ISO/IEC 23894:2023 provides guidance on AI risk management. It is not a security-focused standard, but its guidance slightly overlaps with a small number of HITRUST CSF requirements included in the HITRUST AI Security Assessment and Certification given that security is a key area of risk to an AI system.
HITRUST offers an AI Risk Management Assessment and Insights Report which directly addresses the guidance provided by both ISO/IEC 23894:2023 and the NIST AI Risk Management Framework. Please see this video and this page for more information.
For the benefit of organizations utilizing the HITRUST AI Security Assessment and Certification and ISO/IEC 23894:2023, HITRUST has prepared the following crosswalk. Note that many mappings are labeled as “subset”, as most of the mapped HITRUST CSF requirements focus exclusively on AI security while the accompanying ISO/IEC 23894:2023 guidance should address the entirety of AI risk (not just security).
- Part 5 - Framework
  - 5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
    - Maps to, as a subset: Assign roles and responsibilities for AI
- Part 6 - Risk management process
  - 6.4.2.2 Identification of assets and their value
    - Maps to, as a subset: Inventory deployed AI systems
    - Maps to, as a subset: AI data and data supply inventory
  - 6.4.2.3 Identification of risk sources
    - Maps to, as a subset: Identifying security threats to the AI system
  - 6.4.2.4 Identification of potential events and outcomes
    - Maps to, as a subset: Identifying security threats to the AI system
  - 6.4.2.5 Identification of controls
    - Maps to, as a subset: Threat modeling
    - Maps to, as a subset: Additional training data measures
  - 6.5.2 Selection of risk treatment options
    - Maps to, as a subset: Threat modeling
    - Maps to, as a subset: Additional training data measures
  - 6.6 Monitoring and review
    - Maps to, as a subset: Security evaluations such as AI red teaming
- Annex A
  - A.2 - Accountability > Last paragraph > First two sentences
  - A.2 - Accountability > Last paragraph > Last sentence
  - A.9 - Robustness
    - Maps to: Model robustness
  - A.11 - Security