1. Organization being certified
This is your company.
ISO 42001 is meant for organizations rather than individuals, although I suppose a sole proprietorship could get certified.
Size doesn’t matter here. StackAware had 1 full-time employee when first certified.
The organization can build its AI Management System (AIMS) and implement the appropriate ISO 42001 Annex A controls itself by tasking employees. Or it can partially or entirely outsource it to an:
2. Advisor
Not required, but I strongly recommend having an experienced partner guide you through the process.
This partner can do any or all of the following:
Advice and consulting
AI risk and impact assessments
Control design, implementation, and verification (but not internal audit)
Obviously I’m biased, but seriously consider the advisor’s experience with ISO 42001.
There are a lot of folks hawking ISO 42001 prep, but how can they help you if they’ve never been through an ISO 42001 audit themselves (very few have at this point)?
3. Internal auditor
This person (or group) can be an employee of your organization or a contractor.
The key?
They cannot have designed or implemented your controls. They need to be independent players who can check the work of others.
A common question I get asked is whether the organization must implement recommendations from the internal auditor. People make mistakes, which is why internal audit is so important.
But internal auditors also:
can make mistakes
don’t have full context
might misinterpret internal policies
According to the ISO 42001 standard:
“The organization shall conduct internal audits at planned intervals to provide information on whether the AI management system:”
conforms to ISO 42001’s requirements and the organization’s own requirements; and
is effectively implemented and maintained
And the key output is that audit results are reported to relevant managers.
It’s the job of "top management" to ensure the AI management system (AIMS) achieves its intended result. So they have room for interpretation.
My recommendation?
Make sure to address every internal audit finding, in writing, with a clear plan (which can include risk acceptance, if otherwise compliant with ISO 42001).
But you don’t need to treat every recommendation as a hard requirement. Just be prepared to explain your logic to the:
4. External auditor
This is the firm granting the certification.
Like the internal auditor, this organization needs to be independent of any ISO 42001 advisory work.
They generally do a:
gap assessment
Stage 1 audit focused on clauses 4-10
Stage 2 audit focused on Annex A controls
Although it is still in draft as of today, ISO 42006 is an auditor-specific standard that gives them guidance on how to examine an AIMS.
StackAware partners with (although gets no financial benefit from referrals to) Mastermind and Schellman to conduct ISO 42001 audits.
The reputation of your auditor can be important to some customers. And I would recommend ensuring they are accredited by the appropriate body.
This takes me to:
5. Accreditation bodies
These organizations authorize external auditors to grant certifications. In the United States, the two best-known are the:
American National Standards Institute (ANSI) National Accreditation Board (ANAB)
International Accreditation Service (IAS)
They perform quality control on the auditors themselves to keep standards high.
Need help navigating the ISO 42001 ecosystem?
StackAware guides you through the entire ISO 42001 certification process from start to finish. We have deep relationships with all of the players involved in the process. And work with firms in:
Financial services
Healthcare
B2B SaaS
to build their AIMS and have it certified.