Artificial Intelligence
Artificial intelligence is used by many employees, with or without permission. What you can't prevent, you should lead.
The AI-related ISO 27001 requirement sounds like this: "…" – umm, nope.
In fact, the current edition of the standard does not mention artificial intelligence at all. Does this mean that information security has nothing to do with AI? Of course not; I'm sure this is only a temporary shortcoming of the standard and that future editions will contain control(s) addressing it.
Even without mentioning AI explicitly, many of the controls in the current edition of ISO 27001 can be interpreted as applying to AI development and use, including the creation of policies, secure development, and the protection of intellectual property rights and PII.
One has to consider that the current edition of the information security standard was issued in October 2022, and the main driver of the current hype, OpenAI, was released a couple of weeks later. ISO of course recognises the importance of the topic, and thus by the end of 2023 had issued the AIMS standard (ISO 42001). This standard, however, is primarily aimed at organizations that develop and provide AI services, so the focus of an ISMS and that of an AIMS differ.
For the many organizations that use AI only in less critical processes, implementing an AIMS would be overkill. They can still benefit from the ISO 42001 controls by interpreting them for their own context and creating policies and controls that address AI-related security issues. This would not be unique: many standards and other sources of requirements build on the ISMS framework to embed their specific controls.
Would these controls be integral parts of the ISMS? Yes, they will: the ISMS standard itself states that organizations must consider all the requirements that influence their information security, not just the ones in Annex A. These controls (depending on the scope) will become part of the Statement of Applicability and subject to internal and third-party audits.
30/09/2024