08.11.2024
Reading time: 5-6 minutes

AI governance: Relevant ISO Standards for AI

Software Improvement Group

Summary

The International Organization for Standardization (ISO) is one of the world’s oldest non-governmental organizations, bringing global experts together to establish the best way of doing things—from making a product to managing a process.

ISO has a series of standards dedicated to making Artificial Intelligence development, deployment and use in the world of business as safe, risk-free, and optimal as possible.

Business leaders who choose to adopt ISO standards for AI help to ensure AI governance, and compliance with current and future AI legislations.

This article explores different ISO standards that are specifically relevant to AI. Here is a brief overview:

  • ISO/IEC 27001 makes organizations more risk-aware by addressing the confidentiality, information integrity, and data availability of AI systems.
  • ISO/IEC 31700 establishes “privacy by design” as the default setting for AI development, deployment, and use.
  • ISO/IEC 5338, co-developed by Software Improvement Group, is the new global standard for AI lifecycle management, providing business leaders with a framework through which to control, manage, execute, and improve AI systems throughout their lifecycles.
  • ISO/IEC 42001 is the first international standard for establishing, implementing, maintaining, and improving an Artificial Intelligence Management System (AIMS) within organizations.

Exploring the growth of AI in business

It’s safe to say that the growth of AI has been nothing short of explosive. According to IDC, worldwide spending on artificial intelligence (AI), including AI-enabled applications, infrastructure, and related IT and business services, will more than double by 2028 when it is expected to reach $632 billion.

Additionally, around 77% of businesses today are incorporating AI models into their systems. This rapid adoption emphasizes the technology’s transformative impact, which is comparable to the revolutionary introduction of electricity. However, alongside these significant opportunities, there are also considerable challenges and uncertainties to navigate.

Standardization of AI can help to ensure that wherever in the world AI systems are developed or deployed, processes are optimized, and risks are minimized.

To this end, ISO, the International Organization for Standardization, has published several standards related to AI integration in business, regardless of industry or sector.

This article explores these ISO Standards so that organizations of all shapes, sizes, and budgets can better adopt, develop, and deploy AI systems.

What is ISO?

The International Organization for Standardization (ISO) is one of the world’s oldest non-governmental organizations, bringing global experts together to establish the best way of doing things—from making a product to managing a process.

ISO has been promoting safer, more secure, and more profitable global trade and cooperation since 1946 by publishing standards designed to make lives “easier, safer, and better.”

ISO compliance holds significant value because its standards are widely respected within the global business community.

Compliance with these standards, particularly in AI, will foster the adoption of best practices. This, in turn, can be key in achieving improved performance, regulatory adherence, and operational efficiency—all of which contribute to building a stronger, more trusted brand.


What is the International Electrotechnical Commission (IEC)?

In this article, you’ll often come across the abbreviation IEC. The IEC, short for the International Electrotechnical Commission, is a global not-for-profit membership organization dedicated to setting international standards, like the ISO.

The IEC’s standards are developed specifically to enable quality infrastructure and trade in electrical and electronic goods, including technological innovations like AI.

In the context of ISO standards for AI, the IEC has been the joint publisher of the standards set out in this guide. That’s why you’ll see the standards written as “ISO/IEC XXXXX.”

Is becoming ISO compliant a legal requirement?

In short: No, ISO compliance is not a legal requirement. However, it’s important to note that ISO standards are designed to provide guidance to organizations that want to improve and are written to align with different regulations across industries. Thus, whilst compliance might not be mandatory, it is highly recommended.

Overview of relevant ISO standards for AI implementation in business


Below, we delve into the existing ISO standards for AI—examining the standards and what they could mean for your business.

Note: Not all the standards listed below deal specifically with AI, but they all play a part in ensuring the safe, secure, and trustworthy development and use of AI systems in business.

ISO/IEC 27001

With cybercrime on the rise along with the constant emergence of new threats, managing cyber risks can be challenging.

ISO/IEC 27001 is an ISO standard for AI designed to enable organizations to become more risk-aware and take proactive steps to identify and mitigate weaknesses and vulnerabilities. It does so by following a holistic approach to information security. An information security management system (ISMS) established in accordance with this standard serves as a valuable tool for risk management, enhancing cyber resilience, and achieving operational excellence.

This holistic approach is governed by three principles key to ISO/IEC 27001, known as the CIA triad:

  1. Confidentiality: Only the right people can access information held by the organization.
  2. Information integrity: Reliable and safe storage and backup of the data organizations use to pursue business goals, or data which is stored on behalf of others.
  3. Availability of data: Ensuring the organization and relevant clients have ready, reliable access to data and information wherever and whenever necessary.

Business benefits of ISO/IEC 27001 adoption

Organizations will be able to confidently put into place systems which manage risks relating to the security of data owned or handled by their company—including the data used to train, develop, and operate AI.


ISO/IEC 31700

The ISO/IEC 31700 standard is beneficial for defining high-level requirements for privacy by design, ensuring that privacy is safeguarded throughout the entire lifecycle of a consumer product, including the data processed by the consumer.

The core principle of ISO/IEC 31700 is “privacy by design.” Privacy by design encompasses various methodologies for developing products, processes, systems, software, and services. These methodologies prioritize consumer privacy throughout the design and development phases, considering the entire lifecycle of the product.

Business benefits of ISO/IEC 31700 adoption

Organizations implementing ISO/IEC 31700 can improve regulatory compliance, enhance innovation and business agility, and reduce the risk related to privacy violations and data breaches.

ISO/IEC 5338

AI should not be treated in isolation, but as an extension of the existing software lifecycle.

ISO/IEC 5338, co-developed by the Software Improvement Group, is the new global standard for AI lifecycle management and builds on known software best practices, such as those described in ISO/IEC/IEEE 12207.

ISO/IEC 5338 is important because it builds on these pre-existing software lifecycle best practices in an AI-specific context.

ISO/IEC 5338’s processes can be applied within an organization or project when developing or acquiring AI systems. It emphasizes the unique considerations for AI in every stage of the lifecycle process. These include:

  • The need to protect sensitive training data used by engineers to create models, unlike regular software engineering that uses only anonymous test data.
  • Addressing new risk factors such as transparency, unwanted bias, and purpose-binding.
  • Understanding that AI projects can be unpredictable during experimental stages, which is important for project managers.
  • Recognizing the requirement for different skill sets in HR for AI projects.
  • Continuously validating the performance of models in production to detect issues and prevent them from becoming ‘stale’.

For traditional software or system elements within an AI system, the software life cycle processes in ISO/IEC/IEEE 12207 and the system life cycle processes in ISO/IEC/IEEE 15288 can also be used.

Business benefits of ISO/IEC 5338 adoption

Organizations gain high-quality standardized guidance on what to consider when developing AI applications, with emphasis on risk management, quality assurance, project management, data and model engineering, continuous validation, human resources and more.

ISO/IEC 42001

ISO/IEC 42001 is the first international standard for establishing, implementing, maintaining, and improving an Artificial Intelligence Management System (AIMS) within organizations.


The standard offers crucial guidance in the rapidly evolving field of AI, addressing unique challenges such as ethical considerations, transparency, and continuous machine learning. It also provides organizations with a structured approach to manage AI-related risks and opportunities, balancing innovation with effective governance.

Moreover, ISO/IEC 42001 provides an integrated approach to managing AI projects, from risk assessment to mitigation, that is designed to be future-proof—essential as AI technology continues to evolve rapidly.

Business benefits of ISO/IEC 42001 adoption

ISO/IEC 42001 can help businesses increase their trust and credibility by ensuring that AI is used safely and responsibly, especially concerning its continuous learning.

ISO/IEC 42001 combines key frameworks with experience to implement crucial processes like risk, life cycle, and data quality management. When adopted, it can also help with achieving better operational efficiency.


Conclusion

As the technological breakthrough of Artificial Intelligence continues to take the world by storm, businesses seek to benefit. Promises of improved turnover, ROI, efficiency, productivity, and product performance invite leadership across the global spectrum of industries to consider adopting AI systems—if not develop their own.

Yet, AI implementation in business also carries its fair share of risks. Poor-quality AI applications, a lack of understanding as to what AI is and how it operates and, at present, limited regulation of this exciting new technology all contribute to a technological environment filled with risks.

Whilst regulatory bodies around the world move to shape the future legal framework of AI, organizations and leaders currently using or planning to use AI to optimize their operations should consider adopting ISO standards for AI before they do.

With the rise of AI, adopting ISO standards is crucial for secure, responsible implementation. Our AI readiness guide, authored by Rob van der Veer, offers 19 actionable steps for board members, GRC leaders, and IT professionals to align AI adoption with ISO/IEC standards. The guide ensures your organization leverages AI effectively while staying compliant in a fast-evolving regulatory landscape.
