Calculating Headcount for ISO/IEC 42001 Audits


As organizations prepare to undergo an ISO/IEC 42001 audit, identifying the employees, contractors, and business partners who should be included in the organization’s AI-related headcount is vital in determining the audit’s scope, complexity, and cost.

ISO/IEC 42001:2023, Artificial Intelligence Management Systems (AIMS), offers guidance and controls to help organizations deploy AI efficiently and mitigate related security risks.

Determining whether an organization’s AIMS meets the requirements spelled out in the standard requires an external audit. During this review, auditors will examine processes, policies, and practices to verify conformity with the standard’s requirements, such as maintaining ethical AI governance, risk management, transparency, accountability, privacy, fairness, and safety.

How Headcount Determines Audit Scope

The number of people directly involved in processes governed by the AIMS, such as AI development, deployment, risk management, and monitoring, plays a key role in defining how an audit is conducted.

Certification bodies use AI-related headcount as the basis for estimating the time required to perform an audit because a higher headcount generally means more complex workflows and dependencies, as well as a need to review more processes and documentation.

For example, a team of 1 to 10 people working as AI producers (defined in the standard as being “responsible for the full lifecycle of designing, developing, testing, and deploying products or services that utilize one or more AI systems”) would require an estimated 5.0 auditor days.

For a team of the same size made up of AI developers, providers, or users, that estimate drops to 3.5 days. If people on the team hold multiple roles, the estimate rises to 6.5 auditor days. Where a team’s role is ambiguous, organizations can also base the estimate on the higher-value role.

| AI Headcount | Auditor Days – AIMS for AI Producer | Auditor Days – AIMS for AI Developer or Provider | Auditor Days – AIMS for AI User | Auditor Days – AIMS for Clients with Multiple Roles |
|--------------|-----|-----|-----|------|
| 1–10         | 5   | 3.5 | 3.5 | 6.5  |
| 11–15        | 6   | 4   | 4   | 8    |
| 16–25        | 7   | 4.5 | 4.5 | 9.5  |
| 26–45        | 8.5 | 6   | 6   | 11.5 |
| 46–65        | 10  | 7   | 7   | 13   |
| 66–85        | 11  | 7.5 | 7.5 | 15   |
| 86–125       | 12  | 8   | 8   | 16   |
| 126–175      | 13  | 9   | 9   | 17.5 |

These estimates are codified in the ISO/IEC 42006 standard, which provides guidelines for determining the expected number of audit days based on factors such as headcount, organizational complexity, and AI roles. The standard ensures auditors apply consistent criteria when defining the scope of the AIMS audit, for example by verifying that the in-scope headcount accurately reflects the roles in the organization that affect AI governance.

Determining Who to Include in the Audit Scope

Determining the in-scope headcount for an ISO/IEC 42001 audit involves reviewing job descriptions and identifying the team members whose roles directly or indirectly influence the organization’s AIMS. This is important to make sure the audit reflects the scale and complexity of AI-related activities.

For a more detailed breakdown of key AI roles and their importance in ISO 42001 compliance, refer to our article:

As a first step, organizations should map roles involved in the AI lifecycle, including development, deployment, monitoring, and maintenance (such as data scientists and product managers). They should include personnel responsible for risk management, ethical oversight, and compliance with AI governance frameworks.

From there, organizations should add teams that provide indirect support, such as the IT function responsible for maintaining the AIMS infrastructure and access controls, and the cybersecurity team.

It’s also important to include contractors, third-party vendors, and part-time workers in the headcount total. Their hours should be totaled to establish how many full-time equivalent (FTE) hours they represent, with the resulting FTE figure included as part of the overall headcount.

For headcount purposes, a person’s duties and responsibilities matter more than their employment status. Similarly, if team members divide their time between AI-related and non-AI-related tasks, their AI-related hours should be added up to produce a full-time equivalent for audit purposes.

Every team member’s role should be documented clearly, along with a narrative description explaining what the role entails and its reason for being included in the in-scope audit headcount.

Common Headcount Challenges

The following challenges and common oversights can increase audit time and cost while hindering the potential effectiveness of an ISO/IEC 42001 audit:

  • Omitting support teams such as IT, HR, or legal departments because they are not directly involved in AI development or operations. If a function provides crucial support, consider how its role aligns with the standard’s requirements.
  • Underestimating third parties, such as external vendors or consultants, involved in the AI life cycle and governance of outsourced systems or tools.
  • Overcomplicating the headcount by including roles that don’t affect AIMS operations or support.
  • Misaligning scope with organizational context. This can include adding all AI functions without prioritization or overlooking essential risks.
  • Neglecting documentation, such as data acquisition and provenance logs.

With careful planning and by avoiding common mistakes, organizations can ensure their defined in-scope headcount aligns with ISO/IEC 42001 requirements, supports effective audits, and strengthens overall AI governance. To learn more about ISO/IEC 42001 and certification or recertification audit planning, contact us.
