ISO 42001 Certification

The evolution of Artificial Intelligence is driving governance requirements for the commercial use of AI. Developing and using AI technology carries risks for society, so society and governments are demanding that AI be regulated. A growing number of organisations are implementing an Artificial Intelligence Management System (AIMS). This is where certification bodies can provide accredited ISO 42001 certification. You can apply for an audit of your AIMS against the current standard, ISO/IEC 42001:2023.

We conduct certification audits for organisations located in the USA, Europe, the Middle East, Africa and Asia.
If you are based in a developing country, ask about our AIFOD scheme to enter our special program for startups in developing countries.

Who needs an ISO 42001 Certificate?

If your organisation is using artificial intelligence, or even developing AI-based technology, an increasing number of jurisdictions require proof of compliance with AI-related legislation (e.g., the European AI Act). Based on national interpretations of the AI Act, using AI in a company without a certified AIMS could lead to legal problems. The AI Act expects companies to assign one of its risk categories to each of their AI activities. If AI is not properly governed inside the organisation, the organisation may be forced to halt its AI activities altogether.

The situation is more serious for companies developing business solutions or consumer products with AI built in. If their AI models fall into a prohibited category, the product must be taken off the market within 6 months or the company faces legal prosecution. Innovative companies in less problematic sectors will still need to implement a credible management system. It is not enough to take a template from the web and paste the company name into every document. The management system must match the business model and the organisation's AI-related activities and products. Only then does an AIMS have a realistic chance of passing an accredited certification audit for compliance with ISO 42001.

ISO 42001 Certification Areas

Within the ISO/IEC 42000 family of standards, ISO 42001 is the core management-system standard against which certification is granted. If your organisation has never been through an audit and has only recently introduced its AIMS, first focus on increasing the detail of your SOPs. Once your AIMS has reached an acceptable maturity, you can apply for your ISO 42001 certificate.

Secure usage of AI

AIMS: Implement a management system that governs how employees use AI within the organisation.

AI Developers: Ethical Models and Data Sets

AIMS: Develop AI models with an ethical approach towards sustainability and the avoidance of discrimination.

Trustworthy AI Products

AIMS: Protect your clients' data from being misused inside AI products and demonstrate trustworthy compliance.

What is ISO 42001?

The International Organization for Standardization (ISO), jointly with the IEC, published the ISO/IEC 42001 standard to help organisations protect society from the adverse effects of AI technology.

Auditors will want evidence that an artificial intelligence management system (AIMS) has actually been established and operates consistently with its documentation.

An AIMS helps leadership ensure that society is protected from rogue, illegal or discriminatory use of artificial intelligence (AI).

The ISO 42001:2023 standard has the following structure (numbered by clause):

  0. Introduction – the standard describes a process for systematically managing AI-related risks.
  1. Scope – it specifies generic AIMS requirements suitable for organisations of any type, size or nature.
  2. Normative references – only ISO/IEC 22989:2022 is considered absolutely essential reading for users.
  3. Terms and definitions – see ISO/IEC 22989:2022.
  4. Context of the organisation – understanding the organisational context, the needs and expectations of ‘interested parties’ and defining the scope of the AIMS. Clause 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” the AIMS, meaning that it must be operational, not merely designed and documented.
  5. Leadership – top management must demonstrate leadership and commitment to the AIMS, mandate the AI policy, and assign appropriate roles, responsibilities and authorities.
  6. Planning – outlines the process to identify, analyse and plan the treatment of AI-related risks (6.1.2), to define the AI objectives of the organisation (6.2), and to manage changes to the AIMS.
  7. Support – adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.
  8. Operation – more detail on assessing and treating AI risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
  9. Performance evaluation – monitor, measure, analyse and evaluate/audit/review the AI controls, processes and management system, systematically improving things where necessary.
  10. Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the AIMS.

Why can an ISO 42001 certification be beneficial to you?

When an organisation decides to become ISO 42001 certified, it undergoes a journey of building its AIMS documentation and preparing everyone in the business to apply the new AI policies and controls. In the process, the organisational processes reach a greater maturity. Once the certification audit is successfully completed, the ISO 42001 certificate demonstrates the following positive aspects to outsiders:

  • Greater AI safety
  • Regular AI improvements
  • Greater trustworthiness
  • Greater reliability
  • Lower risk to client assets and IP

Furthermore, an organisation also experiences the following internal improvements:

  • Information flows inside the company are secure and efficient
  • Information is available and reliable when needed
  • Loss, theft, misuse or manipulation of data related to AI activities is less likely
  • Only authorised persons have access to confidential data and core AI technology
  • Greater compliance with laws, regulations and contractual obligations

What is required for ISO 42001:2023 certification?

The ISO 42001:2023 standard requires documented information on the following 14 items to be in place in the AIMS before a certificate can be issued:

  1. AIMS scope (as per clause 4.3)
  2. AI policy (clause 5.2)
  3. AI risk assessment process (clause 6.1.2)
  4. AI risk treatment process and the Statement of Applicability (clause 6.1.3)
  5. AI objectives (clause 6.2)
  6. Evidence of the competence of the people working with AI technology (clause 7.2)
  7. Other AIMS-related documents deemed necessary by the organisation (clause 7.5.1b)
  8. Operational planning and control documents (clause 8.1)
  9. The AI risk assessment outputs i.e. the assessed risks (clause 8.2)
  10. The AI risk treatment decisions (clause 8.3)
  11. Evidence of the monitoring and measurement of AI (clause 9.1)
  12. The AIMS internal audit program and the results of audits conducted (clause 9.2)
  13. Evidence of management reviews of the AIMS (clause 9.3)
  14. Evidence of nonconformities identified and corrective actions arising (clause 10.2)

How will the audit plan be influenced by the statement of applicability?

Our audit teams follow an audit plan that takes your organisation's specific industry sector and business model into account. The compliance of your AIMS will be reviewed against the clauses of the standard and the relevant controls of Annex A. To conduct a proper audit, the audit client must name staff members who can answer questions on the respective parts of the audit plan; an example would be naming the HPC administrator for the controls related to access control. During the audit the lead auditor will then ask the organisation's AI officer to arrange for the HPC admin to be available for the session on access control.

An organisation must regularly review its Statement of Applicability (SoA) to decide which controls are necessary. Auditors will review the SoA and in particular question controls that have been declared not applicable, expecting a justification for each exclusion. Controls marked as applicable will also be inspected, but in a different way: the auditor looks for evidence that they are implemented and operating.

How much will the audit and ISO 42001:2023 certification cost?

The cost of an ISO 42001:2023 certification depends on the size and risk profile of the organisation. The ISO 27006 standard provides a baseline number of audit days for an organisation of average risk with a given number of staff in scope. Our audit estimators calculate the expected audit time from company-specific parameters. Some factors allow the audit duration to be reduced, which lowers the audit costs.

Where risks require additional depth of audit activities, the audit plan must allocate extra time for them, which increases the audit time and the related costs. In addition, if auditors have to travel to the client's operational locations, the client organisation will incur the travel expenses. The ISO standard allows up to 30% of the audit to be conducted remotely. If the company structure (home office) or the situation (e.g. a pandemic) requires a 100% remote audit, the certification body must obtain consent from the respective accreditation body. Remote audits avoid travel costs and are usually ideal for “virtual organisations” (e.g. teams that are 100% home-office based).

Number of persons doing work under the organisation's control    AIMS audit time for initial audit (auditor days)
1-10                                                             0.5
11-15                                                            1.0
16-25                                                            1.5
26-45                                                            2.0
46-65                                                            2.5

The table above is based on Table B.1 of the ISO 27006 standard and shows the additional time allocated to the AIMS during a combined audit that includes ISO 42001.

The audit time allocated for AIMS inspection is at least:

  • 30% of the audit time as AI controller
  • 30% of the audit time as AI processor
  • 50% of the audit time, if the organisation is a AI controller and AI processor

The ISO 42001 audit (Stage 1 + Stage 2) must therefore be at least 2.5 days for AI controllers and 3 days for AI processors. If an organisation acts in both the controller and the processor role, the audit duration should not be less than the recommended 3.5 days.

This requirement exists because an ISO 42001 audit is structured very similarly to an ISO 27001 audit.

If the organisation already holds an ISO 27001 certificate and wants to extend its commitment, a separate audit of the AIMS documentation may be conducted. In that case a minimum of 0.5 days must be added to the audit duration.

FAQ for ISO 42001 Certification

The cost of your ISO 42001 certification will be quoted based on organization size and risk profile. The offer will contain a fixed fee basis and the estimated audit days. This will allow you to better budget your certification project.

The cost of certification will depend on:

  • your organisation’s total size
  • the sector you operate in
  • the number of locations you operate from and their particular activities
  • your organisation risk profile

You will be assigned an account manager who coordinates the first stage of your journey towards the ISO 42001 certificate. This person will prepare a fixed-fee quote for you and gather the key details of your desired certification scope.

The lead auditor will then arrange a 1-2 hour call with you to check that all aspects of your risk profile have been considered and that the structure of the audit plan matches the availability of the key people in your organisation.

Once the audit has been completed, the account manager will keep you updated while the audit documentation is processed by the certification body's compliance team. After a positive review, the ISO 42001 certificate will be issued to you.
We will also help you understand how to best use the certificate and associated logos, in order to avoid conflicts with the ISO rules.

Stratlane's accreditation is a key part of the assurance we can guarantee those who trust you by trusting your certificate.

Our accredited ISO 42001 certificates include not only your logo but also the logo of the accreditation body and respective accreditation associations.

Let's Get Your Company Certified!

Make use of our certification services so that your business gains the competitive advantage of holding accredited ISO certifications.