Annex A 5.3, ISO/IEC 42001:2023

Documentation of AI System Impact Assessments

Organisations should outline processes ensuring responsible AI design and development.


Plain language

This control means your business should have a clear plan for how you design and develop AI systems responsibly. Imagine a delivery app where the AI suggests the wrong delivery times due to poor design. This control helps prevent such errors by ensuring your AI systems are built thoughtfully and ethically.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall document the results of AI system impact assessments and retain results for a defined period.

Why it matters

Without this, the AI could suggest incorrect actions, like wrong delivery times or inaccurate approvals, confusing or frustrating customers.


Operational notes

Schedule monthly team reviews of the AI system to catch any early signs of it behaving out of line with established protocols.


Implementation tips

  • The AI lead should set clear goals for how AI systems should act, covering important things like user privacy and fairness. This could be a simple document stating how AI should never make biased decisions against any group of customers.
  • The data steward needs to keep a record of where all data for training AI comes from and check it's accurate. An example would be maintaining a spreadsheet with details about the data sources, including any permissions needed for use.
  • The product owner should routinely review how the AI works with the team, focusing on how its designs could lead to unintended outcomes, like misinterpreting customer requests. A monthly team meeting could spotlight any odd results or complaints from customers.
  • The head of risk should create a checklist that ensures potential AI risks are considered before any new AI project starts. This checklist might include questions like whether the AI has potential biased outcomes.
  • The CISO should set up a way to review AI systems for security and integrity, ensuring they still follow the guidelines you've set. A simple example is a quarterly review meeting to examine if the AI is working safely and responsibly.

Audit / evidence tips

  • Ask: Ask for the AI design and development process document. Good: The document clearly outlines processes, with a defined review schedule and ethical guidelines.
  • Ask: Request the list of AI risks considered before a new system is developed. Good: The list includes various AI-specific risks, has been updated recently, and specifies how each risk is mitigated.
  • Ask: Get the log showing AI data source checks. Good: The log is current, lists all data sources, and confirms data compliance with privacy standards.
  • Ask: Request minutes from the last AI review meeting. Good: The minutes show a discussion on AI issues, with clear actions assigned and responsible persons named.
  • Ask: Ask for the AI security review records. Good: Records show comprehensive security checks were made and necessary actions were taken promptly.

Cross-framework mappings

How Annex A 5.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1):
  • Annex A 8.10: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period.

Supports (2):
  • Annex A 5.1: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period.
  • Annex A 5.33: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period.

ASD ISM

Partially overlaps (1):
  • ISM-1989: Annex A 5.3 requires the organisation to document AI system impact assessment results and retain them for a defined period.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this AI control?

Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.
