ISO 42001 is the new Management System standard for governing AI systems, specifically the risks they present to your business, and providing a framework for how to make the most of the opportunities they present.
It comprises a set of requirements to establish an AI Management System and a mechanism to be certified to this internationally recognised standard. For organisations looking to integrate ISO 42001 with other standards, understanding these requirements is essential.
However, if you have experience with other Management System standards (such as ISO 9001, ISO 27001, or ISO 13485), the requirements within ISO 42001 may look familiar. Below, we’ll explain why this is the case and how you can integrate ISO 42001 with your current Management Systems to enhance governance and compliance.
Why do ISO Management System standards look the same?
A “Management System” is a technical way of saying the way in which a business operates – whether you have it written down or not, your company has a “Management System”.
ISO Management System standards (like ISO 42001) are intended to give organisations best practice for addressing specific areas within their management system (e.g. AI for ISO 42001, Information Security for ISO 27001).
ISO acknowledges that businesses face many different types of requirements that their Management System should address, so it creates Management System standards that are structured similarly (based on a document called Annex SL).
ISO intends for businesses to apply multiple Management System standards in a joined-up way.
ISO have created Annex SL and a guidance document on how to do it – fortunately, we’ve read these documents, so you don’t have to. They recommend “integrating” aspects of your Management System, not creating siloed Processes and Procedures to address each different aspect of your Management System
Why integrate your Management Systems?
A Management System is the way in which you run your business – integration is about looking for ways to make your processes more efficient by addressing requirements from multiple directions at once.
Creating a single place where documents are stored and agreeing on how to notify relevant people when they are changed, rather than maintaining different storage systems for information security, AI, and customer feedback, would be an example of integrating a Management System.
Is integrating every process essential? Absolutely not, but we frequently come across companies looking for new software systems to address a new regulatory requirement, when existing systems can be adapted to keep fees, maintenance work and duplication of effort down.
But, sometimes, it’s better not to integrate – if two teams have very different requirements from their processes or perform very different tasks, it can be helpful to keep them separate.
The best places to integrate
Often, policies and procedures will expand over time as companies take on new regulatory or compliance requirements, resulting in dozens or even hundreds of these documents. We always recommend a different approach – having 10-20 procedures that outline responsibilities and process flows across and between teams, then having specific guidance documents or templates maintained by key stakeholders only where needed to ensure an effective process – that is a process that delivers what your business wants, not just your auditor!
This means you end up with a single process for (for example) supplier onboarding and evaluation instead of having to refer to the AI supplier policy, the information security supplier policy, the finance supplier policy and all the rest – as well as a single evaluation form (preferably in a configurable system like Jira so you can control the process workflow) rather than multiple assessment forms.
Similarly, Risk Management is a major governance area for many companies, but having different risk assessment methods for different types of risk results in risks being missed or duplicated – why not have a single risk assessment method with different scoring systems for each risk type?
Another high-level place where integration and joined-up thinking can save duplication of effort is when considering resources, tools and infrastructure needed for your organisation. Many management system standards require compliance through recording and monitoring of the human, technological and external resources that the organisation requires to operate effectively. ISO 42001 adds the need to keep specific logs of the data and tooling resources needed for the AI. There’s no reason that these processes shouldn’t be combined into a single log, with careful use of labels and tracking, and any changes to resource requirements or risks posed to the organisation from ineffectively planned resource changes can be mitigated.
This approach does require setting appropriate accountabilities, as Process Owners will need to interact with Compliance Specialists to ensure their processes deliver what the company and its stakeholders need from them.
As ISO 42001 is structured similarly to other ISO Management System standards, simply lining up clauses between the standards can be very helpful. To integrate ISO 42001 into your existing management system, we would recommend:
Discuss and bring on board key stakeholders – senior management to assign and support any resources, existing process owners and staff who will have to follow the changes processes. Gaining feedback and input (to a point) should support a smoother transition.
If you already have a documented regulatory strategy, review it to ensure that making changes to your organisation does not require updating it or making changes to your interactions with external parties such as regulators.
Identify the gaps in your existing Management System to create a comprehensive list of the requirements you need to integrate
Don’t just add to Policies and/or Procedures – think about how the process should work and add fields to workforms with relevant guidance.
Use the comparison and gap analysis to create an “Implementation Plan” under your existing Management System to integrate the new requirements.
Follow the implementation plan to close the identified gaps.
Carry out internal audits to assess the impact the changes have had and identify any further improvement work.
If you’re looking to implement ISO 42001 to get a certificate, you’ll want to engage with your certification body as early as possible, as their timeline for auditing may inform your timeline for implementation.
It may be the case that your current certification body is not accredited to provide an ISO 42001 certificate, in which case, you will need to identify an accredited certification body.
The IAF has a list of accreditation bodies for each country, which in turn can give you a list of certification bodies in your country that can provide ISO 42001 certification. We don’t recommend getting certified by a certification body not accredited by an IAF member.
Top Tip
When speaking to your certification body, if you have integrated ISO 42001 with other standards, mention that you have an Integrated Management System and ask about Integrated Auditing. Some ISO standards allow for reducing auditing time in a certification/surveillance audit if multiple standards are being audited at once – this can reduce the cost of your certification and the number of surveillance visits. If you’ve integrated your Management System well, this can be a significant saving.
We’re the experts that have your back.
Let us help you find a route from from where you are, to where you need to go. We’re here to help.