Annex A 3.3 ISO/IEC 42001:2023

Reporting of Concerns

Organisations must document tools used in their AI systems.

Plain language

This control means you need to make a list of all the tools and software your business uses in its AI systems. It's important because if a tool goes wrong or stops getting updates, it could make your AI give bad advice to customers or break privacy rules.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall define and put in place a process to report concerns about the organisation's role with respect to an AI system throughout its life cycle.

Why it matters

If the list of AI tools is missing, a faulty or outdated tool might cause AI errors, leading to wrong decisions, legal issues, or unhappy customers.

Operational notes

Update the AI tooling list every time a change is made. This keeps the list relevant and ensures everyone uses current tools and software.

Implementation tips

  • The AI lead should make a simple document listing all tools and software used in any AI systems. This can be as basic as a spreadsheet with each tool's name, what it does, and who provides it.
  • The data steward should regularly update this list whenever a new tool is added or removed. Keeping the document on a shared drive ensures all updates are easy to manage and access.
  • Procurement should ensure contracts with tool vendors include obligations for regular updates and support. Adding a clause that the vendor must notify the organisation of any changes helps keep systems running smoothly.
  • The head of IT security (CISO) should check that all tools listed meet basic security standards. An easy way to start is by listing which tools encrypt data and which don't.
  • The product owner should verify that each tool's function is still necessary every quarter, reducing unused or underused software. This can help save costs and reduce complexity.

Audit / evidence tips

  • Ask: Request the list of AI tools maintained by the organisation. Good: The list accurately includes all tools with their purposes and providers.
  • Ask: Request records of when the AI tool list was last updated. Good: The list was updated within the past three months, ensuring currency.
  • Ask: Ask to see any contracts the organisation has with AI tool providers. Good: Contracts include clauses for vendor updates and support obligations.
  • Ask: Request evidence of security checks on AI tools. Good: Security checks are documented and show compliance with set standards.
  • Ask: Review any meeting notes where tool relevance was discussed. Good: Documentation exists showing regular reviews of tool necessity and usage.

Cross-framework mappings

How Annex A 3.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

No cross-framework mappings recorded yet.
