Skip to content
arrow_back
Annex A 4.2
search
Annex A 4.2 psychology ISO/IEC 42001:2023

Resource Documentation

Organisations must identify and record resources needed for various stages of AI system lifecycle.

A.4 Resources for AI systems Preventative ISO/IEC 42001:2023 AI Management SystemISO 42001 Annex A 4asset managementbackupsupplier management
record_voice_over

Plain language

Think of AI like a team member needing resources like computers, data, and software to do their job. It's essential to jot down everything your AI needs at different stages so if things go wrong, like your AI giving bad advice, you can quickly figure out what's missing or broken.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall identify and document relevant resources required for the activities at given AI system life cycle stages and other AI-related activities relevant for the organisation.
psychology ISO/IEC 42001:2023 Annex A 4.2
priority_high

Why it matters

If essential resources aren't identified and documented, the AI may work poorly or not at all, like a delivery driver without a truck.

settings

Operational notes

Whenever you upgrade or change your AI system, update your resource documentation to avoid costly and confusing mishaps.

build

Implementation tips

  • The AI lead should list all the things the AI needs at each stage, like training and operation; a simple spreadsheet can work to start.
  • The data steward should keep a record of where the AI's data comes from. Even a basic table that shows the source, date received, and purpose is useful.
  • The head of IT security (CISO) should ensure there's enough computing power and storage for the AI to run smoothly, using simple tools to check if computer resources are maxed out.
  • Asksuppliers to confirm their resources annually with a quick phone call or email
  • The head of risk should ensure that there's a backup plan for when AI resources are not available. A simple shared document summarising backup strategies can be a good start.
fact_check

Audit / evidence tips

  • AskAsk for the AI resource inventory list. GoodThe resource inventory lists all necessary items and their current status.
  • AskRequest the data source register from the data steward. GoodThe data source register is complete and up-to-date.
  • AskAsk the CISO for last month's resource utilisation report. GoodThe report reflects the AI's current resource use and indicates no overloads.
  • AskAsk to see supplier confirmations from Procurement. GoodSupplier confirmations are on file and current.
  • AskRequest the AI contingency plan from the head of risk. GoodThe contingency plan is clear and actionable, covering all critical resources.
link

Cross-framework mappings

How Annex A 4.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

link_off

No cross-framework mappings recorded yet.

psychology

Want to implement this AI control?

Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.

Mapping detail

Mapping

Direction

Controls