Information Security and Artificial Intelligence Governance Standard

A project normative framework for LA / AI environments and the CAISO function

Introductory Note

This standard defines the minimum governance, technical and organisational controls required to protect information security when an organisation creates, deploys, operates, changes, or retires artificial intelligence systems.

It is designed as an internal normative document. It states what must be done, who is responsible, what evidence must exist for audit, and which regulatory and standards-based sources should be used when managing AI systems.

Summary

  1. This document separates general information security requirements from AI-specific EU regulatory and standardisation requirements.
  2. The document is structured as an internal standard with purpose, scope, mandatory controls, responsibilities, and audit evidence.
  3. CAISO is treated as a recommended horizontal second-line governance function for AI security, AI risk, and accountability.
  4. Because the harmonised European standards linked to the AI Act are still being developed, the practical interim baseline should rely on ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 38507, ISO/IEC 42005, and the ISO/IEC 27001 family.

Note on the term "LA": In this project, "LA" is used as an internal client term for an AI / algorithmic / digital information environment. If the organisation uses another official expansion of the abbreviation, only the terminology section must be edited; the normative content should remain unchanged.

Explore the Standard

Purpose & Scope

Defines what this standard covers, its intended use, and key terminology.

EU Regulatory Framework

General baseline, AI-specific, and sectoral regulatory layers mapped for AI security.

Standards Analysis

ISO/IEC information security and AI-specific standards with prioritisation guidance.

Mandatory Controls

Core governance, technical, and organisational controls for AI systems.

CAISO Function

Definition, placement, mandate, and responsibilities of the CAISO role.

RACI & KPI

Responsibility matrix, function relationships, and key performance indicators.

Implementation Roadmap

Three-phase plan from governance foundations to mature compliance.

Compliance Matrix

Quick-reference matrix mapping regulations and standards to ownership.

References

Official EU and ISO/IEC sources used throughout this standard.

Certification Program

Executive CAISO certification: eligibility, body of knowledge, assessment, and maintenance.