Annex A 8.2 ISO/IEC 42001:2023

System Documentation and Information for Users

Organisations need to have a plan for notifying users about any AI system incidents.

Plain language

If your business uses an AI system and something goes wrong, like the AI gives incorrect information to a customer, you need a plan to tell your users about it. This matters because knowing about problems helps your users understand what's happening and builds trust in your business.

Framework

ISO/IEC 42001:2023

Control effect

Responsive

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall determine and provide the necessary information to users of the AI system.
ISO/IEC 42001:2023 Annex A 8.2

Why it matters

If you don't inform users when the AI messes up, you risk losing their trust and creating potential legal issues if users are left unaware of important problems.

Operational notes

Keep your communication plan updated; regularly test it to ensure everyone knows their role when an incident occurs.

Implementation tips

  • The AI lead should draft a simple plan detailing who needs to be contacted if the AI makes a mistake. An example might include emailing affected customers with a brief explanation and steps being taken to fix it.
  • The head of risk needs to work with legal staff to decide how quickly incidents need to be reported based on their severity. For severe incidents, like a data breach, notifying users within 24 hours might be needed.
  • The product owner can keep a log of past incidents that have occurred with the AI system. Regularly review this to spot patterns and help prevent future incidents.
  • Procurement should make sure any new AI services bought include provisions for incident communication. Adding a clause that obliges suppliers to assist in such notifications is a practical step.
  • The board can help set the tone by approving the incident communication plan and ensuring it aligns with the business's overall risk management strategy. This provides authority and resources to the operational team to act quickly.
Audit / evidence tips

  • Ask: Ask to see the AI incident communication plan document. Good: The document names a specific person or role responsible for communication.
  • Ask: Ask for records of any AI incidents and the follow-up communication sent to users. Good: Records show user notifications were sent within the agreed timeframe post-incident.
  • Ask: Request the log of received AI-related complaints from users. Good: Complaints are logged with details of user communication and resolutions.
  • Ask: Request evidence of board approval of the incident communication plan. Good: The plan is signed by board members and has a review date within the last 12 months.
  • Ask: Ask for any training materials on incident communication for staff. Good: Training materials exist and show regular updates and staff completion.
Cross-framework mappings

How Annex A 8.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

No cross-framework mappings recorded yet.

Want to implement this AI control?

Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.