that can be addressed in a phased approach.

It will help you to understand and mitigate the risks associated with AI.

It will also help you to develop a roadmap for compliance to include plans with clear actions identified that can then be project managed through to completion, and as with all ISO standards it will support and enhance AI Governance.

[13:15] Does an ISO 42001 gap analysis differ from gap analysis for other standards? – Ultimately, no. The ISO 42001 gap analysis doesn't differ massively from other ISO standard gap analysis, so anyone who already has an ISO Standard and has been through the gap analysis process will be familiar with it.

In terms of likeness, ISO 42001 is similar in nature to ISO 27001 in as much as there is a supporting 'Annex' of controls and objectives that need to be considered by the organisation. Therefore the questions being asked will extend beyond the standard High Level Structure format.

Now is probably a good time to note that the Standard itself is very informative and includes additional annex guidance information to include

· implementation guidance for the specific AI controls,

· an Annex for potential AI-related organisational objectives and risk sources,

· and an Annex that provides guidance on use of the AI management system across domains and sectors and integration with other management system standards.

[14:55] What should people be looking at in an ISO 42001 gap analysis? – The Gap Analysis will include areas such as looking at the 'Context' of your organisation to better understand what it is that you do, or the issues you are facing internally and externally in relation to AI - both now and in the reasonably foreseeable future, and also how you currently engage with AI in your business. This will help to identify your role in terms of AI.

It will also look at all the main areas typically captured within any ISO standard to include leadership and governance, policy, roles and responsibilities, AI Risks and your approach to risk assessment and treatment and AI system impact assessments. It also looks at AI objectives, the support resources you have in place to manage requirements, awareness within your business for AI best practice and use, through to KPI's, internal audit, management review and how you manage and track issues through to completion in your business.

The AI specific controls look more in-depth at Policies related to AI, your internal organisation in relation to key roles & responsibilities and reporting of concerns, The resources for AI Systems, how you assess the impacts of AI Systems, The AI system lifecycle (AI Development), Data for AI Systems, Information provided to interested parties of AI Systems, and the use of AI Systems and 3rd party and customer relationships.

[18:10] Who should be involved in an ISO 42001 Gap analysis? – An ISO 42001 gap analysis looks at AI from a number of different angles to include organisational governance that includes strategic plans, policies and risk management, through to training and awareness of AI for all staff, through to technical knowledge of how and where AI is either used or potentially developed within the organisation. This means that it is likely that there will need to be multiple roles involved over the duration of a gap Analysis.

At Blackmores we always provide a Gap Analysis 'Agenda' that clearly defines what will be covered over the duration of the gap analysis, and who typically could be involved in the different sessions. We find this is the best way to help organisations plan the support needed to answer all the questions required.

It's also important to treat the gap analysis as a 'drains up' review, to help get the most benefit out of the gap analysis. This will ensure that all gaps are identified so that a plan can then be devised to support the organisation to bridge these gaps, putting them on the path to AI best practice for their business.

If you’d find out more about ISO 42001 implementation, register for our upcoming Workshop on the 5th December 2024.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

● Share the ISO Show on Twitter or Linkedin

● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List