ISO 42001 Supplier & Third-Party AI

    Overview

    Draft supplier and third-party AI evaluation, contracts, and documentation for ISO/IEC 42001:2023.

    Getting Started

    Add your source materials to the project workspace, then activate the ISO 42001 Supplier & Third-Party AI skill. The agent will guide you through the process step by step.

    Example conversation

    You: We’re evaluating a third-party AI API for [e.g. content moderation]. We need a procedure for evaluation, contracts, and ongoing monitoring for ISO 42001.

    Agent: I’ll draft the supplier/third-party AI procedure and templates using the skill reference. I’ll cover how we evaluate third-party AI (due diligence, risk assessment), contractual requirements (AI governance, incident notification, data, compliance), security and assurance expectations, and ongoing monitoring. I’ll add an evaluation and risk assessment template and link to the risk register and SoA third-party controls.

    Output excerpt

    Supplier and third-party AI excerpt

    Evaluation — Before adoption: due diligence (vendor, product, support); capability and limitation assessment; AI-specific risk assessment (bias, transparency, data, compliance). Checklist: [e.g. questionnaire]. Approval: [e.g. AIMS owner + procurement]. Record: evaluation result and risk assessment.

    Contractual requirements — Contracts for AI products/services include: AI governance and acceptable use; incident notification (e.g. within [X] days); data processing (lawful basis, retention, sub-processors); compliance (e.g. EU AI Act if applicable); audit/assurance rights. Ref: [e.g. standard clauses or legal template].

    Security and assurance — We require [e.g. SOC 2 or equivalent] where relevant; [e.g. data residency]. Assurance evidence reviewed [e.g. annually].

    Ongoing monitoring — [e.g. Quarterly or on incident]: performance; incidents; contract compliance; reassessment if material change. Findings feed risk register and management review.

    Records — Retain: vendor; product; evaluation date; risk assessment; contract reference; assurance evidence; monitoring log.

    Extension and validation

    This skill does not include custom validation tools. Elaboration is guided by the skill workflow and reference materials.
