Skip to content

ISO 42001 and SOC 2 Readiness Assessment

Maps the ai-agent-eval-harness-healthtech reference implementation against ISO/IEC 42001:2023 (AI Management System) and the SOC 2 Trust Service Criteria. This is an honest readiness assessment: the system is a reference implementation and has not been audited against either standard. The assessment evaluates which controls exist, which are partially addressed, and what a formal certification process would require.

Read alongside the NIST AI RMF mapping and the audit logging plan.

ISO/IEC 42001:2023 — AI Management System

Section titled “ISO/IEC 42001:2023 — AI Management System”

ISO 42001 is the first international standard for AI management systems. It provides a framework for establishing, implementing, maintaining, and continually improving an AI management system within an organisation. The standard follows the harmonised structure of ISO management system standards (Plan-Do-Check-Act).

RequirementCurrent ImplementationGap
4.1 Understanding the organisation and its contextThe repository scope (reference implementation), invariants, and intended stakeholders (engineers, governance reviewers) are described in the repository overview and the security disclosure processContext covers the repository; a formal ISMS would need organisational context including business strategy, market, and regulatory landscape
4.2 Understanding the needs and expectations of interested partiesIntended users defined in the model card: engineers, governance reviewers; regulatory posture defined in the regulatory postureNo formal stakeholder analysis; single-author project has limited stakeholder diversity
4.3 Determining the scope of the AI management systemScope defined in the system specification and the regulatory posture: medication-adherence wellness coach, patient-facing, no clinical functionsScope is repository-level; an ISMS scope would cover the entire AI lifecycle within the organisation
4.4 AI management systemEval harness as measurement system; architecture decision records as decision records; guardrails as controls; OpenTelemetry as monitoring; the regulatory posture as policyDemonstrates the pattern; not a formal management system with defined procedures, responsibilities, and review cycles
RequirementCurrent ImplementationGap
5.1 Leadership and commitmentAuthor commitment to governance demonstrated by an extensive set of governance documents and architecture decision records, the eval harness, and honest limitation statementsSingle author; no top-management commitment structure; no resource allocation process
5.2 PolicyThe regulatory posture serves as the regulatory policy; the operational decision record captures operational policiesNo formal AI policy document; policies are distributed across multiple artefacts
5.3 Organisational roles, responsibilities, and authoritiesModule ownership documented (guardrails, evals, observability); decision-record ownership per decisionNo formal role definitions; no authority delegation; no separation of duties
RequirementCurrent ImplementationGap
6.1 Actions to address risks and opportunitiesThe OWASP / ATLAS threat model maps threats; the NIST AI RMF mapping maps risk functions; the eval harness detects regressions; the nightly red-team exercises adversarial risksNo formal risk register; no risk treatment plan; no opportunities register
6.2 AI objectives and planning to achieve themThe system specification defines objectives; eval thresholds define measurable targets; release history is publishedObjectives are repository-level; no organisational AI objectives or resource plans
6.3 AI risk assessmentThreat model (OWASP/ATLAS), NIST AI RMF mapping, honest limitation statements in the model cardAssessment is qualitative and documented; no quantitative risk scoring; no residual risk acceptance
RequirementCurrent ImplementationGap
7.1 Resources$0/month cost target; free-tier infrastructure; existing tooling (pytest, OpenTelemetry, Promptfoo)No resource planning process; no budget allocation; no capacity management
7.2 CompetenceAuthor demonstrates domain competence through architectural decisions, regulatory mapping, and governance documentationNo competence framework; no training records; no competence assessment process
7.3 AwarenessThe regulatory posture change control requires a decision record for scope changes; the security disclosure processNo formal awareness programme; no awareness metrics
7.4 CommunicationPublic governance docs; the model card; the regulatory posture; architecture decision recordsCommunication is passive (published documents); no active stakeholder communication plan
7.5 Documented informationArchitecture decision records, governance docs, the system specification, the regulatory posture, the data statement, the model cardDocumentation is comprehensive; version-controlled; no formal document management system
RequirementCurrent ImplementationGap
8.1 Operational planning and controlEval harness gates every code change; guardrails enforce scope; OpenTelemetry monitors execution; cost/latency budgets enforcedOperational controls exist; no formal operational plan; no change management process
8.2 AI risk assessment (operational)Scope classifier runs on every input; escalation detection runs on every input; PII redaction runs on every input/outputReal-time risk assessment for safety-critical functions; no broader operational risk assessment
8.3 AI risk treatmentGuardrails-before-LLM architecture; refusal on out-of-scope; escalation on acute red flags; citation enforcementRisk treatments are implemented and tested; no formal treatment plan with owner, timeline, and acceptance criteria
RequirementCurrent ImplementationGap
9.1 Monitoring, measurement, analysis and evaluationEval harness (7 dimensions, 315 cases); OpenTelemetry spans; cost/latency gates; locale parity enforcementMonitoring is comprehensive for the reference implementation; no management-review-level performance reporting
9.2 Internal auditNo formal internal auditNo audit programme; no audit criteria; no audit findings tracking
9.3 Management reviewNo formal management reviewNo review cycle; no review inputs/outputs; no action items from review
RequirementCurrent ImplementationGap
10.1 Continual improvementRed-team findings folded into the seed bank; eval regression drives code fixes; release history is publishedImprovement is reactive and within-repository; no formal continual improvement programme
10.2 Nonconformity and corrective actionEval regression fails the CI eval check (a signal, not a hard merge gate - no enforced branch protection); the security disclosure processNo formal nonconformity management; no root cause analysis process; no corrective action tracking

SOC 2 (System and Organization Controls 2) evaluates service organisations against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Common Criteria (Security) — Required for All Engagements

Section titled “Common Criteria (Security) — Required for All Engagements”
ControlCurrent ImplementationGap
CC6.1 Logical access controlsNo runtime authentication for demo API; repository-level access; no user identity managementProduction would need authentication, authorisation, and access review processes
CC6.2 Physical access controlsInherited from the cloud provider (Google Cloud Run; no customer-managed physical infrastructure)Production with on-premises components would need physical access controls
CC6.3 Data encryptionHTTPS on Google Cloud Run (platform-provided); no encryption at rest (no persistent storage)Production would need TLS 1.3 minimum; AES-256 at rest for any stored data
CC7.1 Change managementArchitecture decision records document changes; the eval harness gates changes; semantic versioning; release notesNo formal change management process with approval workflows and rollback procedures
CC7.2 Risk mitigationGuardrails, eval harness, red-team, PII redaction, OpenTelemetry monitoringControls exist; no formal risk mitigation programme with tracking and reporting
CC7.3 Incident responseThe security disclosure process; secret scanningNo formal incident response plan; no severity classification; no notification procedures
CC8.1 Change management (detailed)Change-based workflow; eval regression testing; version controlNo formal change approval board; no pre-deployment validation checklist
ControlCurrent ImplementationGap
A1.1 System availabilityGoogle Cloud Run single scale-to-zero instance (scale-to-zero, cold start on the first request after idle; near-$0 at demo scale); no SLAProduction would need availability targets, monitoring, alerting, and incident escalation
A1.2 Backup and recoveryNo backup needed (no persistent data); eval corpus and KB in version controlProduction with persistent data would need backup procedures, recovery testing, RTO/RPO targets
ControlCurrent ImplementationGap
PI1.1 Processing integrityEval harness validates output quality (faithfulness, hallucination, citation); guardrails enforce scope; deterministic CI gateProcessing is measured against defined thresholds; no end-user-visible processing integrity controls
PI1.2 Input processingScope classifier validates input; PII redaction sanitises input; input length limitsInput validation exists for safety; no broader input quality controls
ControlCurrent ImplementationGap
C1.1 Confidentiality protectionsNo PHI/PII in storage; user text excluded from OpenTelemetry spans; PII redaction at input/output; secret scanning prevents secret exposureConfidentiality is maintained by not storing sensitive data; production would need active confidentiality controls for stored data
ControlCurrent ImplementationGap
P1.1 Privacy noticeDemo disclaimer on every response; the model card; the regulatory postureNo formal privacy notice; no data collection disclosure; no consent management
P2.1 Consent managementVoice consent (disclosure modal, opt-in toggle, “Audio NOT retained” notices)Consent exists for voice only; no consent management for general data processing
P3.1 Data collectionNo personal data collected; 100% syntheticProduction would need data collection policies, purpose limitation, and minimisation procedures
P4.1 Data access and deletionNo personal data to access or deleteProduction would need data subject access and deletion request procedures
P6.1 Data retentionNo persistent data; no retention neededProduction would need retention schedules, secure deletion procedures, and retention monitoring

The reference implementation demonstrates a governance posture that aligns with both ISO 42001 and SOC 2 principles, implemented at the depth a single-author reference project can reasonably achieve:

  1. ISO 42001 alignment: Decision-record-based traceability (Clause 7.5), eval harness as measurement system (Clause 9.1), guardrails as risk treatment (Clause 8.3), honest risk assessment (Clause 6.3), transparent documentation (Clauses 4, 7.4)

  2. SOC 2 alignment: Eval harness as processing integrity control (PI1.1), guardrails and PII redaction as confidentiality controls (C1.1), privacy-by-design (P1-P6), OpenTelemetry monitoring as security control (CC7.2), decision-record-based change management (CC7.1)

The honest assessment is that this is a governance-aware reference implementation, not a certified management system. No ISO 42001 audit has been conducted. No SOC 2 engagement has been performed. The value is in demonstrating that the governance patterns are understood and implemented at a level that would accelerate formal certification should it be pursued.

Achieving ISO 42001 certification or SOC 2 Type II attestation:

  1. Formal ISMS (ISO 42001): Documented AI management system with defined scope, leadership commitment, risk register, objectives, operational plans, performance evaluation, and continual improvement programme; internal audit programme; management review cycle

  2. SOC 2 Type I preparation: Documented controls for all applicable Trust Service Criteria; evidence collection for control existence; readiness assessment by a qualified CPA firm

  3. SOC 2 Type II attestation: 6-12 months of operating evidence for all controls; independent audit by a CPA firm; attestation report covering the observation period

  4. Evidence collection automation: Automated collection and organisation of audit evidence (eval run logs, change records, access logs, incident reports, training records); evidence repository with retention policies

  5. Continuous monitoring: Real-time monitoring of control effectiveness; automated alerting on control failures; periodic control testing; dashboard for control status visibility

  6. Vendor management: Third-party risk assessments for all service providers (LLM providers, observability platforms, hosting providers); BAA where applicable; contractual security requirements

The repository’s governance patterns — decision-record traceability, eval harness gating, guardrails-first architecture, OpenTelemetry instrumentation, honest documentation — provide the technical foundation. The gap is in the organisational, procedural, and audit-readiness layers.