Alright, I know that headline will raise eyebrows. Before you suggest it’s clickbait, let’s break this down together.
As you may know, ISO released a new standard on “Artificial Intelligence Management Systems” called ISO 42001:2023. The standard was rushed to publication and then — even worse — rushed to the certification bodies (CBs), who are already offering certification to the standard even though normative references in the standards are still in draft and haven’t been formally published.
Beyond that, though, ISO 42001 is problematic for a number of reasons, which I will go into in future articles. The first and possibly biggest problem is that ISO 42001 was not written with any real insight into AI but instead was a rushed copy-and-paste of the ISO 27001 standard on Information Security Management Systems (or, more crudely, cybersecurity).
AI is Not Cybersecurity
To get ISO 42001 to print fast, the committee that wrote 42001 (the “Joint Technical Committee ISO/IEC JTC 1” on information technology, specifically Subcommittee SC 42 on AI) took the ISO 27001 standard and copied it for their own work product. Pause on that thought.
The 42001 standard, like ISO 27001, is broken roughly into two main parts: the body, which contains requirements, and then a set of Annexes that provide specific “controls.” The JTC1 group seems to have spent some time on the controls part, but nearly none at all on the requirements, relying instead on language that had been developed specific to the cybersecurity field.
I suspect I will be saying this a lot in the coming years, so get ready for “Chris Paris to have another dead horse to beat”: AI is not cybersecurity. There are overlaps, yes, but the two are entirely different industries, professions, fields of study, and disciplines. However, the usual suspects (underqualified private consultants who then dominate ISO committees) have started rebranding themselves as overnight experts in AI, using prior cybersecurity credentials to do so. Because the average person doesn’t understand either cyber or AI, they get away with it. This is a problem because AI will desperately need regulations and standards, and if the standards are written by people who think AI and cybersecurity are the same thing, we are off on the wrong foot.
And, yes, it’s ironic that a standard covering a subject (AI) being highly criticized for plagiarism has relied on plagiarism to get published.
Here’s why this is important: the ISO 42001 standard will be enshrined in laws, at least in Europe. The European Commission will, as it has done with other ISO standards, incorporate it as an “EN 42001” standard and publish it in the Official Journal of EU standards, thus tying it into the new AI Act. The EC has not done due diligence on the development of ISO 42001, and — as always — just blindly trusts ISO standards. So any problems within ISO 42001 are about to get much, much worse when folks rely on it to comply with Europe’s AI Act.
Those of you outside the EU will not escape, either. The AI Act will tie into the CE Mark requirements, so any AI products will have to be certified or they won’t be allowed to be sold in the EU. That applies to everyone, in every country.
More Fallout
One of the problems with the copy-and-pasting of ISO 27001 into ISO 42001 is that the standard then borrows the “positive risk” nonsense that has infected so many ISO standards. ISO 42001, like 27001, suggests you analyze risk based on two factors: consequence and likelihood. This was the old approach used when risk was (rightly) understood as being solely negative. You would work to mitigate risks by reducing the likelihood the risk would occur, and then reducing the harm caused by any consequences. When ISO adopted “positive risk,” it created another conundrum: it has you mitigating opportunities. But you don’t “mitigate” opportunities; instead, you work to increase the likelihood of the opportunity and then work to increase the benefits that might result. The math between risk and opportunity is backward because they are opposites. But now, thanks to 42001 copying 27001, AI companies will create a “risk matrix” that is designed to rank and manage harms and then blindly apply it to benefits. It makes no sense.
It appears the “positive risk” theory was created by a single consultant who published his own papers on the subject without peer review. That later got incorporated into the PMI’s PMBOK, which was then cribbed for certain Australian Standards, which were then converted into full ISO standards (ISO Guide 73 and ISO 31000). This then was carried over to Annex SL, affecting all ISO management system standards, which ended up in ISO 27001. By copying that standard, it now appears — again — in ISO 42001.
So we see this “cribbing” of someone else’s material going back for some time now, and when we research the original source, we find it was dubious at best. Not peer-reviewed. (I’m still researching that, so I have not published my own findings yet, but I should have something soon.)
This dilutes the impact of ISO 42001, cripples its usefulness, and adds suspicion to the idea that a company can get certified to it.
Plagiarism, Though?
But is it all plagiarism?
Technically, yes. There are two types of plagiarism: illegal and unethical. From Cornell University’s Legal Information Institute:
Plagiarism is the act of taking a person’s original work and presenting it as if it was one’s own. Plagiarism is not illegal in the United States in most situations. Instead it is considered a violation of honor or ethics codes and can result in disciplinary action from a person’s school or workplace. However, plagiarism can warrant legal action if it infringes upon the original author’s copyright, patent, or trademark.
ISO has already set a precedent that allows copy-and-pasting from one standard to another, but only in the context of the “Core Text” defined in Annex SL. That, by ISO’s own rules, must be included in every management system standard. So, it makes sense that the Core Text will appear in each standard.
However, ISO rules don’t necessarily allow for copying non-core text from one standard to another because ISO rules say that standards are to be relevant to the subject matter and written by subject matter experts. Taking text from a cybersecurity standard means that (a) ISO 42001 was not written by AI subject matter experts and (b) the content is not relevant to AI management systems.
Now, ISO owns the sole copyright for its standards. So, can a publishing company “plagiarize” content from one of its books for another one? Legally, the answer is, “yes.” They haven’t broken any laws.
But ISO pretends to be a nongovernmental organization (NGO) — even though it legally isn’t — and also pretends to operate in accordance with principles and ethics defined in the World Trade Organization’s “Technical Barriers to Trade” (TBT) regulations. Ethics and credibility are crucial for ISO to be taken seriously.
What ISO has done here absolutely constitutes unethical plagiarism, even if they are unlikely to sue themselves for legal violations.
The ISO 27001 / 42001 trick meets the definition of plagiarism, whether or not it lands in court. The material was taken from one work, used without permission (of the original authors), and then put into a second work without any attribution to the original authors. For any standards body other than ISO, this should have been a huge ethical red flag. Serious professional and ethical lines were not only crossed but obliterated. As an international organization whose work products are then incorporated into laws and affect entire economies, ISO should be obsessively concerned with the ethics of its work.
But ISO has no ethics, obeys no rules, and ignores all international laws. It is a commercial publishing company that has carved out a unique space in the world to make itself supralegal, largely because governments are too lazy to care. ISO simply does not care about ethics or legality; it just wants to get documents published on its portal as quickly as possible so it can start making money. The rushed nature of ISO 42001’s development and publication proves this yet again.
It should not be tolerated, but no one wants to do what ISO does, so nations of the world are willing to let ISO run roughshod over professional ethics and decency. If they didn’t, nations would have to write their own standards, and — as I said — governments are simply too lazy for such things.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world