ISO Show

#238 Umony’s ISO 42001 Journey – Setting the Standard for effective AI Management


AI has become inescapable over the past years, with the technology being integrated into tools that most people use every day. This has raised some important questions about the associated risks and benefits related to AI.

Those developing software and services that include AI are also coming under increasing scrutiny, from both consumers and legislators, regarding the transparency of their tools. This ranges from how safe they are to use to where the training data for their systems originates from.

This is especially true of already heavily regulated industries, such as the financial sector. Today’s guest took a proactive approach while developing their unique AI software, which helps the financial sector detect fraud, and got a jump start on becoming accredited to the world’s first best practice Standard for AI, ISO 42001 AI Management.

In this episode, Mel Blackmore is joined by Rachel Churchman, The Global Head of GRC at Umony, to discuss their journey towards ISO 42001 certification, including the key drivers, lessons learned, and benefits gained from implementation.   

You’ll learn

  • Who is Rachel?
  • Who are Umony?
  • Why did Umony want to implement ISO 42001?
  • What were the key drivers behind gaining ISO 42001 certification?
  • How long did it take to implement ISO 42001?
  • What was the biggest gap identified during the Gap Analysis?
  • What did Umony learn from implementing ISO 42001?
  • What difference did bridging this gap make?
  • What are the main benefits of ISO 42001?
  • The importance of accredited certification
  • Rachel’s top tip for ISO 42001 Implementation  

Resources

In this episode, we talk about:

[02:05] Episode Summary – Mel is joined by Rachel Churchman, The Global Head of GRC at Umony, to explore their journey towards ISO 42001 certification.

[02:15] Who is Rachel?: Rachel Churchman is currently the Global Head of GRC (Governance, Risk and Compliance) at Umony. However, keen listeners to the show may recognise her, as she was once a part of the Blackmores team. She originally created the ISO 42001 toolkit for us while starting the Umony project under Blackmores, but made the switch from consultant to client during the project.

[04:15] Who are Umony? Umony operate in the financial services industry. For context, in that industry every form of communication matters, and there are regulatory requirements for firms to capture, archive and supervise all business communications.

That covers quite a lot! From phone calls to video calls, instant messaging and so on, and failure to capture that information can lead to fines.

Umony are a compliance technology company operating within the financial services space, and provide a platform that can capture all that communications data and store that securely.

[05:55] Why did Umony embark on their ISO 42001 journey? Umony have recently developed an AI platform called CODA, which uses advanced AI to review all communications to detect financial risks such as market abuse, fraud or other misconduct.

This will flag those potential high-risk communications to a human to continue the process. The benefit of this is that rather than financial institutions only being able to monitor a very small set of communications due to it being a very labour intensive task, this AI system would allow for monitoring of 100% of communications with much more ease.

Ultimately, it’s taking communications capture from reactive compliance to proactive oversight.

[08:15] Led by industry professionals: Umony have quite the impressive advisory board, made up of both regulatory compliance personnel as well as AI technology experts.

This includes the likes of Dr. Thomas Wolf, Co-Founder of Hugging Face, a former Chief Compliance Officer at JP Morgan and a former CEO of the FCA.

[09:00] What were the key drivers behind obtaining ISO 42001 certification? Originally, Rachel had been working for Blackmores to assist Umony with their ISO 27001:2022 transition back in early 2024. At the time, they had just started to develop their AI platform CODA.

Rachel learned about what they were developing and mentioned that a new Standard was recently published to address AI specifically. After some discussion, Umony felt that ISO 42001 would be greatly beneficial as it took a proactive approach to effective AI management.

While they were still in the early stages of creating CODA, they wanted to utilise best practice Standards to ensure the responsible and ethical development of this new AI system.

When compared to ISO 27001, ISO 42001 provided more of a secure development lifecycle and was a better fit for CODA as it explores AI risks in particular. These risks include considerations for things like transparency of data, risk of bias and other ethical risks related to AI.

At the time, no one was asking for companies to be certified to ISO 42001, so it wasn’t a case of industry pressure for Umony; they simply knew that this was the right thing to do.

Rachel was keen to sink her teeth into the project because the Standard was so new that Umony would be early adopters. It was so new that certification bodies weren’t even accredited to the Standard while Umony were implementing it.

[12:20] How long did it take to get ISO 42001 certified? Rachel started working with Anna Pitt-Stanley, COO of Umony, around April 2024. However, the actual project work didn’t start until October 2024. Umony already had a fantastic head start with ISO 27001 in place, and so project completion wrapped up around July of 2025.

They had their pre-assessment with BSI in July, which Rachel considered a real value add for ISO 42001, as it gave them more information from the assessors’ point of view on what they were looking for in the Management System.

This then led onto Stage 1 in August 2025 and Stage 2 in early September 2025. That is an unusually short period of time between a Stage 1 & 2, but they were in remarkably good shape at the end of Stage 1 and could confidently tackle Stage 2 in quick succession.

The BSI technical audit finished at the end of September, so in total, from start to finish, the implementation of ISO 42001 took just under 12 months.

[15:50] What was the biggest gap identified during the Gap Analysis? A lot of the AI specific requirements were completely new to this Standard, so processes and documentation relating to things like ‘AI Impact Assessment’ had to be put in place.

ISO 42001 includes an Annex A which details a lot of the AI related technical controls. These are unique to this Standard, so their current ISO 27001 certification didn’t cover these elements.

These weren’t unexpected gaps; the biggest surprise to Rachel was the concept of an AI life cycle. This concept and its related objectives underpin the whole management system and its aims. It covers the utilisation or development of AI all the way through to the retirement of an AI system.

It’s not a standalone process and differs from ISO 27001’s secure development life cycle, which is a contained subset of controls. ISO 42001’s AI life cycle, in comparison, is integrated throughout the entire process and is a main driver for the management system.

[19:30] What difference did bridging this gap make? After Umony understood the AI life cycle approach and how it applied to everything, it made implementing the Standard a lot easier. It became the golden thread that ran through the entire management system.

They were building into an existing ISMS, and as a result it created a much more holistic management system.

It also helped with the internal auditing, as you can’t take a process approach to auditing in ISO 42001 because controls can’t be audited in isolation.

[21:30] What did Umony learn from Implementing ISO 42001? Rachel in particular learned a lot, not just with ISO 42001 but with AI itself.

AI is new to a lot of people, herself included, and it can be difficult to distinguish what is considered a risk or opportunity regarding AI.

In reality, it’s very much a mix of the two. There’s a lot of risk around data transparency, bias and data poisoning, as well as new risks popping up all the time due to the developing technology. There’s also a creeping issue of shadow IT, which is where employees may use hardware or software that hasn’t been verified or validated by the company. For example, many people have their own ChatGPT accounts, but do you have oversight of what employees may be putting into that AI tool to help with their own tasks?

On a more positive note, there are so many opportunities that AI can provide, whether that’s productivity, helping people focus more on the strategic elements of their role, or reduction of tedious tasks.

Umony is a great example of where an AI has been developed to serve a very specific purpose, preventing or highlighting potential fraud in a highly regulated industry. They’re not the only one, with many others developing equally crucial AI systems to tackle some of our most labour-intensive tasks.

In terms of experience with implementing ISO 42001, Rachel feels it cemented her opinion that an ISO Standard provides a best practice framework that is the right way to go about managing AI in an organisation. Whether you’re developing it, using it or selling it, ISO 42001 puts in place the right guardrails to make sure that AI is used responsibly and ethically, and that people understand the risks and opportunities associated with AI.

[26:30] What benefits were gained from implementing ISO 42001? The biggest benefit is having those AI related processes in place, regardless of whether you go for certification.

Umony in particular were keen to ensure that their certification was accredited, as this is a recognised certification. With Umony being part of such a regulated industry, it made sense that this was a high priority. As a result, they went with BSI as their Certification Body, who were one of the first CBs in the UK to get IAF accredited, quickly followed by UKAS accreditation.

[27:55] The Importance of accredited certification: Sadly, a new Standard creates a lot of tempting offers from cowboy certification bodies that operate without a recognised accreditation.

They will offer a very quick and cheap route to certification, usually provided through a generic management system which isn’t reflective of how you work. Their certificate will also not hold up to scrutiny, as it’s not accredited with any recognisable body. For the UK this is UKAS, which is the only body in the UK under the IAF that is able to accredit certification bodies to issue a valid accredited certificate.

There are easily available tools to help identify whether a certificate is accredited or not, so it’s best to go through the proper channels in the first place!

Other warning signs of cowboy companies to look out for include:

  • Off the shelf Management system provided for a fee
  • Offering of both consultancy and certification services – no accredited CB can provide both to a client, as this is a conflict of interest.
  • A 5 – 10 year contract

It’s vital that you use an accredited Certification Body, as they will leave no stone unturned when evaluating your Management System. They are there to help you, not judge you, and will ensure that you have the utmost confidence in your management system once you’ve passed assessment.

Umony were pleased to have only received 1 minor non-conformity through the entire assessment process. A frankly astounding result for such a new and complex Standard!

[32:15] Rachel’s top tip: Firstly, get a copy of the Standard. Unlike a lot of other Standards, where you have to buy another Standard to understand the first one, ISO 42001 provides all that additional guidance in its annexes.

Annex B in particular is a gold mine for knowledge in understanding how to implement the technical controls required for ISO 42001.

It also points towards other helpful supporting Standards that cover aspects like AI risks and the AI life cycle in more detail.

Rachel’s second tip is: You need to scope out your Management System before you start diving into the creation of the documentation. This scoping process is much more in-depth for ISO 42001 than with other ISO Standards, as it gets you to understand your role from an AI perspective. It helps determine whether you’re an AI user, producer or provider, and it also gets you to understand what the management system is going to cover.

This creates your baseline for the AI life cycle and AI risk profile. These you need to get right from the start, as they guide the entire management system.

If you’ve already got an ISO Standard in place, you cannot simply re-use the existing scope, as it will be different for ISO 42001. If you’re struggling, CBs like BSI can help you with this.

[35:20] Rachel’s Podcast recommendation: Diary of a CEO with Stephen Bartlett.

[32:15] Rachel’s favourite quote: “What’s the worst that can happen?” – An extract from a Dale Carnegie course, where the full quote is: “First ask yourself what is the worst that can happen? Then, you prepare to accept it and then proceed to improve on the worst.”

If you’d like to learn more about Umony and their services, check out their website.
