AI in Cyber Security · Jan Kahmen · 5 min read

ISO 42001: A Compass for Trustworthy Artificial Intelligence

An AI management system (AIMS) is aligned with the specific requirements and structure of the company.


ISO 42001 is an international standard that sets out specific requirements for an AI management system (AIMS) covering the development and operation of products. It is particularly relevant for companies and organizations that develop software, embedded systems or other IT products. An organization integrates AI in a tailored way by implementing an AIMS that is aligned with its own requirements and structure, while taking into account the relevant legal frameworks and the interests of all affected stakeholders.

What are the Objectives of ISO 42001?

  • Security from the outset: The standard requires that security be taken into account in the early phases of the development process.
  • Risk management: It prescribes systematic procedures for identifying, assessing and addressing security risks.
  • Compliance: The standard helps companies to comply with legal and regulatory requirements in the area of information security.
  • Improving security: A continuous improvement process is intended to steadily increase the security of products and processes.

Differences to Other AI Frameworks

  • Specificity: While some frameworks formulate very general principles, ISO 42001 provides specific requirements and instructions for action.
  • Focus on organizations: The standard is primarily aimed at organizations that develop and use AI systems. Other frameworks may also be aimed at individuals or society in general.
  • International consensus: ISO 42001 is the result of an international consensus and thus reflects global best practices.
  • Standard vs. framework: ISO 42001 is an international standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It establishes mandatory requirements that can be certified. Other frameworks are often more guidelines or guides, which are less formal.
  • Comprehensive approach: ISO 42001 offers a comprehensive approach to AI management that covers the entire lifecycle of an AI application. It includes requirements for governance, risk management, data quality, model development, monitoring, and evaluation. Many other frameworks focus on individual aspects of AI ethics, such as fairness or transparency.
  • Certifiability: A major advantage of ISO 42001 is that it can be certified. Certification signals to customers and partners that a company is actively engaged in the ethical development and use of AI.
  • Integration into existing management systems: ISO 42001 is designed to be easily integrated into existing management systems, such as ISO 9001 (quality management) or ISO 27001 (information security). This facilitates implementation and reduces effort.

ISO 42001 vs EU AI Act

ISO 42001 and the EU AI Act are two important instruments that aim to regulate the development and use of artificial intelligence (AI) and ensure that AI systems are ethical, safe and trustworthy. Both provide a framework to help organizations make their AI systems compliant and minimize risk.

Synergies

  • Shared objectives: Both ISO 42001 and the EU AI Act aim to regulate the development and use of AI and ensure that AI systems respect fundamental rights, safety, and ethical principles.
  • Quality management: Both call for robust quality management for AI systems, including requirements for documentation, monitoring, and continuous improvement.
  • Risk management: Both the standard and the act emphasize the importance of comprehensive risk management. Potential risks must be identified, assessed and mitigated.
  • Transparency and traceability: Both require a high degree of transparency and traceability of AI systems. This includes the documentation of development processes, the explainability of models and the possibility of understanding decisions.

Extensions

  • Character: ISO 42001 is an international standard that can be voluntarily adopted. The EU AI Act, on the other hand, is a legal regulation that is binding for companies operating in the EU.
  • Focus: ISO 42001 provides a comprehensive framework for the management of AI systems. The EU AI Act focuses on the regulation of high-risk AI systems and sets out specific requirements for these systems.
  • Level of detail: ISO 42001 provides more detailed instructions for implementing an AI management system. The EU AI Act instead sets out the fundamental requirements and leaves companies some leeway in how to implement them.
