AI System Requirements and Specification
Organisations need to clearly outline and document requirements for new or significantly updated AI systems.
Plain language
Before you start using a new AI system or make significant changes to an old one, it's crucial to clearly spell out what you need it to do. Imagine buying a fancy new tool; you'd want to make sure it actually fits the jobs you have in mind, so you don't end up with a gadget that misleads customers or makes work harder.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall specify and document requirements for new AI systems or material enhancements to existing systems.
Why it matters
If you don't specify what you need the AI to do, you might end up with a system that creates more confusion than it's worth, leading to unhappy customers or mismanaged work processes.
Operational notes
Update AI system requirements whenever business priorities change, not just on a set schedule.
Implementation tips
- The AI lead should hold a meeting with all relevant stakeholders, like team leaders who will use the AI, to gather what they need from the new system. Clearly documenting these needs in straightforward bullet points can help ensure nothing important is missed.
- Product owners must make sure any AI project starts with a simple written list of 'must-have' features and functions. An easy-to-read checklist can guide developers and keep everyone on the same page.
- Before signing off on a new AI tool, the head of risk should review the listed requirements to ensure no potential issues are overlooked, like privacy concerns. Using a standard risk management list such as the NIST AI RMF can be a good checklist to start with.
- Procurement should ensure suppliers provide a clear outline of how their AI meets the organisation's specified needs. Adding a condition in contracts requiring suppliers to match their tools with the documented needs helps enforce this.
- The board should set times to review and update these requirements in light of changing business needs, making sure they stay relevant. A simple yearly update meeting and document review ensures everything stays current.
Audit / evidence tips
- Ask: Review the documented AI system requirements for the project. Good: The documentation is detailed, up-to-date, and signed by responsible parties.
- Ask: Request a list of attendees from requirement-gathering meetings. Good: The list includes relevant parties and shows active participation.
- Ask: Examine the procurement contracts with AI suppliers. Good: Contracts explicitly refer to the organisation's system requirements.
- Ask: Check minutes from the latest board review meeting. Good: Minutes confirm that requirements were reviewed and updated if needed.
- Ask: Look at the risk assessment documentation for the AI system. Good: The assessment thoroughly addresses risks outlined in documented requirements.
Cross-framework mappings
How Annex A 6.2.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.8 | Annex A 6.2.2 (ISO/IEC 42001:2023) requires the organisation to specify and document requirements for new AI systems or material enhancem... | |
| Annex A 5.23 | Annex A 6.2.2 requires specifying and documenting requirements for new AI systems or material enhancements | |
| Supports (2) | | |
| Annex A 5.1 | Annex A 6.2.2 requires specifying and documenting requirements for AI systems | |
| Annex A 5.31 | Annex A 6.2.2 requires documenting requirements for AI systems, including compliance-related aspects | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0041 | Annex A 6.2.2 requires documented requirements/specifications for new or materially enhanced AI systems | |
| ISM-0072 | Annex A 6.2.2 requires documenting requirements for new AI systems or material enhancements, often including external services, data hand... | |
| Supports (1) | | |
| ISM-0009 | Annex A 6.2.2 requires the organisation to specify and document requirements for new AI systems or material enhancements | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.