How to handle artificial intelligence threats using ISO 27001

The impacts of artificial intelligence (AI) and machine learning threats on business can be massive. Malware, or the intentional input of misleading data into poorly designed or developed AI and machine learning systems, can lead to widespread data breaches or the dissemination of wholly inaccurate information. The ultimate result of incidents like these can be severe: legal proceedings, financial losses, increases in operational and insurance costs, damage to business competitiveness, and harm to organizational reputation.

To prevent, or at least minimize, the impacts of such incidents, organizations should consider implementing security controls; a good reference is the set of controls outlined in ISO 27001, the leading international standard on Information Security Management Systems.

Most common security controls for covering AI and machine learning security in ISO 27001:
  • A.5.9 Inventory of information and other associated assets
  • A.5.12 Information classification
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.19 Information security in supplier relationships
  • A.5.31 Legal, statutory, regulatory and contractual requirements
  • A.8.25 Secure development life cycle

AI and machine learning security threats

AI and machine learning security threats in the context of information security are potential causes of incidents that can endanger the confidentiality, integrity, or availability of information processed by AI systems or machine learning algorithms. They can be natural or man-made, deliberate or accidental.

Threats and information can be related through an asset-based risk assessment, which helps identify and prioritize situations where threats can compromise assets (e.g., AI systems, platforms, or infrastructure, and machine learning algorithms) that store or process information. Examples of AI and machine learning security threats include:

  • data theft
  • malicious use
  • use of biased or discriminatory information
  • defective models
  • breach of legal requirements
  • information disclosure
  • unintentional use of licensed materials
  • reverse engineering of AI/ML model (model extraction)
  • data or parameter inference (model inversion)
  • data poisoning
  • submission of distorted or deceiving training data (adversarial attack)

AI and machine learning security

AI and machine learning security refers to practices to protect data and secure AI and machine learning environments, enabling them to resist attacks and fulfill business and strategic objectives.

Examples of such practices are policies, procedures, and technologies related to information management, access control, and encryption — and ISO 27001 can be used as a guide to decide which of these security practices to use. See the next section for more details.

Addressing AI and machine learning security threats with ISO 27001

In simple terms, ISO 27001 is the ISO standard that describes how to manage information security in an organization, through the application of management practices and security controls. Several of these controls are equally applicable to the protection of information confidentiality, integrity, and availability in AI and machine learning environments.

Based on a risk assessment and treatment approach, and on the identification of applicable legal requirements (e.g., laws, regulations, and contracts), ISO 27001 can help organizations improve the security of AI and machine learning environments in the following ways:

| Control | Rationale | Documentation | Additional references |
|---|---|---|---|
| A.5.1 Policies for information security | Develop a policy that addresses the secure use of AI and machine learning technology | Any security policy or a procedure | 8 criteria to decide which ISO 27001 policies and procedures to write |
| A.5.9 Inventory of information and other associated assets | Maintain an inventory of AI and machine learning systems and their associated assets | Inventory of Assets | Asset management according to ISO 27001: How to handle an asset register / asset inventory |
| A.5.12 Information classification | Classify data used by AI and machine learning systems based on its sensitivity and apply appropriate security measures | Information Classification Policy | How to classify information according to ISO 27001 in four steps |
| A.5.14 Information transfer | Implement policies and procedures for securely transferring data to and from AI and machine learning systems, including encryption and access controls | Information Transfer Policy | |
| A.5.15 Access control | Implement access controls to ensure that only authorized individuals can access and modify machine learning systems and data | Access Control Policy | How to handle access control according to ISO 27001 |
| A.5.19 Information security in supplier relationships | Ensure that AI and machine learning systems and services provided by external suppliers meet the organization’s security requirements | Supplier Security Policy | 6-step process for handling supplier security according to ISO 27001; Which security clauses to use for supplier agreements? |
| A.5.31 Legal, statutory, regulatory and contractual requirements | Identify and comply with legal and contractual requirements related to the use of AI and machine learning technology | List of Legal, Regulatory, Contractual and Other Requirements | How to identify ISMS requirements of interested parties in ISO 27001 |
| A.5.36 Compliance with policies, rules and standards for information security | Ensure that the use of AI and machine learning systems complies with legal and regulatory requirements, as well as contractual obligations related to data protection and privacy | List of Legal, Regulatory, Contractual and Other Requirements | ISO 27001 internal audit: The complete guide |
| A.5.37 Documented operating procedures | Define and document operational procedures for the secure use of AI and machine learning, including roles and responsibilities for managing AI and machine learning systems | Security Procedures for IT Department | 8 criteria to decide which ISO 27001 policies and procedures to write |
| A.8.25 Secure development life cycle | Establish a policy for secure development practices when creating or implementing AI and machine learning systems | Secure Development Policy | How to integrate ISO 27001 controls into the system/software development life cycle (SDLC) |
| A.8.32 Change management | Implement a change management process to ensure that any changes to AI and machine learning systems are properly assessed and controlled | Change Management Policy | How to manage changes in an ISMS according to ISO 27001 A.12.1.2 |

Increase AI and machine learning results and reliability with ISO 27001

Organizations seeking to adopt AI and machine learning applications to improve productivity by automating and streamlining various processes must ensure that they do so without letting information go unprotected, so handling threats is crucial.

Additionally, by implementing proper security practices, organizations can get ahead of the competition by offering the benefits of AI and machine learning resources to their customers, while ensuring protected information and reliable services according to their needs.

By adopting ISO 27001, organizations can achieve all of these results through an already proven, globally recognized approach.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.