(AI)SO 42001

While this is going to be specific to 42001, there's some useful general notes about the ISO management system frameworks that I want to cover first.

ISO provide a number of frameworks for governing different aspects of organisations, and they are all built with the same basic template. That universal approach is worth spending some time to learn (which I'm not going to do now) because it gives a huge head start on understanding:

  • 9001 for Quality Management Systems (QMS)
  • 14001 for Environmental Management Systems (EMS)
  • 20000-1 for IT Service Management Systems (ITSMS)
  • 27001 for Information Security Management Systems (ISMS)
  • 28000 for Security Management Systems (SMS)
  • 30201 for Human Resource Management Systems (HRMS)
  • 30301 for Records Management Systems (RMS)
  • 30401 for Knowledge Management Systems (KMS)

I'm going to stop here because there are so, so many, covering just about anything you could imagine - the above are just a selection, so I'll skip to today's:

  • 42001 for Artificial Intelligence Management Systems (AIMS)

All of these frameworks are built on the same structure, and that structure is built on the Deming/Shewhart Cycle of Plan → Do → Check/Study → Act/Adjust (also a framework for the scientific method).

Each framework, then, shares 10 clauses (even if in some cases, such as 14001, a clause is empty and kept only so the numbering is consistent). The ones which give the requirements are clauses 4-10 for each, which consist of:

  • Context of the organisation - external and internal environment
  • Leadership - who is accountable
  • Planning - identify risks and opportunities and how to treat them
  • Support - who is responsible, consulted, or informed, and are they competent
  • Operation - processes to run the management system
  • Performance Evaluation - how do you measure the system
  • Improvement - how do you act on performance findings to continuously improve the system

There are specifics for different domains under management, but the broad strokes are identical for each.

What about AI?

As with 27001 and many others, ISO 42001 has an Annex A which lists out suggested controls (note - suggested!) that you should consider implementing to control risks and exploit opportunities in your AI management system.

Also as with 27001, these controls are high-level guidelines rather than prescriptive technical measures. Low-level technical controls restrict a framework's broader applicability, and ISO leans very heavily towards being as broadly applicable as possible without resorting to bludgeoning organisations with the model of the Deming/Shewhart Cycle instead of offering any guidance.

I don't make a secret of the fact that I appreciate ISO's approach to these frameworks, and one of the most important parts for me is their interoperability. As such, while I have a generally favourable impression of 42001, if asked to implement it I would only ever do so hand in hand with 27001 (or another ISMS) and 27701 (if personal data comes into the equation).

If we're talking AI development rather than just usage, I'd lean heavily towards bringing 9001 into the equation too.

And given the energy and environmental costs of AI, 14001 may be worth a look.

With all of the ISO standards, certification against them should only be considered if there's a business need. Focusing on certification can mean that benefits are lost in pursuit of box-checking in audits. It is much better to implement a management system using the framework as scaffolding because there are genuine benefits to the organisation.

A sincere effort to build a management system will bring those benefits; a superficial pursuit of compliance certificates usually just adds overheads and expense, to no wider benefit. This applies to 42001 as much as anything else.

Anamaria M.

Incident Response | Centre for Cyber Defence and Intelligence

8 months

Thank you for posting this. I know very little about management systems, but I enjoyed reading this article as it has given me a general understanding of the use of the 42001 framework, as it seems there will come a time to put these theories into practical uses (easier said than done!).

More articles by James Bore