When embarking on your ISO journey, a crucial first step is evaluating your current level of compliance and identifying what gaps need to be filled to gain certification or fully align with a Standard. This is typically done by conducting a Gap Analysis.
This exercise sets the foundations for your ISO Implementation project, from setting key actions and objectives, to resourcing and establishing a project timeline.
In this episode, Ian Battersby dives into the purpose of a Gap Analysis, who should be involved in the exercise and what inputs and outputs you should expect to have from conducting a Gap Analysis.
You’ll learn
- What is a Gap Analysis?
- What is the aim of a Gap Analysis?
- What is the process of conducting a Gap Analysis?
- Who should be involved in a Gap Analysis?
- What inputs should be included in a Gap Analysis?
- What outputs can you expect from a Gap Analysis?
In this episode, we talk about:
[02:05] Episode Summary – Ian Battersby dives into the first step on any ISO Implementation journey, breaking down what a Gap Analysis is, its purpose and what you should expect to get out of conducting one.
[02:50] What is a Gap Analysis?: Simply put, it’s the start of the process.
It’s a key to understanding where an organisation is right now and establishing what it needs to do on its journey to ISO certification.
But it’s not just for certification, as certification isn’t always what people are trying to achieve. Many businesses opt to align themselves to a standard to ensure they’re doing the right thing, but may not go through with full certification.
[04:05] What is the aim of a Gap Analysis? The objective of a Gap Analysis is to carry out a review of your organisation against the requirements of the respective standard.
This will help to establish the following:
- Areas where you conform to the standard, where you may have established the required processes, procedures, roles, responsibilities, systems, methods, documents
- Areas of nonconformity, where such things will need to be developed
- You may partly conform, so it’s important to understand that as well
From that understanding, you can build key actions, timescales and responsibilities for implementing an ISO Standard.
It’s also very useful to leadership; to clarify what’s needed, to look at priorities, to resource what’s required and to establish a timeline to your end goal.
[06:25] What is the process of conducting a Gap Analysis? It’s important to do this in a very structured manner. It’s also important to get access to existing documentation and personnel in key roles; they’ll be helpful during the gap analysis in providing understanding.
You’ll need to evaluate your current level of compliance against the following clauses within your desired ISO Standard(s):
4 Context: Understanding the world in which you operate, the people and organisations which are important to you. This is where you will determine the scope of your system (what to include, what parts of the standard are relevant).
5 Leadership: Top management’s commitment, how involved they are, their accountability and their commitment to resourcing, promoting, to giving people authority through clear roles and responsibilities.
6 Planning: This is about assessing risks and opportunities; understanding the uncertainty caused by your operating environment (context). It also involves setting objectives and then establishing meaningful plans to address the risks/opportunities and objectives; mitigations; establishing controls; operational processes.
7 Support: This is where you look at people, competence, infrastructure and environment (are your facilities/equipment appropriate to what you need to do). You will also need to identify what you need to monitor and measure to demonstrate the effectiveness of your ISO Management System.
Next, you need to cover awareness and communication, i.e. how do you make people aware of your system, policy, processes; what do you tell other interested parties?
Lastly, ensure you address how you control the documentation which supports your system.
8 Operation: This addresses the delivery of a product or service to the customer, including all the processes for doing so. For example, in ISO 9001 this clause defines what’s required when designing, developing, controlling externally provided products/services and controlling anything which goes wrong.
This is typically the clause that contains the largest difference between ISO Standards, with each one focusing its requirements on its own topic. For example, ISO 14001 includes requirements for emergency preparedness and response in the event of an environmental incident.
9 Performance evaluation: This is where you review and report on the results of the monitoring and measurement that you’ve put in place. For those familiar with ISO, this is where the internal audit and management review requirements sit.
10 Improvement: This clause states requirements for addressing any non-conformities that pop up during your Internal Audits. It also encourages you to address opportunities for improvement to help drive continual improvement and innovation.
[13:50] Who should be involved in a Gap Analysis? One key myth that we’d like to clear up: not everyone in the business needs to be involved in this process. However, we do recommend the following are included:
- The person responsible for the day-to-day running of the Management System. This may not be known at this early stage, which is fine as the purpose of the Gap Analysis is to identify gaps such as this.
- Leadership; someone in a senior role; responsible for resourcing the system, communicating its importance to the workforce; responsible for setting the strategic direction and objectives.
- People who understand the context of the organisation; understanding interested parties (stakeholders); needs of customers and others; the regulatory environment.
- Those involved in risk management; operational, financial, commercial, regulatory, safety or environmental.
- Someone with knowledge of the legal requirements and how they’re evaluated; relative to the specific standard.
- Anyone setting objectives related to the specific standard.
- Those with knowledge of competence arrangements; not just those responsible for co-ordinating the Management System, but across the board, for delivering operational processes.
- Those responsible for facilities and equipment; maintenance, service, test, inspection, etc.
- People responsible for developing and delivering operational processes.
- People with knowledge of how things are monitored or measured; possibly operations people, data analysis or those who report performance to management.
- Those who control nonconformity and those who run improvement processes.
It can be quite a range of people!
However, in smaller organisations there may be quite a limited number who likely wear many hats. Again, that’s not a problem, as the Gap Analysis exists to discover that.
[21:55] What inputs should be included in a Gap Analysis? This can include a number of things, as not everything will necessarily be a document. Typically, we as consultants will look at:
- Management System manual or System Scope
- Organisational chart
- Mission, vision, values and culture
- SWOT/PESTLE and Interested Parties
- Policy relevant to the standard
- Job descriptions
- Risk and opportunities analysis; methodology
- Objectives
- Legislation register and methods of evaluation
- Competence arrangements, training records
- Management System awareness, training completion
- Details of version and document control in place
- Monitoring and measuring plans (KPIs, SLAs, internal performance metrics)
- Internal audit programme and audit reports
- Management review records
- Agendas for any regular management meetings
- Nonconformities, incident reports and corrective action records
- Customer complaints/feedback
- Emergency Plans
- Process Documentation
- Examples of process documentation:
- Change control documentation
- Sales, tendering, order processing
- Procedures for the design and development of products and services
- Design and development records stating inputs, verification and validation activities, outputs, and approval of changes
- Procedures to approve products and services for release to customers including quality checks
- Supplier / third party evaluation and onboarding documents
- Non-conformity/complaint information
- Traceability documentation
[29:40] What is the output from a Gap Analysis? We look at all of this and compare it against the requirements of the Standard to see where you currently stand. In our case, we do this on a spreadsheet with a simple scoring system to give you an overview of what you already have in place and what needs to be addressed.
In many cases, businesses already have a lot of the required documentation, but don’t have it tied together in one cohesive system. So a large part of implementation is consolidating that existing documentation, processes etc. into an accessible and easily understood system.
The key thing to remember is that this is not an audit. The evidence required does not have to be as detailed as an audit; some things can be taken on trust or face value. At this stage we aren’t demonstrating anything to a certification body, and you are not being judged.
We are simply looking at what needs to be done to achieve full Implementation or certification.
If you’d like assistance with carrying out a Gap Analysis, get in contact with us, we’d be happy to help.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
AI has been integrated into almost every aspect of our lives, from everyday software we use at work, to the algorithms that determine what content is recommended to us at home.
While extraordinary in its capabilities, it isn’t infallible and will open up everyone to new and emerging risks. Legislation and regulations are finally catching up to the rapid adoption of this technology, such as the EU AI Act and new Best Practice Standards such as ISO 42001.
For those looking to integrate AI in a safe and ethical manner, ISO 42001 may be the answer.
Today Rachel Churchman, Technical Director at Blackmores, explains what ISO 42001 is, why you should conduct an ISO 42001 Gap analysis and what’s involved with taking the first step towards ISO 42001 Implementation.
You’ll learn
- What is ISO 42001?
- What are the key principles of ISO 42001?
- Why is ISO 42001 Important for companies either using or developing AI?
- Why conduct an ISO 42001 Gap Analysis?
- What should you be looking at in an ISO 42001 Gap Analysis?
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Rachel Churchman joins Steph to discuss what ISO 42001 is, its key principles and the importance of implementing ISO 42001 regardless of whether you’re developing AI or simply utilising it.
Rachel will also explain the first step towards implementation – an ISO 42001 Gap Analysis.
[02:45] Upcoming ISO 42001 Workshop – We have an upcoming ISO 42001 workshop where you can learn how to complete an AI System Impact Assessment, which is a key tool to help you effectively assess the potential risks and benefits of utilising AI.
Rachel Churchman, our Technical Director, will be hosting that workshop on the 5th December at 2pm GMT, but places are limited so make sure you register your place sooner rather than later!
[03:20] The impact of AI – AI is everywhere, and has largely outpaced any sort of regulation or legislation up until very recently. These are both needed as AI is like any other technology, and will bring its own risks, which is why a best practice Standard for AI Management has been created.
If you’d like a more in-depth breakdown of ISO 42001, check out our previous episodes: 166 & 173.
[04:30] A brief summary of ISO 42001 – ISO 42001 is an Internationally recognised Standard for developing an Artificial Intelligence Management System. It provides a comprehensive framework for organisations to establish, implement, maintain, and continually improve how they implement and develop or consume AI in their business. It aims to ensure that AI risks are understood and mitigated and that AI systems are developed or deployed in an ethical, secure, and transparent manner, taking a fully risk-based approach to responsible use of AI.
Much like other ISO Standards, it follows the High-Level Structure and therefore can be integrated with existing ISO Management systems as many of the core requirements are very similar in nature.
[05:45] Why is ISO 42001 important for companies both developing and using AI? – AI is now becoming commonplace in our world, and has been for some time. A good example is the use of Alexa or Siri – both of these are Large Language AI Models that we all use routinely in our lives. But AI is now being introduced in many technologies that we consume in our working lives – all designed to help make us more efficient and effective. Some examples being:
- Microsoft 365 Copilot
- GitHub Copilot
- Google Workspace
- Adobe Photoshop
- Search Engines i.e. Google
Organisations need to be aware of where they’re consuming AI in their business as it may have crept in without them being fully aware. Awareness and governance of AI is crucial for several reasons:
Companies using AI need to ensure they have assessed the potential risks of the AI, such as unintended consequences and negative societal impacts, or potential commercial data leakage. If they are using AI to support decision making, they also need to ensure that decisions made or supported by AI systems are fair and unbiased. It’s not all about risk – organisations can also use AI to streamline processes, helping them to become more efficient and effective, or it could support innovation in ways previously not considered.
For companies developing AI, the standard promotes the ethical development and deployment of AI systems, ensuring they are fair, transparent, and accountable. It provides a structured approach to risk assessment and governance associated with AI, such as bias, data privacy breaches, and security vulnerabilities.
And for all, using ISO 42001 as the best practice framework, organisations can ensure that their AI initiatives are aligned with ethical principles, legal requirements, and industry best practices. This will ultimately lead to more trustworthy, reliable, and beneficial AI systems for all.
[10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the system, and that includes what should be communicated when and to who.
[09:00] What are the key principles outlined in ISO 42001? –
- Fairness and Non-Discrimination – ensuring AI systems treat all individuals and groups fairly and without bias.
- Transparency and Explainability – Making AI systems understandable and accountable by providing clear explanations of their decision-making processes.
- Privacy and Security – Protecting personal data and privacy while ensuring the security of AI systems.
- Safety and Security – Prioritising the safety and well-being of individuals and the environment by mitigating potential risks associated with AI systems.
- Environmental & Social – Considering the impact of AI on the environment and society, promoting sustainable and responsible practices.
- Accountability and Human Oversight – Maintaining human control and responsibility for AI systems, ensuring they operate within ethical and legal boundaries. You’ll often hear the term ‘Human in the loop’. This is vital to ensure that AI is sanity checked by a human to ensure it hasn’t hallucinated and that its results haven’t ‘drifted’ in any way.
[11:10] Why conduct an ISO 42001 Gap Analysis? What is the main aim? – Any gap analysis is a strategic planning activity to help you understand where you are, where you want to be and how you’re going to get there. The ISO 42001 gap analysis will identify gaps and pinpoint areas where your AI practices need to meet the ISO 42001 requirements.
It aims to conduct a systematic review of how your organisation uses or develops AI to then assess your current AI management practices against the requirements of the ISO 42001 standard. This analysis will then help you to identify any “gaps” where your current practices do not fully meet the standard’s requirements. It also helps organisations to understand ‘what good looks like’ in terms of responsible use of AI.
It will help you to prioritise improvement areas that may require immediate attention, and those that can be addressed in a phased approach.
It will help you to understand and mitigate the risks associated with AI.
It will also help you to develop a roadmap for compliance to include plans with clear actions identified that can then be project managed through to completion, and as with all ISO standards it will support and enhance AI Governance.
[13:15] Does an ISO 42001 gap analysis differ from gap analysis for other standards? – Ultimately, no. The ISO 42001 gap analysis doesn’t differ massively from a gap analysis for other ISO standards, so anyone who already has an ISO Standard and has been through the gap analysis process will be familiar with it.
In terms of likeness, ISO 42001 is similar in nature to ISO 27001 in as much as there is a supporting ‘Annex’ of controls and objectives that need to be considered by the organisation. Therefore the questions being asked will extend beyond the standard High Level Structure format.
Now is probably a good time to note that the Standard itself is very informative and includes additional annex guidance information, including:
- implementation guidance for the specific AI controls,
- an Annex for potential AI-related organisational objectives and risk sources,
- and an Annex that provides guidance on use of the AI management system across domains and sectors and integration with other management system standards.
[14:55] What should people be looking at in an ISO 42001 gap analysis? – The Gap Analysis will include areas such as looking at the ‘Context’ of your organisation to better understand what it is that you do, or the issues you are facing internally and externally in relation to AI – both now and in the reasonably foreseeable future, and also how you currently engage with AI in your business. This will help to identify your role in terms of AI.
It will also look at all the main areas typically captured within any ISO standard, including leadership and governance, policy, roles and responsibilities, AI risks and your approach to risk assessment and treatment, and AI system impact assessments. It also looks at AI objectives, the support resources you have in place to manage requirements, awareness within your business for AI best practice and use, through to KPIs, internal audit, management review and how you manage and track issues through to completion in your business.
The AI specific controls look more in-depth at policies related to AI, your internal organisation in relation to key roles & responsibilities and reporting of concerns, the resources for AI Systems, how you assess the impacts of AI Systems, the AI system lifecycle (AI Development), data for AI Systems, information provided to interested parties of AI Systems, and the use of AI Systems and 3rd party and customer relationships.
[18:10] Who should be involved in an ISO 42001 Gap analysis? – An ISO 42001 gap analysis looks at AI from a number of different angles, from organisational governance that includes strategic plans, policies and risk management, through to training and awareness of AI for all staff, through to technical knowledge of how and where AI is either used or potentially developed within the organisation. This means that it is likely that there will need to be multiple roles involved over the duration of a Gap Analysis.
At Blackmores we always provide a Gap Analysis ‘Agenda’ that clearly defines what will be covered over the duration of the gap analysis, and who typically could be involved in the different sessions. We find this is the best way to help organisations plan the support needed to answer all the questions required.
It’s also important to treat the gap analysis as a ‘drains up’ review, to help get the most benefit out of the gap analysis. This will ensure that all gaps are identified so that a plan can then be devised to support the organisation to bridge these gaps, putting them on the path to AI best practice for their business.
If you’d like to find out more about ISO 42001 implementation, register for our upcoming Workshop on the 5th December 2024.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.