Should You Get an ISO 42001 Gap Assessment?

Now that ISO 42001 has been published, organizations are looking more closely at possible adherence to this new standard for artificial intelligence (AI). But those familiar with established ISO standards will know that this new framework for regulating AI will be similarly rigorous and any opportunity to streamline certification—like a gap assessment—will be enormously advantageous.

ISO 42001 has arrived at an opportune time, as in less than a year, AI has emerged as the highest beacon of innovation. No longer just an imagined concept, this technology has already transformed industries and continues to reshape the way we live and work. But as AI grows exponentially more and more enmeshed within the business landscape, so too have widespread concerns around its trustworthiness and what constitutes responsible AI management.

So where to go from here? With so many companies building out their own AI capabilities, how can you prove to your customers and stakeholders that they can trust your systems?

Enter ISO 42001, which addresses these concerns through comprehensive requirements. Published in December 2023, this new framework will provide a roadmap to satisfying security and safety concerns about your AI, but how should you get started? One way is through a gap assessment, and in this article, we’re going to expound on why having one performed can pave an easier way for you to ISO 42001 certification.

What is ISO 42001?

A readiness assessment will begin to make more sense when you understand the holistic nature of ISO 42001. As the world’s first AI management system standard, the framework asks that you take a risk-based approach for the application of its specific requirements regarding the:

  • Establishment;
  • Implementation;
  • Maintenance; and
  • Continuous Improvement of an Artificial Intelligence Management System (AIMS).

As part of these phases and their requirements, you’ll be asked to:

  • Define the context in which your AI system(s) operate;
  • Identify relevant external and internal stakeholders; and
  • Understand their expectations and requirements.

A significant part of building out your comprehensive, ISO 42001-certified AI management system will also require you to standardize the fairness, accessibility, safety, and various impacts of your AI systems. The framework also stresses the integration of your AI management systems with your established organizational structures—it’s drafted in such a way as to facilitate further integration with any other, existing management systems and their standards, such as:

All in all, ISO 42001—and its requirements regarding responsible AI and data management processes—can help you enhance the quality, security, and reliability of your AI systems while also ensuring that you develop and use said systems ethically.

How to Prepare for ISO 42001 Certification

While there are other AI frameworks and regulations already out there or coming soon that can also help secure your AI—like the NIST AI RMF and the EU AI Act—ISO 42001 is currently the first and only certifiable standard for an AIMS.

So, it’s no shock that organizations are already preparing to stand up their AIMS and obtain the certification that will reassure their customers. (In fact, we’ve had conversations with clients that make it seem like it’s already “a race” to certification and gaining the market advantage over competitors.)

In preparing for ISO 42001, the obvious first step is to simply sit down with the standard itself. And if you’ve already undergone ISO 27001 certification, there’s good news—ISO 42001, with its seven primary clauses and four annexes, is laid out very similarly to ISO 27001.

(The seven ISO 42001 clauses define the requirements that you must meet and its Annex A lists controls that can be implemented to satisfy those requirements. For more information, check out our more detailed article on ISO 42001’s clauses and annexes.)

All that information should get you well down the road to full compliance with ISO 42001 and in position for certification, but—just as with ISO 27001—it’s a big lift to implement a fully compliant AIMS. And that’s why there’s one more preparatory step that we’re recommending to organizations we’re speaking with—an ISO 42001 gap assessment (otherwise known as a readiness assessment).

Do You Need an ISO 42001 Readiness Assessment?

While this step is not required for certification, a readiness assessment can be tremendously valuable for any compliance initiative, and it is particularly so in the case of a new standard such as ISO 42001.

Here are two very good reasons why you should invest in a gap assessment as part of your ISO 42001 preparation:

  • You’ll Be Much Better Prepared for Your Certification Audit:
    • Because this is a brand new standard and no one has yet undergone the full rigmarole and come out with lessons to share regarding problem area trends, going through a gap assessment can help you discern where your organization’s remaining, specific areas of concern are regarding fulfilling ISO 42001’s requirements, as well as where you need to focus your efforts for full compliance as you stand up your AIMS.
  • You Can Make a Quicker Demonstration of Your Commitment to High Standards for AI:
    • As we mentioned earlier, concerns about AI are already swirling—and while achieving full ISO 42001 certification will take some time, if you opt to have a gap assessment performed, you’ll be able to communicate your proactive efforts and provide at least a preemptive degree of reassurance to your customers while you work toward full certification.

(Something to Keep in Mind: The amount of effort that is required to prepare for an ISO 42001 readiness assessment will greatly depend on the implementation, management processes, and controls that are already in place in your AIMS—so, the more robust the security controls upon implementation, the lighter the lift will be to achieve ISO 42001 certification.)

Take a Proactive Approach to ISO 42001

Whether you’re hearing it directly from your customers or leading economic experts, AI seems to be the number one topic of conversation, and that conversation always ends up leading to a discussion around whether these systems are secure, trustworthy, and responsibly managed.

But ISO 42001 certification represents a comprehensive initiative to prove that your AI systems are all of those things, and now that it’s published, it’s time to start preparing for that process so that you don’t fall behind as AI continues to expand across the business landscape. One key step that will definitely position you well for successful ISO 42001 certification will be a gap assessment, and Schellman is ready now to help.

Start your compliance journey for AI today—contact us to learn more about an ISO 42001 readiness assessment and whether we’re the right partner for you.

About DANNY MANIMBO

Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.