ORO Blog

What is ISO 42001 and why does it matter for procurement?

Written by Timothy Harfield | July 17, 2024

On July 16, 2024, ORO was recognized as the first company in the world to earn an accredited ISO 42001 certification for an Artificial Intelligence Management System (AIMS) scope. According to the International Organization for Standardization, ISO 42001 “is the world’s first AI management system standard, providing valuable guidance for this rapidly changing field of technology. It addresses the unique challenges AI poses, such as ethical considerations, transparency, and continuous learning. For organizations, it sets out a structured way to manage risks and opportunities associated with AI, balancing innovation with governance.” But what does this mean in practice? And what does it mean for procurement organizations?

In this blog post, we’ll explore the new standard, explain the certification process, and describe the practical implications for procurement departments as they seek to make informed decisions about AI investments, both for themselves and as stewards of responsible AI for the rest of the organization.

What Is ISO 42001?

ISO 42001 “is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.” It was published in December 2023.

What is an AIMS? Again, according to ISO, an AIMS is “a set of interrelated or interacting elements of an organization intended to establish policies and objectives, as well as processes to achieve those objectives, in relation to the responsible development, provision or use of AI systems.” In other words, an AIMS is not a piece of technology. It is a governance framework for ensuring responsible oversight of all AI technologies produced, developed, provided, or used by a given organization.

Most large enterprises already have an AIMS or are in the process of establishing one. But in the absence of a recognized global standard for what a complete framework looks like, these systems can differ significantly from organization to organization. They may also be incomplete or lacking in critical areas. For instance, an organization’s AIMS may address data governance while neglecting other important aspects such as ethical considerations. As an international standard, ISO 42001 serves as both (1) a rubric for creating and maintaining an AIMS, making it easier for organizations to adopt a complete and systematic approach to AI governance, and (2) a benchmark against which any AIMS can be evaluated.

Companies holding an accredited ISO 42001 certification have been rigorously evaluated by an impartial management systems certification body which, in turn, must itself be accredited by an accreditation body. To earn the first accredited ISO 42001 certification, ORO completed an internal audit conducted by Geels Norton and an external audit by Mastermind, witnessed by the International Accreditation Service (IAS).

What is covered by ISO 42001?

The ISO 42001 standard covers several key elements that are essential to the responsible management of AI systems:

AI Management Systems (AIMS)

Does the organization have AI policies and practices in place to ensure both continuous improvement and alignment with other relevant ISO standards?

In terms of requirements, ISO 42001 sets out what an AI management system must contain so that it stays aligned with organizational goals and other standards while respecting privacy, security, and ethical considerations.

AI Risk and Systems Impact Assessment

Does the organization have a systematic approach to identifying and mitigating risks throughout the AI lifecycle? How does the organization evaluate the consequences of AI on individuals and societies?

ISO 42001 requires organizations to conduct comprehensive risk and impact assessments that identify potential consequences for users, communities, and society in general. More than a mere assessment, the standard requires organizations to develop and implement treatments that mitigate the identified risks and minimize the potentially negative effects of their AI systems.

Data Protection and AI Security

Do policies, practices, and tools comply with privacy laws? How does the organization safeguard AI systems against potential threats?

ISO 42001 strongly emphasizes that AI systems must comply with data protection laws and regulations, and that organizations must implement security measures to protect those systems from unauthorized access, data breaches, and other cyber-security threats. Of particular note is the standard’s focus on transparency in AI decision-making as a means of promoting trust and accountability.

Implications for procurement

Procurement departments benefit from this new standard in a number of ways:

  1. Trust and Reliability: ISO certifications represent conformity with globally recognized standards. The ISO 42001 certification specifically addresses the management of AI systems: it attests that a vendor’s AI governance processes meet the requirements of the standard, rather than certifying any single product. At a time when procurement leaders are determining the best ways to deploy AI-based technology, working with a certified vendor provides assurance that both current and future solutions will be developed and operated under a robust AI governance framework.
  2. Risk Management: Procurement departments need to minimize risks in their supply chain and ensure that they are working with reliable and compliant vendors. This is especially important when it comes to securing supplier and spend data that an AI system processes. The ISO 42001 certification indicates that a vendor has robust processes in place to identify, assess, and treat the risks associated with its AI systems.
  3. Compliance and Regulation: As regulations around AI and data management become stricter, working with a certified vendor can simplify compliance efforts. Procurement departments can be assured that certified vendors adhere to an internationally recognized standard, potentially reducing the burden of compliance across their supply chain.
  4. Innovation and Competitiveness: Working with vendors whose AI governance is certified can enhance a company’s competitive edge. It signals that the organization is adopting new technology that has been developed and operated against a rigorous benchmark, which can improve efficiency, decision-making, and overall performance.
  5. Cost Efficiency: Reliable AI solutions can optimize procurement processes, reduce errors, and streamline operations. AI systems produced under a certified management system are more likely to be efficient and effective, leading to cost savings in the long run.

Taken together, these advantages translate into higher ROI through cost avoidance and risk reduction, increased efficiency by minimizing the effort required of organizational resources, system stability and coherence, and continuous improvement guided by a clear vision for responsible AI.


Overall, the ISO 42001 standard and certification can reassure procurement departments about the quality and reliability of the AI systems they buy and use, enhancing trust, compliance, and operational efficiency. The standard sets the bar for evaluating the quality of AI governance within organizations and should be used to evaluate vendors as well as internal AI governance initiatives.

The current AI boom presents both promise and risk, and we are pleased that ISO has released this important international standard. ORO Labs is proud to have earned the world’s first accredited ISO 42001 certification and to lead the way in demonstrating the responsible development and use of AI systems in the service of humanizing the procurement experience for all.