Tooling Resources
Organisations must establish a process to assess potential impacts of AI systems on individuals and society throughout their lifecycle.
Plain language
Think about how your AI might impact people and society even before you start using it. For example, if an AI is used to screen job applications, it should not unfairly reject qualified candidates because of a bias built into the system. This process helps you catch potential issues early on.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the tooling resources utilised for the AI system.
Why it matters
If you don't assess AI impacts, the system might make harmful decisions, like a hiring AI unfairly rejecting qualified candidates due to bias.
Operational notes
Re-evaluate the AI system's impact on people and society every time you update the AI or expand its use, not just once.
Implementation tips
- The AI lead should create a simple checklist on potential impacts of the AI system on people and society. This could be as easy as listing potential harms and benefits in a document before developing or buying an AI solution.
- The head of risk should regularly review the AI system using that checklist to see if the AI's impact changes over time, like when new data is added. Don't just rely on initial assumptions; have quarterly check-ins.
- Product owners should get feedback from users about how the AI affects them. Simple surveys or occasional interviews can reveal unexpected issues, such as an AI misunderstanding customer inquiries.
- Procurement should include a requirement for vendors to disclose their AI systems’ potential impacts. This can be a simple clause in contracts asking for a list of expected advantages and risks.
- The board needs to set a clear policy that requires every AI project to undergo an impact assessment before launch. A one-page summary of this policy should be shared with all employees involved in AI decisions.
Audit / evidence tips
- Ask: Ask for the AI impact assessment logs or documentation. Good: The documentation clearly lists potential societal impacts and is updated with each major change to the AI.
- Ask: Request feedback records from AI users. Good: Recorded feedback is analysed for unexpected impacts, and follow-up actions are documented.
- Ask: Review the procurement contracts for vendor disclosure clauses. Good: Contracts contain clauses requiring vendors to provide impact assessments of their AI systems.
- Ask: Ask the board for the official AI impact policy. Good: A clear, board-approved policy exists mandating AI impact assessments and is communicated to relevant staff.
- Ask: Check the periodic review records of AI impact assessments. Good: Impact reviews are conducted quarterly or with each major update and are clearly documented.
Cross-framework mappings
How Annex A 4.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.9 | Annex A 4.4 demands documentation of AI system tooling resources | |
| Supports (1) | | |
| Annex A 5.37 | Annex A 4.4 stipulates documenting AI system tooling resources | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| ISM-0041 | Annex A 4.4 requires the organisation to document information about the tooling resources utilised for an AI system as part of AI resourc... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.