icon icon

AI Act, ISO 27001, ISO 42001 and SZBI (ISMS) in Practice – Regulations, System Elements and Implementation

icon

Training process

Training needs analysis

If you have specific requirements regarding the training programme, we will carry out a training needs analysis for you. This will guide us on which aspects of the programme should receive greater emphasis, so that the training programme meets your specific needs.

What will you gain?

icon

Align AI with security - You will learn how to connect IT security and AI governance in one operating model, making it easier to assign ownership, define processes, and set practical priorities across the organization.

icon

Understand regulatory duties - You will turn AI Act, NIS2, KSC, ISO 27001, and ISO 42001 requirements into clear business obligations, so you can assess their impact on your organization and projects faster.

icon

See the full ISMS picture - You will understand the core parts of an effective ISMS, from policies and risk to access, incidents, and BCP/DR, so you can design one coherent system instead of isolated activities.

icon

Structure AI governance - You will learn how to classify AI systems by risk, oversee models, and identify issues linked to data, LLMs, and prompts, so you can roll out AI solutions in a safer, controlled way.

icon

Clarify roles and ownership - You will see how to split responsibilities between the CISO, DPO, and AI Governance Lead and build a clear RACI model, reducing decision gaps, overlaps, and confusion in daily work.

icon

Assess risks more effectively - You will practice identifying IT and AI risks, choosing assessment methods, and planning safeguards, which will help you respond more effectively to incidents and crisis scenarios.

icon

Build a practical roadmap - You will learn how to run a gap analysis, set priorities, create an implementation roadmap, and prepare documentation, so you can move from compliance demands to structured execution.

icon

Measure organizational maturity - During the workshop, you will assess your organization’s maturity level, identify key gaps and risks, and draft an initial action map tailored to your company’s real operating context.

Training programme

1. Current regulatory landscape: AI Act, NIS2/KSC, GDPR and ISO standards

  • AI Act as a key regulation concerning artificial intelligence in the European Union,
  • current AI Act implementation schedule:
    • entry into force of the AI Act,
    • prohibited AI practices,
    • obligations in the field of AI literacy,
    • obligations concerning general-purpose models / GPAI,
    • application of most provisions from 2 August 2026,
    • transitional periods for selected high-risk systems,
  • NIS2 and the amendment of the National Cybersecurity System – impact on organizations,
  • GDPR, personal data protection and privacy in AI projects,
  • ISO 27001 as the foundation of the information security management system,
  • ISO 42001 as the standard for the artificial intelligence management system / AIMS,
  • links between the AI Act, ISO 27001, ISO 42001, ISMS/ISMS, DORA, CRA, Data Act and other regulations,
  • how to approach regulatory compliance in a practical way, and not exclusively a formal one.

2. AI Act in practice – obligations of organizations using AI

  • who is covered by the AI Act provisions: providers, deployers, importers, distributors and users of AI systems,
  • the role of the organization as a deployer, user or provider of an AI system,
  • risk-based approach – classification of AI systems:
    • unacceptable risk systems,
    • high-risk systems,
    • limited-risk systems,
    • minimal-risk systems,
  • examples of high-risk systems in HR, education, finance, public services, critical infrastructure and security,
  • obligations regarding human oversight of AI systems,
  • documentation, instructions for use, AI system registers and post-deployment monitoring,
  • transparency and informing users about the use of AI,
  • AI literacy – the obligation to develop the competencies of persons using AI,
  • the organization's responsibility for decisions supported or automated by AI,
  • preparing the organization for an AI Act compliance audit.

3. ISO 27001 and ISMS/SZBI – systemic information security management

  • what ISMS/SZBI is and what role it plays in the organization,
  • the structure of ISO 27001 and the process approach,
  • the context of the organization, stakeholders and the scope of the ISMS,
  • information security policy,
  • roles, responsibilities and leadership in the information security management system,
  • management of information assets,
  • information classification and rules for handling data,
  • information security risk management,
  • selection of organizational, technical and physical controls,
  • monitoring, measurement, internal audits and improvement of the ISMS,
  • integration of ISO 27001 with the requirements of the AI Act, NIS2/KSC and ISO 42001.

4. ISO 42001 – artificial intelligence management system / AIMS

  • what ISO 42001 is and why it is important for organizations using AI,
  • AIMS – Artificial Intelligence Management System as a complement to the ISMS/SZBI,
  • the scope of the AI management system in the organization,
  • AI policy and artificial intelligence management objectives,
  • roles and responsibilities in the AI governance system,
  • management of risks and opportunities related to AI,
  • assessment of the impact of AI systems on the organization, users and stakeholders,
  • oversight of the AI systems lifecycle: design, procurement, implementation, use, monitoring and withdrawal,
  • transparency, explainability, data quality and accountability,
  • oversight of suppliers of AI solutions,
  • the connection of ISO 42001 with the requirements of the AI Act,
  • how to combine AIMS with an existing ISMS based on ISO 27001.

5. Integration of ISMS/ISMS with AI governance

  • why ISO 27001 alone is not sufficient when implementing AI,
  • how to extend the existing information security system with an AI governance component,
  • common elements of ISO 27001 and ISO 42001:
    • risk management,
    • policies and procedures,
    • roles and responsibilities,
    • audits,
    • monitoring,
    • improvement,
    • documentation,
  • differences between information security and AI management,
  • how to build a coherent management model: compliance, IT, security, DPO, HR, business and management board,
  • AI systems register and AI risk register,
  • process for approving new AI tools in the organization,
  • criteria for allowing generative AI tools for business use,
  • AI accountability model in the organization.

6. AI cybersecurity and new technological risks

  • threats resulting from the use of generative AI tools,
  • prompt injection – the risk of manipulating commands and model responses,
  • Data leakage – data leaks through public and uncontrolled AI tools,
  • Shadow AI – unauthorized use of AI by employees,
  • Phishing, spear phishing and social engineering supported by AI,
  • Deepfake, voice cloning and false content generated by AI,
  • risks related to AI agents and action automation,
  • attacks on AI models: poisoning, evasion, model extraction, jailbreak,
  • risks of integrating AI with email, CRM, ERP, documents, code repositories and knowledge bases,
  • security of training data, input data and output data,
  • how to include AI risks in the ISMS risk analysis,
  • control mechanisms limiting the risks of generative AI.

7. Data, GDPR and confidentiality of information in AI projects

  • personal data, sensitive data, confidential data and trade secrets in the context of AI,
  • what should not be provided to public AI tools,
  • data minimization and privacy by design,
  • data anonymization and pseudonymization before using AI,
  • profiling and automated decision-making,
  • data protection impact assessment / DPIA in AI projects,
  • AI and the rights of natural persons,
  • the relationship between the DPO, the IT department, compliance and the business process owner,
  • data management throughout the entire life cycle of the AI system,
  • practical examples of breaches related to the improper use of AI.

8. NIS2/KSC and the cybersecurity resilience of the organization

  • the most important assumptions of NIS2 and their impact on organizations,
  • the amendment to KSC as the implementation of NIS2 requirements in the Polish legal order,
  • essential and important entities – the significance of the classification of organizations,
  • organizational and technical obligations in the field of cybersecurity,
  • cybersecurity risk management,
  • incident management and reporting obligations,
  • security of the supply chain and ICT service providers,
  • business continuity, operational resilience and incident response,
  • the role of SZBI/ISMS in preparing the organization for NIS2/KSC requirements,
  • how to take AI risks into account in the organization's cyber resilience program.

9. AI and information security documentation, policies and procedures

  • what documents are worth having in an organization using AI,
  • AI usage policy,
  • information security policy,
  • AI tools approval procedure,
  • AI systems register,
  • AI risks and information security risks register,
  • instructions for users of AI tools,
  • rules for using data in prompts,
  • procedure for responding to AI-related incidents,
  • procedure for supervision of AI suppliers,
  • documentation of compliance with the AI Act, ISO 27001 and ISO 42001,
  • preparing the organization for inspection, audit or compliance review.

10. Roles and responsibilities: CISO, DPO, compliance, IT, business and AI Governance Lead

  • division of responsibilities for AI and information security in the organization,
  • the role of the management board and executive staff,
  • the role of the CISO in the context of AI, ISMS and cybersecurity,
  • the role of the DPO in AI projects and data protection impact assessment,
  • the role of compliance in assessing compliance with the AI Act,
  • the role of IT in managing tools, access and integration security,
  • the role of HR in AI literacy and competency management,
  • AI Governance Lead / AI Officer – when it is worth establishing such a function,
  • a cooperation model between departments,
  • AI committee / AI Governance Board – tasks, composition and mode of operation.

11. Audit, monitoring and continuous improvement

  • compliance audit with the AI Act,
  • ISMS audit in the context of ISO 27001,
  • AI management system audit in the context of ISO 42001,
  • how to prepare the organization for an internal and external audit,
  • criteria for assessing the effectiveness of safeguards,
  • monitoring the operation of AI systems after implementation,
  • assessment of the quality, security and compliance of responses generated by AI,
  • change management in AI systems,
  • periodic reviews of the AI systems register and the risk register,
  • effectiveness indicators of AI governance and ISMS,
  • continuous improvement of the information security and AI management system.

12. Practical workshop – compliance, risk and implementation action map

  • analysis of a sample AI use case in an organization,
  • classification of the AI system according to the AI Act,
  • identification of data processed by the system,
  • assessment of legal, organizational, technological and reputational risks,
  • linking AI risks with the ISMS,
  • selection of safeguards and control mechanisms,
  • determination of the required documentation,
  • preparation of implementation recommendations,
  • development of a short action map for the organization:
    • inventory of AI tools,
    • classification of AI systems,
    • risk assessment,
    • policy updates,
    • AI literacy training,
    • implementation of the AI register,
    • preparation for audit,
    • integration of ISO 27001 and ISO 42001.

13. Summary and recommendations for the organization

  • the most important obligations resulting from the AI Act, NIS2/KSC, ISO 27001 and ISO 42001,
  • the most common mistakes of organizations implementing AI,
  • how to reduce risks related to shadow AI, data leaks and lack of oversight over AI tools,
  • how to develop a culture of responsible use of AI,
  • priorities for actions for the coming months,
  • organization readiness checklist:
    • AI policy,
    • AI systems register,
    • risk register,
    • tool acceptance procedure,
    • rules for data use,
    • employee training,
    • compliance documentation,
    • monitoring and audits,
    • integration of the ISMS with AI governance,
  • question and answer session.

What are the prerequisites for participating in the training?

icon

Information security basics - You should understand core terms such as risk, vulnerability, incident, control, and access, so you can work comfortably with ISMS, audit, and security management topics.

icon

Awareness of business processes - You should know your organization’s basic processes, decision flow, and roles responsible for IT, data, or compliance, so you can relate the material to your own environment.

icon

Basic regulatory awareness - You should be familiar with the general regulatory context of cybersecurity, data protection, or AI, so you can understand links between formal requirements and practice faster.

icon

Readiness for workshop work - You should be ready to analyze examples, discuss risks, and relate the topics to your own organization, because the training includes workshop-based and strategic sessions.