Annex A 5.3 ISO/IEC 42001:2023

Document and Retain AI Impact Assessment Results

Your organisation must write down the results of every AI (artificial intelligence) system impact assessment and keep those records for a set period of time.

Plain language

An AI system impact assessment is a check of how an artificial intelligence (AI) system could affect people, such as customers, staff, or the wider community, before and while you use it. This control is not about doing the assessment itself; it is about what you do with the outcome. It requires two things. First, you must write down the results of each assessment so they exist as a clear record rather than living in someone's head or a verbal conversation. Second, you must keep those written results for a defined period, meaning your organisation decides in advance how long the records must be retained (for example three or five years) and then actually holds onto them for that time. Think of it like keeping the inspection report for a building. The inspection might happen once, but you keep the signed report on file so that later, if a regulator, an auditor, a customer, or your own board asks, you can show what was checked, what was found, and what was decided. Without a written and retained record, you cannot prove you considered the impact of your AI, and you cannot look back to see whether earlier concerns were dealt with.

Framework

ISO/IEC 42001:2023

Control effect

Detective

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

18 June 2026

Maturity levels

N/A

Official control statement

The organisation shall document the results of AI system impact assessments and retain results for a defined period.
ISO/IEC 42001:2023 Annex A 5.3

Why it matters

If results are not documented and retained, the organisation cannot prove it assessed its AI's impact, leaving it exposed in audits, disputes, or regulatory reviews.

Operational notes

Set the retention period once in policy, store results in a controlled location, and review yearly to confirm nothing was deleted before its retention date.

Implementation tips

  • The person responsible for the AI management system (AIMS) should create a standard template for recording impact assessment results, so every assessment captures the same details such as the AI system name, date, who carried it out, the impacts identified, and the decisions made.
  • The compliance manager should set a written retention period for these records (for example three or five years) and record this in a policy, basing the length on any legal, contractual, or regulatory requirements that apply to your organisation.
  • The records owner should store completed impact assessment results in a single, access-controlled location such as a managed document library, so they cannot be casually deleted, overwritten, or lost when staff leave.
  • The AIMS owner should keep a register that lists every AI system and links to its corresponding impact assessment record, making it quick to confirm that no system is missing its documented results.
  • The compliance manager should schedule a periodic check (for example annually) to confirm that records are still being kept for the full defined period and that nothing has been deleted before its retention date.

Audit / evidence tips

  • Ask to see the documented results of impact assessments for two or three named AI systems, and confirm each one is written down rather than described verbally
  • Look at whether the organisation has a stated retention period for these records and where it is defined, such as in a policy or procedure
  • Ask how and where the results are stored, and check that the storage location protects records from accidental or unauthorised deletion before the retention period ends
  • Look at the dates on the retained records to confirm older assessments are still available and have not been purged earlier than the defined period allows
  • Good: a complete, dated set of written impact assessment results held in a controlled location, a clearly defined retention period, and evidence that records from earlier years are still retained as required

Cross-framework mappings

How Annex A 5.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 5.33: Annex A 5.3 (ISO/IEC 42001:2023) mandates documenting and retaining AI impact assessment results
  • Annex A 8.10: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period

Supports (1)

  • Annex A 5.1: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period

ASD ISM

Supports (2)

  • ISM-0888: Annex A 5.3 (ISO/IEC 42001:2023) involves documenting AI system impact assessment results and retaining them
  • ISM-1989: Annex A 5.3 (ISO/IEC 42001:2023) requires the organisation to document AI system impact assessment results and retain those records for a...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
