examstrack logo
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
Based on Scenario 2, has Empsy HR Solutions established a suitable internal audit program?
At which stage of the audit process is materiality assessed and determined?
Which control in Annex A of ISO 42001:2023 focuses on the need for stakeholder engagement in AI system development?
What did the audit team use to assess the implementation of AI-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements? Refer to Scenario 6
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
Based on Scenario 2, was the awareness session conducted in accordance with the requirements of Clause 7.3 Awareness of ISO/IEC 42001?
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment services to its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into the bank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, or unethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would either confirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review of selected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure, focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated into ArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customer service in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMS life cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’s operational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between the two parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed the company's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case of expected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Did Audrey conduct the audit process for the outsourced operation correctly? Refer to Scenario 3.
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
What type of audit is described in the last paragraph of Scenario 9?
Which core element focuses on ensuring that the creators and operators of AI systems are responsible for the outcomes and impacts of those systems?
Based on Scenario 5, which of the following should NOT be Jonathan's responsibility?
Scenario 5: Alterhealth is a mid-sized technology firm based in Toronto. Canada. It develops Al systems for healthcare providers, focusing on improving patient care,
optimizing hospital workflows, and analyzing healthcare data for insights that can improve health outcomes. To ensure responsible and effective use of Al in its
operations, Alterhealth has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in place, the
company decided to apply for a certification audit to obtain certification against ISO/IEC 42001.
The company contracted a certification body to conduct the audit, who assembled the audit team and appointed the audit team leader. The audit team leader had
conducted a certification audit at Alterhealth in the past. The top management of Alterhealth decided to reject the appointment of this auditor because they believed
that they would not receive added value from the audit. In response, the certification body appointed Jonathan, an independent auditor with no prior engagements with
Alterhealth, as the new audit team leader. Jonathan's introduction marked the beginning of a collaborative process aimed at evaluating the conformity of the AIMS to
ISO/IEC 42001 requirements.
The certification body determined the audit scope, which included only specific departments essential to the integration and application of Al, such as the Al Research,
Machine Learning Applications, and Al Ethics and Compliance Departments, and did not cover all of the departments covered by the AIMS scope. Meanwhile,
Alterhealth determined the audit time, setting the necessary time frame for planning and conducting a thorough and effective review to ensure all aspects of the AIMS
within the selected departments were meticulously reviewed.
Afterward, Jonathan received a detailed offer from the certification body, outlining his role and including information related to the audit, such as the audit's duration,
team members, their responsibilities, the limits to the audit engagement, and their salary compensation. With a clear mandate, Jonathan was tasked with a multitude
of responsibilities: defining the audit objectives and criteria, planning the audit process, identifying and addressing audit risks, managing communication with
Alterhealth, overseeing the audit team, and ensuring a smooth and conflict free execution.
With Jonathan's leadership and a well-defined audit framework in place, the certification audit proceeded with a structured and objective evaluation of Alterhealth's
AIMS.
Question:
During the annual ISO/IEC 42001 audit at a financial company, the auditor selected and analyzed a sample of 5 out of 25 follow-up nonconformity reports to assess whether the company adheres to its follow-up process. What type of evidence did the auditor gather?
|
PDF + Testing Engine
|
|---|
|
$66 |
|
Testing Engine
|
|---|
|
$50 |
|
PDF (Q&A)
|
|---|
|
$42 |
PECB Free Exams |
|---|
|
Copyright © 2025 Examstrack. All Rights Reserved
TESTED 16 Sep 2025
