3 ways we implement ISO 42001 control A3.3 (reporting of concerns) to stay compliant
Coordinated vulnerability disclosure, whistleblowing, and external review.
Figuring out how to implement ISO 42001 controls from Annex A is a challenge. While Annex B provides some guidance, what this should look like in the real world isn’t always clear.
Specifically for control A3.3, here are the measures StackAware uses (and advises our clients to use) to meet the standard’s requirements:
1. Coordinated vulnerability disclosure
StackAware has a coordinated vulnerability disclosure program (CVD, a.k.a. VDP) through which we give safe harbor to ethical security researchers.
We also include as in-scope any AI outputs that are:
illegal
offensive
unethical
or otherwise have adverse impacts.
We advise all of our clients to do the same.
A bug bounty program would be the next step. I encourage any company that can afford it to start one.
2. Whistleblowing
Sometimes only people inside or working with the organization know its worst flaws.
In addition to financial or other wrongdoing, we encourage reporting misuse of AI via our anonymous portal.
We tell all:
Customers
Employees
Consultants
about the program as part of our standard contract language.
If you decide to implement A3.3, you’ll need an anonymous way to submit reports. This is easy to implement via Zapier or Google Forms.
Pro tip: make sure it actually WORKS, though; auditors may test!
3. External review
NIST’s AI Risk Management Framework (RMF) recommends you “collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system” (GOVERN 5.1).
That’s why we make our entire software bill of materials (SBOM) publicly available. It shows all (known) AI training and processing in our supply chain.
And we encourage public feedback.
Clients can also do this through:
customer and stakeholder interviews
webinars
surveys
Need to get the right controls in place to get ISO 42001 ready?
We specialize in working with AI-powered companies working in:
Financial services
Healthcare
B2B SaaS
If you work at one of these and are looking to get ISO 42001 certified to:
Build customer trust and meet new Microsoft supplier requirements
Reduce the risk of AI-related hacks, leaks, and incidents
Meet a growing range of regulatory requirements
then please: