Home → News & Resources → Experts Talk
Expert Interview: The new area of regulations: ISO/IEC 42001 and EU AI Act
- 2024-10-01
In this expert interview, Graeme Parker and Roman Krepki discuss the role of ISO/IEC 42001 in the context of the EU AI Act. They explain how compliance with this standard helps organizations prepare for AI regulations. The discussion also identifies key trends such as the importance of AI literacy, the need for multidisciplinary risk management, and the rising focus on data governance.
1. How does compliance with the ISO/IEC 42001 standard aid organizations in anticipating and adapting to the current and potentially forthcoming AI regulations?
Graeme: Compliance with ISO/IEC 42001 can help organizations anticipate and adapt to new AI regulations by providing a structured management system. For instance, the precedent set by GDPR shows that organizations with established management systems were better prepared for emerging regulations. Similarly, ISO/IEC 42001 encourages regular review of external issues, such as upcoming legislation, helping organizations stay prepared. While the EU AI Act is expected to be influential, having a solid management system in place will position organizations to adjust more easily to new regulations. The key is to maintain the fundamental building blocks in areas such as risk and incident management, policy development, impact assessment, and training which will help in complying with various regulations globally.
Roman: Compliance with ISO/IEC 42001 alone does not guarantee adherence to the EU AI Act. Implementing the standard provides a management system framework but does not automatically ensure all necessary documentation and processes are in place. However, ISO/IEC 42001 can assist in managing the extensive documentation required by the EU AI Act. By breaking down complex regulatory requirements into manageable components, organizations can use the standard’s structure to address individual issues more effectively, thereby facilitating overall compliance.
2. What is the link between the EU AI Act recently agreed upon and issued by the European Commission and the International Standard ISO/IEC 42001?
Graeme: The EU AI Act includes several requirements for high-risk systems, such as those used in critical infrastructure, education, and law enforcement. It mandates comprehensive impact assessments and transparency for various AI systems. ISO/IEC 42001 provides a management system that aligns well with these requirements by addressing many of the risks and issues the Act aims to manage. While the Act does not specifically mandate ISO/IEC 42001, implementing this standard offers a solid foundation for compliance. Similar to how ISO 27001 supported GDPR compliance, ISO/IEC 42001 can help organizations build a management system that supports adherence to the EU AI Act.
Roman: The EU AI Act, which has been in development since early 2019 and was published in March 2024, will be applicable from 2026. It requires extensive documentation and processes to ensure AI systems do not harm people. ISO/IEC 42001 can help manage this vast amount of documentation by providing a structured approach, similar to how it helped with GDPR compliance. However, compliance with ISO/IEC 42001 does not automatically ensure adherence to the EU AI Act. Instead, it offers a framework for organizing and managing the necessary documentation and evidence, making it easier to demonstrate compliance.
3. Will there be ISO/IEC 42001 implementation challenges, and which will be the most appropriate way to ensure compliance with the EU AI Act via ISO/IEC 42001?
Roman: One major challenge with ISO standards, including ISO/IEC 42001, is that they are not mandatory in many countries. Companies might initially focus solely on complying with the EU AI Act and only later recognize the benefits of ISO standards. Convincing companies to adopt ISO/IEC 42001 can be difficult, and there may also be challenges in finding accredited certification bodies in all EU countries. For instance, Germany lacks a certification body for ISO 27701, which could be a similar issue to ISO/IEC 42001.
Graeme: I agree with these points. Additionally, there may be challenges related to resourcing and expertise. ISO/IEC 42001 is multidisciplinary, requiring input from various fields such as privacy, ethics, and security, which can be complex for organizations with siloed structures. Another challenge is the need for specialized knowledge in areas like the software development life cycle. To ensure compliance with both ISO/IEC 42001 and the EU AI Act, it is advisable to conduct a mapping exercise to align the requirements of both. Integrating the implementation efforts for both standards into a single project can streamline the process and address overlapping requirements effectively.
Scope creep occurs when the audit scope expands beyond its initial boundaries, often due to discovering additional issues or complexities during the audit process. Managing scope creep requires clear communication and alignment between auditors and the audited organization to maintain focus on key audit objectives. One element that may indicate this is the number of people who worked for the organization in year one and the subsequent surveillance audit numbers.
Solution: Establishing a well-defined audit scope from the outset is important. Regular communication and scope reviews during the audit process can help identify and address issues while maintaining the integrity of the audit scope. Always ask for organograms and the number of people in the scope.
4. What trends do you foresee in the intersection of the EU AI Act compliance and fulfillment of ISO/IEC 42001 in the coming years?
Graeme: Three key trends are emerging. First, the EU AI Act emphasizes AI literacy, requiring organizations to ensure employees understand AI systems. This aligns with ISO/IEC 42001’s focus on competence and training, suggesting a growing trend towards enhanced education about AI across all levels of an organization.
Second, both the AI Act and ISO/IEC 42001 focus on broad, multidisciplinary risk management. Organizations will need to address not only traditional risks like security and privacy but also societal and environmental impacts. This trend towards comprehensive risk management will become more prevalent.
Third, data governance is becoming increasingly important. Both the AI Act and ISO/IEC 42001 stress the need for high standards in data quality and addressing biases in AI systems. This focus on robust data governance and trustworthiness will continue to gain momentum.
Roman: Building on these points, I see a general trend where complex regulations from the European Union will lead to the creation of additional ISO standards to help translate legal requirements into practical guidance for companies. Just as ISO 27701 supported GDPR compliance, similar standards may emerge to aid in understanding and implementing new regulations. Additionally, software companies may develop tools to help ensure compliance with the AI Act, potentially based on standards like ISO/IEC 42001.
Â
5. What is your take on the EU AI Act and ISO 42001 implementation in areas that are outside the EU but have traffic from interconnected networks including Europe?
Graeme: Even if an organization is not based in the EU, the EU AI Act will still apply if their products or services impact individuals in the EU, such as processing or utilizing their data. The Act’s influence is global due to its broad applicability. Most systems are interconnected enough that it is rare to find one that is completely isolated from EU influence.
Roman: I agree. This situation is similar to how the UK and Switzerland, despite not being in the EU, adopted privacy laws like GDPR. The global impact of the EU AI Act will depend on whether other countries, like the UK, Switzerland, or nations outside Europe, adopt similar regulations. In the absence of local AI regulations, international standards like ISO/IEC 42001 will still be relevant and applicable globally, ensuring that organizations can meet high standards of compliance for both EU and international customers.
6. What other ML/AI-related standards do you recommend?
Graeme: Currently, ISO/IEC 42001 is the most notable standard in this area. While organizations like NIST are working on AI-related topics, there are not yet specific technical standards comparable to ISO/IEC 42001. Academic frameworks are focusing on AI ethics from UK universities that might be useful.
Roman: I agree. Besides ISO/IEC 42001, there are no other existing standards or guidelines that match its quality. Although some universities are developing frameworks and guidelines for AI, ISO/IEC 42001 stands out due to its comprehensive approach.
7. Do you foresee other standards such as HIPAA and PCI-DSS making changes to incorporate controls and requirements for the use of AI in their contexts?
In the long-term, yes, but I think it is more probable that the other norms reference the ISO42001, likewise, other functional and technical norms do not redefine Information Security rather just referencing the ISO27001 as a requirement.
About the Responders
Graeme Parker
Graeme Parker is a Technology, Security, and Risk Management professional with highly valuable business and technical skills. He has worked in both the private and public sectors, gaining extensive experience. His expertise includes successfully implementing information risk management solutions, developing effective security architectures and programs, and conducting audits for various standards such as ISO 9001, ISO/IEC 20000-1, ISO 20121, ISO 22301, ISO/IEC 27001, ISO/IEC 27701, and CSA STAR. Additionally, he has worked internationally, delivering projects and audits in more than twenty-five countries.
Roman Krepki
Roman Krepki is a Senior Manager at Forvis Mazars in Germany, specializing in Cyber Security & Risk. He holds a Brain-Computer Interface (BCI) doctorate from the Technische Universität Berlin. His expertise includes IT security, process management, IT governance, and business continuity planning. Roman has extensive experience in the field, having worked at Accenture and Bosch. He manages information security organizations, coordinates data protection officers, and serves clients across various industries. He is certified for conducting audits for ISO/IEC 27001.