I recently spoke with Ryan Patrick, VP of Adoption at the Health Information Trust Alliance (HITRUST). We discussed HITRUST’s cybersecurity certification for deployed AI systems1 as it compares to ISO 42001.

Here are the similarities:

• Both focus on AI

• Both are certifications, so

• An external auditor/assessor must grant them

• Either can build customer trust and reduce risk

• Neither is a silver bullet for regulatory compliance

Here are the differences:

Focus

• HITRUST AI certification is a security-specific standard

• ISO 42001 is for responsible AI (which includes security)

Scope

• HITRUST AI certification applies to specific AI systems

• ISO 42001 applies to the AI Management System (AIMS)

Prerequisites

• HITRUST AI requires an existing Cybersecurity Framework (CSF) v. 11.4 cert.

• ISO 42001 has no prerequisites (but ISO 27001 helps)

Applicability

• HITRUST AI certification applies only to certain companies

• ISO 42001 can be achieved by almost any

Prescriptiveness

• HITRUST AI certification is highly prescriptive for controls

• ISO 42001 is less so

Quality control

• HITRUST does quality control (QC) on certifications

• ISO does not QC (but auditors and accreditors do)

Current status (as of publication date)

• No firm is HITRUST AI security certified right now

• Some (like StackAware) are ISO 42001 certified

How do they work together?

The HITRUST AI security certification can be part of a broader AIMS. Achieving it can implement ISO 42001 Annex A controls like:

• A.5.4 (Individual impact assessment)

• A.6.1.2 (Responsible AI development)

• A.7.3 (Acquisition of data for AI systems)

• A.8.4 (Communication of AI and other incidents)

• A.9.3 (Objectives for responsible use of AI systems)

Need help navigating the AI governance, risk, and compliance landscape?

Book a call