Data Resources
Organisations must identify potential impacts of AI on people and society over its life cycle.
Plain language
This control means that your business needs to think carefully about how your AI might affect people and communities during its whole life. For instance, if your AI recommends products and suddenly starts suggesting dangerous items, it could harm customers and your reputation. Understanding these impacts helps prevent harm before it happens.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the data resources utilised for the AI system.
Why it matters
Failing to assess AI impacts could mean your AI harms users by, for example, making biased decisions, resulting in legal trouble or reputational damage.
Operational notes
Review AI impact assessments whenever your AI is updated or retrained, not only at annual reviews. User input matters.
Implementation tips
- The AI lead should set up a basic review process to regularly check potential effects of your AI on real people. They could start by using a simple checklist to evaluate if your AI might accidentally harm customers or employees.
- The product owner needs to involve actual users early in the AI's development to gather feedback on potential risks. Holding periodic workshops with customers can reveal hidden impacts before they become issues.
- The head of risk should identify what could go wrong with the AI system and plan how to manage those risks. They might create a risk register to track these issues and plan actions to mitigate them.
- Data stewards should ensure data privacy is kept in mind when assessing AI impacts. They must confirm that the data used doesn't inadvertently expose personal information, perhaps by using anonymisation techniques.
- The Board should require regular reports from the AI lead on the AI's societal impacts over time. They could review these reports quarterly to make informed decisions about the AI's future direction.
Audit / evidence tips
- Ask: Ask for the AI system impact assessment report. Good: The report covers design, development, deployment, and decommissioning impacts.
- Ask: Request feedback session notes from actual users. Good: Users' concerns are documented clearly and addressed in the AI plan.
- Ask: Seek evidence of a risk register. Good: The register lists AI risks with plans to mitigate each risk.
- Ask: Ask about anonymisation methods for training data. Good: Data is anonymised to prevent exposure of personal information.
- Ask: Inquire about the AI impact monitoring plan. Good: The plan assigns clear responsibilities and has set update intervals.
Cross-framework mappings
How Annex A 4.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.9 | Annex A 4.3 requires the organisation to document information about the data resources utilised for an AI system as part of resource iden... | |
| Annex A 5.34 | Annex A 4.3 requires documenting the AI system’s data resources, which often includes identifying whether datasets contain personal infor... | |
| Supports (1) | | |
| Annex A 5.12 | Annex A 4.3 requires documenting the data resources used by an AI system to understand what data underpins the system across its lifecycle | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.