Implement ISO 42001
Demonstrate a commitment to ethical and responsible AI use
Alex Shepherd, AI Client Manager
19 November 2024
Agenda
1 AI risk
2 Mitigating AI risk
3 Standards
4 ISO 42001
5 Implement ISO 42001
6 Panel discussion / Q&A
What is AI risk?
AI risk examples
1 - In 2022, Air Canada's chatbot promised a discount that was, according to their policies, not available to a customer.
“It should be obvious to Air Canada that it is responsible for all the information on its website, … It makes no difference whether the information comes from a static page or a chatbot.”
2 - Michael Cohen, former lawyer for Donald Trump, used Google Bard to generate non-existent legal case citations. These false citations were unknowingly included in a court motion by Cohen's attorney, David M. Schwartz.
Sources:
https://www.bbc.com/travel/article/20240222-air-canada-chatbot-misinformation-what-travellers-should-know
https://www.reuters.com/legal/ex-trump-fixer-michael-cohen-says-ai-created-fake-cases-court-filing-2023-12-29/
© 2024 BSI. All rights reserved. 4
How do we mitigate AI risk?
Responsible AI framework: creating an ecosystem of trust and collaboration
[Diagram labels: Governments / Authority Bodies; Leadership; Technical / Data Teams; Legal; End users / public; treatment layers: Standards, Technical, Legal and Compliance, Ethical]
Legal: How can we treat AI risk through legal compliance?
Mitigating risk through legal compliance
The EU AI Act is the first piece of horizontal legislation focused on ensuring that deployed AI technologies respect citizens' health, safety, and fundamental rights.
Risk classification (diagram labels): Prohibited; GPAI; High; Limited (Transparency); Minimal
Poll question 1
Standards: How can we deal with AI risks through International Standards?
ISO 42001
The AI Management System Standard.
Enables an organization to achieve its objectives by having processes in place to identify, manage and treat AI risks.
• How should AI be used and developed within the organization?
• How do we identify and treat AI risks?
• How do we ensure that our organization is prepared for the risk landscape of tomorrow?
How can we implement ISO 42001?
• Starter Mode
• Improvement Mode
ISO 42001 implementation
Starter Mode – building the foundation for compliance
[Diagram: ISO 42001 clause cycle, starting at clause 4 Context of the Organisation → 5 Leadership → 6 Planning → 7 Support → 8 Operation → 9, 10 Performance Evaluation]
Context of the organisation
Goal: The (certification) scope of activity that is relevant to AI safety.
Documentation: The scope of the organisation defines the start and end points of AI development and usage within the organisation.
• What activities does your organisation undertake?
• Where is AI used or developed?
• Who are the key external and internal influencers?
Leadership
Goal: To ensure that leadership commitment to Responsible AI is aligned with organisational goals. Make sure efforts to achieve Responsible AI usage and development encompass all activities within the scope.
Documentation: The AI policy is a document that should be made available to relevant stakeholders (including end users and employees):
• What is the organisation's attitude towards AI usage and/or development?
• Does it provide employees with the relevant principles they should consider before using or developing AI?
• How does responsible AI usage/development align with strategic objectives?
Planning
Goal: Gain an understanding of the organisation's AI risk landscape. Define the success metrics.
Documentation: An AI Risk Register is a tool an organisation can use to have an overview of its AI-related risks:
• How do you compute a risk score for each risk?
• How do you prioritise risk?
• What is the organisation's acceptable risk appetite?
AI System Impact Assessments are key to understanding the impacts these systems have on end users:
• Are specific groups affected by the system? How?
• What are the consequences on (certain groups of) end users?
Support
Goal: The resources around Responsible AI are available to achieve your goals.
Documentation: Data Handling and Classification Policy:
• Which documents are confidential, and which are public?
• Do you have enough competent people in the organisation to achieve your Responsible AI goals?
• How do you make sure that colleagues are aware of the risks of using or deploying AI technologies?
• How do we communicate all AI-relevant policies to external and internal stakeholders?
• Do we have documentation of our procedures in place?
Operation
Goal: Establish a risk mitigation strategy for each AI risk.
Documentation: The Statement of Applicability is central to defining how an organisation mitigates risk impact:
• Which measures are applicable for the organisation to use? Why?
• TIP: Use ISO 42001 Annex A as a template
• Are there additional measures which could be useful to implement in the organisation?
AI Risk Register:
• Which measures did the organisation use to reduce risk impact? Are they effective in reducing risk impact?
Performance Evaluation
Goal: Evaluate the gaps and improve on your existing management system.
Documentation: Internal Audit Programme:
• Which aspects will you assess within the organisation?
• How often will you conduct internal audits?
Internal Audit Reports:
• Are the audits impartial, and do they offer an independent perspective?
Management Review:
• Is management involved in improving the way we manage AI risks?
• Which results do you consider to evaluate the management system's performance?
ISO 42001 implementation
Starter Mode – building the foundation for compliance
[Diagram: the clause cycle with its documentation: 4 Context of the Organisation – Scope; 5 Leadership – AI Policy; 6 Planning – AI Risk Register, AI Impact Assessments; 7 Support – Data Handling Policy; 8 Operation – Statement of Applicability, AI Risk Register; 9, 10 Performance Evaluation – Internal Audit Programme, Internal Audit Reports, Management Review]
ISO 42001 implementation
Starter Mode – building the foundation for compliance
What can we do now to prepare the road for Responsible AI tomorrow?
Short Term:
• Identify organisation's scope for managing AI risks (key stakeholders and issues)
• Determine organisation's attitude towards AI usage & deployment via AI policy
• Determine key objectives to measure success.
Medium Term:
• Develop mechanisms to identify risk
• Develop a risk register to enable effective oversight of AI risks.
• Acquire the relevant talent and resources to mitigate AI risks
Long Term:
• Implement an internal audit programme to identify areas of improvement.
• Feedback improvements to management through a management review.
ISO 42001 implementation
Improvement Mode – to boost AIMS performance
[Diagram: the same clause cycle and documentation as in Starter Mode (4 Context of the Organisation – Scope; 5 Leadership – AI Policy; 6 Planning – AI Risk Register, AI Impact Assessments; 7 Support – Data Handling Policy; 8 Operation – Statement of Applicability, AI Risk Register; 9, 10 Performance Evaluation – Internal Audit Programme, Internal Audit Reports, Management Review), with an improvement marker on the performance evaluation stage]
Poll question 2
Your ISO 42001 Guide
1 – Preparing for ISO 42001
2 – Implement ISO 42001
3 – Complement ISO 42001, coming in 2025
Links
• Download our EU AI Act whitepaper
• Watch the ‘Prepare for ISO 42001’ webinar on demand
Panel Session
Thank you
bsigroup.com