ISOIEC 42001 AI Management System Slides

1
June 2023
ISO 42001: 2023 AI
Management System (AIMS)
Fundamental Awareness
January 2025

Agenda
1 Introduction to AI, ML and AIMS
2 Understanding responsible AI and ISO/IEC 42001
3 Identifying who should implement ISO/IEC 42001
4 Understand the impact of AI on compliance within your organization
5 The framework of ISO/IEC 42001
Complimentary Webinar: ISO/IEC 42001: The Future of AI Security Webinar 2024-07-02 3

ISO/IEC 42001:2023 –
The AIMS Standard

ISO/IEC 42001
ISO/IEC 42001
Artificial Intelligence Management System
The International Organization for Standardization
(ISO) and the International Electrotechnical
Commission (IEC) define ISO 42001 as “an
international standard that specifies requirements for
establishing, implementing, maintaining, and
continually improving an artificial intelligence
management system (AIMS)”
The standard aims to bring stability to the
implementation and use of AI systems, considering
the inherent risks associated with AI technology.
According to McKinsey’s 2023 State of AI Report,
organizations globally are actively looking to
mitigate these AI issues , including:
• Inaccuracy of generated data
• Cybersecurity and regulatory compliance risks
• Intellectual property infringement
• Focused on responsible AI Development & Use
• Flexible Framework

ISO/IEC 42001:2023 specifies
• a set of requirements for establishing, implementing, maintaining and continually
improving an Al management system within the context of an organization.
• aligned to P-D-C-A cycle
An organisation’s Al management system (AIMS) is influenced by
• the organization’s needs and objectives, processes, size and structure as well as the
expectations of
various interested parties
• use cases for Al and the need to strike the appropriate balance between governance
mechanisms and innovation.
An organisation must use a risk based approach to implement controls meeting the
requirements specified in the standard.
ISO/IEC 42001:2023
What is ISO/IEC 42001:2023?

ISO/IEC 42001:2023
ISO/IEC 42001:2023 provides
• guidelines for the deployment of applicable controls
to support processes.
The Al management system (AIMS) provides requirements
specific to managing the issues and risks arising from
using Al in an organization.

Artificial Intelligence Management
Framework (AIMF)
ISO 42001
Requirements and
Guidance
Organisational
Policy
ISO 42005
(System Impact
Assessment Guidance)
Context of the
Organisation
Implement
MMS
Org’s Opr
Procedure
s
+
Controls
Risk
Assessmen
t
ISO 38507
(Governance
of IT)
ISO 23894 (Risk
Management)
ISO 42006
(Certification
Body
Requirements
)
Certification
/
Conformanc
e
Customer
Trust
Accountability
Transparency
ISO/IEC 22989:2022 (CONCEPT)

AI Related Standards

Some of the Standards
and Frameworks on AI
• ISO/IEC 24028:2020
• Information technology Artificial intelligence Overview
of trustworthiness in artificial intelligence
• ISO/IEC TR 24030:2021
• Information technology Artificial intelligence (AI) Use
cases
Complimentary Webinar: ISO/IEC 42001: The Future of AI
Security Webinar
2024-07-02 21

• ISO/IEC TR 27563:2023
• Security and privacy in artificial intelligence use cases
Best practices
• ISO/IEC 23053:2022 AI Framework
• Framework for Artificial Intelligence (AI) Systems Using
Machine Learning (ML)
Security Webinar
2024-07-02 22

• ISO/IEC TR 29119:2020
• Software and systems engineering Software testing Part
11: Guidelines on the testing of AI-based systems
• ISO/IEC 22989:2022
• Information technology Artificial intelligence Artificial
intelligence
concepts and terminology
Security Webinar
2024-07-02 23

• ISO/IEC TR 24029 : Part 1 : 2021
• Artificial Intelligence AI Assessment of the robustness of
neural networks Part 1: Overview
• ISO/IEC TR 24368:2022
• Information Technology Artificial Intelligence Overview Of
Ethical And Societal Concerns
• ISO/IEC TR 24372:2021
• Information Technology Artificial Intelligence AI Overview Of
Computational Approaches For AI Systems
Security Webinar
2024-07-02 24

Standards and Frameworks on AI
• ISO/IEC 24668:2022
• Information Technology- Artificial Intelligence- Process
Management Framework for Big Data Analytics
• ISO/IEC 38507:2022
• Information technology Governance of IT Governance
implications of the use of artificial intelligence by
organizations

• ISO/IEC TR 24027:2021
• Information technology Artificial intelligence (AI) Bias in
AI systems and AI aided decision making
• ISO/IEC 25010:2011
• Systems and software engineering Systems and software
Quality Requirements and Evaluation (SQuaRE) System
and software quality models
• ISO/IEC 25012:2008
• Software engineering Software product Quality Requirements
and Evaluation (SQuaRE) Data quality model

• ISO/IEC 5338:2023
• Information technology Artificial intelligence AI system life
cycle processes
• ISO/IEC CD 27090 (Draft)
• Cybersecurity - Artificial Intelligence - Guidance for
addressing
security threats and failures in artificial intelligence systems

Revisit - What is a management system
• Based on a common "High-Level Structure"
with required management clauses
• Focused/scoped to a particular
domain or sector
• Stresses an iterative process of
continuous improvement for an
organization
• Risk-based - Prioritises and addresses
risks systematically.
• Certification by a third-party to the applicable
management standards
Context of
the
organisatio
n
Plan
Check
Do
Act
Management Clauses
Context of organisation Leadership
Planning Support Operation
Improvement

ISO/IEC 42001 Structure
1. Scope
Establish, implement,
maintain and continually
improve an AIMS, Intended
to help the organization
develop, provide or use AI
systems responsibly in
pursuing its objectives and
meet applicable
requirements, obligations
related to interested parties
and expectations from them.
2. Normative references
Cites ISO/IEC 22989 as
indispensable for its
application
3. Terms and definitions
Terms, definitions and
concepts from ISO/IEC 22989
are used in
ISO/IEC 42001
Management Clauses Annex A Controls and
Annex B Guidance
(Normative)
Annex C – Potential AI-
Related Organisational
Objectives and Risk
Resources + Annex D
(information)
4) Context of the organisation
5) Leadership
6) Planning
7) Support
8) Operation
9) Performance Evaluation
10) Improvement
• Policies related to AI
• Internal Organisation
• Resources for AI Systems
• Assessing impact of the
AU systems
• AIU Systems life cycles
• Data for AI Systems
• Information for
interested parties for AI
Systems
• Use of the AI Systems
• Third Party
customer
relationships
• Organisational objectives
• Risk Sources
• Integration of AI
Management system
with other management
system standards.
ISO/IEC 42001 Structure
Requirement
s
Guidanc
e
Supplemental
Info

Annex A
ID CONTROL OBJECTIVE
A.2 Policies related to AI (3 controls)
A.3 Internal organization (2 controls)
A.4 Resources for the AI systems (5 controls)
A.5 Assessing impacts of AI systems (4 controls)
A.6 AI system life cycle (9 controls)
A.7 Data for AI systems (5 controls)
A.8 Information for interested parties of AI systems (4
controls)
A.9 Use of AI systems (3 controls)
A.10 Third-party and customer relationships (3 controls)
Sli
de
© PharmOut 2024

The harmonised approach with AIMS
4. Context of
the
organization
4.1
Understanding
the
organization
and its context
4.2
Understandin
g the needs
and
expectations
of interested
parties
4.3
Determining
the scope of
the AI
management
system
4.4
AI
management
system
5.
Leadership
5.1
Leadership
and
commitment
5.2
AI Policy
5.3
Roles,
responsibilitie
s and
authorities
6.
Planning
6.1 Actions to
address risks
and
opportunitie
s
6.2 AI
objectives
and planning
to achieve
them
6.3 Planning
of changes
7.
Support
7.1
Resources
7.2
Competence
7.3
Awareness.
8.
Operation
8.1
Operational
planning and
control
8.2 AI risk
assessmen
t
8.3 AI risk
treatmen
t
9.
Performanc
e Evaluation
9.2 Internal
audit
9.3
Manageme
nt review
10.
Improvemen
t
10.1
Continual
improvement
10.2
Nonconformi
ty and
corrective
action
7.4
Communicatio
n
7.5
Documented
information
8.4 AI
system
impact
assessment.
Pla
n
D
o
Chec
k
Action
9.1
Monitoring,
measurement
, analysis and
evaluation

4.3
Determining the
scope
4.3
Determining the
scope
Context of the Scope
4.2
Understanding the
needs and expectations
of the interested parties
4.1
Understanding
for Organization
and its Context
4.4
AI Management System
4.3
Determining the scope
Documentation is Key
Understand Documentation Needs Continuous
Improvement Leadership and Oversight
Understanding AI Roles Defining AI
Usage
External and Internal Factors
The defined scope determines what parts of
the organization and which AI activities are
covered by the management system.

Clause 5: Leadership
Integratio
n
Required
Commitme
nt
Policy and
objectives are
compatible
with the
strategic
direction
Leadershi
p
Promote and
Support
Accountabl
e

Clause 6: Planning- Actions to address risks and
Opportunities
Risk
sources
C.3.6
Technology
readiness
C.3.7 Risk sources
related to
machine
learning
C.3.1 Level of
automatio
n
C.3.4 System
life cycle
issues
C.3.3
Complexity of
environment
C.3.2 Lack of
transparenc
y
and
explainability
Risk
Treatment
Option
6.1.2 AI risk assessment
(Process)
Amount of Risk
ISO/IEC 38507
and
ISO/IEC 23894
Controls
Control
Objective
Sli
de

Risk of AI in Business
Image Generated by Dall-
E
Category Risk Description
Legal and
Compliance Risks
Regulatory Compliance: Data protection.
Intellectual Property (IP)
Bias and
Discrimination
Training Data Bias: AI models may produce
biased analysis and reports due to biased training
data.
Algorithmic Disgorgement
Input Risks User Input Confidentiality
Output Risks
Accuracy and Hallucinations: Risk of generating
inaccurate or misleading reports. Transparency
and Explainability; Cybersecurity and
Robustness
Customer Impact
Transparency and Communication: Informing
customers about the use of AI in data analysis
and reporting. Risk of customer mistrust if AI
use is not disclosed transparently.
Workforce Impact
Reskilling and Training: Need for reskilling employees
to work alongside AI tools. Acceptable Use Policies:
Updating policies to govern the use of AI tools in the
workplace.
Data Protection
Compliance
Personal Data Processing: Securing a lawful basis for
using personal data in AI training and ensuring
compliance with data protection laws.
Sli
de
© PharmOut 2024

Clause 6: Planning
• 6.2 Objectives and Planning to
Achieve them
• Examples:
• Accountability
• Objective: Implement a robust AI governance
framework to ensure accountability for AI-
driven decisions by Q4 2024. This includes
establishing clear guidelines for human
oversight and responsibility for actions taken
by AI systems.
• Specific: Implement AI governance framework.
• Measurable: Clear guidelines and oversight
mechanisms.
• Achievable: Utilize current best practices and
regulatory guidance.
• Relevant: Ensures accountability within the
organization.
C.2.2
Security
C.2.1
Fairness
C.2.11 AI
expertise
(Qualified
Practitioners
)
C.2.10
Availability
and quality
of training
data
C.2.9
Maintainabilit
y
C.2.8
Availabilit
y
C.2.3
Safety
C.2.4
Privac
y
C.2.5
Robustnes
s
C.2.6
Transparenc
y and
explainabilit
y
C.2.7
Accountabilit
y
Org AI
Objectives
Sli
de

Clause 7: Support
Competenc
e
Awarenes
s
Communicatio
n
Resource
s
7.5 Documented
information
4.3 Scope of AIMS (Shall
Statements)
5.2 AI Policy
1. Risks
2. AI Objective
7.2 Evidence of compliance
8.2 Results of AI Risk
Assessment
9.1 Evidence of results
10.2 Nonconformities

Clause 8: Operations
Operation
al
planning
and
control
AI system
impact
assessmen
t
AI risk
treatmen
t
AI risk
assessmen
t
DO

Clause 9: Performance evaluation and Clause 10:
Improvement
Monitoring,
measuremen
t, analysis
and
evaluation
Internal
Audit
Manageme
nt Review
Check
Improveme
nt
Continual
Improveme
nt
Correctiv
e
Action
Preventativ
e Action
Act

Learning Points
• ISO/IEC 42001 Overview: It sets standards for
establishing and improving AI Management
Systems (AIMS).
• Purpose: Ensures responsible AI
development, focusing on ethics,
transparency, and learning.
• Significance: First global AI
management standard, guiding AI risk
and opportunity management.
• AI Challenges: Addresses ethical,
transparency, and continuous learning
challenges in AI.
• Benefits: Enhances risk management,
traceability, transparency, reliability, and
efficiency in AI usage

1. Center of excellence
Conclusion| Identify use casesgain potential and assess strategic implications
of value proposition changes for impacted output
Identify and
implement
operational best
practices across
portfolio, function
by function
Screen for highly
impacted industries
and assess strategic
implications
Set objectives
Identify high
impact-sectors
Size the prize
Assess scenarios
Stand up
functional Org
Develop option
sets
Set up war room
Prepare for
implementation
•
•
Screen the portfolio for
high impact industries
Look for anticipated
changes in core
offerings, customer
demand, competitive
dynamics
• Determine sub-set of
PortCos and functions to
be evaluated
Consider the end-state
goal of the evaluation
(e.g, cost take out vs.
quality improvement)
•
•
•
•
•
Initiate deep-dive
analysis for prioritied
PortCos to estimate size
and scope of impact
Assess PortCo's positions
vs. key competitors
Aggregate headcount by
(sub-) function across
portfolio
Estimate the productivity
improvement potential
by (sub-) function
•
•
•
•
Evaluate options: e.g.
product dev., M&A,
partnerships
Estimate
costs/investments
required and potential
outcome
Identify & drive best
practices across PortCo
Set up GenAI focused
teams across key
impacted functions (e.g.
call centers)
• Assemble war room
involving mgmt & board
• Develop action plan and
execute with high
urgency
• Assess implications on
people, processes & tech
Consider extent which
productivity translates to
cost take out, workstream
reinvention or op model
enhancement
•
Productivity gain
potential:
Value proposition
impact:

Thank you

Who can use this standard?
• AI system developers
• AI system users
• Service providers who deliver services using AI systems
Identify the organisation’s role and then decide how AIMS
has to be established.
ISO/IEC 42001:2023

Annex A controls
Context (4), Leadership (5), Planning (6), Support (7), Operation (8), Performance
Evaluation (9),
Improvement (10)
Applicability of the standard (1), References (2), Terminologies (3)
Annex B (Control explanation), Annex C (Objectives and risk sources), Annex D (use of AIMS)
ISO/IEC 42001:2023
Structure of the standard

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
1. Understanding the organization and its
context
2.Understanding the needs and
expectations of interested parties
3. Determining the scope of the Al
management system
4. Al management system
5. Leadership
1. Leadership and commitment
2. Al policy
3. Roles, responsibilities and
authorities
ISO/IEC 42001:2023

6. Planning
1. Actions to address nsks and
opportunmes
1. General
2. Al risk assessment
3. Al risk treatment
4. Al system impact assessment
2. Al objectives and planning to achieve
them.
3. Planning of changes
7. Support
1. Resources
2. Competence
3. Awareness
4. Communication
5. Documented information
1. General
2. Creating and updating
documented
information
3. Control of documented
information
ISO/IEC 42001:2023

8. Operation
1. Operational planning and control
2. Al risk assessment
3. Al risk treatment
4. Al system impact assessment
9. Performance evaluation
1. Monitoring, measurement, analysis
and
evaluation
2. Internal audit
1. General
2. Internal audit programme..
3. Management review
1. General
2. Management review inputs
3. Management review results
10.Improvement
1. Continual improvement
2. Non conformity and corrective
action
ISO/IEC 42001:2023

• Annex A (normative) Reference control objectives and controls
• Annex B (normative) Implementation guidance for Al controls
• Annex C (informative) Potential Al-related organizational objectives and risk
sources
• Annex D (informative) Use of the Al management system across domains or
sectors
ISO/IEC 42001:2023

Annex A Controls
Controls structure
In the standard, in Annex A, Table A.1 provides the organization with a reference set of
control objectives and controls to achieve those objectives, for meeting organizational
objectives and addressing risks related to the design and operation of Al systems.
• All the controls are not necessary to be implemented
• the organization can design and implement their own controls (Ref.: 6.1.3).
Annex B provides implementation guidance for all the controls listed in Table A.1.

Annex A Controls
Domains of controls
1. A.2
2. A.3
3. A.4
4. A.5
5. A.6
6. A.7
7. A.8
8. A.9
Policies related to Al
Internal organization
Resources for Al
systems
Assessing impacts of Al
systems Al system life cycle
Data for Al systems
Information for interested parties of Al
systems Use of Al systems
9. A.10 Third-party and customer relationships
Control objectives – 10 – specify the requirements and the Controls – 38 –
facilitate meeting the requirements.

AI Use Cases
Application domains (ISO/IEC TR 27563:2023)
1. Agriculture
2. Home/service robotics
3. Media and
entertainment
4. Construction
5. ICT
6. Mobility
7. Defence
8. Knowledge
management
9. Public sector
10.Digital marketing
11.Legal
12.Retail
14.Logistics
15.Security
16.Energy
17.Low-resource
communities
18.Social infrastructure
19.Fintech
20.Maintenance and
support
21.Transportation
22.Healthcare
23.Manufacturing
24.Work and life

Considerate Elements in
the Use of AI

• Ethical frameworks
• Human rights practices
• Fairness and non-
discrimination
• Accountability
• Transparency and
explainability
• Professional responsibility
• Promotion of human values
• Privacy
Ethical & Responsible Use of AI
Introduction
• Ethical & Responsible Use of AI (ISO/IEC TR 24368:2022)
• Safety and security
• Human control of technology
• Community involvement and
development
• Human centered design
• Respect for the rule of law
• Environmental sustainability
• Labour practices

• Transparenc
y
• Explainabilit
y
• Controllabilit
y
• Availability
• Resiliency
• Reliability
• Accuracy
• Safety
• Security
• privacy
Ethical & Responsible Use of AI
Introduction
• Trustworthiness of AI (ISO/IEC TR 24028:2020)
• Societal concerns

Determinatio
n
• Determine the organisation’s
role
• The elements of AIMS
Implementatio
n
• Definitions of policies, processes and
supporting elements
• Risk assessment
• Define and appoint personnel for AIMS
Audi
t
• Undergo an independent third
party endorsement
• Certification
AIMS Road Map

Artificial Intelligence
AIMS related trainings
Auditor/Lead Auditor Training on Artificial
Intelligence Management Systems based on
ISO/IEC 42001:2023
Lead Implementer Training on Artificial
Intelligence Management Systems based on
ISO/IEC 42001:2023

Artificial Intelligence AIMS related trainings
Training Title
Lead Auditor Training on AIMS
based on ISO/IEC 42001:2023
Lead Implementer Training on AIMS
based on ISO/IEC 42001:2023
Course Duration 5 Days 4 Days
Course Outline
What is AI and ML? Data science
concepts, AI terminologies, disruptive AI
(Gen AI, discriminative AI), regulatory
stipulations, transparency, ethical AI use,
ISO/IEC 42001:2023 standard, and its
applicability, & more.
Introduction to AI and ML, data science
concepts, AI terminologies, generative and
discriminative AI, how AI becomes
disruptive, AI considerations, and
regulatory stipulations, & more.
Who can Benefit?
AI developers, operators, business
managers, quality managers, Risk
managers (ERM or Infosec/AI RM)
Executive level stakeholders, Regulatory
Compliance Managers, MS Auditors
AI developers, operators, business
managers, quality managers, excellence
professionals, security professionals,
consultants, AI vendors, stakeholders,
and auditors.
Certificate Issued As
TÜV SÜD certificate on successful
completion of the exam for
“Auditor/Lead Auditor on AIMS ISO
/IEC 42001:2023”
TÜV SÜD certificate on successful
completion of the exam on “Lead
Implementor on AIMS ISO /IEC 42001:2023”

ISO/IEC 42001:2023
• Enhanced Brand
Reputation and Trust:
Demonstrate
responsible AI
development and
deployment, enhancing
your brand reputation.
• Achieve Compliance &
Manage Risks:
Implement a structured
AI management system
to manage risks,
enhance efficiency, and
navigate regulatory
landscapes with
confidence.
• Enhance Efficiency and
Innovation: Structured
AI management fosters
efficiency and drives
innovation, enabling
organisations to
capitalise on the full
potential of AI
technology.
• Future-Proofing:
Establish a foundation
for responsible AI
practices that ensure
adaptability and
resilience in a rapidly
evolving business
environment.
Your benefits at a glance
Certification to ISO/IEC 42001 is essential for
businesses in the AI domain due to its focus on
responsible AI management, which fosters
transparency and fairness while addressing ethical
concerns. ISO/IEC 42001 applies to any organisation,
regardless of size, type, and nature, that provides or
uses products or services that utilise AI systems.
Learn more on our website.
• ISO 42001 provides a framework for establishing,
implementing, maintaining, and continually
improving an Artificial Intelligence management
system within organisations
• Organizations of any size involved in
developing, providing, or using AI-based
products or services
• ISO 42001:2023 Certification Audit : TÜV SÜD
certificate will be provided
Navigate the exciting future of AI with ISO/IEC 42001
Certification
About the standard Our Offering
• At TÜV SÜD, we leverage our testing, inspection, and
certification expertise combined with deep knowledge
of Industry 4.0, AI, IoT and Cybersecurity. Our AI
experts are thought leaders in the AI ecosystem and
• significantly contribute to developing AI-related
standards. We at TÜV SÜD have vast experience in
management system certifications under various
accreditations.
• Our team has expertise in the fields of AI quality,
cloud security, data privacy, data
protection, and information security
management.
• Our experts will help you embrace the transformative
power of AI with confidence and responsibly navigate
your business's future.
Why choose TÜV SÜD?

Thank you

ISOIEC 42001 AI Management System Slides

More Related Content

What's hot

Similar to ISOIEC 42001 AI Management System Slides

Recently uploaded

ISOIEC 42001 AI Management System Slides