ISO 42001:2023 - A.2.3 Alignment with Other Organisational Policies
This article provides guidance on how to implement the ISO 42001:2023 control A.2.3 Alignment with Other Organisational Policies.
ISO 42001 Control Description
The organisation shall determine where other policies can be affected by, or apply to, the organisation's objectives with respect to AI systems.
Control Objective
To provide management direction and support for AI systems according to business requirements.
Purpose
To ensure consistency and integration between the AI policy and other organisational policies, avoiding conflicts, gaps, or duplication. AI systems intersect with multiple domains (quality, security, safety, privacy, HR, procurement), and this control ensures the organisation identifies and addresses these intersections systematically.
Guidance on Implementation
Domains That Intersect with AI
The organisation should conduct a thorough analysis to identify where AI objectives and activities intersect with existing policies. Common intersections include:
a) Information security policy (ISO 27001)
- Security of AI systems, models, and training data
- Access controls for AI resources
- Security incident management involving AI systems
b) Privacy and data protection policy (ISO 27701, GDPR)
- Personal data used in AI training and operation
- Data subject rights (access, erasure, portability)
- Privacy-enhancing technologies for AI
- Consent management
c) Quality management policy (ISO 9001)
- Quality assurance for AI system outputs
- Continuous improvement of AI performance
- Customer satisfaction with AI-enabled services
d) Safety policy (ISO 45001, domain-specific safety standards)
- Safety-critical AI systems
- Human-AI interaction safety
- Fail-safe mechanisms
e) HR and competence policies
- Competence requirements for AI roles
- Training and awareness on AI systems
- Ethical use of AI in HR decisions (recruitment, performance evaluation)
f) Procurement and supplier management policies
- Acquiring AI systems, tools, or services from third parties
- Supplier assessment criteria for AI providers
- Contractual obligations for AI components
g) Risk management policy (ISO 31000)
- AI-specific risk identification and treatment
- Integration with enterprise risk management
h) Ethics and responsible AI policies
- Ethical principles guiding AI development and use
- Bias prevention and fairness considerations
- Accountability and transparency requirements
i) Environmental sustainability policy
- Energy consumption of AI model training
- Carbon footprint considerations
- Sustainable AI practices
j) Business continuity and disaster recovery policies
- Continuity planning for AI-dependent processes
- Backup and recovery of AI models and data
Implementation Steps
Organisations should:
- Inventory existing policies - Compile a complete list of all organisational policies that might intersect with AI activities
- Conduct gap analysis - For each policy, determine:
  - Does it currently address AI-related aspects?
  - Does it conflict with AI objectives or activities?
  - Are there gaps where AI is not addressed but should be?
  - Does the AI policy duplicate provisions already in other policies?
- Determine integration approach - For each intersection, decide whether to:
  - Update the existing policy to incorporate AI-specific provisions
  - Cross-reference from the AI policy to the existing policy
  - Include provisions in the AI policy with references to related policies
  - Create supplementary guidance that bridges both policies
- Document the analysis - Maintain a record showing:
  - Which policies have been reviewed
  - What intersections were identified
  - What actions were taken (updates, cross-references, etc.)
  - Justification for the approach chosen
- Ensure consistency - When updating multiple policies, ensure consistent terminology, aligned requirements, and no contradictions
- Communicate changes - If existing policies are updated to address AI, communicate these changes to affected personnel
- Establish coordination - Designate responsibility for maintaining alignment as policies evolve over time
Key Considerations
Avoid duplication: Don't repeat provisions from other policies in the AI policy - use cross-references instead. For example, if the information security policy already covers access controls, the AI policy should reference it rather than duplicate the requirements.
Address gaps, not just overlaps: The analysis should identify not only where policies overlap but also where gaps exist. For instance, if no existing policy addresses bias in AI systems, the AI policy should include this.
Governance alignment: Ensure the AI policy aligns with governance policies set by the organisation's governing body. ISO/IEC 38507 provides guidance for governance of AI systems that should inform this alignment.
Dynamic process: Policy alignment is not a one-time activity. As the organisation adopts new AI systems or as regulations change, the alignment analysis should be revisited.
Practical application: The analysis should be practical and proportionate. Small organisations with simple AI use may have limited policy intersections, while large organisations with complex AI deployments will have many.
Common Intersections to Address
Security and AI:
- How are AI models protected from adversarial attacks?
- What security controls apply to training data?
- How are AI system vulnerabilities managed?
Privacy and AI:
- How is personal data used in AI training handled?
- What privacy impact assessments are required?
- How are data subject rights exercised for AI systems?
Procurement and AI:
- What criteria apply when purchasing AI tools or services?
- How are third-party AI systems assessed for risk?
- What contractual terms are needed for AI suppliers?
HR and AI:
- What competencies are required for AI roles?
- How is AI used ethically in HR decisions?
- What training is provided on responsible AI use?
Related Controls
Within ISO/IEC 42001:
- A.2.2 AI policy
- A.2.4 Review of the AI policy
- A.3.2 AI roles and responsibilities
- A.4.7 Competence
Integration with ISO 27001 (if applicable):
- A.5.1 Policies for information security
- A.5.10 Acceptable use of information and assets
Integration with ISO 27701 (if applicable):
- 5.2.1 Privacy policy