#247 How do ISO 27001 Information Security and ISO 42001 AI Management compare?

Information is increasingly becoming the number one priority for businesses. With so many of us reliant on tech to stay in operation, there is an inevitable increase in data breaches and incidents year-on-year. The addition of new AI-driven technology has added a new layer of complexity to the information security landscape, regarding both the new risks that using the technology brings and the danger of falling prey to more complex AI-led scams. Thankfully ISO Standards are here to help, with ISO 27001 tackling general information security and ISO 42001 covering effective AI Management. But how do these two compare, and is there merit in implementing both?

In this episode, Ian Battersby is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to discuss what ISO 27001 and ISO 42001 are, the main differences between the Standards and how they can complement each other when integrated.

You'll learn
· Who is Bas Von Hertom?
· Who are TUV Nord?
· What are ISO 27001 and ISO 42001?
· How does ISO 42001 support regulatory frameworks such as the EU AI Act?
· How do ISO 27001 and ISO 42001 differ in managing information security risks?
· Other key differences between ISO 27001 and ISO 42001
· How much more work is involved in implementing ISO 42001 if you already have ISO 27001 in place?
· Can ISO 27001 and ISO 42001 be integrated?
· Which organisations should be implementing both Standards?
· How are Certification Bodies quoting for ISO 27001 and ISO 42001?
· Bas's advice to leadership teams looking to build a case for full certification

Resources
· TUV Nord
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Ian is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to explore the differences between ISO 27001 and ISO 42001 and the benefits of integrating both Standards.

[02:30] Who is Bas Von Hertom? Bas is the Cyber Security Specialist at TUV Nord. He is a lead auditor for Standards including ISO 27001, ISO 42001, TISAX and standards specifically for industrial automation. Bas had once stated, around 5 years ago, that he would never pursue a career in auditing, but once he came into contact with TUV Nord he decided to give it a go. Before joining TUV, he was a very hands-on systems administrator, and many of those skills transferred well into auditing.

[04:45] Who are TUV Nord? TUV Nord are a UKAS-accredited Certification Body. They also offer services for testing and inspection. TUV have worked with a large range of sectors, from manufacturing and energy to IT, healthcare and even space.

[06:25] What are ISO 27001 and ISO 42001? ISO 27001 is the Standard for Information Security Management, with compliant management systems being called an ISMS. It provides structure for identifying, assessing and managing risks related to information security, while also ensuring the availability and resilience of information security. ISO 42001 AI Management is a much more recent Standard, being published in December of 2024. It focuses on ethical and effective AI management, with a system that applies to relevant products in addition to the wider business.

[07:30] How does ISO 42001 support regulatory frameworks such as the EU AI Act? The EU AI Act sets out legal obligations that organisations offering AI products must comply with; however, it only defines the rules rather than providing any implementation guidance. This is where ISO 42001 can fill the gaps, by providing a framework that will meet these regulatory requirements.

[08:45] How do ISO 27001 and ISO 42001 differ in managing information security risks? Both Standards take a risk-based approach to their subject matter, but the nature of the risks each addresses is what differs. ISO 27001 focuses on risks that relate to the protection of information assets, based on the confidentiality, integrity and availability of information. It also ensures that business objectives are clearly defined and aligned with business strategy. ISO 42001, on the other hand, deals with a broader and more complex set of risks, because it also looks at ethical considerations. This can include the monitoring and measurement of ethical risks such as AI bias and discrimination. It also looks at societal, legal and reputational risks, as one of ISO 42001's key values is creating trust within the AI space.

[10:10] Other key differences between ISO 27001 and ISO 42001: Besides their subject matter, another key difference is the way objectives are framed and evaluated. In ISO 42001 these objectives have to be aligned with the Annexes within the Standard, which is something not commonly done when implementing ISO 27001. ISO 42001 also requires an 'AI Impact Assessment', which again aligns with the system's objectives, as the results of the AI Impact Assessment will describe the ...