1. Organization being certified
This is your company.
ISO 42001 is meant for organizations rather than individuals, although I suppose a sole proprietorship could get certified.
Size doesn’t matter here. StackAware has 1 full-time employee and we are certified.
The organization can build its AI Management System (AIMS) and implement the appropriate ISO 42001 Annex A controls itself by tasking employees. Or it can partially or entirely outsource it to an:
2. Advisor
Not required, but I strongly recommend having an experienced partner guide you through the process.
This partner can do any or all of the following:
- Advice and consulting
- AI risk and impact assessments
- Control design, implementation, and verification (but not internal audit)
Obviously I’m biased, but seriously consider the advisor’s experience with ISO 42001.
There are a lot of folks hawking ISO 42001 prep, but how can they help you if they’ve never been through an ISO 42001 audit themselves (very few have at this point)?
3. Internal auditor
This person can be an employee of your organization or a contractor.
The key?
They cannot have designed or implemented your controls. They need to be independent players who can check the work of others.
Because we are deeply involved in control design, StackAware doesn’t offer internal (or external, for that matter) audit services.
We can, however, refer freelancers to help out here.
4. External auditor
This is the firm granting the certification.
Like the internal auditor, this organization needs to be independent of any ISO 42001 advisory work.
They generally do a:
- gap assessment
- Stage 1 audit focused on clauses 4-10
- Stage 2 audit focused on Annex A controls
Although it is still in draft as of today, ISO 42006 is an auditor-specific standard that gives them guidance on how to examine an AIMS.
StackAware partners with (although gets no financial benefit from referrals to) Mastermind and Schellman to conduct ISO 42001 audits.
The reputation of your auditor can be important to some customers. And I would recommend ensuring they are accredited by the appropriate body.
This takes me to:
5. Accreditation bodies
These organizations authorize external auditors to grant certifications. In the United States, the two best-known are the:
- American National Standards Institute (ANSI) National Accreditation Board (ANAB)
- International Accreditation Service (IAS)
They perform quality control on the auditors themselves to keep standards high.
Need help navigating the ISO 42001 ecosystem?
StackAware guides you through the entire ISO 42001 certification process from start to finish. We have deep relationships with all of the players involved in the process. We also work with firms in:
- Financial services
- Healthcare
- B2B SaaS
to build their AIMS and have it certified.