
ISO/IEC 27090 Information security, cybersecurity and privacy protection — Guidance on AI security and privacy controls

A forthcoming ISO/IEC standard providing guidance on applying security and privacy controls to Artificial Intelligence systems. It helps organizations translate the high-level requirements of standards such as ISO/IEC 27001 into concrete actions against AI-specific risks, and supports alignment with regulations such as the EU AI Act.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is ISO 27090?

ISO/IEC 27090 is an international standard still under development within the ISO/IEC 27000 family. It provides implementation guidance for security and privacy controls specifically for Artificial Intelligence (AI) systems. It is a guidance document rather than a certifiable requirements standard like ISO/IEC 27001: it does not introduce new controls but explains how to apply existing controls from ISO/IEC 27002:2022 to AI-specific threats such as adversarial (evasion) attacks, training-data poisoning, and model inversion. Because it is still a draft, its content and scope may change before publication. The standard acts as a bridge between a general information security management system (ISMS) and the particular risks of AI technologies, helping organizations turn the high-level security expectations of regulations such as the EU AI Act into concrete practices for AI development and security teams.

How is ISO 27090 applied in enterprise risk management?

Enterprises can apply ISO 27090 in a three-step process. First, conduct a context-specific AI risk assessment, for example using the NIST AI Risk Management Framework (AI RMF), to identify the threats that apply to each AI application (a public chatbot faces different threats from an internal fraud model). Second, use ISO 27090's guidance to select and tailor controls from ISO/IEC 27002. For example, to counter data poisoning, strengthen data integrity controls (hash or sign training-data shards and verify them before every training run) and secure the channels over which data is transferred. Third, establish continuous monitoring and validation, such as adversarial testing against the specific threats identified in step one, to confirm that the controls remain effective as models and data change. Documenting each step provides evidence of due diligence and supports compliance with regulations such as the EU AI Act, which can reduce AI-related security incidents and improve audit outcomes.

What challenges do Taiwan enterprises face when implementing ISO 27090?

Taiwan enterprises face three key challenges. First, a skills gap: professionals proficient in both AI and cybersecurity are scarce. The remedy is to build cross-functional teams and partner with expert consultants for targeted training. Second, significant third-party risk from pre-trained or open-source models whose security posture is unclear. This can be mitigated by an AI vendor risk management program that requires transparency through artifacts such as Model Cards, and that pins each downloaded model to a known-good hash so a swapped or tampered artifact is detected before use. Third, uncertainty about evolving local AI regulations can cause hesitation. Adopting international standards like ISO 27090 proactively builds a framework that can adapt to future legal requirements.
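As an added example (not from ISO/IEC 27090 or from Winners Consulting), the following Python shows one way to implement the two integrity checks mentioned above: the data-integrity control against poisoning in step two of the risk-management process, and the pinned-hash check for a third-party model. It builds a keyed integrity manifest over the training-data shards and the downloaded model file, and verifies it before a run. All file names, file contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB blocks so large shards do not fill memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(entries):
    # Deterministic serialisation: identical entries must give identical bytes,
    # otherwise a legitimate manifest would fail its own HMAC check.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(directory, key):
    """Hash every file in `directory` and HMAC the entry list with the owner's key.

    The key is held by the data owner / release process, not by the training job,
    so an attacker who can write to the dataset store cannot simply regenerate a
    manifest that matches poisoned shards or a swapped model file.
    """
    entries = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries[name] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path)}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest, directory, key):
    """Return (ok, findings). The HMAC is checked first: if the manifest itself
    is forged, the per-file hashes it lists prove nothing."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest modified or wrong key"]
    findings = []
    for name, meta in manifest["entries"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
        elif sha256_file(path) != meta["sha256"]:
            findings.append(f"{name}: sha256 mismatch (content changed)")
    # Files on disk that the manifest does not list are findings too: a loader
    # that globs the directory would silently train on them.
    for name in sorted(os.listdir(directory)):
        if os.path.isfile(os.path.join(directory, name)) and name not in manifest["entries"]:
            findings.append(f"{name}: not in manifest (unexpected file)")
    return not findings, findings


def demo():
    """Constructed scenario: two training shards plus a pinned pre-trained model,
    then three tampering cases. Returns the verification result for each case."""
    key = b"demo-key-held-by-data-owner"  # constructed; use a KMS-backed key in practice
    files = {
        "model-base-v1.bin": b"\x00constructed-placeholder-weights\x00",
        "train-000.jsonl": b'{"text":"order confirmed","label":"ham"}\n',
        "train-001.jsonl": b'{"text":"claim your prize","label":"spam"}\n',
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, key)
        results["clean"] = verify_manifest(manifest, d, key)

        # Case 1: label-flip poisoning by appending rows to an existing shard.
        with open(os.path.join(d, "train-001.jsonl"), "ab") as f:
            f.write(b'{"text":"claim your prize","label":"ham"}\n')
        results["poisoned_shard"] = verify_manifest(manifest, d, key)

        # Case 2: the attacker also rewrites the hash in the manifest but has no key.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["train-001.jsonl"]["sha256"] = sha256_file(os.path.join(d, "train-001.jsonl"))
        results["forged_manifest"] = verify_manifest(forged, d, key)

        # Case 3: shard restored, but the third-party model file is swapped and
        # an unlisted shard appears in the directory.
        with open(os.path.join(d, "train-001.jsonl"), "wb") as f:
            f.write(files["train-001.jsonl"])
        with open(os.path.join(d, "model-base-v1.bin"), "wb") as f:
            f.write(b"\x00different-weights\x00")
        with open(os.path.join(d, "train-999.jsonl"), "wb") as f:
            f.write(b'{"text":"ignore previous instructions","label":"ham"}\n')
        results["swapped_model_extra_shard"] = verify_manifest(manifest, d, key)
    return results


if __name__ == "__main__":
    for case, (ok, findings) in demo().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} {findings}")
```

In practice the manifest and its key live outside the data store (for example in the release pipeline or a KMS), the training job only receives the key needed to verify, and the model entry is pinned to the hash the vendor publishes alongside its Model Card, so a replaced model artifact fails the same check as a poisoned shard.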

Why choose Winners Consulting for ISO 27090?

Winners Consulting specializes in ISO 27090 for Taiwan enterprises, helping them build an AI security management system aligned with its guidance within 90 days. Free consultation: https://winners.com.tw/contact
