April 26, 2024

Last Updated on July 30, 2024

AI creates massive business opportunities but introduces new types of risk that many organizations do not fully understand or manage. At the same time, new AI regulations and requirements are rapidly emerging.

Are you using AI in a secure, compliant, and ethical manner? The ability to prove it is rapidly becoming a contractual and/or regulatory obligation for growing businesses.

The new global AI management system standard, ISO 42001:2023, “Information technology – Artificial intelligence – Management system,” creates a certification pathway for organizations that want to demonstrate strong AI governance, ethical use, and accountability. But to certify that you also have robust cybersecurity and privacy controls to protect sensitive data within and beyond your AI systems, you need more.

That’s where ISO 27001:2022, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements,” and ISO 27701:2019, “Security techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management—Requirements and guidelines,” come in.

This article shares insight on how leading organizations are linking ISO 42001, ISO 27001, and ISO 27701 compliance and certification efforts to drive competitive differentiation, risk reduction, and peace of mind for stakeholders on all fronts.

 

ISO 42001, ISO 27001 and ISO 27701—designed to be combined

Due to their “harmonized structure” as ISO management system standards, organizations can combine ISO 42001 with ISO 27001 and optionally also ISO 27701 to create a unified management system. ISO 27001 and ISO 42001 have very similar structures, and much of the guidance in their clauses 4 through 10 is applicable to both.

For companies looking to holistically address AI, information security, and privacy risk to meet internal and/or external obligations, an integrated management system offers many advantages. Businesses that are already ISO 27001 certified can extend their current information security management system (ISMS) scope, documentation, policies, and processes to include the AI management system (AIMS). Most of the additional ISO 42001 certification effort would focus specifically on ISO 42001 controls, while reusing many of the management system constructs.

Another area of natural overlap between ISO 42001, ISO 27001, and ISO 27701 concerns the many AI risks relating to the security and protection of personal data, especially within training data sets as they are aggregated and processed through an AI system.

Leveraging ISO 27701 for privacy within an integrated risk management framework

ISO 27701 is specifically structured to extend an ISO 27001 conforming ISMS to encompass privacy, yielding a unified “privacy information management system” (PIMS). Should organizations pursuing certification against all three standards integrate all three management systems within a single construct?

According to Ariel Allensworth, Senior GRC Consultant at CBIZ Pivot Point Security, “Generally yes, but it depends. It’s more efficient and there’s a lot less duplicative effort if you integrate most things together.”

This is especially true on the management plane. But it can make sense to operationalize policies or processes separately at the tactical level. For example, depending on your business size and your AI footprint, you might have an AI subcommittee under your information security, privacy, and AI management committee, while keeping the leadership commitment, accountability, roles, and responsibilities integrated.

 

Integration guidance in ISO 42001 Annex D

Another support for integrating management system constructs across the “Big 3” is found in ISO 42001’s Annex D. This informational section of the standard includes guidance on integrating an AIMS with other management systems, including ISO 27001, ISO 27701, and even ISO 9001 (for quality management within AI development where life and safety may be at stake).

“It goes above and beyond what ISO 27001 does,” says Ariel.

 

What’s next?

For more guidance on this topic, listen to Episode 136 of The Virtual CISO Podcast with guest Ariel Allensworth, Senior GRC Consultant at CBIZ Pivot Point Security.