S3 E47: Is ISO 42001 Right for Your Business?


Transcript

Jordan Eisner  
All right, we are here for another episode of Compliance Pointers, coming down to the wire here as we finish 2025. Put a bow on it, pun intended, and get ready to open up 2026. What has emerged as a popular topic in the marketplace, but I would say also amongst our clients and prospective customers alike, is ISO 42001 or some sort of AI security framework. We’re seeing a lot of momentum around that. So we’ve invited our security assurance practice lead, Brandon Breslin, who’s all too familiar to those of you watching and listening to this podcast, to come on and just add some color on ISO 42001. Some of this we’re probably going to revisit, since we’ve done podcasts on it previously, but I think that’s OK because I do think this is maybe going to be on the wish list for organizations in 2026. I’ll try and stop with the holiday puns, I promise. But as a reminder for anybody maybe listening for the first time or who hasn’t heard a podcast or watched one with Brandon previously: Brandon has over 10 years of experience inside of what we call security assurance, and really that’s attestation frameworks like PCI, SOC 2, HITRUST, ISO. CompliancePoint provides audit services but also readiness services around most of these frameworks, and so he manages the team here. He has a plethora of experience over those 10 years working in and out of these frameworks, and he’s going to add some color on 42001 today for us. So Brandon, good to have you on.


Brandon Breslin  

Yeah, thanks for having me on again, Jordan. I’m glad that we’re talking about ISO 42001 because you’re absolutely right, it seems to be getting more traction in the marketplace now, and that’s also just a natural byproduct in general, right. It’s a buzzword for every organization.


Jordan Eisner 

Yeah, and you didn’t take the opportunity to wear any Georgia stuff. I know that’s a national championship football right back there. That’s what that is. But.


Brandon Breslin 

Yes, I should have. I should have worn something Georgia-related. We just won the SEC Championship, so super excited about that. But we’re not done. Hopefully we can get another Natty under our belt this year. But who knows, it might have been the last year of conference championships, so hopefully.


Jordan Eisner  

That was just a stepping stone.


Brandon Breslin  

Those are still to stay, but they seem to be diminishing in value a little bit.


Jordan Eisner  

They gotta figure something out with that.


Brandon Breslin  

But yeah, they do. They need to rework a few things for sure. But no, I’m glad we’re talking about 42001. It really is a buzzword right now. It’s a framework that a lot of organizations are looking at, to your point, over the next year or two. And I do think it offers some unique value separately from the other frameworks that are out there and are common at this point: the NIST AI RMF, the HITRUST AI controls or AI add-on, if you will, for HITRUST. I think those are the two that come to mind, right?


Jordan Eisner  

That’s what I was gonna ask basically to start. I think you’re already going down that path a little bit. It could be coincidence that that’s just the sort of work that CompliancePoint clients and prospective customers are seeking or asking about, but it seems.


Brandon Breslin  

Yeah.


Jordan Eisner  

42001 is the topic of interest way more often than the other two. I’d say maybe HITRUST next. We do a lot of HITRUST work. Maybe that’s why, but NIST here or there, but it’s really been primarily 42001. Maybe that’s because it’s got an attestation tied to it, but it sounded like you were about to get into a little bit why you think that might be.


Brandon Breslin  

No, you’re absolutely right, that’s the number one reason, the attestation piece, right. It’s a certifiable framework. It can be easily tacked on to 27001 or any of the other 27000 series, most commonly 27001 that we see. If an organization already has global customers that are looking for an ISO report that the organization can provide them, then 42001, the AI-based controls, is an easy add-on, and it follows the same ISO clause-based structure, if you will, right?


Jordan Eisner  

Right.


Brandon Breslin  

Similar to 27001, so there’s a familiarity, there’s a level of comfort already for the organization that’s undergoing that assessment with, you know, an assessor firm to eventually get certified against that new standard.


Jordan Eisner 

OK, that makes sense. So this is probably going to be more tailored for those organizations. We’re not going to talk too much about the HITRUST AI framework or NIST AI RMF; it’s really gonna be 42001, as the topic of the podcast would indicate. So not saying jump off now if you’re only concerned about the other two or are definitely not gonna pursue 42001, but it is what we’re gonna get into now.


Brandon Breslin  

Yeah.
We’ll do another one for those.


Jordan Eisner 

Let’s talk about what an organization should consider. So besides those things that I think are low-hanging fruit, they’re already 27001 certified or they’re already down the path in some sort of regard, they’re familiar with the clauses, they’ve done it elsewhere. What else jumps out to you as a reason why organizations should consider ISO 42001 when looking at some sort of demonstration of compliance or security around their AI systems?


Brandon Breslin  

Yeah, it’s a good question. I think the first step is, if you’re in some type of compliance officer role or you’re charged with governance, or you’re, you know, an executive of some level or have some authority in regards to the compliance efforts that your organization is going to go down, you need to first look internally and see, are we using AI already in some form or fashion, in any capacity, right? Even if it’s small, mundane tasks that you’re looking to automate, or even quick efficiency gains in the processes that you’re doing, all the way up to developing AI systems or writing your own language models, those are all different options for how people are using AI right now. So I think that’s the first step. Look internally at what you’re doing now already, and then as well as what are your goals to use AI in the future, right? Are you looking to scale those capabilities over the next year or two, five years, 10 years, or are you looking to kind of stay in the same baseline, or maybe you’re looking to move to a different segment? Maybe you haven’t even started using AI yet and you want to know the best approach to go down. That’s where 42001 comes in. Because similar to any venture that you’re going to go down the path of as a business, you want to make sure that you’re doing it the right way. You’re being strategic with it and you’re not just jumping right in with no plan. ISO 42001 can be part of that architecture, part of that plan for ensuring that you’re going down the right path and to ensure that your organization in general is focused on security and compliance as it relates to the use of AI.


Jordan Eisner  

So one thing you mentioned there was even, you know, small productivity usage and that sort of thing. So some basic usage of it. Double down on that a little bit. So you still think, right, 42001 could be relevant even for small tasks and light usage of AI across an organization?


Brandon Breslin 

Absolutely. Yeah, I love your thought of doubling into that or drilling into that here. So if we’re looking at just enhancing productivity across your team or across your organization, you need to take it a step further and look at what type of data or what type of processes they are going to be using the tools for, right? Is there going to be sensitive or confidential information input into those tools, or is there going to be internal information that still could be considered confidential, right? Or are you going to be using it for other third parties’ data, right? Customer data, that’s even more sensitive, if you’ve got customers and you’re looking to use it for analytics or something like that, right? So I do think that even if you’re using an AI tool just to enhance productivity, you’ve got to be looking at the security and compliance aspect, not just looking at the operational side. You’ve got to look at the compliance and security side as well.


Jordan Eisner  

So it seems like, if you’re the type of organization, and I don’t want to put words in your mouth, so say no, not at all, Jordan, that’s not what I’m saying. But if you’re the type of organization that operates in a pretty low-risk playing field anyway, not really processing sensitive data, anything to that degree, you don’t have any sort of obligations from a regulatory standpoint. Well, everybody has obligations for regulatory, but you don’t have more rigorous obligations from a regulatory standpoint or external pressures around the information you’re processing. Then that’s where, OK, well, AI is not further maybe exacerbating some of the nature on that, but.


Brandon Breslin  

Sure.


Jordan Eisner  

If you are an organization that’s processing what’s sometimes deemed sensitive information, or even certain data sets that have regulatory requirements around them or external pressures, then even with the most basic usage of AI you need to consider, OK, it’s basic, it’s for productivity, but the data that we’re ingesting and leveraging or using inside these AI systems, there are other obligations around that, which probably brings in some added scrutiny to the actual usage of even the most basic AI models.


Brandon Breslin  

Absolutely, yep. I mean, when you’re talking about data, you need to understand the accountability, the risk, the oversight, the safeguards related to that data, the classification, right? I mentioned sensitive and confidential data, but even non-sensitive data, and also who’s to say what’s sensitive and what’s not.


Jordan Eisner 

OK.


Brandon Breslin 

Sensitive, right? You need to have a process in place, and I know we’re kind of getting outside the realm of 42001. But before you even go down the path of using some of these tools, as a governance structure in your organization, somebody that’s charged with governance or compliance or security in the organization needs to define the rules and boundaries for employees in the organization to use these tools in the right manner, right? Let’s say you have customers and you determine that you do not want any customer data within these third-party tools or in your own internally developed AI tool. You need to define that. That needs to be documented and operationalized throughout the organization, right? Everybody needs to be aware of that, trained on it, and that’s kind of going back into the risk management piece. So yes, even if you’re not inputting sensitive data into the tool, you need to understand the safeguards and you need to understand the risk with introducing a new tool anyway into the organization, and this also covers third-party tools. I mentioned that briefly, even if you’re a company that just wants to use ChatGPT or Gemini or Claude or one of these tools that are readily available to anybody on the planet right now with a laptop connection or a mobile device, right? You still need to, you know, establish those safeguards, establish those boundaries for use.


Jordan Eisner  

Yeah, well put. OK. All right. So we’re continuing to kind of come across the why and the considerations, and so continuing on that path, assuming this is still applicable to the organizations that we’re talking about here, where do you start?


Brandon Breslin  

Yeah, it’s a great point. You know, going back to the first comment I mentioned here in this episode: if you’re somebody charged with governance, charged with compliance, look internally. What are you guys using right now, as well as what are your goals for the organization? Inventory all of your AI tools. If you’re already using multiple tools, or if you’re already down the path of creating models or using, you know, third-party language models that are already out there, or even more in-depth machine learning or deep learning models out there, inventory all of those, right? Understand what’s out there and where you’re looking to go from there. Establish a, you know, a readiness assessment or a gap assessment of what’s going well and what we need to strengthen. You know, where are our weak points from a security perspective? Do we have controls in place? Do we have policies, procedures, central governance around this? Have we even developed an AI policy or a provision within our Infosec policy, right? All of these things. And it’s not just documenting, it’s implementing, you know, policies as well, but it’s also implementing technical controls, operational controls in the organization, training employees on those policies and procedures, establishing an AI management system, which, to tie it into 42001, is all about that. Establishing roles for who’s going to be charged with managing the processes and the systems, right? Kind of building a structured road map for the goals, you know, institutionalizing some of those goals that you have. As someone charged with governance or a compliance officer, work with the C-suite, work with your executives, work with your key stakeholders to establish a road map and a plan for how you’re going to go about this.

Don’t just dive in, plan it out, right? Crawl, walk, run in these types of situations.


Jordan Eisner  

You know, looking at the closeout of this podcast, you know, really two things, and one might be pretty hard to answer, but a two-part question here. What are we seeing as a benefit of implementing ISO, right, and getting certified against it for organizations? You know, what would you count as the benefits of doing that, or things that are going to be realized pretty soon after that? And then, so I guess it’s a two-fold question and this might be hard to say, what do you perceive as the risk for companies where this is something they should consider, and this is pretty applicable to them, not getting 42001 certified or some sort of certification or attestation around their AI systems? So two-fold question there, right? What are the benefits you’re seeing from companies taking it on and being early adapters and adopters and doing it? And what do you see as a risk to companies that continue to, you know, kick the bucket and maybe be late adopters?


Brandon Breslin  

Yeah, great questions. Benefits that immediately come to mind, right? Key stakeholder trust, improving the security, or the maturity and security, of your environment, right, of your organization. You want to continue to mature the, you know, the level of, you know, compliance within the organization, the level of controls, the established control set within your organization, right. So tacking on another framework will naturally improve the level of security that you’ve got within your organization if done right. The other piece is just staying ahead of the current landscape, right. You know, we’re talking about a global AI regulation here. This is not just a small subset. This can be applied to your entire organization, and it also is an easy add-on, like I mentioned at the beginning, to 27001. If you’ve already established, you know, a key information security management program through 27001, you can add on the AI management system pretty easily, and it’s in the same format already. So, you know, if your organization already has staying ahead of these regulations as, you know, something that’s at the forefront or a key objective or a key, you know, goal for the organization, that’s something that could be easily added on. And it’s also a scalable framework as well. It grows as AI adoption expands. Other benefits, you know, differentiation in the marketplace. If you’re a service provider, for example, and you’re trying to sell a certain service or product and you’ve got 42001 certification, that’s a huge benefit that you can market as well to your customers. So, you know, I know we’re focusing on the maturity of the organization or improving the security posture of the organization, but it’s also a marketable, you know, framework that you can show, if you’ve got that certification already, that compliance report there, to improve visibility, right, to third parties as well if you’re marketing that process. The risks of not going down 42001, right? Honestly, the visibility could be a benefit or a risk. If you’re an organization that a third party expects to be, you know, undergoing an ISO 42001 assessment, or at least going down that path, and you’re not, you may be falling behind your competitors. There could be additional regulatory pressure depending on what industry you’re in. There’s always the risk, the security risk of, you know, holes within the environment, if you will, of if you don’t know, if you haven’t done an inventory of the AI tools that you have out there, you may not even be aware, if you’re a CTO or even higher, a CEO, right? You may not even be aware of what tools your employees are using, or where your data, or where your customers’ data, for worse, is being inputted into, if you don’t set those safeguards, those.


Jordan Eisner  

Right.


Brandon Breslin  

Those guardrails, then, you know, more often than not, employees will exploit those situations.


Jordan Eisner  

Right. Yeah, those are great for my side.


Brandon Breslin  

Reputational risk of data breaches and all of that is also just the common.


Jordan Eisner  

Continue to not know what you don’t know, yeah.


Brandon Breslin  

Right, exactly.


Jordan Eisner  

Correct. Well, this was quick but meaningful. Good updates there. You know, I think this would be great for anybody on the fence or considering this as a line item on their budget for 2026 and how to pursue it and.


Brandon Breslin  

Yeah, of course.


Jordan Eisner  

If that happens to be you listening or watching, let’s have a conversation. We’d love to an RN. We’d inform you around the steps, getting involved, and introduce you to, you know, organizations that certify against this; CompliancePoint doesn’t. We’re a readiness shop. So we help organizations from an advisory standpoint prepare for, put documentation in place, even conduct internal audits, risk assessments and other things that are clause requirements under not only 42001 but ISO 27001, 27701 and others. So we would be very interested in conversations with anybody going down this path, or anything on the security assurance front, I would add. And Brandon, I know you would welcome that too. So look us up on LinkedIn, Brandon or myself, or there are many ways to contact us through our website, compliancepoint.com. But the easiest is just to e-mail connect@compliancepoint.com. We thank you for listening and subscribing.
