Implementing an ISO Standard Using AI – An Introduction

You could be forgiven for thinking that artificial intelligence (AI) was invented a couple of years ago almost overnight, such was the media frenzy surrounding OpenAI’s launch of ChatGPT. But to be fair, the fact that OpenAI made their system publicly available meant that what was previously perceived as something that quietly inhabited the Computer Science labs at universities, suddenly went mainstream.

Since then, AI has been bubbling away in the background of public and business perception, as governments and legislators race to create some kind of framework to ensure that things don’t get too far out of hand. In the meantime, the technology continues to improve in leaps and bounds and applications for AI are blossoming daily.

Even in the sober and sensible area of ISO standards implementation, the potential to use AI to help with the creation of a management system is being recognised. In this article, we look at how a common example of an AI, ChatGPT, can be used to assist an organization with the various components required to achieve certification to an ISO standard, whether that’s ISO 9001 (quality), ISO 27001 (security) or ISO 14001 (environmental).

First, let’s talk about ChatGPT and GPT 3.5

Before we discuss how AI can help, let’s clarify what it is we’ll be using to represent AI in this case. There are a number of tools we could make use of, including Google’s Gemini (formerly known as Bard), and GPT 4, also from OpenAI. We’ve chosen to use the version of ChatGPT which uses the OpenAI model known as GPT 3.5. Whilst this is an earlier version than GPT 4, it has the advantage that it’s free to use and so you will be able to do everything we describe, without giving OpenAI any money.

And What It CAN’T Do…

ChatGPT using GPT 3.5 was released in December 2022 and has been trained on events up to January 2022 (so far), so it doesn’t know about anything that happened after that month. In terms of helping with an ISO implementation, that could be a problem depending on the standard you’re looking to implement. For example, the ISO/IEC 27001 information security standard was updated in October 2022, so GPT 3.5 doesn’t know about it yet. This means that the advice it gives about Annex A controls will refer to the 2013 version of the standard, which is slightly unhelpful.

There are some other areas that ChatGPT won’t help with for various reasons. Examples are obtaining the full text of a standard (because it’s copyright material) and getting detailed legal advice (although general lists of legislation are ok).

There’s also the “hallucination problem”. Sometimes if ChatGPT doesn’t know an answer it makes it up. This makes it challenging to trust ChatGPT and means that you’ll sometimes need to check the information provided via another source. Disappointing I know, but I suppose sometimes humans get it wrong too.

Lastly, be aware that the model is constantly learning, and any information you provide to it will become part of the learning process. So be careful about how you interact with ChatGPT and avoid telling it anything that might be deemed confidential or is of high value to your organization. This will include third party copyright materials which shouldn’t be uploaded en masse.

Getting the most out of ChatGPT

Even with AI, the old adage of “garbage in, garbage out” still applies. AI may be intelligent, but it’s not psychic (yet). So to get the most useful output from the model you’ll need to be specific. And it’s ok to be fussy too, so if an answer isn’t quite what you wanted, feel free to be more demanding. The more you tell ChatGPT about what exactly you need, the better the results will be. As a minimum, you should tell the model what your organization does. Further details will depend on the standard you’re implementing; for example, if it’s ISO 14001, then the main materials used in production will be helpful.

Now that the main limitations are out of the way, let’s talk about what ChatGPT CAN do for you.

General education and clarification

At the highest level, using ChatGPT is like having a knowledgeable friend sitting next to you. You can ask it questions about how to approach the different areas of an ISO management system and clarify your thinking around concepts such as process, risk and customer focus. In this respect, ChatGPT is similar to performing a search on Google, but answers are more direct rather than being a selection of links for you to choose between. The more you talk to it, the more it knows about you and can make better suggestions, so don’t be shy. This can help with fulfilling the competence and awareness requirements for a number of different standards.

Creating and tailoring documentation

If you know that a document is needed to cover a particular area of your management system, then ChatGPT can help with producing a first draft of suggested content. Better yet, if you’re starting from an existing human-written draft (for example from a CertiKit toolkit) then ChatGPT can be useful in tailoring that content to be more specific to your organization. Factors such as the industry in which your organization operates, the products and services it produces and the technology it uses can be taken into consideration and the text amended or added to accordingly.

Generating ideas

If you’re not sure what’s required within some of the clauses of an ISO standard, then ChatGPT can help by giving you ideas for content. Again, being specific will yield more useful results, but this could help in areas such as context, internal and external issues, and the needs and expectations of interested parties, to name but a few. Use ChatGPT as an “imagination-booster” when your own inspiration is flagging.

Risk and Opportunity Assessment

For an event-based risk assessment, one of the most difficult tasks can be thinking of relevant risks to start with. This is an area where AI can help; again, the key is to provide as much context as possible so that the suggestions are as relevant as they can be. Specifying the required number of risks and even asking for the controls that might address them are also helpful. Note that for the ISO 27001 standard, only controls from the 2013 version of the standard will be suggested because, as far as ChatGPT is concerned, the 2022 version hasn’t happened yet.

Other Areas

It can be difficult sometimes to think of appropriate objectives for your management system, and ChatGPT (again, with a little context provided) can be helpful with this task. More technical areas such as creating a register of applicable legislation can also be facilitated by AI subject to the proviso that recent updates will not be covered.

Further Potential

If you’re prepared to invest a little cash with OpenAI then this can get you access to the latest version of GPT (version 4), along with the ability to create custom GPTs which can be trained by you (including limited upload of relevant information and API calls to external services) and deployed internally. It’s relatively early days for these and they do have their own limitations, but the door is well and truly open to integrating AI into many of the areas involved with ISO management systems. So far we’ve been talking about small islands of AI but as these become connected into the organization’s other systems over time, then more powerful activities (such as automated internal auditing and dynamic risk assessment) become possible.

In Summary

This introduction to the usefulness of AI in implementing an ISO management system has focused on using ChatGPT as an advisor to achieve relevant tasks. There are still significant limitations in the current models, which mean that human input remains important to ensure that what is produced is correct and up to date. Given the rapid pace of development, however, these restrictions are certain to lessen, and implementors will become ever more used to calling on AI capabilities as a matter of course.

Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).


How can CertiKit help with your ISO Implementation?

CertiKit’s ISO Toolkits and ISO Services are available to help you understand and implement your chosen ISO standard(s). The toolkits include easy-to-understand templates and guides, plus a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.

Click the links to find out more about the ISO Toolkits and ISO Services.
