AI Audit plan leveraging ISO27001 to meet GDPR Compliance

IT auditors face real challenges in auditing AI, but there are solutions that can turn these challenges into successes. In this paper, the author presents an AI audit plan that leverages ISO27001 to meet GDPR Article 22 compliance.
Impact of AI in organizations
Organizations are incorporating AI into most of their business assets and processes.
Despite AI’s exponential rise and adoption in the business world, there is still no established regulatory and compliance framework for the AI design and implementation life cycle. A mature auditing framework that details AI sub-processes, AI-specific regulations, mandates, and standards would go a long way to help AI auditors. Adopted standards for handling AI use cases would give auditors a way to perform AI audits successfully.
Also, there is no audit process in place. This is probably related to the fact that AI stakeholders have not come up with a unanimous definition of AI, and there are no explicit standards for everyone to follow. This leaves room for subjective definition and implementation of AI. Researchers and industry experts have worked on some frameworks that provide guidance or serve as a springboard towards establishing AI standards. However, there are no standards yet. Organizations such as the UK ICO have been doing essential work in building a framework for AI.
This paper aims to contribute to the literature on AI audit and to the establishment of world-class standards. The focus is on using the author’s knowledge of AI algorithm design and ISO27001 to design an AI audit plan that meets GDPR Article 22 compliance.
This paper’s rationale is that individual pieces of work on the AI audit plan can be combined to form an entire audit plan. The author also believes that using an already established framework like ISO27001 and a regulation like GDPR will provide, respectively, a starting point (SP) and a target or ending point (EP) for an AI audit.
So, AI audit plan = AI design goal + explaining AI + ISO27001 = GDPR + AI algorithm
ISO 27001 is an international standard used to establish, implement, maintain, and continuously improve an Information Security Management System (ISMS). Its focus is to perform a risk assessment and then apply specific security controls to protect the organization’s critical information assets. Implementing ISO 27001 leads to a systematic Information Security Management System. The ISMS helps identify the system’s information security risks, its critical information, and the security controls to implement. Together, these help to create a security culture in the organization.
ISO 27001 comprises 11 main clauses (7 are mandatory) and 114 controls in Annex A (selected based on risk management results). ISO 27001 is an international standard that focuses on security.
Some essential requirements of ISO 27001
ISO 27001 has some critical requirements, including operations security, asset management, access control, information security incident management, business continuity, and human resource security.
Asset management
For asset management, organizations should maintain proper protection of their assets. This implies that organizations identify assets and classify information in terms of its legal requirements, value, sensitivity, and criticality. The organization should also document rules for the acceptable use of information (Annex A.8 controls).
Operations security
The A.12 controls address operations security. They outline the necessary operational procedures and responsibilities, such as change management, documenting operating procedures, and separating the development, testing, and operational environments.
Information security incident management
The A.16 controls delineate the rules for reporting IT security events and vulnerabilities, managing IT security incidents, and improving these processes. Organizations are expected to communicate security incidents so that a timely and effective response is possible.
Access control
The A.9 controls highlight the guidelines for controlling the use of data within the organization and preventing unauthorized access to network systems or services, operating systems, information processing facilities, storage systems, etc. This includes user access management rules, management of privileged access rights, user responsibilities, and system and application access control.
Human resource security
The A.7 controls require organizations to ensure that employees and contractors know and comply with their information security responsibilities. Organizations should provide staff members with awareness training and take proper disciplinary action against personnel who commit an information security breach.
Business continuity
The A.17 control family delineates the information security aspects of business continuity management. Organizations need to outline the requirements for information security management continuity in adverse situations. Organizations should also document and maintain security controls that preserve the required level of continuity, and check these controls frequently.
What is the GDPR?
The General Data Protection Regulation, GDPR, is a compliance standard that seeks to bolster data protection. It applies to all organizations, both inside and outside the EU, that store or process EU residents’ personal data. The standard went into force on May 25, 2018. The GDPR expands individuals’ rights over their personal data, mandates new methods of handling data such as data protection by design and by default, and imposes large penalties for violations. GDPR is a global standard that offers a strategic vision of how organizations need to ensure data privacy.
Some essential requirements of GDPR
The scope of data that needs protection under GDPR
GDPR protects a broad set of data. The data covered by GDPR include personally identifiable information (PII), personal health information (PHI), political opinions, biometric data, etc. (Articles 5–11).
Expanded rights of data subjects
Under Chapter 3 of GDPR, individuals are given rights that help them retain control over their data. Under this chapter, EU residents have the right to obtain information about whether their personal data is being processed (Article 15). Residents can transfer their data between service providers (Article 20) and object to the processing of their data (Article 21). The “right to be forgotten” (Article 17) is one of the most critical GDPR requirements: it empowers individuals to compel companies to remove their data from all systems. The GDPR is possibly the only compliance standard that places control of data in consumers’ hands and puts their interests first.
Explicit consent required for the use of data
Under Article 6 of the GDPR, organizations must get explicit consent from the individual to collect and use that individual’s data. To comply with this requirement, organizations must preserve documented evidence that permission was given and prove that all consent requests are clear and concise.
GDPR levies massive fines for non-compliance
Fines for compliance failures range from 2 to 4% of the company’s annual worldwide turnover or €10–20 million, whichever is higher. The most severe violations include accidental destruction, loss, change or transmission of personal data, and failure to show explicit data processing consent (Articles 83–84).
Stringent data breach notification regulations under GDPR
Under Article 33, data controllers must report data breaches to supervisory authorities within 72 hours of discovery. A company that fails to report will have to provide valid reasons for the delay.
The intersection of GDPR and ISO27001
We have seen (at a high level) the essential requirements of GDPR and ISO27001. Now, what features do these two have in common? The principal area where the two overlap is information security, particularly data protection. GDPR outlines data protection in Articles 5, 24, 25, 28, 30, and 32, and ISO27001 has corresponding rules. Essential requirements present in both standards include the CIA triad (data confidentiality, integrity, and availability).

There are differences between ISO27001 and GDPR. ISO27001 does not address the specific data privacy issues presented in GDPR Chapter 3. Data privacy matters not covered by ISO27001 include data portability, data subject consent, the right to be forgotten, the right to restrict processing, the right to object, and the international transfer of personal data.
Each company must design a plan that leverages ISO27001 to meet GDPR compliance while meeting its own business requirements. At the GRC Center for Intelligent Ecosystems, the analysts work with companies to build these plans. Dr. Celestin Ntemngwa is an analyst at the GRC Center for Intelligent Ecosystems.