What is ISO 42001 and why is it important for your organization?

AI is everywhere. From smart chatbots to complex predictive models, artificial intelligence is having more and more impact. But how do you ensure that you use AI in a safe, responsible and reliable way? That's exactly what ISO 42001 is about.

This article was last updated on 24.03.2026. Written by Wouter Vreeburg, Owner.

ISO 42001: responsible use of AI

ISO 42001 is the international standard for organizations that want to work seriously on responsible AI use and development. It is a management system standard, similar to, for example, ISO 27001 for information security, but specifically focused on AI.

The standard provides guidance on how to develop, implement and manage AI systems, with an eye for things like:

  • safety;
  • ethics;
  • transparency; and
  • privacy.

In other words, you lay a solid foundation for reliable AI. After a successful audit, the certification offers numerous benefits, including:

  1. Implementation of AI with proof of responsibility and liability.
  2. Consideration of safety, transparency, fairness, and quality throughout the AI lifecycle.
  3. Clear objectives and strong governance with a balance between innovation and management.
  4. Ensuring the responsible use of AI, with continuous learning processes.
  5. Integration with other management standards for a similar approach.

Why is this relevant to you?

AI offers huge opportunities, but it also comes with risks. Think of biased algorithms, lack of control, or uncertainty about how decisions are made. ISO 42001 helps you identify and control these risks.

An important part of the standard is the AI System Impact Assessment (AISA). This lets you visualize the effects of your AI applications on individuals and groups. It's a bit like the Data Protection Impact Assessment (DPIA) from the GDPR (AVG in Dutch), but specifically for AI. So you can say with confidence: “Our AI system does what it should do and we've carefully thought out the consequences.”

What's in ISO 42001?

A few highlights:

  • 38 control measures, divided into 9 domains.
  • Clear overlap with ISO 27001's Harmonized Structure (useful if you already have one).
  • Focus on comprehensive risk management, from technical measures to governance and policy.

The 9 domains of Annex A

As just mentioned, there are 38 control measures that are part of ISO 42001, which can be divided into 9 different areas:

  • A.2 - AI-related policies
  • A.3 - Internal organization
  • A.4 - AI systems resources
  • A.5 - Impact Assessment of AI Systems
  • A.6 - AI systems lifecycle
  • A.7 - Data for AI systems
  • A.8 - Information for parties interested in AI systems
  • A.9 - Using AI systems

Five examples of control measures

1. AI policy (A.2.2) — Direction and responsibility

Every organization that uses or develops AI must have a formal AI policy. This policy specifies why and how the organization uses AI: what the goals are, what values and principles (such as honesty, transparency, privacy) apply, and who is responsible for what.

2. AI System Impact Assessment (A.5.2) — Understand the effects

This is a mandatory process that must be implemented in order to assess in advance what consequences an AI system can have for people, groups or society. Think of risks related to privacy, discrimination or abuse.

3. Data quality (A.7.4) — Without good data, no good AI

AI systems are only as good as the data they are trained on. This control measure requires that organizations define and monitor criteria for data quality, such as completeness, accuracy, representativeness and timeliness.

4. Transparency and explainability (A.8.2/A.8.5) — Make AI understandable

Organizations must ensure that AI systems are understandable and explainable to users, customers and supervisors. They must be able to explain how decisions are made and what the limitations are.

5. Human supervision and intervention (part of A.6.2.6/A.9.2) — Man in the Loop

AI may support decisions, but people must be able to intervene when the system makes errors or engages in inappropriate behavior.

ISO 42001 Accreditation

There are now official accreditation rules for certifying bodies. This means that you can obtain your ISO 42001 certificate quickly.

Learn and do together

At Fendix, together with Brush AI and Tidal Control, we recently looked at how to approach an ISO 42001 implementation. That was educational and inspiring. Read how we tackled that here: Fendix x Brush AI x Tidal Control: Towards a successful ISO 42001 implementation together.

In short: ISO 42001 helps you use AI responsibly. It builds trust — with your customers, employees and society. And that trust is perhaps the most important prerequisite for truly taking advantage of AI's opportunities.
