ISO/IEC 42001 is titled “Information technology – Artificial intelligence – Management system.” The first medical device manufacturers have set out to be certified according to this standard.
But are the efforts required to do so justified? Does ISO/IEC 42001 help to meet the requirements of the AI Act? This article provides answers.
1. ISO/IEC 42001: An overview of the key points
a. Scope of the standard
ISO/IEC 42001 is aimed at all organizations that use, develop, and/or provide devices incorporating artificial intelligence.
Affected, for example, are organizations that
- automate the processing of customer inquiries using AI,
- place AI-based medical devices or IVD on the market, or
- evaluate service data using AI to determine whether their devices need maintenance or improvement.
According to destatis.de, over 20% of companies now use AI technologies. Among large companies (250 employees or more), the number is almost 50%. All these companies fall within the scope of ISO/IEC 42001.
b. Objectives of the standard
The standard aims to help organizations benefit from AI’s opportunities while managing its risks. The idea is to balance “governance mechanisms and innovation.”
c. Approaches of the standard
Process-oriented approach and integration into other management systems
ISO/IEC 42001 is a standard for an AI management system. Just like other management standards (e.g., ISO 9001, ISO 13485, ISO 27001), it describes process requirements. This concerns all types of processes:
- Management processes, e.g., for defining an “AI policy”
- Core processes, e.g., for the development of AI-based devices
- Support processes, such as ensuring AI competencies
The standard can and should therefore lead to an integrated management system.
Risk-based approach
The standard takes a risk-based approach. It therefore also refers to ISO/IEC 23894:2023 (“Information technology – Artificial intelligence – Guidance on risk management”) and ISO 31000.
d. “High level structure” of the standard
The standard follows the “high level structure” (HLS) of management system standards.

ISO 13485 is still based on an old version of this structure, which comes from ISO 9001:1994. The new HLS was introduced with ISO 9001:2015.
The different HLS of ISO 13485 and ISO/IEC 42001 make it difficult for manufacturers of medical devices and IVD medical devices to consolidate the requirements of both standards into an integrated management system.
2. Requirements of the ISO/IEC 42001
Chapter 4 (Context of the organization)
First, the organization must determine who will be affected by the use of AI, how, what the expectations of these stakeholders are, and what the scope of the AI management system will be.
Chapter 5 (Leadership)
The requirements of chapter 5 will come as no surprise to companies with a management system certification. Management must
- be committed to the management system,
- provide the necessary resources,
- determine the “policy” (here the “AI Policy”), and
- define the necessary responsibilities.
Chapter 6 (Planning)
The standard takes a risk-based approach. Consequently, planning must begin with analyzing the opportunities and risks and defining risk-minimizing measures. For these measures, the standard refers to Annex A. However, some of the “controls” in this annex are unspecific.
Annex A requires: “The organization shall define and document verification and validation measures for the AI system and specify criteria for their use.”
Chapter 7 (Support)
When ISO/IEC 42001 uses the term “support,” it does not mean “customer support,” but rather the support necessary for the AI management system:
- Resources (in general)
- Competence and awareness of employees
- Internal and external communication
- Required documentation
Chapter 8 (Operation)
The essential demand of the eighth chapter is that organizations now implement what they planned in accordance with chapter 6.
Chapters 9 and 10 (Evaluation and improvement)
The requirements of the last two chapters are largely the same as those of other management systems.
3. Implementation of ISO/IEC 42001
Organizations that want to implement the standard should not establish another management system but expand the existing one into an integrated one. This can be done in seven steps.

Step 1: Define the scope
Before performing a gap analysis, manufacturers should define the scope of the application. The fourth chapter of ISO/IEC 42001 is helpful in this regard. The following should be determined as a result:
- Internal and external stakeholders
- Objectives of the stakeholders and the organization
- Affected organizational units
Step 2: Analyze risks (and opportunities)
Once the stakeholders and their objectives are known, the factors that endanger these objectives or even the stakeholders themselves can be identified. This also applies to the risks to fundamental rights.
Integrate ISO 27001 risk management as well. In other words, strive for a management system that also integrates this standard.
Step 3: Identify the processes involved
Once the factors that can lead to risks are known, the activities and, thus, the processes in which these problems occur should also be clear.
Manufacturers should add to this list of processes those that may otherwise be affected by the standard, such as HR processes.
Step 4: Gap analysis and closing the gaps
The owners of the affected processes can now carry out a gap analysis of their processes against the requirements of ISO/IEC 42001 and close these gaps.
Step 5: Implementing the changes
Now the modified processes are rolled out: employees are trained in them, and the processes are put into practice.
Step 6: Internal audit and management review
The organization determines whether the new requirements are being met by conducting internal audits. At the latest, during the management review, it becomes clear whether further adjustments, e.g., regarding resources, are needed.
Audit plans and the audit program must be adapted.
Step 7: Certification
The last step is optional: certification according to ISO/IEC 42001 by a certifier. This certification should be carried out in parallel with the certification of the entire management system and, thus, simultaneously with the certification according to other standards, such as ISO 13485.
4. Reasonableness of implementation
a. Advantages of implementation
Strategic advantages
The standard should help to ensure clarity across the company about
- who uses which AI, where, and for what purpose,
- which rules are to be followed in doing so,
- the opportunities and risks associated with the AI, and
- how it contributes to the company’s success.
Regulatory advantages
The standard may be required by law in some areas. South Korea, among other countries, is considering such a step.
Operational advantages
ISO/IEC 42001 provides specific guidance on how to carry out tasks, such as the “Impact Assessment,” in the normative Annex B.
b. Challenges
Lack of “probative value” due to a lack of harmonization
ISO/IEC 42001 is not harmonized, neither with the MDR and IVDR nor with the AI Act. This is not to be expected, as the standard was not written with this objective and does not reference medical devices or IVD.
Therefore, conformity with the standard is only of limited help in demonstrating conformity with the above-mentioned EU regulations.
In particular, the standard falls short of the legal requirements for the development of AI-based medical devices.
Limited actionable guidance
The requirements are often too generic to be implemented directly. That also creates uncertainty during audits, as there is little experience yet of what certification bodies test and how they test it.
In addition, some of the requirements are redundant with those of the other management standards.
The Johner Institute’s AI guideline lists detailed criteria that medical device and IVD manufacturers can use to verify that their processes and devices comply with the AI Act, MDR, and IVDR requirements.
Effort required to harmonize concepts
In some cases, the concepts in the standard do not match those in other regulatory documents. This applies, for example, to terms such as “risk” and “AI system.” That could lead to confusion in the organization.
It also follows that the scopes of the AI Act and the standard are not identical.
Implementation efforts
Implementing the standard takes time and resources that many organizations and their affected departments do not have.
5. FAQ on ISO/IEC 42001
a. Is compliance with ISO/IEC 42001 required by law?
No. The standard is not required by law. It is neither harmonized nor sufficient to meet the requirements for AI-based medical and IVD medical devices.
However, there are considerations to make the standard a prerequisite for placing AI-based medical devices on the market.
b. When will ISO/IEC 42001 come into force?
The standard has already been officially adopted since the end of 2023.
c. How long does the implementation of ISO/IEC 42001 take?
No concrete experience is yet available. The costs for implementing ISO/IEC 42001 are likely slightly lower than for implementing ISO 27001. That is because the latter usually affects all employees, whereas the use of AI is not yet(!) as widespread.
Typical project duration is likely between nine and 18 months, plus the time required for certification.
d. What costs arise during implementation?
Here, too, experience is still lacking. The costs depend heavily on the size and complexity of the organization. Above all, internal expenses arise that can add up to one or more person-years.
Factors influencing these efforts include:
- Number and quality of previous management systems
- Number and homogeneity of locations, e.g., with regard to tasks, processes, regulatory frameworks, devices, and employees (different time zones complicate implementation)
- Willingness of the individuals and organizational units concerned to change
- “AI literacy”
- Degree of AI penetration
- Risks (these are higher for medical devices than organizations that use AI only for sentiment analysis of customer feedback)
e. What are the alternatives to ISO/IEC 42001?
Manufacturers who want to achieve the standard’s objectives without seeking conformity can supplement their existing management system with those aspects of the standard that they consider useful.
Existing management systems can be expanded in a variety of ways:
- The ISO/IEC 42001 requirements are incorporated into the quality management manual and standard operating procedures.
- The existing standard operating procedures are only extended to include references to AI-specific templates (e.g., for development plans) and checklists.
If you do not yet have a management system, ISO 9001 or ISO 27001 would be the first choice; for medical device and IVD medical device manufacturers, it would be ISO 13485.
It is likely to become increasingly difficult for companies to compete without the use of AI.
f. Can I get certified according to ISO/IEC 42001?
Yes. The first certification organizations are offering certification.
When selecting one, make sure that the certification body is accredited for ISO/IEC 42001, for example, in Germany by DAkkS. Otherwise, the certificates are of little value.
6. Conclusion and summary
a. Praise and criticism
ISO/IEC 42001 is THE standard for AI management systems. It applies to organizations that either use AI themselves or provide devices or services that use AI. The standard is easy to understand, and its requirements are sensible. It integrates well with other management systems.
However, the requirements are often generic, which somewhat reduces the standard’s benefit. That is particularly relevant because it is not yet a regulatory requirement and also lags behind more specific documents such as the TeamNB “Questionnaire” (which is based on the Johner Institute’s guideline).
b. Priority
Therefore, the Johner Institute advises manufacturers of AI-based medical devices and IVD medical devices to pursue compliance in the following order of priority:
- MDR, IVDR
- TeamNB questionnaire or Johner Institute guideline
- AI Act (which is already addressed in the Johner Institute guideline)
- Possibly other AI-specific standards, e.g.,
  - ISO/IEC 25059 (“Quality model for AI systems”)
  - ISO/IEC 5338 (“Information technology – Artificial Intelligence – Life cycle processes for AI systems”)
  - ISO/IEC 23894 (“Information technology – Artificial intelligence – Guidance on risk management”)
- ISO/IEC 42001
ISO/IEC 42001 has a higher priority for organizations where the use of AI within their own organization is highly relevant.
The Johner Institute supports manufacturers of AI-based medical devices and IVD medical devices
- in designing, testing, integrating, and optimizing processes that are necessary to achieve compliance and to bring devices to market without problems,
- in reviewing, improving, and writing technical documentation, including the “AI file” and risk management,
- for internal and external audits,
- for employee training, e.g., with customized seminars, e-learning courses, and through individual coaching.
Contact us using the contact form or the channels provided there.