Defining the scope of an ISO/IEC 42001 compliance audit is an important early step in aligning the audit with the standard’s requirements, organizational risk, and stakeholder expectations.
In creating the audit scope, organizations need to define their Artificial Intelligence Management System (AIMS) and the associated roles, develop a governance structure, and identify important AI-related risks and controls.
Throughout the scope determination process, organizations should keep risk management and responsible AI use in mind. This should include assessing the organization’s processes for identifying and managing AI-related risks, as well as evaluating different types of exposures (such as risks inherent to AI development and use, control risk, and detection risk).
Identify Roles and Systems
An important starting point in determining your scope is identifying the AI roles your organization performs. These will typically include being an AI provider, producer, or user (or a combination of these roles). Different AI roles have varying requirements and controls within the ISO/IEC 42001 standard. In addition, understanding these roles will provide valuable organizational context that will influence how the organization approaches AI risk assessment and management.
Once roles have been clarified, the next step is determining which AI systems will be included in the audit scope. Depending on the organization and the roles it performs, this may include specific AI products or services, third-party AI tools the organization uses, or systems or tools in development or testing phases.
Organizational Boundaries and Influences
After outlining the AI systems that will be reviewed during the audit, it’s time to consider the organizational boundaries of your AIMS. These can include:
- Departments or teams developing or using AI
- Relevant processes or activities
- Physical and virtual locations where AI work takes place.
You’ll next consider the internal and external factors that can influence your AIMS. This list may include organizational objectives and strategies, regulatory requirements, or technology and industry trends affecting your AI use or plans.
Next up, consider anyone who could be interested in the responsible governance of your AI tools and systems. This may include, for instance, your internal users or customers, regulators, business partners, or suppliers.
The next phase of the audit scope definition process is ensuring your proposed audit scope aligns with your organization’s AI policies and objectives. Key steps in this phase include:
- Reviewing your AI governance framework
- Considering ethical guidelines and principles
- Assessing the impact of AI systems on individuals and society.
Drafting Your Scope Statement
After reviewing the items discussed above, it’s time to draft a clear and concise scope statement that:
- Describes the AI roles, systems, and activities to be reviewed
- Specifies relevant departments and locations
- Lists the factors that influenced the audit’s scope.
Understand the Standard
The ISO/IEC 42001 standard’s organizational structure can provide important insights into developing an effective audit scope. The standard includes 10 clauses outlining key requirements, such as:
- Understanding the standard’s purpose
- Related standards and documents
- Key terms and definitions
- Company-specific information such as leadership, planning, support, and other important considerations.
The standard, and the specific controls outlined in the standard’s Annex A, will influence the type of evidence auditors seek to assess how well the organization’s AIMS aligns with the standard’s core requirements.
For example, the standard outlines methodologies for effective audit planning such as gap analyses to identify discrepancies between current practices and the standard’s requirements, as well as evidence collection through interviews, system testing, and document reviews.
Sample Scope Statements
The following examples illustrate the types of information outlined in ISO/IEC 42001 audit scope statements:
The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing ABC Corp’s role as an AI Service/Product Provider, delivering solutions through the Debra AI Agent solution. This includes the deployment, monitoring, and continuous enhancement of AI models to deliver advanced analytics and decision-support capabilities for clients across diverse industries.
The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing the organization’s role as an AI provider, delivering cutting-edge solutions through the ABC Corp Platform (SaaS). This includes the deployment, monitoring, and continuous improvement of AI models to provide advanced analytics and decision-support capabilities for clients across various sectors. The organization is headquartered in Pleasanton, California, United States, with remote employees located globally. This certification aligns with ISO 42001 standards and is based on the SoA version 2.0 dated October 19, 2024.
Learn More About Responsible AI
By taking time to review the standard and plan an appropriate audit scope, organizations can ensure a comprehensive evaluation of their AIMS that in turn promotes more effective and responsible AI system development, management, and usage.
To learn more about ISO/IEC 42001 and strategies for responsible AI governance and use, contact us.