Recent advancements in AI systems have prompted governments and regulatory agencies around the world to develop standards for secure and fair use of AI tools. Based on industrial context and location, some organizations will need to implement these standards sooner rather than later. ISO 42001 is an essential standard for the safe, efficient governance of AI systems, guiding organizations in their AI development and deployment practices. Continue reading to explore whether you should adopt ISO 42001 for your organization.
Organizations That Need ISO 42001, Explained
The ISO 42001 standard is a new international standard that aims to unify sound information technology (IT) and cybersecurity practices for artificial intelligence (AI) governance. As AI tools continue to saturate markets and gain traction among professional and consumer users, many organizations are questioning whether they need to comply, and how to achieve compliance if they do.
Understanding whether ISO 42001 applies to your organization requires knowing:
- What ISO 42001 is and when/where it applies, now and in the future
- Which industries ISO 42001 is most directly applicable to (and why)
- Which national, local, or other jurisdictions may necessitate compliance
- How ISO 42001 compliance relates to other similar laws and regulations
Working with an advisor will help you prepare for, achieve, and maintain compliance.
ISO 42001’s Current and Future Applicability
ISO 42001 is a joint publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full official title, ISO/IEC 42001:2023 Information Technology — Artificial Intelligence — Management System, indicates its focus on the management of AI systems. The standard is intended to be used by any organization that uses or develops AI tools and wants or needs to do so in a way that’s safe, fair, and efficient.
In terms of legal mandates, the ISO 42001 standard is not yet mandatory for any business by any law or statute anywhere in the world. That may change over time, however, as governments create their own rulesets that borrow, adapt, or otherwise relate to the protections in ISO 42001.
Additionally, there are business reasons to consider implementing the standard irrespective of legal mandates. Current or potential partners and clients may expect your organization to use AI tools responsibly, and implementing a standard like this is one way to show you are.
Industries and Use Cases for ISO 42001
Operating in an industry with sensitive data concerns typically requires complying with a data security standard. Many of these standards already have language in place about using AI tools safely, and others may include them in the future. In any case, implementing ISO 42001 will help your organization ensure security across all parts of your IT system that AI touches.
If you operate in one of the following industries, you may need to safeguard your AI usage:
- E-commerce – Organizations that process card payments or cardholder data (CHD) need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
- Financial services – Service organizations may need to comply with the American Institute of Certified Public Accountants (AICPA) SOC 1, SOC 2, and/or SOC 3 rules.
- Healthcare services – Covered entities in healthcare and their business associates need to comply with the Health Insurance Portability and Accountability Act (HIPAA).
- Government contracting – Organizations working with the US government may need to comply with several National Institute of Standards and Technology (NIST) rulesets.
While industry-specific regulations may not presently incorporate AI controls, they all almost certainly will in the future. Implementing ISO 42001 now will help you stay ahead of the curve.
Location-based ISO 42001 Considerations
Aside from industry-specific regulations, there are also laws that apply to IT management based on where an organization operates and/or where its clients are based. These same jurisdictions may adopt ISO 42001 protections in the future, or adapt their own, similar rules for AI systems.
For example, one of the most widely applicable data privacy regulations in the world is the European Union’s General Data Protection Regulation (EU GDPR). It ensures data privacy for all EU residents, and it applies to all organizations that collect these individuals’ data, no matter where the organizations themselves are based.
Additionally, the European Union’s AI Act has come into force and will soon require compliance from organizations involved in AI development and deployment. This legislation aims to ensure the safe and ethical use of AI technologies and will apply to organizations regardless of their location. Just as many organizations utilized the ISO 27001 standard—which provides a framework for managing information security—to prepare for GDPR compliance, the ISO 42001 standard can be leveraged as a framework to help achieve compliance with the EU AI Act.
Beyond national and regional-level laws, there are also more localized protections. Several US states have their own rules with restrictions similar to those of the GDPR. The most notable and oldest among these is the California Consumer Privacy Act (CCPA), which can apply to a business that collects California residents’ data irrespective of where its headquarters are located. Many states have bills or laws currently in the works that could incorporate AI-specific protections in the future.
Streamlined Compliance with Other Standards
Many contexts in which ISO 42001 may be needed involve industries with strict data sensitivity requirements or locations with data privacy laws. Many organizations are faced with multiple regulations at once, which requires mapping and streamlining controls to meet many different rules simultaneously while minimizing costly overlap—and oversights.
ISO 42001 can be beneficial in this regard because it is based on another widely applicable standard, ISO 27001. Rulesets such as HIPAA, PCI DSS, and GDPR share common ground with ISO 27001, which means that many of their controls map readily onto the baseline requirements of ISO 42001.
None of these standards offers full coverage for the others, unfortunately. But organizations that know they need to comply with two or more of the regulations named above can consider using an omnibus standard that does provide full coverage, like the HITRUST CSF. By implementing the CSF and becoming HITRUST certified, you can “assess once, report many,”
Optimize Your ISO 42001 Compliance Today
Securing AI systems and ensuring fair, reliable service is challenging on its own. On top of that, there are also lingering questions about whether emerging standards like ISO 42001 apply to your organization and what you need to do to comply. While ISO 42001 is not yet legally required, it could be soon. And, if you operate in or around highly regulated industries, or are subject to other standards, complying sooner rather than later is advisable.
RSI Security has helped numerous organizations rethink their cyberdefenses and overall IT governance for compliance and cybersecurity assurance. We believe that discipline up front unlocks greater freedom down the road, and we’ll help you achieve that with expert guidance.
To learn more about our ISO 42001 compliance services, contact RSI Security today!
1 comment
Great post. Thanks for sharing this amazing content. I appreciate your efforts. Amazing content.