System and Computing Resources
Organisations must document and retain AI impact assessment results for a specified duration.
Plain language
This control means your business needs to keep a record of how your AI affects things like customer satisfaction or safety. Imagine if an AI-driven chatbot gave a customer misleading information - having records helps you find out why and fix it.
Framework
ISO/IEC 42001:2023
Control effect
Detective
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the system and computing resources utilised for the AI system.
Why it matters
If impact assessments are missing, AI-caused issues might go unchecked, leading to unhappy customers or legal troubles without a clear way to solve them.
Operational notes
Revisit and update the impact assessment whenever a significant change is made to the AI system, not just on a set schedule.
Implementation tips
- The AI lead should create an easy form or digital tool for documenting each AI system's impact, like how it changed customer call handling. This could be a simple online survey filled out by staff after each AI system is used.
- The head of risk should set a specific time frame for keeping impact assessments, like storing them for two years. This makes sure any issues that arise can be traced back easily.
- Data stewards need to ensure all impact assessments are organised and stored in a central location that's easy to access. Using cloud storage labelled with dates and project names is an effective start.
- The board should periodically review these impact assessments to see if AI is meeting strategic goals, similar to reviewing financial performance. They can ask for a high-level summary at quarterly meetings.
- Product owners should work with customer service teams to collect feedback on how the AI impacts user experience. This can be as simple as tracking complaints in a shared document.
Audit / evidence tips
- AskRequest to see the latest AI impact assessments. GoodImpact assessments are recent, clearly describe the AI's effect, and are filed by date.
- AskAsk to see how long the organisation keeps impact assessments. GoodA clear policy states impact assessments are retained for at least two years.
- AskSpeak to the Product Owner about customer feedback collection. GoodFeedback about AI systems is documented, with notes on any follow-ups.
- AskRequest minutes from board meetings where AI impacts were discussed. GoodMinutes show the board reviewed AI impacts at quarterly meetings.
- AskView the storage system for impact assessments. GoodFiles are clearly labelled with names and dates, making them easy to find.
Cross-framework mappings
How Annex A 4.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| ISM-0336 | Annex A 4.5 requires the organisation to document the system and computing resources used by the AI system | |
| handshake Supports (1) expand_less | ||
| ISM-0041 | Annex A 4.5 requires the organisation to document information about the system and computing resources utilised for the AI system | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.