Opinions expressed by Entrepreneur contributors are their own.
ISO 42001 creates a framework for AI management systems, providing organizations with a structured approach to integrating AI-related practices into their operations. This standard emphasizes risk management, continuous improvement and alignment with the requirements of all stakeholders, ensuring that businesses can adopt AI responsibly while constantly adhering to global best practices.
In this article, I will explain the implementation of ISO 42001, AI management systems, step by step using practical language.
What is ISO 42001?
ISO 42001 is a requirements standard for AI management systems. A requirements standard means that you, as a business, can be issued a certificate to show stakeholders that your organization follows consistent business practices through predefined processes that take into account the requirements of all interested parties.
ISO 42001, like other ISO requirements standards, does not provide a body of knowledge on what to do with AI. Instead, ISO management systems, including ISO 42001, provide a framework for sustainability in understanding your organization's context through a structured approach: identifying the boundaries of business practices that may be affected by AI exposure, conducting risk assessment and management within the target area, implementing controls to manage risks to an acceptable level, monitoring the effectiveness of these controls in accordance with the requirements of all stakeholders and continuously improving the system accordingly.
Management systems, including AI management systems, are based on the PDCA cycle to support the principle of continuous improvement. ISO 42001, for AI management systems, is a general standard, meaning it can be applied by businesses regardless of their size or industry.
Today, all businesses, regardless of their size or the industry they serve, must consider their exposure to AI. By exposure, I mean the level of adoption of AI within their organization.
Step 1: Specify the scope of application
It is not efficient, or even possible, to implement an AI management system for the entire organization as a single project. Therefore, the first step in implementing ISO 42001 is to define the boundaries of implementation.
As a business organization, you deliver products in the form of goods or services. Usually, you follow default business processes for your products, whether they are goods or services.
The critical point is that the management system must be integrated into your business practices to be effective, rather than operating as a series of stand-alone processes added to existing practices. You will add structure to your business processes by integrating the management system into them, so no additional processes are created. The result is structured business processes with controls related to the management system seamlessly integrated.
The first step in implementing an AI management system is to specify the scope of processes with which the management system will be integrated.
The scope of the management system is the first question a certification body will ask when auditing your compliance with the standard. The boundaries of the management system should be clearly defined, as you will be certifying specific business practices consisting of their processes, not your entire organization.
The scope can be a product, whether a good or a service. It can also be a special project or an initiative, such as a research and development joint venture. In each case, it refers to a practice that consists of a series of processes that can span different sections of your organization to produce a specific result. Therefore, the scope does not imply a business section, such as human resources or marketing.
Step 2: Specify stakeholders
When you specify your scope for implementation, you describe the processes that make up the defined scope. Next, you identify all stakeholders related to these specified business processes—those that affect or can be affected by them. According to ISO, stakeholders include:
- Internal parties: both investors and employees, where maintaining corporate governance policies is essential to keep them satisfied.
- External parties: such as business partners or suppliers.
- Regulatory parties: including all laws and regulations relevant to the defined processes, which is particularly critical in AI.
- The standard itself: as you must meet its requirements to achieve certification.
Step 3: What are the stakeholder requirements?
What are the requirements of all stakeholders? For example:
What do your governance policies require of your human resources practices?
What are the requirements of your business partners in an R&D initiative – are these contractual requirements?
What are the regulatory requirements that your defined processes must adhere to?
When you identify these requirements, you get the information you need to determine whether or not your current processes meet the requirements of all stakeholders.
In this step, you must determine the different types of controls, technical or administrative, that will be included in your business processes. These controls will add structure to your processes, enabling you to integrate the management system into your business practices. The result is a business scope consisting of processes that are controlled according to the expectations of all stakeholders. This means that you have successfully implemented the management system.
Step 4: Monitoring and continuous improvement
The last step in each iteration is monitoring for continuous improvement. An implemented AI management system must be kept alive. Keeping a management system alive means you have to constantly repeat what you did during implementation at predetermined intervals. This ensures that your business practice remains in scope, you have an up-to-date understanding of who your stakeholders are, your understanding of their expectations is current, and your implemented controls continue to meet the expectations of all stakeholders.
Implementing ISO 42001 is not a one-time task, but a dynamic process that requires defining clear boundaries, addressing stakeholder needs and introducing controls into business processes. By maintaining a cycle of monitoring and improvement, organizations can align their AI practices with strategic goals and stakeholder expectations, driving both compliance and innovation.