Data for Development and Enhancement of AI System
Organisations must implement structured processes to manage data effectively while developing AI systems.
Plain language
This control means you need to have clear steps in place to handle data when you're developing AI. It's like making sure your recipes are written down clearly so your cakes turn out right every time, even with a different baker. If you don't manage your data properly, your AI could end up making bad decisions, like recommending the wrong products or getting customer details wrong.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall define, document and implement data management processes related to the development of AI systems.
Why it matters
If you don't manage your data well, your AI may make mistakes - like giving wrong product suggestions or mishandling customer information.
Operational notes
Review and update data processes whenever there's a big change like using new data sources or altering AI systems, not just annually.
Implementation tips
- The data steward needs to create clear guidelines for how data is collected, stored, and used in AI projects. This is similar to having a step-by-step cooking guide for a new recipe, so everyone knows exactly what to do and where to find the ingredients.
- The AI lead should work with the team to ensure they regularly check the quality of the data used in AI systems. Imagine it as occasionally tasting the soup to make sure it's not too salty - regular checks help prevent problems later.
- Procurement should require suppliers of AI tools to provide documentation on their data sources. Think of it like asking for the list of ingredients in a packaged cake mix to make sure you're comfortable with what's in it.
- The head of risk can set up regular risk assessments to identify any potential issues with the data. This is like a safety check to make sure the kitchen equipment is up to standard to avoid accidents.
- The product owner should ensure that all team members have access to training about data management processes. This could be like a short online course explaining how to properly handle customer data when using it for AI training.
Audit / evidence tips
- AskRequest the data management procedure document. GoodThe document is thorough, up-to-date, and sets clear rules for each stage of AI data handling.
- AskSee the latest data quality check report. GoodThe report is recent, issues are documented, and actions to resolve them are clearly stated.
- AskRequest contracts with data suppliers. GoodContracts clearly specify where the data comes from and outline any usage limitations.
- AskSee records of data-related training sessions attended by the team. GoodTraining records show recent attendance and comprehensive coverage of data handling topics.
- AskReview the risk assessment for AI data use. GoodThe assessment identifies likely data-related issues and outlines clear mitigation steps.
Cross-framework mappings
How Annex A 7.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (3) expand_less | ||
| Annex A 5.10 | Annex A 7.2 requires the organisation to implement defined processes for managing data used in AI development and enhancement | |
| Annex A 5.12 | Annex A 7.2 requires data management processes for AI system development and enhancement, including governance over what data is used and... | |
| Annex A 5.37 | Annex A 7.2 requires the organisation to define, document and implement data management processes for developing and enhancing AI systems... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.