
ISO/IEC TR 24028:2020 – Artificial Intelligence

What is ISO/IEC 24028?

ISO/IEC TR 24028:2020 is a technical report that provides a foundational overview of trustworthiness in artificial intelligence (AI) systems. It offers definitions and a conceptual framework to help organizations understand how AI systems can be made secure, reliable, and accountable throughout their lifecycle.


This technical report helps policymakers, developers, auditors, and organizational leaders recognize the critical attributes of trustworthy AI, including transparency and ethics.

With AI being deployed across sensitive and high-impact domains such as healthcare and public administration, ISO/IEC TR 24028 is increasingly becoming a reference framework for aligning AI development with safety, security and societal expectations.

Looking to integrate trustworthy AI principles into your ISO/IEC 27001 or ISO/IEC 42001 management system? Contact support@pacificcert.com

Scope and Applicability

ISO/IEC TR 24028 provides guidance on defining and assessing trustworthiness attributes of AI systems by identifying associated risks and dependencies across the AI lifecycle. The report is relevant to a wide range of stakeholders, including AI system developers, IT risk managers, auditors, regulatory bodies, and system integrators. It is particularly useful in domains where the use of AI must be auditable and compliant with legal and ethical standards.

This technical report supports integration into Information Security Management Systems (ISMS) and emerging AI Management Systems (AIMS) such as ISO/IEC 42001.

Key Definitions in ISO/IEC 24028

  • Trustworthiness: The degree to which a system performs its intended function while protecting against security, safety, privacy, and ethical risks
  • Transparency: The ability to interpret, explain, and understand AI decisions and data flows
  • Reliability: The consistency of an AI system’s performance under specified conditions
  • Robustness: The capacity of an AI system to maintain its integrity in the presence of noise, attacks, or uncertainty
  • Resilience: The ability of an AI system to recover and adapt after disruptions or adversarial events
  • Fairness: Ensuring that AI systems do not produce discriminatory, biased, or harmful outcomes

Structure and Conceptual Framework of ISO/IEC 24028

This technical report is structured around a multi-dimensional view of trustworthiness. It categorizes trust-related concerns into key areas:

  • Security. Attributes covered: cybersecurity, access control, data integrity. AI-specific focus: AI-specific threat models, adversarial attacks.
  • Privacy. Attributes covered: data minimization, user consent, anonymization. AI-specific focus: AI training data, user profiling, facial recognition.
  • Safety. Attributes covered: risk of physical or psychological harm. AI-specific focus: autonomous systems (e.g., drones, vehicles, robotic surgery).
  • Reliability & Robustness. Attributes covered: performance consistency under varying or unexpected conditions. AI-specific focus: model degradation, black-box behaviors, model drift.
  • Transparency & Explainability. Attributes covered: clarity of inputs, outputs, decision logic. AI-specific focus: Explainable AI (XAI), audit trails, traceability.
  • Accountability & Ethics. Attributes covered: compliance with legal norms, ethical alignment. AI-specific focus: bias detection, fairness auditing, human oversight.

These dimensions form the foundation of AI risk assessment and governance strategies.

Implementation Considerations Based on ISO/IEC 24028

The technical report encourages organizations to:

  • Conduct risk assessments targeting the full AI system lifecycle
  • Define trustworthiness objectives tied to business and societal expectations
  • Apply security and privacy-by-design principles in AI development
  • Incorporate fail-safe and fallback mechanisms in AI deployments
  • Ensure traceability and auditability through data and model documentation
  • Address bias and fairness in datasets, algorithms, and outcomes
  • Provide human oversight and accountability in AI decision-making loops

These considerations align closely with the Annex A controls of ISO/IEC 27001 and the clauses of ISO/IEC 42001.

Want to integrate these principles into your ISMS or AI governance system? Contact support@pacificcert.com.

What are the requirements of ISO/IEC 24028?

As a technical report, ISO/IEC TR 24028 offers guidance rather than auditable requirements. Organizations that reference it in audits or internal governance should nonetheless document:

  • AI risk and threat modeling reports
  • AI system design documentation with embedded security and privacy features
  • Bias evaluation reports and fairness audit logs
  • Model validation records and explainability documentation
  • User consent and data processing agreements (for privacy)
  • Incident response protocols specific to AI systems
  • Records of human review and decision overrides

Want audit-focused documentation support aligned with ISO/IEC 27001 or ISO/IEC 42001? Email support@pacificcert.com.

What are the benefits of ISO/IEC 24028?

  • Enables development of secure and resilient AI systems that withstand internal and external threats
  • Enhances stakeholder confidence through structured trust and transparency mechanisms
  • Supports compliance with AI regulations, such as the EU AI Act and national data ethics policies
  • Aligns with risk-based frameworks such as ISO/IEC 27001, ISO/IEC 42001, and NIST AI RMF
  • Builds a governance-ready AI environment suitable for audits, public scrutiny, and high-risk use cases
  • Promotes fairness, inclusiveness, and ethical accountability in AI design and outcomes
  • Enables traceability and explainability, vital for legal, operational, and customer-centric use cases
  • Strengthens incident response and recovery capabilities for AI-specific risks
  • Facilitates integration into cross-industry AI systems, from finance and healthcare to government and defense


Trustworthiness has become a critical pillar of AI deployment across sectors. With increasing regulatory developments, including the EU Artificial Intelligence Act, OECD AI Principles, and U.S. Executive Orders on AI governance, organizations are expected to document, audit, and govern AI behavior rigorously.

ISO/IEC TR 24028 is increasingly cited by policymakers, technical working groups, and ethics committees as the baseline for defining trustworthy AI. Companies developing high-risk AI systems (medical diagnostics, financial scoring, autonomous vehicles) are aligning this technical report with ISO/IEC 27001, ISO/IEC 42001, and ISO/IEC 27701 to demonstrate security, privacy and ethical readiness.

Furthermore, trust metrics are being embedded into AI procurement processes, insurance assessments, and investor risk evaluations. Organizations that adopt ISO/IEC TR 24028 principles position themselves as responsible and resilient AI leaders in an increasingly regulated digital world.

Want to align your AI practices with global trust and security standards? Contact support@pacificcert.com.

How Pacific Certifications Can Help?

As a certification body, Pacific Certifications offers accredited audit and certification services for:

  • Assessment of AI risk governance and security controls under ISO/IEC 27001
  • Verification of AI trust principles embedded into ISO/IEC 42001-based management systems
  • Documentation audits for explainability, accountability, and transparency
  • Support for cross-standard certification involving AI, data protection, and cybersecurity

To integrate ISO/IEC TR 24028 guidance into your certified systems, contact support@pacificcert.com.

FAQ: ISO/IEC 24028

Is ISO/IEC TR 24028 a certifiable standard?
It is a technical report offering guidance and definitions, not a certifiable management system.

How does it relate to ISO/IEC 27001?
It provides AI-specific trustworthiness attributes that can be applied to ISMS risk treatment plans and controls.

Which industries does it apply to?
Healthcare, finance, government, mobility, defense, and any industry deploying high-impact AI systems.

Does it support regulatory compliance?
Yes. It aligns with legal and ethical frameworks for AI governance and supports documentation required under the GDPR, the EU AI Act, and others.

Does Pacific Certifications certify against ISO/IEC TR 24028?
No. But we assess its alignment as part of our ISO/IEC 27001 and ISO/IEC 42001 certification audits.


Ready to align your AI systems with ISO/IEC TR 24028?

Contact Pacific Certifications to begin your certification journey today!
