Processes for Responsible AI System Design and Development
Organisations must document AI system design and development aligned with objectives, goals, and specified criteria.
Plain language
This control means you need to write down how you're designing and building your AI systems. It matters because if something goes wrong, like your AI recommending the wrong product or giving poor advice, you need to know the steps you took and why, so you can fix it quickly.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall define and document the specific processes for the responsible design and development of the AI system.
Why it matters
If the AI system design is not documented, mistakes the system makes become very hard to fix quickly, leading to user and business dissatisfaction.
Operational notes
Keep the design documentation up-to-date as changes happen to the AI system, not just when a problem arises; this ensures no detail is overlooked.
Implementation tips
- The AI lead should create a simple documentation process for every AI project. This could be a shared document where every design decision and its reason is logged, just like keeping a diary.
- The data steward must ensure all data sources are recorded at the start of each AI project. A basic table listing where each data piece comes from and its purpose will do the trick.
- Product owners should regularly review the AI design against business goals. A quarterly meeting to compare how the AI is performing with what you expected from it is a good start.
- Ask for a one-page summary of how the AI tool was designed and built.
- The head of risk should schedule annual reviews of AI design documentation to catch outdated practices. A checklist in line with ISO 42001 and regular audits will help keep things up-to-date.
Audit / evidence tips
- Ask: Request the AI design documentation from a recent project. Good: The document lists objectives, technical details, and decision reasons clearly.
- Ask: Ask for the data source log for an AI system. Good: The log lists all data sources, usage, and the date they were collected.
- Ask: Request records of design reviews against business goals. Good: The records show consistent alignment checks with business objectives.
- Ask: Ask for supplier-provided AI system documentation. Good: Supplier documentation provides a clear summary of design and purpose.
- Ask: Request the latest AI design review audit report. Good: The report highlights updates needed and aligns with the standard.
Cross-framework mappings
How Annex A 6.1.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.