The 8 steps to certification

ISO/IEC 42001- the artificial intelligence management system standard

To ensure safe, reliable and ethical AI development, implementation and use, having robust governance in place is of the essence. An artificial intelligence management system (AIMS) certified to the ISO/IEC 42001 standard provides peace of mind that you have the adequate processes in place to govern the journey and manage any existing risks or those occurring along the way. It bridges any trust gaps between developers and users and helps companies prepare for and ensure legal compliance with existing and upcoming legislations, such as the EU AI Act.

If you have decided to implement an ISO/IEC 42001 compliant management system and get certified, there are 8 main steps we in DNV suggest you follow:

Step 1: Buy the standard

Obtain a copy of the ISO/IEC 42001 standard to familiarize yourself with its objectives and requirements. You may also benefit from other key standards, such as ISO/IEC 22989 (AI concepts and terminology), which is a normative accompanying reference to ISO/IEC 42001. The standards can be downloaded from the ISO website. There is also other valuable literature available that can assist you in implementing the standard.

Step 2. Ensure top management commitment

Get commitment from management by including main stakeholders in learning about the potential risks and harms of your AI systems as well as the opportunities using AI offers. This is crucial step to the success of the certification process, as it sets the tone for the entire organization.

Step 3. Select your certification body/registrar

Your relationship with the certification body you choose will exist for many years as your certification will have to be maintained. When choosing your certification body/registrar, consider a partner with a partnership approach and digital tools that help you manage risks, continually improve and build trust.

Step 4: Identify gaps

Analyse your internal and external AI context and position. Select the AI role your organisation has. For example, are you a user, producer or provider of AI? Or perhaps you have multiple roles? Conduct a gap analysis to assess the current state of processes and systems against ISO/IEC 42001 requirements and identify areas that need to be improved. This kind of pre-assessment is a great way to get a snapshot of where your organisation currently is when it comes to complying with the ISO/IEC 42001 requirements.

Step 5: Undergo training and build awareness

This is a crucial step within the ISO/IEC 42001 road to certification as it builds internal knowledge and competence in the core team that will play an important part in implementing a management system compliant with the standard. Training and workshops will equip them with relevant skills, tools and a clear understand of the objectives and roles they will have. For the implementation team to understand the ins and outs of the standard will help prepare the organization, guide the change and ensure that internal auditors, lead developers and others have the necessary expertise. Training is essential to navigate your journey toward ISO/IEC 42001 compliance and safe, responsible and ethical AI.

Your ISO/IEC 42001 training should cover:

• Artificial intelligence management system (AIMS)
• Objectives/policies
• Risks/mitigations
• Organizational benefits
• Importance of compliance

Step 6: Establish the artificial intelligence management system

Develop the AIMS in compliance with ISO/IEC 42001. This will include objectives, policies, process, controls, measures and implementation guidance. If you have already a management system certified to ISO 9001 or ISO/IEC 27001, for example, it is very likely that this implementation will go easier.

Step 7: Perform internal audits

Conduct internal audits to assess the artificial Intelligence management system process implementation as you go along. It helps you understand progress made and whether you are ready for the certification audit. This should include a senior management review to assess the effectiveness of the management system.

Step 8: Conduct the certification audit

When ready, DNV auditors will come in and assess the compliance of your management system using our Risk Based Certification™ methodology. As a DNV customer you also get full access to our suite of digital tools that can help you before, during and after the audit. These are designed to help you prepare, align with the requirements of the standard and enable continuous improvement of your AIMS.

DNV – Your partner before, during and after the audit

As a third-party certification body, we cannot help you implement your management system. However, we do have digital tools, services and training available to aid you along the way. Go to our website or contact us to speak to one of our experts or learn more about AI governance, the ISO/IEC 42001 standard and certification.

Check out DNV’s comprehensive training portfolio on ISO/IEC 42001 including an Awareness course on the requirements, Foundation course and Internal auditor course.

Learn  more about DNV’s digital customer tools, like the self-assessment to help you measure your current compliance with the ISO/IEC 42001 requirements, as well as Lumina™ and Boost My Audit to be used before, during and after the audit itself.