Managing AI Technology in a Way That Makes Your Clients Trust You-Part 2

In part 2 of this series, we will look to break down how the ISO 42001:2023 has organisations manage the Leadership and Planning sections for the standard.


Thomas Dold | 23rd October 2024

The explosion of Artificial Intelligence (AI) technology is taking the world by storm. However, there is a lot of apprehension about the volume of data these systems consume, the confidentiality of that data and the impact that systems built on it can have on people. 

This is where ISO 42001:2023, the Artificial Intelligence Management System standard, comes in. The standard looks to ensure organisations appropriately control their use or development of AI by taking into account the potential impacts the AI technology could have. 

In part 2 of this series, we will break down how ISO 42001:2023 requires organisations to address the Leadership (Clause 5) and Planning (Clause 6) sections of the standard. 

Leadership

Leadership and Commitment

When managing the use of AI technology, the organisation needs to demonstrate that top management is involved in, and committed to, establishing and maintaining an AI Management System (AIMS).

There are several ways in which this can be demonstrated such as but not limited to:

  • Ensuring there is an AI Policy in place, with AI objectives in line with the organisation's strategic direction that can be monitored and tracked for success.
  • Ensuring that the relevant business processes are integrated with the AIMS, removing any blockers to that integration.
  • Ensuring that the resources needed to maintain the AIMS are made available.
  • Ensuring the importance of conforming to the AIMS is communicated to everyone involved.
  • Promoting continual improvement throughout the AIMS lifecycle.

Artificial Intelligence Policy

The AI policy needs to be set by top management and be appropriate for the purpose of the organisation. This is where the scope of the AIMS discussed in Part 1 becomes important: it helps ensure the policy is relevant to your needs and reflects your actual use of, and involvement with, AI technology.

The policy provides the framework within which the AI objectives are set and states the organisation's commitment to continual improvement.  

In ISO 42001:2023, much like other ISO management system standards, there are 4 key requirements for the policy:

  • The policy must be available as documented information.
  • The policy must refer to other relevant organisational policies (for example information security and data protection policies).
  • The policy must be communicated within the organisation.
  • The policy must be made available to interested parties, as appropriate.

Roles, Responsibilities and Authorities

This section is simply to ensure that top management has assigned the responsibilities and authority needed to keep the AIMS conforming to the standard, and that the performance of the AIMS is reported back to top management.

Planning

AI Risk Management

Now that we understand the context of the organisation and the issues affecting it, and have the appropriate commitment and authority from top management, we can look to determine the risks and opportunities related to the AI management system.

This is to give us assurance that the AIMS can achieve its intended goals, prevent or reduce any undesired effects and achieve continual improvement.

The risk management framework needs to include a risk appetite: the level of risk you are willing to accept without any, or any further, treatment.

Once you have your risk appetite you will conduct risk assessments using the organisation's risk methodology. This is the manner in which you score your risks, commonly likelihood x impact, so that every risk in the register is scored consistently and can be compared against the appetite.

Once you have conducted the risk assessment there will likely be several risks which fall above the acceptable level, for which you will need to decide a course of treatment to lower the risk or remove it completely. Common treatment actions are:

  • Tolerate (accept the risk as it is; for a risk above appetite this needs a documented justification and sign-off from the risk owner)
  • Treat (put a plan in place to reduce it)
  • Transfer (put a plan in place to move the risk to a 3rd party, e.g. through insurance or contract)
  • Terminate (put a plan in place to remove the risk altogether, e.g. by withdrawing the AI use case)

Lastly, something more specific to ISO 42001:2023 is the AI system impact assessment: assessing the impacts of the AI technology being used on individuals and society, not just on the organisation. These impacts will be in areas such as, but not limited to, legal position, physical well-being, mental well-being and the universal human rights of individuals.  
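The risk appetite, likelihood x impact scoring, 4T treatment decisions and impact areas described above can be captured in a simple AI risk register. The following is an added example written for this article; it is not code from the article or an artefact of ISO 42001. The 1 to 5 scales, the appetite of 8, the impact-area names and the five sample risks are assumptions chosen for illustration.

```python
"""
Minimal AI risk register: likelihood x impact scoring against a risk appetite,
the 4T treatment decisions, and ISO 42001-style impact areas.

Added example; not code from the article and not an artefact of ISO 42001.
The 1-5 scales, the appetite of 8, the impact-area names and the sample
risks are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact areas named in the article for the AI system impact assessment (assumed labels).
IMPACT_AREAS = {"legal", "physical_wellbeing", "mental_wellbeing", "human_rights"}
# The 4T treatment options.
TREATMENTS = {"tolerate", "treat", "transfer", "terminate"}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    impact_areas: List[str]    # who or what is affected if the risk materialises
    owner: str                 # person accountable for the treatment plan
    treatment: Optional[str] = None
    justification: str = ""    # required when tolerating a risk above appetite

    def __post_init__(self) -> None:
        # Validate against the methodology so scoring is consistent across the register.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: likelihood and impact must be 1..5")
        unknown = set(self.impact_areas) - IMPACT_AREAS
        if unknown:
            raise ValueError(f"{self.ref}: unknown impact areas {sorted(unknown)}")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: treatment must be one of {sorted(TREATMENTS)}")

    @property
    def score(self) -> int:
        """The methodology from the article: likelihood x impact."""
        return self.likelihood * self.impact


def above_appetite(risks: List[Risk], appetite: int) -> List[str]:
    """Refs of risks whose score exceeds the appetite, highest score first."""
    over = [r for r in risks if r.score > appetite]
    return [r.ref for r in sorted(over, key=lambda r: r.score, reverse=True)]


def review(risks: List[Risk], appetite: int) -> List[Tuple[str, str]]:
    """Findings for the report to top management: risks above appetite that have
    no treatment decided, or are tolerated without a documented justification."""
    findings = []
    for r in sorted(risks, key=lambda r: r.score, reverse=True):
        if r.score <= appetite:
            continue  # within appetite: accepted without further treatment
        if r.treatment is None:
            findings.append((r.ref, "no treatment decided"))
        elif r.treatment == "tolerate" and not r.justification:
            findings.append((r.ref, "tolerated above appetite without justification"))
    return findings


def impact_area_exposure(risks: List[Risk], appetite: int) -> Dict[str, int]:
    """Number of above-appetite risks touching each impact area: a quick view of
    where the AI systems could harm individuals rather than just the organisation."""
    exposure = {area: 0 for area in sorted(IMPACT_AREAS)}
    for r in risks:
        if r.score > appetite:
            for area in r.impact_areas:
                exposure[area] += 1
    return exposure


# Constructed sample register (hypothetical risks, not taken from the article).
RISK_APPETITE = 8  # scores of 8 or below are accepted without treatment (assumed)
SAMPLE_RISKS = [
    Risk("AI-01", "Support chatbot reveals another customer's personal data",
         likelihood=3, impact=5, impact_areas=["legal", "human_rights"],
         owner="Head of Customer Service", treatment="treat"),
    Risk("AI-02", "CV-screening model disadvantages applicants from protected groups",
         likelihood=2, impact=5, impact_areas=["human_rights", "legal"],
         owner="HR Director"),                        # no treatment decided yet
    Risk("AI-03", "Third-party model API outage stops the triage assistant",
         likelihood=3, impact=2, impact_areas=["physical_wellbeing"],
         owner="Platform Lead", treatment="tolerate"),
    Risk("AI-04", "Wellbeing chatbot gives unsafe advice to a distressed user",
         likelihood=2, impact=4, impact_areas=["mental_wellbeing", "physical_wellbeing"],
         owner="Clinical Safety Officer", treatment="treat"),
    Risk("AI-05", "Prompt injection via uploaded documents exfiltrates data",
         likelihood=3, impact=3, impact_areas=["legal"],
         owner="CISO", treatment="tolerate"),           # tolerated with no justification
]

if __name__ == "__main__":
    for ref in above_appetite(SAMPLE_RISKS, RISK_APPETITE):
        print("above appetite:", ref)
    for ref, issue in review(SAMPLE_RISKS, RISK_APPETITE):
        print(f"finding: {ref}: {issue}")
    print(impact_area_exposure(SAMPLE_RISKS, RISK_APPETITE))
```

Run as a script, the register flags AI-01, AI-02 and AI-05 as above appetite and produces two findings for top management: AI-02 has no treatment decided, and AI-05 is being tolerated above appetite with no justification recorded. AI-04 scores exactly 8 and so sits within the assumed appetite. The `impact_areas` field is what distinguishes an AI risk register from a generic one: it forces the assessor to say who is harmed, which is what the ISO 42001 impact assessment asks for.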

AI Objectives

All organisations will need to set AI objectives at the relevant functions and levels. These objectives need to be consistent with the AI Policy and take into account any applicable requirements for maintaining the AIMS. The objectives need to be communicated to all relevant personnel, be monitored, and be kept updated as appropriate for reporting to top management.

When setting these objectives, the organisation needs to ensure that each objective states:

  • What will be done.
  • What resources are needed to achieve it.
  • Who is responsible for achieving it.
  • When it will be completed.
  • How the results will be evaluated.
