View all detail and faqs for the ISO-IEC-42001-Lead-Auditor exam
What should an auditor do to evaluate the auditee’s conformity to control A.9 Use of AI systems?
While preparing for an AIMS audit, a technology company faced an issue with the auditor assigned by the certification body. The auditor lacked a security clearance, which is mandatory for accessing certain sensitive information involved in the audit due to the company's government contracts and proprietary technology. The company requested to replace the auditor with someone who meets the security requirements to ensure the audit can proceed without compromising sensitive information or violating government regulations. Is this acceptable?
Question:
Which of the following statements regarding the organization's requirement to address risks and opportunities based on ISO/IEC 42001 is correct?
Which among the following is NOT a core element of AIMS?
Based on Scenario 6, which aspect of assigning roles and responsibilities to the audit team is incorrect?
Scenario 6: AfrinovAl, based in Nairobi, Kenya, develops Al tools to improve agriculture in Africa. The company uses Al to address challenges faced by African farmers,
offering tools for analyzing satellite images to monitor crop health, predicting pest and disease outbreaks, and automating irrigation to use water more efficiently.
AfrinovAl has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001, reflecting its commitment to ethical and effective
management practices in its Al solutions.
AfrinovAl is undergoing a certification audit to obtain certification against ISO/IEC 42001. Samuel, an expert in Al technologies and management systems, is heading
the audit team. Before initiating the audit process, Samuel reviewed and approved the audit plan, which served as a basis for the agreement between the certification
body and the auditee.
During the stage 1 audit, the audit team focused on a detailed evaluation of AfrinovAI's documented information, critically assessing both their format and content.
Samuel held a meeting with his team to prepare for the stage 2 audit. During this meeting, responsibilities were allocated among team members, assigning specific
processes, functions, sites, areas, or activities based on each auditor's expertise and the audit requirements. He also assigned auditing roles to technical experts to
leverage their specialized knowledge in specific areas.
In the stage 2 audit, Samuel and his team held an opening meeting during which Samuel explained how the audit activities will be undertaken. AfrinovAI's also
participated in the meeting. Afterward, the audit team conducted on-site activities to closely inspect the physical locations of the audited processes. The interviewed
individuals from the auditee's personnel regarding the AIMS and observed some of the operations of the auditee. They also used sampling and technical verification to
assess the implementation of Al-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements. They
skipped the review of documented information related to the AIMS since some documents had already been reviewed during the stage 1 audit. This comprehensive
approach ensured a thorough evaluation of AfrinovAI's AIMS against the ISO/IEC 42001.
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Based on Scenario 9, what should Securisai’s certification be?
Why is it important to have a clear and agreed audit scope?
A few months after an audit, the auditor returns to the company to verify that corrective actions have been effectively implemented and that the issues identified have been resolved. Which step of the management system audit process does this activity correspond to?
What is one of the key objectives of conducting an audit according to ISO 19011?
Which aspect of the previous certification of VeridicAI is NOT correct? Refer to scenario 8.
Scenario 8: VeridicAI. based in San Francisco. USA, specializes in market research using Al technologies to analyze customer behavior. Founded in 2023, the company
employs natural language processing, machine learning, and predictive analytics to provide real time insights to a range of businesses. VeridicAI has implemented an
artificial intelligence management system AIMS based on ISO/IEC 42001 to manage its Al technologies effectively. The AIMS scope includes select departments within
the company, for which it has received a four-year certification against ISO/IEC 42001. Committed to transparency. VeridicAI publicly shares details of this certification.
As the certification nears its end, VeridicAI is preparing for an audit to renew its certification.
The audit process was led by Sharona, the audit team leader, who is a full-time employee of the certification body. Sharona and the audit team undertook all planned
audit activities. Afterward, they organized the closing meeting with VeridicAl’s management. During the meeting, Sharona and the team made a recap on audit
objectives and scope, presented the audit findings and conclusions, presented identified nonconformities, and organized a session for questions and answers for the
auditee.
VeridicAI received a conditional recommendation for certification, underscoring its compliance with the industry's standards. Sharona confirmed that the company met
the essential requirements but noted some identified minor nonconformities. In response, VeridicAI compiled and submitted a comprehensive action plan that
addresses all identified nonconformities within a designated timeframe. Because of the comprehensive action plan, Sharona did not see the need for an additional on-
site visit to verify the effectiveness of the action plan.
Sharona played an integral role in the certification decision process. Her thorough understanding of VeridicAI's operations, gained from the audit, guided the
certification body towards a well-informed certification decision.
