ISO 42001 vs. HITRUST AI security certification
The former is very broad and the latter quite narrow.
Check out this video for a summary.
I recently spoke with Ryan Patrick, VP of Adoption at the Health Information Trust Alliance (HITRUST). We discussed HITRUST’s cybersecurity certification for deployed AI systems1 as it compares to ISO 42001.
Here are the similarities:
Both focus on AI
Both are certifications, so
An external auditor/assessor must grant them
Either can build customer trust and reduce risk
Neither is a silver bullet for regulatory compliance
Here are the differences:
Focus
HITRUST AI certification is a security-specific standard
ISO 42001 is for responsible AI (which includes security)
Scope
HITRUST AI certification applies to specific AI systems
ISO 42001 applies to the AI Management System (AIMS)
Prerequisites
HITRUST AI requires an existing Cybersecurity Framework (CSF) v. 11.4 cert.
ISO 42001 has no prerequisites (but ISO 27001 helps)
Applicability
HITRUST AI certification applies only to certain companies
ISO 42001 can be achieved by almost any
Prescriptiveness
HITRUST AI certification is highly prescriptive for controls
ISO 42001 is less so
Quality control
HITRUST does quality control (QC) on certifications
ISO does not QC (but auditors and accreditors do)
Current status (as of publication date)
No firm is HITRUST AI security certified right now
Some (like StackAware) are ISO 42001 certified
How do they work together?
The HITRUST AI security certification can be part of a broader AIMS. Achieving it can implement ISO 42001 Annex A controls like:
A.5.4 (Individual impact assessment)
A.6.1.2 (Responsible AI development)
A.7.3 (Acquisition of data for AI systems)
A.8.4 (Communication of AI and other incidents)
A.9.3 (Objectives for responsible use of AI systems)