ADAPTING EXISTING PRACTICES FOR ISMS-CERTIFIED ORGANIZATIONS IN SUPPORT OF RESPONSIBLE AI

Authors

  • David Lau Keat Jin Faculty of Artificial Intelligence, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Ganthan Narayana Samy Faculty of Artificial Intelligence, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Fiza Abdul Rahim Faculty of Artificial Intelligence, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Mahiswaran Selvananthan Faculty of Social Sciences and Humanity, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Nurazean Maarop Faculty of Artificial Intelligence, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Mugilraj Radha Krishnan Faculty of Artificial Intelligence, Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
  • Sundresan Perumal Faculty of Science and Technology, Universiti Sains Islam Malaysia, 71800 Nilai, Negeri Sembilan, Malaysia

DOI:

https://doi.org/10.11113/aej.v16.23881

Keywords:

Artificial Intelligence, ISMS, Risk Management, Responsible AI, Framework

Abstract

Prior to the adoption of Artificial Intelligence (AI), organizations may be required to comply with certain industry standards to ensure customer confidence and interoperability of their products, which demands resource allocation and designated responsibilities. For Malaysian public offices certified under the Information Security Management System (ISMS), compliance with a new standard in support of Responsible AI would entail further resources and new reporting structures. Hence, this study proposes adapting the current practices of these organizations at the early stages of AI adoption. Ten sources, chosen for authenticity, credibility, representativeness, and meaning, provide the basis for the proposals, which cover context establishment, risk identification, risk prioritization, and a focus area for each control in Annex A of ISO/IEC 27001:2022. The results outline key actions to support Responsible AI; future research will focus on validating this framework in ISMS-certified settings.

Published

2026-03-01

Section

Articles