
HLS structure within ISO-IEC 42001

MD, AI and Cybersecurity

Introduction

The HLS structure was introduced by the International Organization for Standardization (ISO) to give management system standards a uniform structure and similar basic content. Articles 4 to 10 can be gathered in a Plan-Do-Check-Act (PDCA) template. The goal is to improve the alignment of the different ISO standards by means of a structure shared across standards.


ISO 13485 is currently not under the HLS, but changes are coming... ISO-IEC 42001 and ISO 27001 are following the HLS structure.



The HLS structure is based on Annex SL / Appendix 2 of the ISO/IEC Directives, Part 1 – Consolidated ISO Supplement – ISO-specific procedures. https://www.iso.org/committee/54996.html?t=-Duqtv8H-DoUiDQTNCpLN0UhREpjaZ130Orwm4_WLY97n2yln9bslL_OpNRJZCit&view=documents#section-isodocuments-top


High Level Structure and the PDCA cycle

The HLS structure is based on 10 chapters:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement


The first 3 chapters are general and contain no requirements.

The 7 following chapters are based on the PDCA cycle (Plan-Do-Check-Act). They are assigned to the different PDCA phases:

  • Plan: Chapters 4, 5 and 6
  • Do: Chapters 7 and 8
  • Check: Chapter 9
  • Act: Chapter 10



Example of norms already following HLS structure

  • ISO-IEC 27001 : Information security, cybersecurity and privacy protection; HLS from 2013 release
  • ISO 9001: Quality management systems; HLS from 2015 release
  • ISO 14001: Environmental management; HLS from 2015 release
  • ISO-IEC 17025: General requirements for the competence of testing and calibration laboratories; HLS from 2017 release
  • ISO 45001: Occupational health and safety management systems; HLS from 1st release (2018)
  • ISO-IEC 42001: Information technology - Artificial intelligence - Management system; HLS from 1st release (2023)

Below we have drawn the example of the HLS structure for the standard ISO-IEC 42001:




Advantage of the HLS structure

The objectives of the HLS structure are to:

  • Provide a common set of requirements that is consistent across standards.
  • Make the requirements easier to read by structuring them according to the principle of continuous improvement (PDCA).
  • Improve performance by understanding the overall context of the organization and the expectations of interested parties.
  • Emphasize the management of risks and opportunities.
  • Manage changes within increasingly complex environments.


High level description of the chapters within the HLS structure

Chapter 1 – Scope (general purpose, out of the PDCA)

This chapter defines the scope: what the standard aims at and who the target of the standard is.


For example, in ISO-IEC 42001, the standard specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving an AI (artificial intelligence) management system within the context of an organization. It is applicable to any organization, regardless of size, type and nature, that provides or uses products or services that utilize AI systems.


Chapter 2 – Normative references (general purpose, out of the PDCA)

This chapter contains the list of dated standards that are necessary for the implementation of the relevant standard.


For example, ISO-IEC 42001 refers to “ISO/IEC 22989:2022, Information technology — Artificial intelligence — Artificial intelligence concepts and terminology” for the principles and vocabulary used in the standard.


Chapter 3 – Terms and definitions (general purpose, out of the PDCA)

This chapter lists the definitions that are useful for understanding and applying the standard. It includes basic common terms (e.g. organization, interested party, top management, nonconformity, etc.) and specific terms for the field under consideration.


For example, ISO-IEC 42001 lists terms like information security, AI system impact assessment, data quality or statement of applicability, etc. Many more are defined in ISO/IEC 22989.



Chapter 4 – Context of the organization

This chapter is related to planning within the PDCA. It defines what an Organization is with regard to the standard, in which Context this organization evolves, and lists the Stakeholders (legal context, applicable standards, suppliers, customers, etc.).


The goal is to get a high level view of the context that will help define the scope of the management system.


For example, ISO-IEC 42001 lists the different roles an organization can have with respect to AI systems (e.g. AI providers, AI producers, AI customers, AI partners, AI subjects, relevant authorities, etc.).

ISO-IEC 42001 also lists considerations related to the external and internal contexts, such as: applicable legal requirements; policies, guidelines and decisions from regulators that have an impact on the interpretation, incentives or consequences associated with the intended purpose and the use of AI systems; culture, traditions, values, norms and ethics with respect to the development and use of AI; the competitive landscape and trends for new products and services using AI systems; the intended purpose of the AI system; etc.

ISO-IEC 42001 then focuses on understanding the needs and expectations of interested parties, and finally asks the organization to determine the scope of the AI management system.



Chapter 5 – Leadership

This chapter is related to planning within the PDCA. It will define the leadership notions, around commitment to achieve the goals, the objectives themselves, and resources management to reach the goals. The commitment will be communicated and recorded through the organization policy.


This chapter emphasizes the role of Leadership and its commitment. Management sets the policy, and ensures the availability and the quality of the resources. Leadership promotes the management system and ensures its proper implementation within the organization.


For example, ISO-IEC 42001 will broach:

  • Leadership and commitment,
  • AI policy, and
  • Roles, responsibilities and authorities



Chapter 6 – Planning

This chapter is related (obviously) to planning within the PDCA. It will define the Objective notions, characterize the Risks and Opportunities, and Actions to implement to reach the goals.


The organization plans the objectives and also the actions implemented to address the risks and opportunities. Planning requires defining what has to be done, the resources needed to reach the goals, responsibilities, deadlines, and the criteria for evaluating effectiveness.


For example, ISO-IEC 42001 will broach:

  • Actions to address risks and opportunities
  • AI objectives and planning to achieve them
  • Planning of changes



Chapter 7 – Support

This chapter is related to do (implementation) within the PDCA. It will define the notions of Competence (knowledge and know-how), Communication (internally and externally) and Documented information (recorded, controlled and maintained).


Resources are described in chapter 5 and can be of many kinds. In the case of human resources, the competencies must be defined and proven. The chapter emphasizes the awareness and the involvement of the employees.


For example, ISO-IEC 42001 will broach:

  • Resources
  • Competence (determine the necessary competence, ensure that these persons are competent on the basis of appropriate education, training or experience; and where applicable, take actions to acquire the necessary competences)
  • Awareness (AI policy, consequences of not conforming to the AI management system requirements, etc.)
  • Communication (what, when, with whom, and how to communicate)
  • Documented information



Chapter 8 – Operation

This chapter is related to do (implementation) within the PDCA. It will define the notions of Process (inputs to produce outputs) and Criteria.


The activities of the organization are broken down into processes (internal and external) on which criteria are placed. This chapter lists the numerous requirements on the Operation of the organization, and is deeply related to the topic of the standard.


For example, ISO-IEC 42001 develops requirements around AI, AI risk assessment and treatment, and AI impact assessment.



Chapter 9 – Performance evaluation

This chapter is related to check (evaluation) within the PDCA. It will define the notions of Management review and Internal audit.


Activities of monitoring, measurement, analysis, and evaluation (what, when, how) are defined by the organization. Internal audits are planned and performed to assess the effectiveness of the management system. Management meetings allow management to review the management system, focusing on the organization’s issues, performance, actions, etc.


For example, ISO-IEC 42001 will broach:

  • Monitoring, measurement, analysis and evaluation (what needs to be monitored, when to monitor, and when to evaluate the results)
  • Internal audit (planning and performing the audits)
  • Management review



Chapter 10 – Improvement

This chapter is related to act (improvement) within the PDCA. It will define the notions of Nonconformity, Corrective action and Continual improvement.


The organization shall control, correct and deal with the consequences of nonconformities. The organization shall take corrective actions to prevent the nonconformity from recurring. The organization shall be committed to continual improvement.


For example, ISO-IEC 42001 will broach:

  • Continual improvement
  • Nonconformity and corrective action (react, evaluate, implement any action needed, review the effectiveness, etc.)



Conclusion

ISO-IEC 42001 is built on the HLS system. ISO 13485 is not yet following the HLS system. How can your organization marry both standards? CSDmed is already trained in the new ISO-IEC 42001 requirements and can help you build an Integrated Management System combining ISO 13485 and ISO-IEC 42001.


CSDmed brings its expertise and a methodical approach to its clients (start-ups, manufacturers, importers and distributors of medical devices), thanks to a team of specialized experts and consultants who are able to address ISO-IEC 42001 for AI Management in its entirety and to take into account the future requirements of the AI Act.


🔗 Contact us and find out how we can help you.