Scenario 9:
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Roger followed up on action plans resulting from external audits. Is this acceptable?
In which step are the audit findings, including nonconformities, documented and reviewed?
Question:
Can ISO/IEC 42001 be integrated into an integrated management system (IMS) with ISO/IEC 27001 and ISO 9001?
Scenario 8 (continued):
Scenario 8:
Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions andcommitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting,covering both mobile apps and web development. Recently, the company underwent an audit to evaluate the effectiveness and
compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.
The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating theevidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.
Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccuratelyreflecting the efficiency of their software development processes. In response, the company provided new evidence and additionalinformation to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit teamleader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, thecertification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.
InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from theaudit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering acollaborative effort between the auditors and InnovateSoft.During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the auditevidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findingswere discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities,including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was
communicated, emphasizing urgency. Insights into the certification body’s post-audit activities were provided, ensuring ongoing support.
Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.
InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the correctiveactions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days setby the certification body, arriving three days later. InnovateSoft explained this by attributing the delay to unexpected challengesencountered during the compilation of the action plans.
InnovateSoft submitted corrective action plans for nonconformities three days past the certification body’s deadline of 45 days.
Question:
Based on Scenario 8, is InnovateSoft eligible for certification?
Copyright © 2021-2025 CertsTopics. All Rights Reserved
