What are the steps to get ISO/IEC 42001 certified?
To achieve ISO/IEC 42001 certification, an organization must implement and maintain an AI Management System (AIMS) that adheres to the standard's requirements, following a Plan-Do-Check-Act structure. This involves establishing documented governance, defining roles, managing lifecycle data, monitoring performance, and continually improving the system.
The process generally involves:
- Establishing Context and Leadership: The organization must determine its internal and external context, identify interested parties, and define the scope of its AIMS [2, ISO/IEC 42001 Cl.4 Context]. Top management needs to demonstrate leadership by creating an AI policy, documenting the AIMS, and assigning roles, responsibilities, and authorities for AI governance [2, ISO/IEC 42001 Cl.5 Leadership].
- Planning and Support: This includes addressing risks and opportunities, establishing an AI risk assessment and AI impact assessment process, and setting AI objectives [2, ISO/IEC 42001 Cl.6 Planning]. Adequate resources, competence, awareness, communication, and control over documented information are essential to operate the AIMS [2, ISO/IEC 42001 Cl.7 Support].
- Operation and Performance Evaluation: The organization must implement operational planning and control, ensuring AI systems are operated under defined controls based on risk and impact assessments [2, ISO/IEC 42001 Cl.8 Operation]. Monitoring, measurement, analysis, and evaluation of the AIMS are required, along with internal audits and management reviews [2, ISO/IEC 42001 Cl.9 Performance evaluation]. This cross-maps to NIST-MEASURE-3.1 and OWASP LLM10 (abuse/consumption monitoring).
- Continual Improvement: The AIMS must undergo continual improvement and corrective actions, addressing nonconformities and enhancing the system over time [2, ISO/IEC 42001 Cl.10 Improvement].
- AI-Specific Controls (Annex A): Beyond the management system clauses, organizations must implement AI-specific controls, such as defining an AI policy [3, ISO/IEC 42001 A.2 AI policy], establishing internal organization with defined AI roles and responsibilities [3, ISO/IEC 42001 A.3 Internal organization], and managing resources for AI systems [3, ISO/IEC 42001 A.4 Resources for AI systems].
- Lifecycle and Data Governance: Key AI-specific controls include conducting AI impact assessments [3, ISO/IEC 42001 A.5 AI impact assessment], ensuring responsible design, development, deployment, operation, and retirement of AI systems across their lifecycle [3, ISO/IEC 42001 A.6 AI system lifecycle], and implementing robust data governance for data used by AI systems, covering provenance, quality, preparation, and management [3, ISO/IEC 42001 A.7 Data for AI systems]. This data governance cross-maps to OWASP LLM04 data poisoning and NIST GenAI "Data privacy".
- Transparency and Third-Party Management: Organizations need to provide information for interested parties about AI systems' capabilities, limitations, and intended use [3, ISO/IEC 42001 A.8 Information for interested parties]. Additionally, third-party relationships with suppliers and vendors in the AI value chain must be controlled [3, ISO/IEC 42001 A.10 Third-party relationships], which cross-maps to NIST-GOVERN-6.1 and OWASP LLM03 supply chain.
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.