This project aims to provide methodological tools for managing AI-related risks.
A presentation is provided in .pdf and .pptx formats.
It comprises a set of documents, developed collaboratively and under continuous improvement:
- risk management method;
- trust criteria;
- best practices;
- usecases and functionalities;
- reference documents.
It is intended to fit in with existing approaches within organizations, notably system certification processes. However, some or all of these documents may also be used directly, together or separately.
The backlog is currently the following (using MoSCoW priorization: (M) Must have | (S) Should have | (C) Could Have | (W) Won't have):
| Documents | Added value | Limits | Actions on documents | Actions on references |
|---|---|---|---|---|
| General | Global approach, needed by organizations | - Institutions are not legitimate on a wide global scope - [Règlement IA] scope is ambiguous and might be diverted - Currently only in French |
- (S) Promote the problematic and the approach - (S) Translate into English |
None for now |
| Risk management method | 1. Huge: simple, pragmatic, global, flexible | - May appear as focused on EBIOS only | - (M) Add a reference to [ISO/IEC 27090] for attacks and controls - (S) Try to describe the method using [ISO 31000] and/or [ISO/IEC 27005] - (C) Better explain that the starting tools are existings ones |
- (S) Contribute to the reference documents (e.g. [ISO/IEC 23894], [ISO/IEC 42001], EU draft on risk management, [Guide de France IA]) when created or revised |
| Best practices | 2. High: global, merging, extensible, synthetic, redirecting to detailed references | - Very wide - Could be redundant with other references |
None for now | - (M) Add a reference to [ISO/IEC 27090] - (M) Add more appropriate references for safety - (C) Determine the most effective way to converge (e.g. thru ISO/JTC1/SC27 or MITRE) |
| Reference documents | 2. High: centralized, focused on standards | None identified | - (M) Add a section on the cartography (landscape/architecture) - (M) Choose and add safety reference(s) - (S) Add a section to explain the rules for positionning new references in the cartography - (C) Shortly show the main added values and limits of each reference |
None for now |
| Presentation | 2. High: simply showing the problematics and the project | - Controversial | - (M) Add an annex on the cartography | None for now |
| Usecases and functionalities | 3. Low: illustrating | - Controversial - Difficult to use and maintain |
- (S) Clarify the use of this document in its scope | - (W) Try to make [ISO/IEC 24030] available for free |
| Trust criteria | 3. Low: structuring, aligning | - No worldwide consensus neither on the label (objectives, principles, criteria, sections, etc.) nor on the list | None for now | - (S) Contribute to [ISO/IEC 42001] when revised |
Those documents are licensed under a Creative Commons Attribution 4.0 International License.
