Implementation Roadmap & Project Setup
Complete implementation roadmap from project initiation to certification, including templates for project charter, gap analysis, and timeline planning.
Chapter Overview
This chapter provides a comprehensive roadmap for implementing ISO 42001 from scratch. Whether building on existing management systems or starting fresh, this guide helps plan and execute successful AIMS implementation.
Implementation Phases Overview
| Phase | Name | Duration | Key Deliverables |
|---|---|---|---|
| 1 | Project Initiation | 2-4 weeks | Business case, project charter, team |
| 2 | Gap Analysis | 3-6 weeks | Current state assessment, gap report |
| 3 | Design & Development | 8-16 weeks | Policies, processes, documentation |
| 4 | Implementation | 8-12 weeks | Control deployment, training |
| 5 | Internal Audit & Review | 4-8 weeks | Internal audit, management review |
| 6 | Certification | 4-8 weeks | Stage 1 & Stage 2 audits |
Typical total duration is 6-18 months, depending on organization size, complexity, and existing maturity. Integration with an existing ISO 27001/9001 management system can reduce the timeline by 30-40%.
Phase 1: Project Initiation
1.1 Develop Business Case
| Component | Description |
|---|---|
| Problem Statement | Why does the organization need an AIMS? |
| Drivers | Regulatory, competitive, risk management |
| Benefits | Quantified benefits |
| Scope | AI systems and business units included |
| Investment | Resources, budget, timeline |
| ROI | Expected return |
| Risks | Implementation risks and mitigation |
1.2 Secure Management Commitment
- Executive Sponsor: C-level champion
- Budget Approval: Implementation and certification resources
- Policy Commitment: Agreement to establish AI policy
- Resource Allocation: Dedicated team
- Communication: Executive messaging
1.3 Form Project Team
| Role | Responsibility | Time Allocation |
|---|---|---|
| Project Manager | Overall coordination | 50-100% |
| AIMS Lead | Technical expertise | 50-100% |
| AI/ML Expert | AI system knowledge | 25-50% |
| Risk Manager | Risk methodology | 25-50% |
| Legal/Compliance | Regulatory requirements | 10-25% |
| IT/Security | Technical infrastructure | 25-50% |
| HR/Training | Competence development | 10-25% |
1.4 Define Project Scope
| Factor | Questions to Answer |
|---|---|
| AI Systems | Which systems included? |
| Business Units | Which departments? |
| Locations | Which geographic locations? |
| AI Roles | Developer, provider, user? |
| Lifecycle Stages | All stages or specific phases? |
| Third Parties | Which suppliers/partners? |
Template: Project Charter
1. PROJECT OVERVIEW
Project Name: [Organization] AIMS Implementation
Project Sponsor: [Name, Title]
Project Manager: [Name, Title]
Date: [Date]
2. BUSINESS CASE SUMMARY
Problem Statement: [Why AIMS needed]
Key Drivers: [List drivers]
Expected Benefits: [List benefits]
3. OBJECTIVES
• Achieve ISO 42001 certification
• Implement AIMS for defined scope
• Train personnel on AI governance
4. SCOPE
In Scope: AI systems, business units, locations
Out of Scope: [Exclusions]
5. TIMELINE
Phase 1-6 with start/end dates and durations
6. BUDGET
Personnel, consultants, training, certification fees, contingency
7. APPROVALS
Sponsor, PM signatures with dates
Phase 2: Gap Analysis
2.1 Current State Assessment
| Area | Assessment Focus |
|---|---|
| AI Inventory | What AI systems exist? |
| Governance | Existing policies, oversight |
| Risk Management | Current AI risk processes |
| Documentation | Existing procedures |
| Competence | AI skills and awareness |
| Third Parties | Supplier management |
| Existing MS | ISO 27001/9001 processes |
2.2 Gap Analysis Methodology
Step 1: Map Requirements
- All Clause 4-10 requirements
- All 39 Annex A controls
- Documented information requirements
Step 2: Assess Current State
| Rating | Description | Gap Level |
|---|---|---|
| Fully Implemented (FI) | Requirement met | None |
| Partially Implemented (PI) | Needs enhancement | Minor |
| Planned (PL) | Actions planned | Moderate |
| Not Implemented (NI) | No provision | Major |
| Not Applicable (NA) | Doesn't apply | N/A |
Step 3: Document Gaps
- Requirement reference
- Current state
- Gap description
- Effort to close
- Priority
Step 4: Gap Closure Plan
- Actions required
- Responsible party
- Timeline
- Resources
- Dependencies
2.3 AI System Inventory Template
| Field | Description |
|---|---|
| System ID | Unique identifier |
| System Name | Descriptive name |
| Description | Purpose and functionality |
| AI Type | ML, Deep Learning, NLP, etc. |
| Business Owner | Accountable owner |
| Technical Owner | Technically responsible person |
| Lifecycle Stage | Development, Production, Retired |
| Risk Level | High, Medium, Low |
| Data Sources | Training and operational data |
| Third Parties | External providers |
| Users | Who uses outputs |
| Decisions | What decisions supported |
Phase 3: Design & Development
3.1 Policy Development
| Document | Purpose | Clause Reference |
|---|---|---|
| AI Policy | Governance commitment | 5.2 |
| AIMS Scope | Defines boundaries | 4.3 |
| Risk Methodology | How risks assessed | 6.1.2 |
| Risk Treatment | How risks treated | 6.1.3 |
| AI Lifecycle Procedure | Managing AI lifecycle | 8.1, A.6 |
| Impact Assessment | Assessing AI impacts | 8.4, A.5 |
3.2 Process Design by Domain
| Domain | Key Processes |
|---|---|
| A.2-A.3 | Policy management, roles, incident reporting |
| A.4 | Resource planning, data/tool management |
| A.5 | Impact assessment process |
| A.6 | AI lifecycle management |
| A.7 | Data acquisition, quality, provenance |
| A.8 | Communication, documentation, explainability |
| A.9 | Intended use, fitness, human oversight |
| A.10 | Third-party assessment, monitoring |
Phase 4: Implementation
4.1 Control Priority
High Priority (First):
• A.2.2 AI Policy
• A.3.2 Roles and responsibilities
• A.6.1.2 Managing AI lifecycle
• A.6.2.2 Defining objectives
• A.9.4 Human oversight
Medium Priority (Second):
• A.5.2-A.5.5 Impact assessment
• A.6.2.4-A.6.2.10 Lifecycle controls
• A.7.2-A.7.6 Data controls
• A.8.2-A.8.5 Transparency controls
Lower Priority (Third):
• A.4.2-A.4.5 Resource controls
• A.10.2-A.10.4 Third-party controls
• A.3.3-A.3.5 Organizational controls
4.2 Training & Awareness
| Audience | Content | Duration |
|---|---|---|
| All employees | AI awareness, policy | 1-2 hours |
| AI developers | Responsible AI, lifecycle | 1-2 days |
| AI system owners | Risk, impact assessment | 1 day |
| Management | Governance, oversight | 2-4 hours |
| Internal auditors | AIMS audit techniques | 2-3 days |
Phase 5: Internal Audit & Review
5.1 Audit Program Coverage
- All ISO 42001 clauses
- All applicable Annex A controls
- All AI systems in scope
- All locations in scope
5.2 Management Review Inputs (Clause 9.3)
- Audit results
- Policy effectiveness
- Objective achievement
- Nonconformities
- Improvement opportunities
Phase 6: Certification
6.1 Stage 1 Audit
Focus: Documentation review, scope verification, readiness assessment, Stage 2 planning
6.2 Stage 2 Audit
Focus: Full AIMS assessment, control effectiveness, evidence verification, personnel interviews
Implementation Timeline Template
12-Month Schedule
| Month | Phase | Key Activities | Deliverables |
|---|---|---|---|
| 1 | Initiation | Business case, team | Charter approved |
| 2 | Gap Analysis | Current state, inventory | AI inventory |
| 3 | Gap Analysis | Gap completion | Gap report |
| 4 | Design | Policy, methodology | AI Policy draft |
| 5 | Design | Process design, SoA | SoA draft |
| 6 | Design | Documentation | Complete docs |
| 7 | Implementation | Control implementation | Priority controls |
| 8 | Implementation | Training | Training records |
| 9 | Implementation | Full deployment | All controls |
| 10 | Audit Prep | Internal audit | Audit report |
| 11 | Audit Prep | Management review | Review minutes |
| 12 | Certification | Stage 1 & 2 | Certificate |
Critical Success Factors
| Factor | Why It Matters |
|---|---|
| Executive Sponsorship | Secures resources, removes barriers, sets priority |
| Clear Scope | Prevents scope creep |
| Competent Team | Technical and MS expertise |
| Realistic Timeline | Avoids rushed implementation |
| Stakeholder Engagement | Buy-in from owners/users |
| Integration Approach | Leverage existing investments |
| Practical Controls | Operational effectiveness |
| Change Management | Cultural and behavioral change |
Common Pitfalls
| Pitfall | Impact | Avoidance |
|---|---|---|
| Paper-only implementation | Audit failures | Focus on effectiveness |
| Unclear AI inventory | Incomplete scope | Comprehensive discovery |
| Insufficient resources | Delays | Realistic planning |
| Ignoring existing MS | Duplication | Integration from start |
| IT-only project | Missing engagement | Multi-disciplinary team |
| Underestimating training | Poor compliance | Comprehensive program |
| Rushing certification | Failed audits | Adequate preparation |
1. Six phases structure implementation
2. 6-18 months typical duration
3. Management commitment is essential
4. Gap analysis provides foundation
5. AI system inventory critical for scope
6. Integration with existing MS saves effort
• Know implementation phases and sequence
• Understand Stage 1 vs. Stage 2 audits
• Explain critical success factors
• Know the difference between gap analysis and internal audit
• Understand Statement of Applicability role