
Does ISO 42001 certification require you to have ISO 27001 in place first (like ISO 27701:2019 did)?

No.

ISO 42001 certification stands alone and does not require ISO 27001 to be in place first.

But if you already have an Information Security Management System (ISMS) in place, building an Artificial Intelligence Management System (AIMS) is easier.

With that said, here are 3 key mistakes to avoid:

1. Using different risk criteria for each standard

ISO 42001 and 27001 both require identifying acceptable and unacceptable risks.

It's tempting to create different standards for each.

I wouldn't.

Instead, use this as an opportunity to kick off your quantitative risk management program.

Establish a risk appetite in terms of dollars of annual loss expectancy (ALE) and measure risks against that.

You can also create qualitative risks for each standard that are also unacceptable, like:

-> Knowingly violating laws, regulations, or contracts

-> Deploying AI that reduces human lifespan (net)

-> Training AI on pirated data

2. Creating "AI-specific" policies and procedures

AI risk doesn't live in a vacuum. It overlaps with cyber risk. So don't create separate approaches for:

-> Measuring risk

-> Assessing risk

-> Treating risk

The only possible exception is the AI impact procedure. This requires looking outside the organization much more than ISO 27001 does.

3. Using generic risks instead of system-specific ones

Based on the wording of ISO 27001, it’s acceptable to analyze risks to the entire ISMS, like:

-> Outages

-> Insider threats

-> Software vulnerabilities

This generic approach doesn’t actually help manage risk, but it might get you certified under 27001.

42001 is different, however, because it requires risk assessments for specific systems. So you can’t just say "hallucination" is a risk.

Tie it to a given AI system.
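To make points 1 and 3 concrete, here is a small added example (not part of the original post) of a single risk-criteria check that serves both an ISMS and an AIMS: every risk is tied to a named system, its annual loss expectancy is computed as single loss expectancy times annualized rate of occurrence (the standard ALE formula, not something the post states), and it is compared against one dollar appetite plus the qualitative hard-stops listed above. The appetite figure, system names, tags and dollar values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Dict, Tuple, List

# Constructed risk appetite (assumption): no single risk may carry more than
# $250,000 of annual loss expectancy. One figure shared by ISO 27001 and ISO 42001.
RISK_APPETITE_ALE_USD = 250_000

# Qualitative hard-stops from the post: a risk tagged with any of these is
# unacceptable no matter how small its ALE is.
UNACCEPTABLE_TAGS = {
    "violates_law_regulation_or_contract",
    "reduces_human_lifespan_net",
    "trained_on_pirated_data",
}


@dataclass
class Risk:
    name: str
    system: Optional[str]           # the specific AI system / asset; None means "generic"
    sle_usd: float                  # single loss expectancy, dollars per occurrence
    aro: float                      # annualized rate of occurrence
    tags: set = field(default_factory=set)

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle_usd * self.aro


def evaluate(risk: Risk, appetite: float = RISK_APPETITE_ALE_USD) -> Tuple[str, str]:
    """Return (verdict, reason) using one set of criteria for both standards."""
    # Point 3: ISO 42001 wants system-specific risks, so a generic entry is sent back.
    if not risk.system:
        return ("rejected", "generic risk: tie it to a specific system before assessing")
    # Qualitative criteria take precedence over the dollar threshold.
    hits = sorted(risk.tags & UNACCEPTABLE_TAGS)
    if hits:
        return ("unacceptable", "qualitative hard-stop: " + ", ".join(hits))
    # Point 1: quantitative criterion measured against the shared appetite.
    if risk.ale() > appetite:
        return ("unacceptable", f"ALE ${risk.ale():,.0f} exceeds appetite ${appetite:,.0f}")
    return ("acceptable", f"ALE ${risk.ale():,.0f} within appetite ${appetite:,.0f}")


def assess_register(risks: List[Risk]) -> Dict[str, str]:
    """Map each risk name to its verdict."""
    return {r.name: evaluate(r)[0] for r in risks}


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("hallucination", None, 0, 0),
    Risk("support-chatbot-v2 misstates refund terms", "support-chatbot-v2", 40_000, 10),
    Risk("ransomware outage of inference-cluster", "inference-cluster", 500_000, 0.2),
    Risk("content-summarizer fine-tuned on pirated corpus", "content-summarizer",
         20_000, 0.5, {"trained_on_pirated_data"}),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        verdict, reason = evaluate(r)
        print(f"{verdict:12} {r.name}: {reason}")
```

The same function is the risk acceptance criterion for both management systems; the only per-standard difference is which systems are in scope of the register, not how a risk is judged.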

TL;DR - ISO 42001 stands apart from ISO 27001. But if you combine the two management systems, do NOT:

1. Use different risk criteria for each standard

2. Create "AI-specific" policies and procedures

3. Use generic risks instead of system-specific ones

How are you integrating ISO 27001 with ISO 42001?

Mar 18 at 12:10 PM