ISO 42001 Alignment and AI Management System Certification

Level 4: AI Transformation Leader | Module M4.3: Cross-Organizational Governance and Policy Harmonization | Article 2 of 10 | Version 1.0 | Last reviewed: 2025-01-15 | Open Access

COMPEL Certification Body of Knowledge — Module 4.3: Cross-Organizational Governance and Policy Harmonization



ISO/IEC 42001:2023 — Artificial Intelligence Management System (AIMS) — is the first international standard for establishing, implementing, maintaining, and continually improving an AI management system. Published by the International Organization for Standardization and the International Electrotechnical Commission, it provides a certifiable framework for the responsible development and use of AI. For the EATP Lead, ISO 42001 is simultaneously a governance requirement to satisfy, a legitimacy credential to obtain, and a structural framework to integrate with COMPEL's transformation methodology.

Understanding ISO 42001

ISO 42001 follows the High-Level Structure (HLS) common to all modern ISO management system standards (ISO 9001, ISO 14001, ISO 27001, ISO 45001). The HLS provides a consistent structure organized into ten clauses:

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the Organization: Understanding the organization's context, stakeholders, and the scope of the AIMS
  5. Leadership: Leadership commitment, AI policy, roles and responsibilities
  6. Planning: Risk assessment, objectives, and planning for the AIMS
  7. Support: Resources, competence, awareness, communication, and documentation
  8. Operation: AI system lifecycle management, AI risk assessment and treatment, data management
  9. Performance Evaluation: Monitoring, measurement, analysis, evaluation, internal audit, management review
  10. Improvement: Nonconformity, corrective action, continual improvement

ISO 42001 extends the HLS with AI-specific requirements organized in two normative annexes:

Annex A provides AI controls and control objectives — 39 controls across nine categories that address AI policy, organizational roles, risk management, data management, system lifecycle management, third-party management, monitoring, and documentation.

Annex B provides implementation guidance for the controls in Annex A.

COMPEL-ISO 42001 Alignment

The EATP Lead designs the alignment between COMPEL and ISO 42001 at three levels:

Structural Alignment

COMPEL's 18-domain maturity model maps comprehensively to ISO 42001's requirements and controls. The EATP Lead establishes a formal mapping that demonstrates how an organization implementing COMPEL at mature levels simultaneously satisfies ISO 42001 requirements:

| ISO 42001 Clause/Control Category | COMPEL Domains | Alignment Notes |
|---|---|---|
| Clause 4 — Context of the Organization | Domains 1-2 (Strategy, Leadership) | COMPEL's Calibrate stage assessment addresses organizational context |
| Clause 5 — Leadership | Domains 1-3 (Strategy, Leadership, Culture) | COMPEL's leadership and cultural maturity directly support the leadership clause |
| Clause 6 — Planning | Domains 14-16 (Risk, Ethics, Compliance) | COMPEL's governance domains address AI risk assessment and treatment |
| Clause 7 — Support | Domains 4-5 (Talent, Literacy) | COMPEL's people domains address competence and awareness |
| Clause 8 — Operation | Domains 8-13 (Process, Technology) | COMPEL's process and technology domains cover the AI system lifecycle |
| Clause 9 — Performance Evaluation | Domain 17 (Performance) | COMPEL's measurement domain addresses monitoring and evaluation |
| Clause 10 — Improvement | Domain 18 (Learning) | COMPEL's learning domain addresses continual improvement |

Process Alignment

COMPEL's lifecycle stages align with ISO 42001's management system lifecycle:

Calibrate aligns with Clauses 4 and 6 — understanding the organizational context and planning the management system. The maturity assessment provides the contextual understanding that ISO 42001 requires.

Organize aligns with Clauses 5 and 7 — establishing leadership commitment, defining roles, and provisioning resources. COMPEL's organizational design work directly produces the organizational structures that ISO 42001 demands.

Model aligns with Clause 8 — designing the AI system lifecycle management processes. COMPEL's target state design includes the operational processes that ISO 42001 requires for AI system development and deployment.

Produce aligns with Clause 8 — executing the AI system lifecycle. COMPEL's execution governance ensures that AI systems are developed and deployed in compliance with ISO 42001 operational requirements.

Evaluate aligns with Clause 9 — monitoring, measuring, and evaluating AI system performance and management system effectiveness. COMPEL's evaluation methodology provides the measurement framework that ISO 42001 requires.

Learn aligns with Clause 10 — identifying nonconformities, taking corrective action, and driving continual improvement. COMPEL's learning stage directly addresses ISO 42001's improvement requirements.

Control Alignment

The EATP Lead maps each of ISO 42001's Annex A controls to specific COMPEL governance practices:

AI Policy Controls: COMPEL's governance framework produces the AI policies — ethical AI principles, data governance policies, model governance standards — that ISO 42001 requires.

AI System Impact Assessment: COMPEL's maturity assessment methodology provides the impact assessment capability that ISO 42001 demands. The EATP Lead extends the assessment to specifically address the impact categories that ISO 42001 defines.

Data Management Controls: COMPEL's data governance practices (Domain 11) address the data management controls in Annex A — data quality, data provenance, data bias assessment, and data lifecycle management.

Third-Party Management Controls: COMPEL's ecosystem governance practices address the third-party management controls — ensuring that AI systems developed or operated by third parties meet the organization's AI governance standards.

The Certification Journey

The EATP Lead guides organizations through the ISO 42001 certification journey, leveraging COMPEL's existing governance capabilities:

Gap Assessment

The EATP Lead conducts a gap assessment that compares the organization's current AI governance practices (as documented through COMPEL's maturity assessment) against ISO 42001 requirements. This gap assessment identifies the specific areas where additional governance controls, documentation, or processes are needed to achieve certification.

Organizations at COMPEL Maturity Level 3 (Defined) or above in governance domains will typically have most ISO 42001 requirements already addressed. The primary gaps are usually in formal documentation, internal audit processes, and management review cadences.

Implementation

The EATP Lead designs an implementation plan that closes the gaps identified in the assessment. Implementation activities typically include:

  • Developing formal AI policies and objectives (if not already documented through COMPEL)
  • Establishing AI risk assessment and treatment processes (extending COMPEL's risk governance)
  • Implementing AI system lifecycle documentation (extending COMPEL's process governance)
  • Establishing internal audit capability for AI governance (new for most organizations)
  • Instituting management review processes for AI governance (extending COMPEL's executive reporting)

Certification Audit

The EATP Lead prepares the organization for the two-stage certification audit conducted by an accredited certification body:

Stage 1 (Documentation Review): The auditor reviews the AIMS documentation to assess readiness for the Stage 2 audit. COMPEL's governance documentation — policies, procedures, assessment reports, governance records — provides the evidence base.

Stage 2 (Implementation Audit): The auditor assesses the implementation effectiveness of the AIMS through interviews, observations, and evidence review. COMPEL's governance practices — running governance boards, active risk management, functioning control processes — provide the operational evidence.

Surveillance and Recertification

After initial certification, the organization undergoes surveillance audits (typically annually) and recertification audits (typically every three years). COMPEL's continuous governance improvement processes ensure that the organization maintains and evolves its AI management system between audits.

Multi-Organization ISO 42001

In cross-organizational contexts, ISO 42001 presents particular challenges. Each organization in a multi-entity relationship may seek its own certification, but the shared AI activities must be governed consistently. The EATP Lead designs governance architectures that enable each organization to achieve and maintain its own ISO 42001 certification while ensuring that shared AI activities meet the governance requirements of all participating organizations.

This may involve:

  • Shared governance policies that satisfy the requirements of all participating organizations' AIMS
  • Mutual recognition of audit results and governance assessments
  • Joint governance reviews for shared AI activities
  • Coordinated improvement programs that address governance gaps identified across the partnership

The next article, Module 4.3, Article 3: NIST AI RMF Implementation at Enterprise Scale, addresses the integration with the NIST AI Risk Management Framework — the U.S. government's primary AI risk governance framework, increasingly adopted by private sector organizations globally.


© FlowRidge.io — COMPEL AI Transformation Methodology. All rights reserved.