Gavin Jones MBCS, Lead Standards Development Manager (AI and quantum) with BSI, tells Martin Cooper MBCS about the Information Technology: Artificial Intelligence Management System standard (BS ISO/IEC 42001:2023).
As AI systems rapidly become more widespread, the Information Technology: Artificial Intelligence Management System (AIMS) standard (BS ISO/IEC 42001:2023) intends to provide a certifiable AI management system framework within which AI products and services can be developed for organisations of all sizes and sectors, and delivered in a safe, secure and reliable way. Its objective is to help organisations and society benefit from AI by reassuring stakeholders that their systems are optimised and developed responsibly. As you read on, we’ll explore its genesis.
So, why don’t you introduce BSI and tell us about your organisational role?
The British Standards Institution (BSI) is a business improvement and standards company, and for over a century, it has been recognised for having a positive impact on organisations and society, building trust and enhancing lives. Today, BSI partners with more than 77,500 clients in 195 countries and engages with a 15,000 strong global community of experts, industry and consumer groups, organisations and governments. Utilising its extensive expertise in key industry sectors — including automotive, aerospace, built environment, food, retail and healthcare — BSI delivers on its purpose by helping its clients fulfil theirs. BSI gives organisations the confidence to grow by partnering with them to tackle society’s critical issues — from climate change to building trust in digital transformation and everything in between — in order to accelerate progress toward a better society and a sustainable world.
BSI is also appointed the National Standards Body (NSB) by the UK Government. It represents UK interests at the International Organization for Standardisation (ISO), the International Electrotechnical Commission (IEC) and the European Standards Organisations (CEN, CENELEC and ETSI).
BSI publishes an extensive programme of formal AI, quantum and other digital standards on industrial data, accessibility and software. As part of the digital committees team, I work with our dedicated UK experts to develop these international best practices and guidance. For AI, this includes identifying UK AI experts to ideate and write standards based on industry and consumer needs. The expert committee for AI is ART/1, which ‘mirrors’ the international ISO/IEC JTC 1/SC 42 committee of experts and regional European CEN/JTC 21.
In practice, mirroring means that the ART/1 experts provide these international and regional standards committees with a coherent set of technical content drawn from the consensus view of the UK committee; those standards are then published and adopted by BSI as ‘BSs’ (British Standards), which the UK market can then adopt voluntarily.
My role also entails market scanning and development to identify opportunities for promoting the standards so that all interested parties know the published content and how they would benefit from using and complying with it. This involves marketing and promotion, outreach work such as attending and speaking at events, webinars, and workshops and working with partners to engage their audiences with the standards and their benefits. With AI standards, there are naturally a lot of stakeholders to reach, including the UK government: standards are the industry's bedrock, so the AI standards are indeed far-reaching.
The other strategic expert committees I facilitate are ICT/1/1/2 quantum technologies, AMT/4 industrial data and manufacturing interfaces, ICT/2 accessibility and ICT/3 trustworthy software.
Let’s start with a critical definition: how do you define a standard?
Standards are an agreed way of doing something, whether making a product, managing a process, delivering a service or supplying a material. They are designed to help benefit the world and accelerate progress towards a better future and a sustainable world.
Who do you imagine using BS ISO/IEC 42001:2023 and how? What’s the problem they’re looking to solve?
The critical issues in the market for the adoption of AI include security, governance and policy, and how organisations can safely and securely use AI internally and externally to build their customer base and embed trust. The standard uses an established risk management system framework, includes provisions and guidance on AI risk treatments and AI controls, and draws on the expertise of hundreds of global AI standards makers and AI experts. AI can potentially be a force for good for society, and standards can help facilitate that.
As an organisation, how do you pick technologies or sectors to focus on? Yours is a broad church ranging from film speeds to food safety.
Published standards are the result of listening to industry and the public. If there is a new area of work or set of technologies, such as AI or quantum, BSI will set up an expert committee to write standards to help build that nascent sector. This can help inform regulation and facilitate compliance, testing and assurance services worldwide.
Tell us about a standard’s life cycle: when do you begin preliminary work? What are the key stages, and how long does a finalised document take to publish?
Standards take time to develop primarily because of the consensus model. In the case of
BS ISO/IEC 42001:2023, 38 countries have provided content based on their broad and deep AI technical expertise. The first stage of development involves identifying the industry gap and agreeing on a feasible scope for the standard so that desired outcomes plug the gap and so that the standard will be valuable for the public and industry. This is a process of agreement based on consensus, which is similar across the International Organisation for Standardisation (ISO), the European Committee for Standardisation (CEN) and standards of national origin.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
The experts meet to discuss and write the content of that new standard on a consensus basis (which can take nine or more months) before it is edited and uploaded for public comment for two months (a process that is open to anyone who wishes to comment on any aspect of the draft standard). After that, the expert committee discusses all submitted comments. The draft is then balloted for another two months for editorial commenting, after which it is edited for the last time. Each of the NSBs then publishes it; ISO/IEC 42001, for example, published on the 18th of December 2023 for the UK as ‘BS ISO/IEC 42001:2023’.
And the team who put the standard together — who are they, and how big is the team?
38 participating countries lead the ISO committee responsible for BS ISO/IEC 42001:2023, with 23 additional observing countries. The ISO working group (WG1), which writes the content, includes 17 UK experts from ART/1 and upwards of 80 international participating experts from the other NSBs. ART/1 has around 150 AI experts from organisations such as Microsoft, Amazon Web Services, the British Computer Society, the UK Government’s Department for Science, Innovation and Technology, the UK Government’s National Cyber Security Centre, DLA Piper, Nvidia and Qualcomm to name but a few, and upward of 40 SMEs.
When it comes to deploying/using the standard within an organisation — what’s your advice? Is it a standard to read, consume and act on in totality? Or should organisations take a step-by-step approach?
Implementing the content guidance and provisions in standards is generally led by how each organisation wishes to adopt it. BS ISO/IEC 42001:2023, for example, stipulates that organisations can combine ‘generally accepted frameworks, other International Standards and its own experience to implement crucial processes such as risk management, life cycle management and data quality management which are appropriate for the specific AI use cases, products or services in scope’. This flexible approach allows organisations to select what is relevant to them. Also, if a certification scheme is available for organisations to prove compliance with the standard, the organisation will need to follow that scheme’s protocols.
As well as this flexible and certifications based approach, specific AI implementation guidance within
BS ISO/IEC 42001:2023 is also provided in tabular form, and throughout the standard, on the topics of AI:
- Policies
- Internal organisation roles and concern reporting
- Systems resources
- Impact assessments (including societal)
Talk to us about how the standard aligns with the European Sustainable Development Goals.
BS ISO/IEC 42001:2023 includes content covering Goal 8: Decent work and economic growth; Goal 9: Industry, innovation, and infrastructure; and Goal 12: Responsible consumption and production. Details on how all ISO standards support the United Nations' goals can be found here.
Learn more about BSI ISO/IEC 42001:2023 and use the discount code - BCS42001 – when buying your copy.