Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Based on functionality, what type of AI system did Future Horizon Academy establish?
What type of evidence is an external audit report?
Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some
audit activities, a disciplinary note was recorded for John.
Question:
What level of negligence did Emma observe regarding John’s audit documentation failures?
A financial institution has integrated AI systems into its operations and has adopted risk management principles from an internationally recognized standard to specifically mitigate AI-related risks effectively. Which standard has the institution applied in this case?
Scenario 9:
Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Roger followed up on action plans resulting from external audits. Is this acceptable?
Which of the following statements regarding the interested parties related to the AIMS is correct?
Scenario 3:
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment services to its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into the bank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, or unethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would either confirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review of selected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure, focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated into ArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customer service in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMS life cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’s operational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between the two parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed the company's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case of expected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Which audit principle did Audrey demonstrate while assessing the chatbots?
Which among the following core concepts of Artificial Intelligence uses artificial neural networks inspired by the human brain to process complex data like images, text, and speech?
A tech company has decided to apply ISO/IEC 42001 specifically to integrate the AIMS with existing management systems, such as the Information Security Management System and the Business Continuity Management System. Which part of ISO/IEC 42001 should the company use as guidance on aligning the AIMS with these systems to ensure cohesive objectives, streamlined processes, and unified documentation?
Did the audit team conduct their meetings in accordance with best practices? Refer to Scenario 7.
Scenario 7: TastyMade. headquartered in Hamburg, Germany, is an established company in the food manufacturing industry that applies Al technologies in its
operations. It has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to further strengthen its Al management and ensure
compliance with international standards. As part of its commitment to excellence and continual improvement, TastyMade is undergoing an audit process to achieve
certification against ISO/IEC 42001.
In preparation for the audit, TastyMade collaborated closely with the audit team leader to develop a detailed audit plan. This plan encompassed objectives, criteria,
scope, and logistical arrangements for both on-site and remote audit activities. Recognizing the specialized nature of Al integration, a technical expert was brought in
to support the audit team and ensure comprehensive coverage of relevant aspects. Upon discussion with the audit team leader, it was mutually decided that not every
audit team member would need a guide throughout the audit process. At times, the TastyMade itself would assume the role of the guide, actively facilitating audit
activities.
A formal opening meeting was held with TastyMade's management to provide an overview of the audit process and set expectations. During this meeting, key
interested parties were briefed on the audit objectives and the methodologies that would be employed during the audit. Following the meeting, the audit team
proceeded with their work, collecting information and conducting tests to evaluate the effectiveness of TastyMade's AIMS.
Daily evening meetings were held to review progress, discuss encountered issues, and facilitate collaboration among audit team members. The audit team leader
adopted an open communication approach, encouraging all auditors to share their findings and challenges. The communication regarding the progress of the audit
was informal, allowing for a fluid exchange of information and updates among team members.
To verify adherence to some requirements of clause 4.1 Understanding the organization and its context, the audit team arbitrarily selected for analysis a representative
sample of Al management practices across different departments and functions within the company.
During the audit process, the technical expert uncovered certain technical and operational findings related to the integration and governance of Al systems.
Recognizing the significance of these findings, the expert promptly informed the audit team leader. Understanding the need for further clarification and direct
communication, the audit team leader authorized the technical expert to address the findings directly with the auditee. However, to ensure proper oversight, the expert
was supervised by one of the audit team members.
Throughout the audit, it became apparent that TastyMade promoted a culture of autonomy and decentralized decision-making in Al integration processes. Employees
were empowered to set goals, allocate responsibilities, and devise methodologies independently, with management providing guidance and support as needed. This
approach fostered innovation and agility within the company
