S3 E19: How Your ISO 27001 Certification can Accelerate ISO 42001 Compliance


Transcript

Jordan Eisner (00:00)

All right, here we are. Once again, Brandon, you’re in the hot seat.

Brandon Breslin (00:05)

We’re here for number 10, right? It’s the 10th episode.

Jordan Eisner (00:11)

Back by popular demand, Brandon Breslin, Director of CompliancePoint’s Assurance group. Master of PCI, HITRUST, SOC 2, and ISO.

Brandon Breslin (00:22)

Thanks for having me on again, I appreciate it.

Jordan Eisner (00:24)

I’m surprised you didn’t correct me on the master.

Brandon Breslin (00:27)

I’m no master. I’m no master.

Jordan Eisner (00:32)

No, in all seriousness, Brandon, it’s good to have you back. I think it’s always a wealth of information when you join, and especially with the emergence of AI, in particular in your space, auditing around information security, cybersecurity. I think that’s one of the real industry areas where we’ve seen measurable impact, right? I think there are a lot of search engines.

You know, on steroids with AI, and a lot of cool things are being done with it, but you’re seeing some pretty meaningful changes in your space and how organizations can conduct audits in real time.

Brandon Breslin (01:12)

Yeah, it is. You know, this landscape in the AI world, if you will, is changing on a day-to-day basis right now. I would say even generative AI is behind, is in the past now. We’ve moved on to agentic AI, right? And who knows, that’s going to be gone in the next couple months too. This, you know, landscape is very quickly evolving and you really got to stay ahead of it.

Jordan Eisner (01:40)

Yeah, so we’re going to talk about that a little bit today. We’re going to talk about leveraging an ISO 27001 certification as an ISO 42001 springboard, and for our listeners that are unaware, 42001 is ISO’s AI standard where you’re certifying your AI management system. You may or may not be familiar with ISO 27001, which is a security standard for data security really. It has to do with how you certify and how you build an information security management system. 42001 has some consistencies that we’re gonna explore, but also some different approaches and different methodology and things that you need to do as an organization to achieve that certification. I think there are not a lot of certified, 42001-certified companies right now at this point, or AI systems. In fact, a fraternity brother of Brandon’s and a friend of mine, David Foreman over at Mastermind, anytime I hear him talk about it, he says somewhere in the twenties, I think. Yeah.

Brandon Breslin (02:52)

We’re definitely in the early adopter phase, and you know, I do think it’s good. I love that you’re already starting to call out some of the differences, right? Because it is important for those that are thinking about ISO 42001 to not just jump right into it. Really explore what’s meaningful to you as an organization. First, what are your goals and objectives? So maybe it does make sense to call out some of those similarities and differences before we go into the springboard, so I’m happy to do that.

Jordan Eisner (03:22)

Yeah, tell us what are some of the fundamentals required of 42001 that, if you already have them in place because of 27001, maybe you don’t have to reinvent the wheel on.

Brandon Breslin (03:35)

Yeah, that’s... you hit the nail on the head, right? You don’t want to have to reinvent the wheel. You don’t. You want to work smarter, not harder. You want to leverage what you’ve already done before you jump into a new framework or a new standard. For those that are not familiar with 27001, right? I think you started to go into it, Jordan. It’s focused on the ISMS. It’s focusing on building core security principles to be able to be in a more robust security position for your organization, similar to any other security framework out there. ISO 42001 is more targeted specifically on the AI risks. The AI systems that you use, modules, applications, models, right? Any of those risks associated with the AI systems that you use, this framework is targeted around those specific types of systems and models.

So I do want to call out kind of that difference of, if you’re looking to establish a security program for your organization, it’s best to go through 27001 first. You don’t want to jump right into 42001 because there are, to your point, there are some of those core elements that you need first before you go to 42001. Before I get into that, maybe I can just hit on a couple other things. The control set, you know, a common question that I get is, are the controls prescriptive?

27001 and 47002, there’s an Annex A of controls that you can select from. They’re not all mandatory. You want to select the ones that are applicable for your organization, and you want to make sure you have alignment with your strategic goals and objectives, get executive buy-in for any of these controls that you go down the route of. You want to make sure it’s relevant for your organization. You want to have the regular audits and all of that. I did just want to call that out first.

Jordan Eisner (05:33)

Well, I think it’s a common misconception maybe. People will look at the ISO 27001 standard, or maybe they’re looking at 42001 this way, and they’ll look at, as you call it out, Annex A controls and say, okay, that’s not too hard. Here’s 100 controls or whatever. We do a lot of this already. We’ll just put these controls in place. But it’s the clause requirements. It’s the first half of the document and some of those governance and strategic, to your point, and alignment organizationally on how you’re going to manage this system. Are you going to manage those controls in the program? That, I think, is different from a lot of what we... Well, I shouldn’t say different from a lot of what we see in this space. I don’t think that’s an accurate statement, but it’s still unique compared to a framework where you’re simply meeting control obligations.

Brandon Breslin (06:23)

Right, exactly. Yeah. Some of those core elements specifically that are built on the ISMS or built for the ISMS are relevant before you even venture down 42001. So I would go as far as to say, do not even venture down 42001 without at least exploring 27001 first to make sure you have each of the common criteria, if you will, if you want to use some of the terms in SOC, but kind of those common security framework clauses that are relevant for both standards. Number one is risk management process, right? You need to have a robust risk management process, not just for one specific area of the organization. You need to cover all security controls, the organization that’s relevant for what you’re processing, right? What business you’re in, what your industry is in. Specifically for 42001, you need to take that risk management process and include the risk for AI systems, right? Bias, transparency, potential negative impacts on the results of the models that you’re using. So you kind of need to tweak that risk management process to include some of those risks for AI systems.

Jordan Eisner (07:35)

Can all of that... Yeah, so, maybe this is a silly question, but can the risk management, can their risk assessment... well, maybe that’s not what I’m asking here, but some of the governance and policies, is it maybe one document or one risk assessment and it’s got, like, bolt-ons for 42001? Or do they need to be... you need to run a separate risk assessment and you need to have a separate policy that governs this and a separate statement of applicability and, like, core document requirements?

Brandon Breslin (08:08)

I think it’s: evaluate what’s best for the organization. If it’s a larger organization, it probably makes sense to do a standalone process. If you’re a smaller organization, it probably makes sense to just bolt on to what you got or tack on. As long as it’s documented and implemented and it’s appropriate and relevant for the control, then that’s okay. I think when it comes to any of these security frameworks, but especially the ISO ones.

Jordan Eisner (08:22)

You can do it

Brandon Breslin (08:37)

Don’t just look at it from a compliance lens, look at it from a security and an audit lens or a security and compliance lens, right? You want to look at what’s relevant for the control, but also what’s relevant for the organization to put yourself in a good security posture. On the policies and procedures front, I think that’s a great, that’s a common question we get a lot. You can develop your own AI policies, you can create your own policies and procedures for AI, or you can add separate sections. Like, we see customers that have one large information security policy that covers each of the common provisions that are out there, of access control, governance, administration, system handling, system hardening, like network management, server management, all those things. You can tack on AI risks and handling of those systems or management of those systems into those policies, but you need to be careful that you’re covering each of the provisions that are outlined within 42001.

If you’re a larger organization, it probably makes sense for you to go down the path of establishing an AI governance committee or some type of role within the organization. This individual, this team is going to be responsible for governance and handling the risks of AI systems, so that nothing falls through the cracks.

Yeah. And then of course with 42001 as well, there are still the same requirements as 27001 of internal audits, management reviews on a recurring basis. The ISO standard is very robust when it comes to the scrutiny of ensuring you’re compliant with the controls.

Jordan Eisner (10:16)

Yeah, yeah, that’s part of those clause requirements. So the basic setup of 42001 is just like 27001: clauses and then your annex controls and... Yeah. Documentation really needs to check out as a first-line audit when you have an external body coming in, before they even start to dig into the functionality controls.

Brandon Breslin (10:41)

It does, and I cannot overstate enough the documentation, but also the implementation, right? Like, we see time and time again, many organizations, not just in the ISO frameworks, but outside in the other security frameworks that you see out there as well, PCI, SOC, NIST, some of the other ones, many organizations will write up a policy or write up a procedure, but it’s never shared with the organization. It’s never implemented, it’s never communicated to other employees of the organization, so they don’t know about it, right? So they’re not aware that they could be using AI systems that are non-compliant with the policy for the organization. They have no idea they even have a policy because it’s not put out on their company internet or communicated or disseminated to other employees within the organization, right? So it’s important to have that communication with, you know, with your organization if you go down the route of establishing new policies and procedures.

Jordan Eisner (11:37)

Yeah, yeah, good point. Alright, well, let’s talk about what’s new with 42001, right? What’s different? I think, historically, and we’ve probably even done a podcast where we’ve compared 27001 with 27701, which is the privacy one, a lot of overlap there. Of course, new particulars, but this is like a different animal of an audit when you start talking about an AI audit and 42001. So expand on some of that.

Talk about the new efforts here, things that maybe are a bit outside the norm of a security audit, maybe even, you know, what you’ve seen historically.

Brandon Breslin (12:18)

That’s a great question. I think the big piece again to remember is this landscape is changing, right? So something you develop now, for example, let’s take one of the requirements, you know, an AI-specific risk assessment. You may conduct a risk assessment in the beginning of the year, and six months down the road, the landscape has already changed. There are new models out there that you’ve adopted and you need to change your, you know, security controls, or you need to change your business model, or you need to account for new risks to the organization based on some of the new systems you’ve implemented. I really want to hammer home that point that this is different. I saw an article that if you look at every era of human life over the last 1,000 years, the information age to the AI age is moving 10x faster than any era that we’ve had in the last 1,000 years, which is incredible.

It’s just important to be thinking about the speed of how this is moving. The AI-specific risk assessment is number one. You really want to account for any technological, operational, or non-personnel related risks to the organization. From a system perspective, that could be bias, explainability, the robustness of the system, the safety of the system.

But from a personnel standpoint, as well as a technical standpoint, ethical considerations need to be top of mind for every organization, especially as you’re developing. Whether you’re developing an AI system or leveraging a third-party AI system or leveraging a third-party model, you really want to make sure that you are incorporating ethical concerns, fairness, transparency, bias, accountability, all of those that you’ve seen in the news, with other organizations that have been hit by some of these models that do not have those boundaries in place. So really make sure you’re doing your research. I saw the latest stat was around 20,000 models per day are being developed that are open source. So it’s insanity for how many are out there. Really take your time, do your research, make sure you’re using a reputable source. If you’re not gonna go down the development route, make sure you’re following your robust vendor management system and process for doing due diligence.

Jordan Eisner (14:49)

Yeah, yeah. OK. What about, like... So in speaking with some people, it’s interesting to talk about ethical considerations and that sort of stuff. That’s what really was like a record scratch for me, like, what?

Brandon Breslin (15:06)

Yeah, it’s insane. You have to think about AI systems as any other additional platform or application or usage model in the organization. If you were to deploy a new system or use a new third party, you would go through that entire vendor due diligence process. You would want to make sure that all users are comfortable with the platform, or at least the important folks that are going to be using it are comfortable and the organization is comfortable with the usage of that platform or the vendor. You need to adopt that same methodology for AI systems as well. Objectively, I’ve already seen many organizations just go out and adopt new models or new applications just off a whim, right? With no consideration, no vendor management process, just right out of the gate, take it and use it, right? That’s very concerning to see because it’s kind of going away.

I think the industry is moving a little bit away from the robust processes that we’re used to seeing with vendor management. So we really want to hone in on that as a feature set for when we’re selecting a platform. A couple other ones: life cycle approach. I think this covers any type of system, right? If you’re looking to adopt a new platform or looking to understand the risks or adopt new controls related to new platforms, what’s the life cycle, right? What’s the adoption rate? What’s the change management process? If you have to change away from that platform or decommission that platform, what’s going to be the process, right? Thinking through all of those.

Jordan Eisner (16:48)

Sure. Anything else?

Brandon Breslin (16:53)

I think those are the ones that come to mind. I would say I do want to rehash the executive buy-in piece. Really want to make sure that if you’re a compliance officer or on a compliance team, make sure you’re not operating in a silo when it comes to selecting controls and compliance with controls or establishing new security measures within the organization. Make sure you’re getting executive buy-in. Really want to avoid any costly errors down the road or misalignment with business objectives for the organization.

Jordan Eisner (17:30)

Yeah, yeah. Alright, so what are the first steps a company takes if they want to be ISO 42001 certified? Let’s say two scenarios. If a company’s already got 27001 and they want to become 42001 certified, or if they don’t have 27001 and they want to become 42001 certified.

Brandon Breslin (17:50)

Yeah, good question. So like you just outlined there, kind of two paths. If you are an organization that’s already gone through the robust framework, if you will, of 27001, the ISO process is not going to be new to you, right? The selection of controls, the Annex A, kind of the plan, do, check, act, right, process, that is not going to be new for you.

When it comes to 42001, I think you can, if the process went well with 26,001, you can adopt the same methodology and just have a different frame of mind of thinking with relation to AI systems, right? If you have strong policies, strong procedures, strong governance processes in place, you can just add on AI system risks or considerations to those, or you can establish a new committee and start to go down these controls and select a new process.

The former would be my recommendation. If you have not gone down the route of 27001 or 42001 before, you definitely want to start with 27,000 because it covers more areas of the organization from a security perspective. 42,000 is just one targeted area. There’s so many ISO standards out there, but 42001 is just specifically for addressing AI risks, a multitude of areas within the organization from a security perspective.

I will say for those maybe going from one to the next, doing a bridge or a gap assessment or a readiness to rehash out not only the controls you have in place now, but also seeing where you can tie in some of the new 42001 controls. If you’re using a GRC tool, for example, and you have a central hub for your controls, you can start to see where there’s some crosswalk or overlap in some of the new controls as you’re going through that selection process. So I’d say a gap or a bridge or a readiness, whether you’re going through 42001 for the first time as its own framework or going through as an add-on to 27001, doing a bridge or readiness is still critical. You don’t want to go down the process of going right into an audit because you’re likely going to be running into a situation of having non-conformities.

Jordan Eisner (20:17)

Yeah, yeah, ill-prepared.

Brandon Breslin (20:19)

Ill-prepared. You want to make sure that you work with a partner. You mentioned Mastermind earlier. We have a program at CompliancePoint where we can do the readiness and pass the customer off to Mastermind so they can do the audit with them. If you’re working with a customer, having the ability to get them in a comfortable state before the audit makes it such a smoother process. So that’s something that we do at CompliancePoint, but I know other organizations do something similar too.

Jordan Eisner (20:50)

Yeah. Well, good stuff, Brandon. Appreciate you walking through this, and hopefully this has been pretty meaningful information for our listeners and watchers, especially those with 27001 considering 42001. I will say if that is you as a listener or a watcher, please don’t hesitate to reach out. We produce content like this regularly. Brandon and his team are regularly and actively working with clients on these frameworks and more.

We’d love to be a sounding board for you. We’d love to hear your use case, your drivers, and give advice, you know, one way or the other, whether we’re involved or not. You can reach us at compliancepoint.com. Connect at compliancepoint.com is an email that goes directly to our marketing channels. You’ll hear back from that pretty quickly, especially during business hours. And Brandon and I are both pretty active on LinkedIn, so please don’t hesitate to reach out there.

And if you’re liking this information that we produce on this podcast, please make sure to subscribe, leave us a review, and we hope to keep having you come back. Till next time. Absolutely, everybody. Yeah, see you, Brandon.
