Opinions expressed by Entrepreneur contributors are their own.
ISO 42001 establishes a framework for AI management systems, providing organizations with a structured approach to integrating AI-related practices into their operations. This standard emphasizes risk management, continuous improvement, and alignment with the requirements of all stakeholders, ensuring businesses can adopt AI responsibly and consistently while adhering to global best practices.
In this article, I will explain the implementation of ISO 42001, AI management systems, step by step using practical language.
What is ISO 42001?
ISO 42001 is a requirement standard for AI management systems. A requirement standard is one that a business can be audited and certified against: the certification shows your stakeholders that your organization is pursuing consistency in its business practices through predetermined processes that take into consideration the requirements of all interested parties.
ISO 42001, like other ISO requirement standards, doesn't provide a body of knowledge on what you should do with AI. Instead, ISO management systems, including ISO 42001, provide a framework for consistency in understanding the context of your organization in a structured approach, identifying the boundaries of business practices that might be impacted by AI exposure, conducting risk assessment and management within the targeted scope, implementing controls to manage risks to an acceptable level, monitoring the effectiveness of these controls in alignment with the requirements of all interested parties, and continually improving the system accordingly.
Management systems, including AI management systems, are based on the PDCA cycle to uphold the principle of continuous improvement. ISO 42001, for AI management systems, is a generic standard, meaning it can be implemented by businesses regardless of their size or industry.
Today, all businesses, regardless of their size or the industry they serve, need to consider their exposure to AI. By exposure, I mean the level of AI adoption within their organization.
Step 1: Specify the implementation scope
It is not efficient, or even possible, to implement an AI management system for the entire organization as a single project. Therefore, the first step in implementing ISO 42001 is to define the boundaries of the implementation.
As a business organization, you deliver products in the form of goods or services. Usually, you follow predetermined business processes to produce them, whether the product is a good or a service.
The critical point is that the management system needs to be integrated into your business practices to be effective, rather than functioning as a series of independent processes added to existing practices. You will add structure to your business processes by integrating the management system into them, so no additional processes are created. The result is structured business processes with the management system's related controls seamlessly integrated.
The first step in implementing an AI management system is to specify the scope of the processes with which the management system will be integrated.
The scope of the management system is the first question a certification body will ask when auditing your conformance to the standard. The boundaries of the management system need to be clearly defined, as you will be certified for specific business practices consisting of their own processes, not for your entire organization.
The scope can be a product, whether a good or a service. It can also be a special project or an initiative, such as a research and development joint venture. In each case it refers to a practice consisting of a series of processes that may span different sections of your organization to produce a specific result. Therefore, the scope is not a business section, such as human resources or marketing.
Step 2: Specify the interested parties
When you specify your scope for implementation, you map out the processes that define the determined scope. Next, you identify all interested parties related to these specified business processes — those who impact or might be impacted by them. According to ISO, interested parties include:
Internal parties, such as investors and employees, where maintaining corporate governance policies is essential to keep them satisfied.
External parties, such as business partners or suppliers.
Regulatory parties, encompassing all laws and regulations relevant to the defined processes, which is especially critical in AI.
The standard itself, as you need to meet its requirements to achieve certification.
Step 3: What are the requirements of interested parties?
What are the requirements of all interested parties? For example:
What do your own governance policies require in relation to your human resources practices?
What are the requirements of your business partners in an R&D initiative — these being contractual requirements?
What are the regulatory requirements that your determined processes must adhere to?
When you identify these requirements, you gain the information needed to determine whether your current processes meet the requirements of all interested parties or not.
In this step, you need to define different types of controls, whether technical or administrative, to be incorporated into your business processes. These controls will add structure to your processes, enabling you to integrate the management system into your business practices. The result is a business scope consisting of processes that are controlled in alignment with the expectations of all interested parties. This signifies that you have successfully implemented the management system.
Step 4: Monitoring and continual improvement
The final step in each iteration is monitoring for continuous improvement. An implemented AI management system needs to be kept alive. Keeping a management system alive means you must continuously repeat what you did during the implementation at predetermined intervals. This ensures that your business practice remains within scope, you have an up-to-date understanding of who your interested parties are, your understanding of their expectations is current, and your implemented controls continue to meet the expectations of all interested parties.
Implementing ISO 42001 is not a one-time task but a dynamic process that requires defining clear boundaries, addressing stakeholder needs, and embedding controls into business processes. By maintaining a cycle of monitoring and improvement, organizations can align their AI practices with strategic goals and stakeholder expectations, driving both compliance and innovation.