Understanding the role of ISO 42001 in achieving responsible AI

AI reshapes sectors, boosting customer interactions and driving innovation. ISO 42001 promotes ethical AI development and risk mitigation.

In brief
  • AI is transforming sectors with personalized experiences and automation, but responsible practices are crucial to mitigating risks.
  • Introduced in 2023, ISO 42001 promotes ethical AI development, application and delivery, emphasizing trustworthiness and risk management.

Artificial intelligence (AI) is catalyzing a major shift across various sectors, reshaping customer interactions and propelling innovation at a remarkable rate. AI brings a wealth of possibilities for companies, including highly personalized experiences, robust automation, enhanced decision-making capabilities, and forward-looking analytics.

However, the extraordinary potential of AI also necessitates the adoption of responsible development practices, adherence to ethical standards and establishment of a uniform framework to mitigate AI-related risks. 2023 stands out as a milestone with the introduction of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 42001 standard.

In this article, we delve into the critical importance of ISO/IEC 42001 in defining the future of AI, so that the creation, application and delivery of AI technologies and services are conducted ethically.

ISO/IEC 42001: forging the path for ethical AI implementation

ISO/IEC 42001 was crafted to tackle the concerns and obstacles associated with the conscientious deployment of AI technologies by providing a set of criteria for the establishment, maintenance and continuous enhancement of an AI management system.

Incorporating an AI management system within an organization’s pre-existing operational and management frameworks is crucial.

At the same time, organizations must align their use of AI with their broader objectives and ethical standards while adhering to the requirements of ISO/IEC 42001.

The standard underscores the significance of maintaining the responsible use of AI throughout the lifespan of an AI system, from its creation to its rollout and subsequent phases. To achieve this, it is essential to institute solid procedures that safeguard the following fundamental elements around the responsible use of AI.

  • Security: protecting AI systems from unauthorized access and threats
  • Safety: ensuring that AI operations do not pose risks to humans or property
  • Fairness: promoting unbiased decision-making and preventing discrimination
  • Transparency: providing clear insights into AI processes and decisions
  • Data quality: overseeing the accuracy and integrity of data used by AI systems

Core concepts of ISO/IEC 42001

The fundamental principles of ISO/IEC 42001 encompass:

  • Decision-making enhancement: An AI management system (AIMS) serves as a pivotal tool for decision-makers, supplying organizations with precise and timely data that empowers them to make choices in harmony with their objectives.
  • Strategic edge: Organizations that adeptly weave an AIMS into their business practices can secure a strategic advantage by becoming more nimble, innovative, and attuned to shifts in the marketplace.
  • Resource optimization: An AIMS aids in the strategic deployment of resources such as human capital, financial assets and time by pinpointing areas for enhancement and detecting underutilized resources.
  • Proactive risk management: An AIMS enables organizations to spot and address risks effectively by examining data patterns and trends, thereby equipping them to tackle potential challenges in advance.
  • Process efficiency and optimization: An AIMS contributes to the automation of monotonous tasks, the analysis of extensive data sets and the generation of insights that can streamline and refine organizational processes.

Overview of ISO 42001 framework

  • Comparable to ISO 27001: For those acquainted with ISO 27001, the structure of ISO 42001 will be quite intuitive. Elements such as policies, governance and risk management will appear strikingly similar.
  • AI management: Clauses 4-10 of ISO 42001 delineate the AI management system, outlining the governance of the program.
  • AI policy requirements: The standard specifies a range of policy requirements, including a comprehensive AI policy, guidelines for AI use in products, appropriate use and others.
  • AI risk evaluation: It mandates conducting AI risk assessments and impact evaluations.
  • 38 specific controls: ISO 42001 includes 38 distinct controls that organizations will need to comply with during assessment.

ISO/IEC 42001 advocates for the seamless incorporation of AI within the governance structures of organizations. It encourages entities to view AI deployment as a strategic initiative, thereby guaranteeing congruence with corporate objectives and risk management policies. This strategy promotes a decision-making framework that is both enlightened and prudent, nurturing a harmonious relationship between innovation and accountability.

The structure of ISO/IEC 42001

ISO/IEC 42001 is structured to encompass 10 comprehensive clauses.

Four annexes complement the standard:

  • Annex A, reference control objectives and controls
  • Annex B, implementation guidance for AI controls
  • Annex C, potential AI-related organizational objectives and risk sources
  • Annex D, use of the AI management system across domains or sectors

Harmonizing ISO/IEC 42001 with ISO/IEC 27001

As organizations grapple with the dual challenges of AI technology management and information security, merging ISO/IEC 42001 with ISO/IEC 27001 presents a cohesive strategy to strengthen their governance and risk management frameworks.

By pinpointing synergies between these standards, organizations can craft a consolidated governance structure that aligns policies, processes and controls within both realms. This method maintains uniformity in protecting sensitive data and cultivates a security-conscious and compliant organizational culture.

Additionally, synchronizing risk management protocols between ISO/IEC 42001 and ISO/IEC 27001 empowers organizations to embrace an all-encompassing risk management strategy. This holistic approach aids in the thorough identification, evaluation and reduction of risks, thus curtailing vulnerabilities and bolstering defenses against evolving threats.

The clauses and controls of ISO/IEC 42001 and ISO/IEC 27001 exhibit considerable overlap. By capitalizing on these commonalities, organizations can streamline their operational and documentation processes, achieving a more efficient approach to managing AI and information security. This integration helps eliminate redundant efforts and guarantees a consistent approach to documenting AI management and information security measures.

Integrated training and awareness initiatives are also crucial, equipping staff with a clear understanding of their roles in maintaining AI systems and handling sensitive data securely. Comprehensive education on AI ethics, risk management and information security builds a skilled workforce adept at managing the intricacies of AI governance and of adherence to regulations.

Moreover, this integration extends to areas such as incident response and continuity planning, where coordination is vital to addressing disruptions that could affect AI and information security systems. By aligning response teams, communication plans and recovery procedures, organizations can reduce operational downtime and lessen the impact of incidents on business continuity.

For entities already compliant with ISO/IEC 27001, integrating ISO/IEC 42001 brings additional advantages. The congruent structures and aims of both standards facilitate a seamless management process, enhancing efficiency across the board in information security and AI system governance.

Conclusion

The newly introduced AI management system standard assists organizations in adopting a responsible approach to AI, regardless of whether they are users or developers of AI technologies. It is designed to guide organizations in the responsible provision or utilization of AI systems while striving to achieve their goals and comply with relevant regulatory mandates. Additionally, it aids in fulfilling obligations to stakeholders and aligning with their expectations.

For certain organizations, the integration of management system standards such as ISO 9001, ISO/IEC 27001 and ISO/IEC 42001 could be an optimal strategy. Such integrated management systems lay a robust groundwork for organizations to attain high standards of performance across multiple disciplines, thereby securing enduring success in the dynamic landscape of business and technology.

The field of AI is experiencing rapid development of international standards within the ISO/IEC framework. While ISO/IEC 42001 lays out a comprehensive system for implementation, there is a growing suite of other standards in the works that offer insights, guidance, and specific requirements on a variety of AI-related topics. These topics include, but are not limited to, explainability, transparency, bias and testing.

One notable example is ISO/IEC 25059, which presents a quality model for AI systems. This standard can be particularly beneficial when formulating quality objectives within AI management systems. Additionally, there are ongoing efforts such as ISO/IEC 42105, which expands upon previous work regarding controllability and aims to provide guidelines on human oversight and intervention in AI systems.

Special thanks to Eeshan Pandey for authoring this article, and to Michael Tippett and Sarah Liang for their contributions.

Summary

Standards like the ISO’s are invaluable resources for organizations that are in the process of implementing an AI management system. They offer supplementary information that can enhance an organization’s understanding and management of AI, so that their practices are in line with the latest international benchmarks for quality and responsibility in AI deployment.
