Industrial Generative AI Development
22 ISO Standards
Core Standards
-
ISO/IEC 42001 - Services Management
Information technology — Artificial intelligence — Management system
This document specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving an AI (artificial intelligence) management system within the context of an organization.
This document is intended for use by an organization providing or using products or services that utilize AI systems. This document is intended to help the organization develop, provide or use AI systems responsibly in pursuing its objectives and meet applicable requirements, obligations related to interested parties and expectations from them.
This document is applicable to any organization, regardless of size, type and nature, that provides or uses products or services that utilize AI systems.
-
ISO/IEC 5259-5 - Information Technology
Artificial intelligence — Data quality for analytics and machine learning (ML) — Part 5: Data quality governance framework
This document provides a data quality governance framework for analytics and machine learning (ML) to enable governing bodies of organizations to direct and oversee the implementation and operation of data quality measures, management, and related processes with adequate controls throughout the data life cycle (DLC) model according to ISO/IEC 5259-1.
This document can be applied to any analytics and ML. This document does not define specific management requirements or process requirements according to ISO/IEC 5259-3 and ISO/IEC 5259-4 respectively.
-
ISO/IEC 23894 - Information Technology
Information technology — Artificial intelligence — Guidance on risk management
This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize artificial intelligence (AI) can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.
The application of this guidance can be customized to any organization and its context.
-
ISO/IEC 38507 - Information Technology
Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations
This document provides guidance for members of the governing body of an organization to enable and govern the use of Artificial Intelligence (AI), in order to ensure its effective, efficient and acceptable use within the organization.
This document also provides guidance to a wider community, including:
— executive managers;
— external businesses or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
— public authorities and policymakers;
— internal and external service providers (including consultants);
— assessors and auditors.
This document is applicable to the governance of current and future uses of AI as well as the implications of such use for the organization itself.
This document is applicable to any organization, including public and private companies, government entities and not-for-profit organizations. This document is applicable to an organization of any size irrespective of their dependence on data or information technologies.
-
ISO/IEC 42005 - Information Technology
Information technology — Artificial intelligence (AI) — AI system impact assessment
This document provides guidance for organizations performing artificial intelligence (AI) system impact assessments for individuals and societies that can be affected by an AI system and its foreseeable applications. It includes considerations for how and when to perform such assessments and at what stages of the AI system life cycle, as well as guidance for AI system impact assessment documentation.
Additionally, this guidance includes how this AI system impact assessment process can be integrated into an organization’s AI risk management and AI management system.
This document is intended for use by organizations developing, providing or using AI systems. This document is applicable to any organization, regardless of size, type and nature.
-
ISO/IEC 23053 - Information Technology
Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML)
This document establishes an Artificial Intelligence (AI) and Machine Learning (ML) framework for describing a generic AI system using ML technology. The framework describes the system components and their functions in the AI ecosystem. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are implementing or using AI systems.
-
ISO/IEC 5259-4 - Information Technology
Artificial intelligence — Data quality for analytics and machine learning (ML) — Part 4: Data quality process framework
This document establishes general common organizational approaches, regardless of the type, size or nature of the applying organization, to ensure data quality for training and evaluation in analytics and machine learning (ML). It includes guidance on the data quality process for:
— supervised ML with regard to the labelling of data used for training ML systems, including common organizational approaches for training data labelling;
— unsupervised ML;
— semi-supervised ML;
— reinforcement learning;
— analytics.
This document is applicable to training and evaluation data that come from different sources, including data acquisition and data composition, data preparation, data labelling, evaluation and data use. This document does not define specific services, platforms or tools.
-
ISO/IEC 5339 - Information Technology
Information technology — Artificial intelligence — Guidance for AI applications
This document provides guidance for identifying the context, opportunities and processes for developing and applying AI applications. The guidance provides a macro-level view of the AI application context, the stakeholders and their roles, relationship to the life cycle of the system, and common AI application characteristics and considerations.
-
ISO/IEC 5259-3 - Information Technology
Artificial intelligence — Data quality for analytics and machine learning (ML) — Part 3: Data quality management requirements and guidelines
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving the quality of data used in the areas of analytics and machine learning.
This document does not define a detailed process, methods or metrics. Rather it defines the requirements and guidance for a quality management process along with a reference process and methods that can be tailored to meet the requirements in this document.
The requirements and recommendations set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
-
ISO/IEC 27001 - Information Technology
Information security, cybersecurity and privacy protection — Information security management systems — Requirements
This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
-
ISO/IEC 27701 - Information Technology
Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
Guidance is also provided to assist in the implementation of the requirements in this document.
This document is intended for personally identifiable information (PII) controllers and PII processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.
-
ISO/IEC TR 29119-11 - Information Technology
Software and systems engineering — Software testing — Part 11: Guidelines on the testing of AI-based systems
This document provides an introduction to AI-based systems. These systems are typically complex (e.g. deep neural nets), are sometimes based on big data, can be poorly specified and can be non-deterministic, which creates new challenges and opportunities for testing them.
This document explains those characteristics which are specific to AI-based systems and explains the corresponding difficulties of specifying the acceptance criteria for such systems.
This document presents the challenges of testing AI-based systems, the main challenge being the test oracle problem, whereby testers find it difficult to determine expected results for testing and therefore whether tests have passed or failed.
Supporting Standards
-
ISO/IEC 42006 - Services Management
Information technology — Artificial intelligence — Requirements for bodies providing audit and certification of artificial intelligence management systems
This document specifies additional requirements to ISO/IEC 17021-1. The requirements contained in this document, when implemented, support the demonstration of competence, consistency and reliability by the bodies performing auditing and certification of an artificial intelligence management system (AIMS) according to ISO/IEC 42001 for organizations that provide, develop or use AI systems.
Certification of AIMS is a third-party conformity assessment activity (as described in ISO/IEC 17000:2020, 4.5), and bodies performing this activity are third-party conformity assessment bodies.
This document also provides the necessary information and confidence to customers about the way certification has been granted.
NOTE This document can be used as a criteria document for accreditation or peer assessment.
-
ISO/IEC 27034-3 - Information Technology
Information technology — Application security — Part 3: Application security management process
This document provides a detailed description and implementation guidance for the Application Security Management Process.
-
ISO/IEC 27006-1 - Information Technology
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General
This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
-
ISO/IEC 27035-2 - Information Technology
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
This document provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the “plan and prepare” and “learn lessons” phases of the information security incident management phases model presented in ISO/IEC 27035-1:2023, 5.2 and 5.6.
The major points within the “plan and prepare” phase include:
— information security incident management policy and commitment of top management;
— information security policies, including those relating to risk management, updated at both organizational level and system, service and network levels;
— information security incident management plan;
— Incident Management Team (IMT) establishment;
— establishing relationships and connections with internal and external organizations;
— technical and other support (including organizational and operational support);
— information security incident management awareness briefings and training.
The “learn lessons” phase includes:
— identifying areas for improvement;
— identifying and making necessary improvements;
— Incident Response Team (IRT) evaluation.
The guidance given in this document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this document according to their type, size and nature of business in relation to the information security risk situation.
-
ISO/IEC 29146 - Information Technology
Information technology — Security techniques — A framework for access management
This document defines and establishes a framework for access management (AM) and the secure management of the process to access information and information and communications technologies (ICT) resources, associated with the accountability of a subject within some contexts.
This document provides concepts, terms and definitions applicable to distributed access management techniques in network environments.
This document also provides explanations about related architecture, components and management functions.
The subjects involved in access management can be uniquely recognized to access information systems, as defined in the ISO/IEC 24760 series.
The nature and qualities of physical access control involved in access management systems are outside the scope of this document.
-
ISO/IEC 27706 - Information Technology
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
-
ISO/IEC TR 5469 - Information Technology
Artificial intelligence — Functional safety and AI systems
This document describes the properties, related risk factors, available methods and processes relating to:
— use of AI inside a safety related function to realize the functionality;
— use of non-AI safety related functions to ensure safety for an AI controlled equipment;
— use of AI systems to design and develop safety related functions.
-
ISO/IEC TS 8200 - Information Technology
Information technology — Artificial intelligence — Controllability of automated artificial intelligence systems
This document specifies a basic framework with principles, characteristics and approaches for the realization and enhancement for automated artificial intelligence (AI) systems’ controllability.
The following areas are covered:
— state observability and state transition;
— control transfer process and cost;
— reaction to uncertainty during control transfer;
— verification and validation approaches.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations) developing and using AI systems during their whole life cycle.
Related Standards
-
ISO/IEC 10164-9 - Information Technology
Information technology — Open Systems Interconnection — Systems Management: Objects and attributes for access control
Describes an Access Control Security Model and the management information necessary for creating and administering access control associated with OSI Systems Management. The security policy adopted for any instance of use is not specified and is left as an implementation choice. This Specification is of generic application and is applicable to the security management of many types of application.
-
ISO/IEC 10165-1 - Information Technology
Information technology — Open Systems Interconnection — Management Information Services — Structure of management information: Management Information Model
Defines the information model of managed objects and their attributes that corresponds to the information aspects of the systems management model introduced in the systems management overview CCITT Rec. X.701 / ISO/IEC 10040; prescribes the principles of naming managed objects and their attributes; defines the logical structure of systems management information; defines the concepts of managed objects in the information model; describes the concept of managed object classes and the relationships into which managed objects and managed object classes can enter.