Acquisition of Data
Organisations must document how they obtain and choose data for AI systems.
Plain language
This control means that your organisation must carefully pick and write down where you get the data for your AI systems. Imagine if you fed your AI old, biased data: your AI could end up making unfair decisions, like incorrectly suggesting products only to certain types of customers.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall determine and document details about the acquisition and selection of the data used in AI systems.
Why it matters
If data origins are unclear, your AI might make unfair choices, like targeting ads wrongly or excluding customer groups, potentially violating privacy laws.
Operational notes
Update your data source records whenever new data is acquired, not just during audits or reviews.
Implementation tips
- The data steward should set up a clear spreadsheet listing all the sources where your business's AI data comes from. This can be as simple as a Google Sheet, updated monthly, to keep track of data origins and any new sources added.
- Procurement must add a line to supplier contracts requiring them to share details about where their data comes from, such as the age of the data and who collected it. Start with a simple clause and refer to the EU AI Act for guidance.
- The AI lead should organise bi-annual training for staff on the importance of using good quality data, highlighting the risks of biased or outdated information. This can be a short, 30-minute session using real examples relevant to your industry.
- Product owners should keep a document detailing why they chose certain data for training their AI. This reasoning helps explain why specific datasets meet their product’s needs and can be updated in a simple Word document whenever there is a change.
- The head of risk should review and document any legal or ethical concerns related to the data being used. They can consult the Privacy Act 1988 for data privacy standards and update these reviews annually.
Audit / evidence tips
- Ask: Ask for the data sources log for the AI project. Good: The log includes all current data sources and has been updated within the last six months.
- Ask: Check the supplier contract. Good: The contract clearly states the supplier's obligation to disclose data origins.
- Ask: Ask for the minutes from the last data training session. Good: The minutes show attendance by key staff and that relevant topics were covered.
- Ask: Request the document explaining data selection for AI training. Good: The document explains data selection decisions clearly and is up-to-date.
- Ask: Check the risk assessment report about AI data. Good: The report includes recent analysis of legal and ethical issues related to data.
Cross-framework mappings
How Annex A 7.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 5.12 | Annex A 7.3 requires the organisation to document data acquisition and selection for AI systems | |
| Annex A 5.13 | Annex A 7.3 mandates documenting AI data acquisition and selection | |
| Annex A 5.19 | Annex A 7.3 requires documenting how data for AI is acquired and selected | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.