Which control in Annex A of ISO 42001:2023 focuses on the need for stakeholder engagement in AI system development?
Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills
and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
According to Scenario 5, was Robert's decision to proceed with the audit without changing its scope appropriate?
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
Based on Scenario 2, was the awareness session conducted in accordance with the requirements of Clause 7.3 Awareness of ISO/IEC 42001?
Question:
Can the work assignments of audit team members be changed during the audit?
Question:
During an audit, the auditor employed data analytic technology to identify anomalies and unusual patterns in the decision-making processes of an AI system used by a financial institution to approve or reject loan applications. Which data analytic technology did the auditor use?
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Based on Scenario 1, what category of AI systems did Future Horizon Academy utilize?
Scenario 3: Heala specializes in developing AI-driven solutions for the healthcare sector. With a keen focus on leveraging AI to revolutionize patient care, diagnostics, and treatment planning, the company has implemented an Artificial Intelligence Management System (AIMS) based on ISO/IEC 42001. After a year of having the AIMS in place, the company decided to apply for a certification audit.
It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management systems and additional references. Furthermore, he is knowledgeable about Heala’s context and relevant statutory and regulatory requirements.
Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala's AIMS. This crucial step laid the groundwork for a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly influenced updates to the AIMS and its strategic direction. Augustine's thorough evaluation process aimed to verify Heala's commitment to integrating the needs and expectations of interested parties, a critical requirement of ISO/IEC 42001.
Augustine also integrated a sophisticated AI tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data-driven audit process. This AI solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.
During the audit, Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This oversight compromised the audit’s integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.
Based on the scenario above, answer the following question:
Did Augustine possess the knowledge and skills required to be appointed as an audit team leader?
In which step are the audit findings, including nonconformities, documented and reviewed?
Scenario 6 (continued):
Scenario 6: HappilyAI is a pioneering enterprise dedicated to developing and deploying artificial intelligence Al solutions tailored to enhance customer service experiences across various industries. The company offers innovative products like virtual assistants, predictive analytics tools, and personalized customer interaction platforms. As part of its commitment to operational excellence and innovation, HappilyAI has implemented a robust Al management system AIMS to oversee its Al operations effectively. Currently. HappilyAI is undergoing a comprehensive audit process of its AIMS to evaluate its compliance with ISO/IEC 42001.
Under the leadership of Jess, the audit team began the audit process with meticulous planning and coordination, setting the groundwork for the extensive on-site activities of the stage 1 audit. This initial phase was marked by a comprehensive documentation review. The audit scope encompassed a critical review of HappilyAI's core departments, including Research and Development (R&D), Customer Service, and Data Security, aiming to assess the conformity of HappilyAI's AIMS to the requirements of ISO/IEC 42001.
Afterward, Jess and the team conducted a formal opening meeting with HappilyAI to introduce the audit team and outline the audit activities. The meeting set a collaborative tone for the subsequent phases, where the team engaged in information collection, executed audit tests, identified findings, and prepared draft nonconformity reports while maintaining a strict quality review process.
In gathering evidence, the audit team employed a sampling method, which involved dividing the population into homogeneous groups to ensure a comprehensive and representative data collection by drawing samples from each segment. Furthermore, the team employed observation to deepen their understanding of the Al management processes. They verified the availability of essential documentation, including Al-related policies, and evaluated the communication channels established for reporting incidents.
Additionally, they scrutinized specific monitoring tools designed to track the performance of data acquisition processes, ensuring these tools effectively identify and respond to errors or anomalies. However, a notable challenge emerged as the team encountered a lack of access to documented information that describes how tasks about AIMS are executed. In addition to this, the team identified a potential nonconformity within the Sales Department. They decided not to record this as a nonconformity in the audit report but only communicated it to the HappilyAI's representatives.
During the stage 2 audit, the certification body, in collaboration with HappilyAI, assigned the roles of technical experts within the audit team. Recognized for their specialized knowledge and expertise in artificial intelligence and its applications, these technical experts are tasked with the thorough assessment of the AIMS framework to ensure its alignment with industry standards and best practices, focusing on areas such as data ethics, algorithmic transparency, and Al system security.
Question:
According to Scenario 6, which sampling method did the audit team use?
Scenario 2: OptiFlow is a logistics company located in New Delhi, India. The company has enhanced its operational efficiency and customer service by integrating AI across various domains, including route optimization, inventory management, and customer support. Recognizing the importance of AI in its operations, OptiFlow decided to implement an Artificial Intelligence Management System (AIMS) based on ISO/IEC 42001 to oversee and optimize the use of AI technologies.
To address Clauses 4.1 and 4.2 of the standard, OptiFlow identified and analyzed internal and external issues and needs and expectations of interested parties. During this phase, it identified specific risks and opportunities related to AI deployment, considering the system's domain, application context, intended use, and internal and external environments. Central to this initiative was the establishment and maintenance of AI risk criteria, a foundational step that facilitated comprehensive AI risk assessments, effective risk treatment strategies, and precise evaluations of risk impacts. This implementation aimed to meet AIMS’s objectives, minimize adverse effects, and promote continuous improvement. OptiFlow also planned and integrated strategies to address risks and opportunities into AIMS’s processes and assessed their effectiveness.
OptiFlow set measurable AI objectives aligned with its AI policy across all organizational levels, ensuring they met applicable requirements and matched the company’s vision. The company placed strong emphasis on the monitoring and communication of these objectives, ensuring they were updated annually or as needed to reflect changes in technology, market demands, or internal processes. It also documented the objectives, making them accessible across the company.
To guarantee a structured and consistent AI risk assessment process, OptiFlow emphasized alignment with its AI policy and objectives. The process included ensuring consistency and comparability, identifying, analyzing, and evaluating AI risks.
OptiFlow prioritizes its AIMS by allocating the necessary resources for its comprehensive development and continuous enhancement. The company carefully defines the competencies needed for personnel affecting AI performance, ensuring a high level of expertise and innovation.
OptiFlow also manages effective internal and external communications about its AIMS, aligning with ISO/IEC 42001 requirements by maintaining and controlling all required documented information. This documentation is meticulously identified, described, and updated to ensure its relevance and accessibility. Through these strategic efforts, OptiFlow upholds a commitment to excellence and leadership in AI management practices.
To comply with Clause 9 of ISO/IEC 42001, the company determined what needs to be monitored and measured in the AIMS. It planned, established, implemented, and maintained an audit program, reviewed the AIMS at planned intervals, documented review results, and initiated a continuous feedback mechanism from all interested parties to identify areas of improvement and innovation within the AIMS.
Which of the following requirements of Clause 6.1.2 AI risk assessment did OptiFlow NOT consider?
TESTED 18 Aug 2025
