Assessing Societal Impacts of AI Systems
Organisations need documented processes for ethically designing and developing AI systems.
Plain language
This control means you need clear, written steps for making AI systems that don't cause problems like giving wrong advice or making bad decisions. It's important because these steps help ensure your AI acts responsibly and doesn't damage your business or reputation.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall assess and document the potential societal impacts of their AI systems throughout their life cycle.
Why it matters
Without clear processes, your AI could make biased or wrong decisions, harming customer trust and potentially leading to legal issues.
Operational notes
Whenever you update your AI, document the change and check it against your ethics guidelines to catch potential issues early.
Implementation tips
- The AI lead should create simple guidelines for AI development that clearly outline what ethical design means for your business. This could be as straightforward as a one-page document highlighting key principles like fairness and accuracy.
- The head of risk should organise a meeting with key decision-makers to review these guidelines and ensure everyone understands how they apply to their work. It is worth taking a few hours to go over real-life examples where AI went wrong and to discuss how to avoid them.
- Data stewards need to set up a process for documenting where all AI training data comes from and how it was handled. Keeping a simple spreadsheet with this information can help spot any potential biases later on.
- The product owner should ensure their teams regularly update AI system documentation with any changes made during development. A shared digital folder or document can make sure everyone knows what's changed and why.
- Procurement could include a clear line in vendor contracts stating the vendor has to tell you exactly how their AI works and the source of their training data. Adding this requirement can prevent surprises down the line.
Audit / evidence tips
- Ask: Request the written AI system design and development guidelines. Good: The guidelines exist and include specific points on ethical AI and responsible use.
- Ask: Ask for meeting minutes where responsible AI practices were discussed. Good: Meetings are documented with clear decisions and are tied to responsible AI practices.
- Ask: Look at the AI training data record logs. Good: Logs exist with clear, detailed records of all training data and its origins.
- Ask: Request the change logs for AI systems. Good: All changes are tracked in an accessible document with explanations for each update.
- Ask: Review supplier contracts. Good: The contracts contain terms requiring supplier transparency on AI data sources and methods.
Cross-framework mappings
How Annex A 5.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.