This checklist assesses the organization's secure AI model development practices, vulnerability testing, and model security controls based on ISO 42001, CIS Controls, and NIST CSF frameworks.
| Organization Name: | Assessment Date: | ||
|---|---|---|---|
| Assessor Name: | Assessment Type: | Pre-Engagement / Post-Engagement |
| Status | Description |
|---|---|
| Compliant | The organization fully meets the requirements of the control. |
| Partially Compliant | The organization partially meets the requirements of the control. |
| Non-Compliant | The organization does not meet the requirements of the control. |
| Not Applicable | The control is not applicable to the organization's environment. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.1 | The organization has implemented a secure AI model development lifecycle that includes security requirements, threat modeling, and security testing at each phase. |
Implement a secure AI model development lifecycle that includes security requirements, threat modeling, and security testing at each phase. Document the lifecycle process and ensure it is followed for all AI model development. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.2 | The organization has established standardized documentation practices for AI models, including architecture, parameters, training methods, and version control. |
Establish standardized documentation practices for AI models, including architecture, parameters, training methods, and version control. Implement a model registry or repository to maintain documentation and version history. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.3 | The organization has implemented comprehensive security testing for AI models, including adversarial testing, input validation, and output filtering. |
Implement comprehensive security testing for AI models, including adversarial testing, input validation, and output filtering. Develop a testing framework specific to AI models and document testing results. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.4 | The organization has developed and implemented a supply chain risk management program for AI components, including vendor assessment and component verification. |
Develop and implement a supply chain risk management program for AI components, including vendor assessment and component verification. Establish criteria for evaluating third-party AI components and services. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.5 | The organization has established formal processes for secure model updates, including testing, approval, and rollback capabilities. |
Establish formal processes for secure model updates, including testing, approval, and rollback capabilities. Implement a change management process specific to AI models and ensure all updates are properly tested before deployment. |
| Control ID | Control Description | Compliance Status | Evidence | Remediation |
|---|---|---|---|---|
| MODEL-3.6 | The organization has implemented a program for regular security assessments of third-party AI models, including documentation review, testing, and compliance verification. |
Implement a program for regular security assessments of third-party AI models, including documentation review, testing, and compliance verification. Develop assessment criteria and schedules for third-party AI models used by the organization. |
| Total Controls | Compliant | Partially Compliant | Non-Compliant | Not Applicable | Compliance Score |
|---|---|---|---|---|---|
| 6 | 0 | 0 | 0 | 0 | 0% |
| Assessor Signature: | Date: | ||
|---|---|---|---|
| Client Signature: | Date: |