Question:
A software development company values collaborative decision-making. The CEO often gathers input from employees but retains final decision authority.
Which type of leadership does the CEO most closely embody?
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries.Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyzevast amounts of data for insights, improve recruitment and talent management strategies, and personalize employeeexperiences, thecompany has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a frameworkfor defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented thepolicy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, theyensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, andfacilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Alperformance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria andimplemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement.Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure theintegrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using aversioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to makechanges was restricted to authorized personnel, and any proposed modifications required approval from the designated managementteam before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established acomprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it isnecessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance onimplementing controls and, ultimately, produced a Statement of Applicability SoA. The SoA contained the necessary controls, including allthe controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company'srequirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensuredobjectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
Does the company's implementation of version control practices for documented information align with the requirements of ISO/IEC 42001?
Question:
Who is responsible for reviewing the corrections, identified causes, and corrective actions of the auditee?
Auditors use the ______ as a benchmark to determine conformity.
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Based on Scenario 1, what category of AI systems did Future Horizon Academy utilize?
Question:
Which of the following should be considered when determining the feasibility of the audit?
Question:
During which phase of the certification process is confirmation of registration performed?
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formalrequest, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Based on Scenario 9, what should Securisai’s certification be?
The process to assess the potential consequences for individuals or groups of individuals, or both, and societies that can result from the AI system throughout its life cycle is known as:
Scenario 9:
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
During an AIMS audit at a cybersecurity company, the team found a major nonconformity — ineffective access controls for sensitive data.
Question:
Given this situation, what is the appropriate next step?
What is the main goal of the 'Transparency and Explainability' core element in AI?
Scenario 6:
Scenario 6: HappilyAI is a pioneering enterprise dedicated to developing and deploying artificial intelligence Al solutions tailored toenhance customer service experiences across various industries. The company offers innovative products like virtual assistants,predictive analytics tools, and personalized customer interaction platforms. As part of its commitment to operational excellence andinnovation, HappilyAI has implemented a robust Al management system AIMS to oversee its Al operations effectively. Currently.HappilyAI is undergoing a comprehensive audit process of its AIMS to evaluate its compliance with ISO/IEC 42001.
Under the leadership of Jess, the audit team began the audit process with meticulous planning and coordination, setting the groundworkfor the extensive on-site activities of the stage 1 audit. This initial phase was marked by a comprehensive documentation review. Theaudit scope encompassed a critical review of HappilyAI's core departments, including Research and Development (R&D), CustomerService, and Data Security, aiming to assess the conformity of HappilyAI's AIMS to the requirements of ISO/IEC 42001.
Afterward, Jess and the team conducted a formal opening meeting with HappilyAI to introduce the audit team and outline the auditactivities. The meeting set a collaborative tone for the subsequent phases, where the team engaged in information collection, executedaudit tests, identified findings, and prepared draft nonconformity reports while maintaining a strict quality review process.
In gathering evidence, the audit team employed a sampling method, which involved dividing the population into homogeneous groups toensure a comprehensive and representative data collection by drawing samples from each segment. Furthermore, the team employedobservation to deepen their understanding of the Al management processes. They verified the availability of essential documentation,including Al-related policies, and evaluated the communication channels established for reporting incidents.
Additionally, they scrutinized specific monitoring tools designed to track the performance of data acquisition processes, ensuring thesetools effectively identify and respond to errors or anomalies. However, a notable challenge emerged as the team encountered a lack ofaccess to documented information that describes how tasks about AIMS are executed. In addition to this, the team identified a potentialnonconformity within the Sales Department. They decided not to record this as a nonconformity in the audit report but onlycommunicated it to the HappilyAI's representatives.
During the stage 2 audit, the certification body, in collaboration with HappilyAI, assigned the roles of technical experts within the auditteam. Recognized for their specialized knowledge and expertise in artificial intelligence and its applications, these technical experts aretasked with the thorough assessment of the AIMS framework to ensure its alignment with industry standards and best practices,focusing on areas such as data ethics, algorithmic transparency, and Al system security.
Question:
Which level of documented information could the audit team NOT access?
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries.Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyzevast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, thecompany has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a frameworkfor defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented thepolicy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, theyensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, andfacilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Alperformance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria andimplemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement.Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure theintegrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using aversioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to makechanges was restricted to authorized personnel, and any proposed modifications required approval from the designated managementteam before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established acomprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it isnecessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance onimplementing controls and, ultimately, produced a Statement of Applicability SoA. The SoA contained the necessary controls, including allthe controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company'srequirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensuredobjectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
Based on Scenario 2, has Empsy HR Solutions established a suitable internal audit program?
An audit team member is tasked with evaluating a sophisticated AI system used for autonomous driving. They lack the necessary expertise but proceed without consulting a specialist. Which principle is being neglected in this scenario?
A retail company wants to implement a system that can predict customer buying behavior based on their browsing history and past purchases. Which AI concept would be most suitable for developing this predictive system?
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Prior to the certification audit, the institution conducted an internal audit and management review. Is this acceptable?
Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by usingadvanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS basedon ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leaderdespite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills
and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team ofseven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whetherphysical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition hadbeen defined, the certification body provided the audit team leader with extensive information, including the audit objectives anddocumented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the auditactivities to be conducted. The team leader also received information needed for evaluating and addressing identified risks andopportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initialcontact. The initial contact aimed to confirm thecommunication channels, establish the audit team's authority to conduct the audit, andsummarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. Duringthis first meeting, Robertemphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides orinterpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issuesand finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-relateddata governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management,proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governancepractices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the auditbased on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 5, did the certification body provide all the necessary information to conduct the audit to the audit team leader?
Question:
Which of the following are the core functions of the NIST AI Risk Management Framework that help with addressing AI risks in practice?
Scenario 7:
Scenario 7: ICure, headquartered in Bratislava, is a medical institution known for its use of the latest technologies in medical practices. Ithas introduced groundbreaking Al-driven diagnostics and treatment planning tools that have fundamentally transformed patient care.
ICure has integrated a robust artificial intelligence management system AIMS to manage its Al systems effectively. This holisticmanagement framework ensures that ICure's Al applications are not only developed but also deployed and maintained to adhere to the
highest industry standards, thereby enhancing efficiency and reliability.
ICure has initiated a comprehensive auditing process to validate its AIMS's effectiveness in alignment with ISO/IEC 42001. The stage 1audit involved an on-site evaluation by the audit team. The team evaluated the site-specific conditions, interacted with ICure's personnel,
observed the deployed technologies, and reviewed the operations that support the AIMS. Followingthese observations, the findings weredocumented and communicated to ICure. setting the stage for subsequent actions.
Unforeseen delays and resource allocation issues introduced a significant gap between the completion of stage 1 and the onset of stage2 audits. This interval, while unplanned, provided an opportunity for reflection and preparation for upcoming challenges.
After four months, the audit team initiated the stage 2 audit. They evaluated AIMS's compliance with ISO/IEC 42001 requirements, payingspecial attention to the complexity of processes and their documentation. It was during this phase that a critical observation was made:
ICure had not fully considered the complexity of its processes and their interactions when determining the extent of documentedinformation. Essential processes related to Al model training, validation, and deployment were not documented accurately, hinderingeffective control and management of these critical activities. This issue was recorded as a minor nonconformity, signaling a need forenhanced control and management of these vital activities.
Simultaneously, the auditor evaluated the appropriateness and effectiveness of the "AIMS Insight Strategy," a procedure developed by
ICure to determine the AIMS internal and external challenges. This examination identified specific areas for improvement, particularly in
the way stakeholder input was integrated into the system. It highlighted how this could significantly enhance the contribution of relevant
parties in strengthening the system's resilience and effectiveness.
The audit team determined the audit findings by taking into consideration the requirements of ICure, the previous audit records and
conclusions, the accuracy, sufficiency, and appropriateness of evidence, the extent to which planned audit activities are realized and
planned results achieved, the sample size, and the categorization of the audit findings. The audit team decided to first record all the
requirements met; then they proceeded to record the nonconformities.
Based on the scenario above, answer the following question:
Question:
Which phase of the Stage 1 audit was NOT conducted by the audit team?
Question:
For which of the following activities are certification bodies responsible?
What type of evidence is an external audit report?
Which among the following core concepts of Artificial Intelligence uses artificial neural networks inspired by the human brain to process complex data like images, text, and speech?
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from onecertification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
What type of audit is described in the last paragraph of Scenario 9?
Which control in Annex A emphasizes the importance of security measures in AI system operations?
Question:
Which of the following examples depicts frequent analysis?
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment servicesto its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into thebank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, orunethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would eitherconfirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review ofselected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure,focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated intoArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customerservice in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMSlife cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’soperational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between thetwo parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed thecompany's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are inplace with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case ofexpected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 3, which of the following AI technologies did Audrey employ to assess the efficiency of the bank's digital infrastructure?
Scenario 8 (continued):
Scenario 8:
Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions andcommitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting,covering both mobile apps and web development. Recently, the company underwent an audit to evaluate the effectiveness and
compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.
The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating theevidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.
Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccuratelyreflecting the efficiency of their software development processes. In response, the company provided new evidence and additionalinformation to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit teamleader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, thecertification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.
InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from theaudit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering acollaborative effort between the auditors and InnovateSoft.During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the auditevidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findingswere discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities,including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was
communicated, emphasizing urgency. Insights into the certification body’s post-audit activities were provided, ensuring ongoing support.
Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.
InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the correctiveactions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days setby the certification body, arriving three days later. InnovateSoft explained this by attributing the delay to unexpected challengesencountered during the compilation of the action plans.
InnovateSoft received minor nonconformities. After the closing meeting, the audit team leader suggested solutions for resolving the nonconformities, at the request of the auditee.
Question:
Was the audit team leader’s decision to suggest solutions for the identified nonconformities acceptable?
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment servicesto its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into thebank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, orunethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would eitherconfirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review ofselected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure,focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated intoArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customerservice in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMSlife cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’soperational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between thetwo parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed thecompany's processes for monitoring the quality of outsourced operations, determined whether appropriate governanceprocesses are inplace with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case ofexpected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Did Audrey conduct the audit process for the outsourced operation correctly? Refer to Scenario 3.
What is the purpose of conducting an opening meeting in the audit process?
A social media platform wants to automatically detect and remove inappropriate content from images and videos uploaded by users. Which AI concept is most appropriate for this task?
Which among the following is NOT a level of AI?
Scenario 9:
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Roger followed up on action plans resulting from external audits. Is this acceptable?
Which among the following is NOT a core element of AIMS?
Which core element of AIMS is defined as: “Organizations are responsible for the development, deployment, and use of AI systems, and their potential impacts”?
Question:
Which of the following describes a joint audit?
Question:
A multinational technology corporation has initiated an audit process to assess compliance with ISO/IEC 42001. The audit team drafted an audit schedule after the initiation of the audit.
Which aspect of the audit schedule prepared by the audit team is NOT correct?