This project aims to provide methodological tools for managing AI-related risks.
A presentation is provided in .pdf and .pptx formats.
It comprises a set of documents, developed collaboratively and under continuous improvement.
It is intended to fit in with existing approaches within organizations, notably system certification processes. However, some or all of these documents may also be used directly, together or separately.
The backlog is currently the following (using MoSCoW prioritization: (M) Must have | (S) Should have | (C) Could have | (W) Won't have):
| Documents | Added value | Limits | Actions on documents | Actions on references |
|---|---|---|---|---|
| General | Global approach, needed by organizations | - Institutions are not legitimate on a wide global scope<br>- [Règlement IA] scope is ambiguous and might be diverted<br>- Currently only in French | - (M) Explain (new document?) how to factorize actions and deliverables in order to comply with different regulations by implementing our tools<br>- (S) Promote the problem statement and the approach<br>- (S) Translate into English | None identified |
| 1. Risk management method | 1. Huge: simple, pragmatic, global, flexible | - May appear as focused on EBIOS only | - (M) Split step 1 to get a new step characterizing the use case (in order to filter reference documents and tools) OR rename it<br>- (M) Add a reference to [ISO/IEC 27090] for attacks and controls<br>- (S) Describe the method using [ISO 31000] and/or [ISO/IEC 27005]<br>- (C) Better explain that the starting tools are existing ones | - (M) (ongoing) Contribute to current working documents (EU draft on risk management, [Guide de France IA])<br>- (S) Contribute to the reference documents (e.g. [ISO/IEC 23894], [ISO/IEC 42001]) when revised |
| 2. Use cases and functionalities | 3. Low: illustrating | - Controversial<br>- Difficult to use and maintain | - (S) Clarify the use of this document in its scope<br>- (S) Link to [ISO/IEC 42102] | - (W) Try to make [ISO/IEC 24030] available for free |
| 3. Best practices | 2. High: global, merging, extensible, synthetic, redirecting to detailed references | - Very wide<br>- No worldwide consensus on trust criteria, neither on their label (objectives, principles, criteria, sections, etc.) nor on their list<br>- Could be redundant with other references | None identified | - (S) Contribute to [ISO/IEC 42001] (objectives and structure) when revised<br>- (C) Determine the most effective way to converge (e.g. through ISO/JTC1/SC27 or MITRE) |
| 4. Reference documents | 2. High: centralized, focused on standards | None identified | - (M) Add [ISO/IEC 42102]<br>- (S) Add a section to explain the rules for positioning new references in the cartography<br>- (C) Briefly show the main added values and limits of each reference | None identified |
| Presentation | 2. High: simply presenting the issues and the project | - Controversial | - (M) Explain how this work helps at factorizing actions and deliverables<br>- (S) Add an annex on the cartography | None identified |
These documents are licensed under a Creative Commons Attribution 4.0 International License.
