Uploaded bypriyanshamadhwal2
2,292 views

ISO 42001 2023 Audit and Control Checklist

As Artificial Intelligence continues to evolve, ensuring responsible, ethical, and regulatory-compliant AI governance is more critical than ever. This comprehensive audit checklist designed to help organizations align with ISO/IEC 42001:2023, the first global standard for AI management systems. 👉 What’s Inside? ✔AI Management System (AIMS) audit framework ✔Key compliance factors covering risk, ethics and accountability ✔Readiness evaluation for AI-driven organizations ✔Actionable steps to align with ISO/IEC 42001:2023

Education
Related topics:
Cyber-Security

Embed presentation

Downloaded 162 times
1
Clause no. Control name Control Description Audit questionnaire Evidence required A.2.2 AI policy The organization shall document a policy for the development or use of AI systems. • Is there a documented AI policy for development or use? • Has management formally approved the policy? • Does the policy define AI development and usage guidelines? • Approved AI Policy Document • Management Approval Records • Policy Review and Revision Logs A.2.3 Alignment with other organizational policies The organization shall determine where other policies can be affected by or apply to, the organization’s objectives with respect to AI systems. • Has the organization identified policies that may be impacted by or applicable to AI objectives? • Is there a process to assess and document policy interdependencies related to AI? • Have affected policies been reviewed and updated to align with AI objectives? • Is there a mechanism to ensure ongoing alignment between AI objectives and other policies? • Documentation of identified affected policies • Records of policy impact assessments • Approved policy updates reflecting AI objectives • Review and approval records for policy modifications A.2.4 Review of the AI policy The AI policy shall be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness. • Is the AI policy reviewed at planned intervals? • Are additional reviews conducted when significant changes occur? • Is there a documented process for policy review and updates? • Are review outcomes approved by management? • AI Policy Review Schedule • Policy Review and Update Records • Management Approval of Policy Revisions • Meeting Minutes or Review Reports A.3.2 AI roles and responsibilities Roles and responsibilities for AI shall be defined and allocated according to the needs of the organization. • Have roles and responsibilities for AI development, deployment, and governance been formally defined? • Are AI-related responsibilities aligned with the organization’s needs and objectives? • Has management approved and communicated AI roles and responsibilities to relevant personnel? • Documented AI roles and responsibilities • Management approval records • Communication records confirming role assignments www.infosectrain.com | www.azpirantz.com 2
A.3.3 Reporting of concerns The organization shall define and put in place a process to report concerns about the organization’s role with respect to an AI system throughout its life cycle. • Is there a documented process for reporting concerns about the organization’s role in AI systems? • Does the process define who can report, how to report, and response timelines? • Are reporting channels (e.g., email, portal, hotline) established and communicated? • Are AI-related concerns tracked, reviewed, and resolved with documented actions? • Has the organization conducted awareness sessions on the reporting process? • Approved AI Concern Reporting Procedure • List of Available Reporting Channels (e.g., email, hotline, portal) • Records of AI- Related Concern Reports and Actions Taken • Communication Logs (e.g., emails, notices) Informing Employees About the Process • Training or Awareness Session Records on AI Concern Reporting A.4.2 Resource documentation The organization shall identify and document relevant resources required for the activities at given AI system life cycle stages and other AI-related activities relevant for the organization • Has the organization identified and documented the required resources for each AI lifecycle stage? • Are human, technical, and financial resources explicitly defined? • Is there a process for periodic review and reallocation of AI- related resources? • Has management formally approved the resource allocation for AI activities? • Documented AI Resource Requirements • Records of Resource Review and Updates • Management Approval for Resource Allocation A.4.3 Data Resources As part of resource identification, the organization shall document information about the data resources utilized for the AI system. • Has the organization documented the data resources used for the AI system? • Does the documentation include data sources, types, and ownership? • Are data resource records periodically reviewed and updated? • Documented AI Data Resource Inventory • Records of Data Source Review and Updates 3 www.infosectrain.com | www.azpirantz.com
A.4.4 Tooling resources As part of resource identification, the organization shall document information about the tooling resources utilized for the AI system. • Has the organization documented the tooling resources used for the AI system? • Does the documentation include software, frameworks, cloud services, and hardware? • Are tooling resources regularly reviewed and updated? • Documented List of AI Tooling Resources • Records of Tooling Resource Reviews and Updates A.4.5 System and Computing resources As part of resource identification, the organization shall document information about the system and computing resources utilized for the AI system. • Has the organization documented the system and computing resources used for the AI system? • Does the documentation specify hardware, software, cloud services, and storage? • Are resource allocations monitored and updated as the AI system evolves? • Documented AI System and Computing Resources • Inventory of Hardware, Software, and Cloud Services • Records of Resource Updates and Monitoring A.4.6 Human resources As part of resource identification, the organization shall document information about the human resources and their competences utilized for the development, deployment, operation, change management, maintenance, transfer and decommissioning, as well as verification and integration of the AI system • Has the organization documented the human resources involved in each AI lifecycle stage? • Are the competencies and skill requirements for these roles clearly defined? • Is there a process to review and update resource allocations as AI systems evolve? • Has management formally approved the assigned human resources for AI activities? • Documented AI Human Resource Allocation • Competency and Skill Requirement Records • Records of Resource Review and Updates • Management Approval for Assigned Personnel 4 www.infosectrain.com | www.azpirantz.com
A.5.2 AI system impact assessment process The organization shall establish a process to assess the potential consequences for individuals or groups of individuals, or both, and societies that can result from the AI system throughout its life cycle. • Has the organization established a documented process to assess AI system consequences for individuals and society? • Does the assessment cover all lifecycle stages of the AI system? • Are ethical, legal, and social impacts considered in the assessment? • Is there a process for reviewing and updating the assessment based on AI system changes? • Has management approved and implemented the assessment framework? • Documented AI Impact Assessment Process • Records of Conducted AI Impact Assessments • Review and Update Logs for Assessments • Management Approval of Assessment Framework A.5.3 Documentati- on of AI system impact assessments The organization shall document the results of AI system impact assessments and retain results for a defined period. • Are AI system impact assessments documented after each evaluation? • Does the organization define and follow a retention period for assessment results? • Are assessment results reviewed and approved by relevant stakeholders? • Is there a process to ensure secure storage and accessibility of past assessments? • Documented AI Impact Assessment Reports • Defined Retention Policy for Assessment Results • Records of Review and Approval of Assessments • Logs or System Records Showing Secure Storage of Past Assessments A.5.4 Assessing AI system impact on individuals or groups of individuals The organization shall assess and document the potential impacts of AI systems to individuals or groups of individuals throughout the system’s life cycle • Has the organization conducted an assessment of AI system impacts on individuals or groups? • Is the impact assessment documented and aligned with the AI system lifecycle? • Are ethical, legal, and societal risks considered in the assessment? • Is there a process for reviewing and updating impact assessments over time? • Documented AI Impact Assessment Report • Records of Periodic Impact Reviews and Updates • Risk Assessment Findings Related to AI Systems 5 www.infosectrain.com | www.azpirantz.com
A.5.5 Assessing societal impacts of AI systems The organization shall assess and document the potential societal impacts of their AI systems throughout their life cycle. • Has the organization conducted an assessment of the potential societal impacts of its AI systems? • Is the assessment documented and updated throughout the AI system lifecycle? • Does the assessment consider ethical, legal, and social risks? • Are mitigation measures defined for identified negative societal impacts? • Has management reviewed and approved the societal impact assessment? • Documented Societal Impact Assessment Reports • Records of Periodic Reviews and Updates • Risk Mitigation Plans for Identified Societal Impacts • Management Approval Records A.6.1.2 Objectives for responsible development of AI system The organization shall identify and document objectives to guide the responsible development AI systems, and take those objectives into account and integrate measures to achieve them in the development life cycle • Has the organization identified and documented objectives for responsible AI development? • Are these objectives aligned with ethical, legal, and business requirements? • Have measures been integrated into the AI development lifecycle to achieve these objectives? • Is there a process to review and update AI development objectives periodically? • Documented AI Development Objectives • AI Lifecycle Process with Integrated Measures • Records of Objective Reviews and Updates A.6.1.3 Processes for responsible AI system design and development The organization shall define and document the specific processes for the responsible design and development of the AI system • Has the organization defined and documented processes for responsible AI design and development? • Do the processes address ethical, legal, and security considerations? • Is there a formal review and approval mechanism for AI design and development processes? • Are these processes communicated and followed by AI development teams? • Documented AI Design and Development Processes • Records of Process Review and Approval • Training or Awareness Records for AI Development Teams 6 www.infosectrain.com | www.azpirantz.com
A.6.2.2 AI system requirements and specification The organization shall specify and document requirements for new AI systems or material enhancements to existing systems. • Has the organization documented requirements for new AI systems and enhancements? • Do the requirements cover functionality, security, compliance, and ethical considerations? • Is there a formal approval process before implementation? • Are requirement documents regularly reviewed and updated? • Documented AI System Requirements • Approval Records for New or Enhanced AI Systems • Requirement Review and Update Logs A.6.2.3 Documentati- on of AI system design and development The organization shall document the AI system design and development based on organizational objectives, documented requirements and specification criteria • Has the organization documented the AI system design and development process? • Are AI systems designed based on organizational objectives and documented requirements? • Does the documentation include specification criteria for AI system development? • Is there a process to review and update the design and development documentation? • Documented AI System Design and Development Process • AI System Requirement and Specification Documents • Records of Design Review and Updates A.6.2.4 AI system verification and validation The organization shall define and document verification and validation measures for the AI system and specify criteria for their use. • Has the organization defined and documented verification and validation (V&V) measures for AI systems? • Are specific criteria for applying V&V measures clearly outlined? • Is there a process to review and update V&V measures based on AI system changes? • Has management approved and implemented the V&V framework? • Documented AI Verification and Validation Measures • Defined Criteria for Applying V&V • Records of V&V Implementation and Review • Management Approval for V&V Framework A.6.2.5 AI system deployment The organization shall document a deployment plan and ensure that appropriate requirements are met prior to deployment. • Is there a documented AI deployment plan covering all necessary steps? • Does the plan define pre- deployment requirements and validation checks? • Is there a process to verify and approve compliance before deployment? • Has management formally approved the deployment plan? • Documented AI System Requirements • Approval Records for New or Enhanced AI Systems • Requirement Review and Update Logs 7 www.infosectrain.com | www.azpirantz.com
A.6.2.6 AI system operation and monitoring The organization shall define and document the necessary elements for the ongoing operation of the AI system. At the minimum, this should include system • Has the organization defined and documented the essential elements for the ongoing operation of the AI system? • Does the documentation specify system functionality, maintenance, and monitoring requirements? • Are operational procedures regularly reviewed and updated based on system performance? • Has management approved the operational framework for AI systems? • Documented AI System Operational Requirements • Maintenance and Monitoring Logs • Records of Operational Reviews and Updates • Management Approval for AI System Operations A.6.2.7 AI system technical documentation The organization shall determine what AI system technical documentation is needed for each relevant category of interested parties, such as users, partners, supervisory authorities, and provide the technical documentation to them in the appropriate form. • Has the organization identified the necessary AI system technical documentation for each category of interested parties? • Does the documentation cover users, partners, and regulatory authorities as required? • Is there a process to ensure documentation is updated and maintained? • Are there defined methods for distributing the documentation to relevant parties? • List of AI System Technical Documentation by Audience Category • Records of Documentation Distribution • Documentation Update and Maintenance Logs A.6.2.8 AI system recording of event logs The organization shall determine at which phases of the AI system life cycle, record keeping of event logs should be enabled, but at the minimum when the AI system is in use • Has the organization identified which AI lifecycle phases require event logging? • Are event logs enabled at a minimum when the AI system is in use? • Does the logging process capture relevant AI-related activities and decisions? • Is there a documented log retention and management process? • Documented AI Logging Requirements • Log Records for AI System Usage Phase • Log Retention and Management Policy 8 www.infosectrain.com | www.azpirantz.com
A.7.2 Data for development and enhancement of AI system The organization shall define, document and implement data management processes related to the development of AI systems. • Has the organization defined and documented data management processes for AI system development? • Do these processes cover data collection, storage, processing, and disposal? • Are data management practices aligned with regulatory and security requirements? • Is there a mechanism to monitor and enforce compliance with data management processes? • Are AI development teams trained on data management policies and procedures? • Documented AI Data Management Processes • Records of Data Handling Practices (Collection, Storage, Processing, Disposal) • Compliance Reports or Audit Logs on Data Management • Training Records for AI Development Teams A.7.3 Acquisition of data The organization shall determine and document details about the acquisition and selection of the data used in AI systems. • Has the organization documented the criteria and process for acquiring and selecting data for AI systems? • Are data sources verified for accuracy, reliability, and compliance with regulations? • Does the organization maintain records of data provenance and justification for selection? • Is there a process to periodically review and update data selection criteria? • Documented Data Acquisition and Selection Criteria • Records of Data Source Verification and Approval • Logs of Data Provenance and Justification for Use • Review and Update Records for Data Selection Criteria A.7.4 Quality of data for AI systems The organization shall define and document requirements for data quality and ensure that data used to develop and operate the AI system meet those requirements. • Has the organization defined and documented data quality requirements for AI systems? • Are there established criteria for accuracy, completeness, consistency, and reliability of data? • Is there a process to validate and monitor data quality during AI development and operation? • Are data quality checks regularly reviewed and updated based on AI system needs? • Documented Data Quality Requirements for AI • Records of Data Validation and Monitoring Processes • Reports on Data Quality Assessments and Corrections 9 www.infosectrain.com | www.azpirantz.com
• Has management approved and communicated the data quality requirements? • Management Approval for Data Quality Standards A.7.5 Data provenance The organization shall define and document a process for recording the provenance of data used in its AI systems over the life cycles of the data and the AI system. • Has the organization defined and documented a process for recording data provenance in AI systems? • Does the process cover data origin, transformations, and usage throughout the AI lifecycle? • Are data provenance records maintained and regularly updated? • Is there a mechanism to verify the integrity and accuracy of provenance records? • Documented Data Provenance Recording Process • Data Provenance Logs and Records • Records of Periodic Review and Updates • Integrity Verification Reports for Provenance Data A.7.6 Data preparation The organization shall define and document its criteria for selecting data preparations and the data preparation methods to be used. • Has the organization defined and documented criteria for selecting data preparation methods? • Are the selected data preparation methods aligned with AI system requirements? • Is there a process to review and update data preparation criteria based on evolving AI needs? • Has management approved the data preparation selection criteria? • Documented Data Preparation Criteria • List of Approved Data Preparation Methods • Records of Criteria Review and Updates • Management Approval for Data Preparation Standards A.8.2 System documentation and information for users The organization shall determine and provide the necessary information to users of the AI system. • Has the organization identified the necessary information that AI system users need? • Is this information clearly documented and accessible to users? • Does the organization provide instructions, limitations, and potential risks of the AI system? • Is there a process to update and communicate changes in AI system information to users? • Documented AI System User Guidelines • Records of Information Provided to Users • Communication Logs for AI System Updates 10 www.infosectrain.com | www.azpirantz.com
A.8.3 External reporting The organization shall provide capabilities for interested parties to report adverse impacts of the AI system. • Has the organization established a formal mechanism for interested parties to report adverse AI impacts? • Are reporting channels (e.g., portal, email, hotline) accessible and communicated? • Is there a defined process for reviewing, addressing, and responding to reported issues? • Are reports and resolutions documented and maintained for accountability? • Documented AI Adverse Impact Reporting Procedure • List of Available Reporting Channels • Records of Reported Cases and Actions Taken • Communication Logs Informing Stakeholders About the Reporting Process A.8.4 Communicati- on of incidents The organization shall determine and document a plan for communicating incidents to users of the AI system. • Has the organization established and documented a plan for communicating AI system incidents to users? • Does the plan specify incident types, notification timelines, and communication channels? • Are roles and responsibilities defined for incident reporting and user notification? • Is the communication plan tested and reviewed periodically? • Documented AI Incident Communication Plan • Defined Incident Notification Procedures • Records of Communication Plan Testing and Updates • Incident Logs with User Notifications A.8.5 Information for interested parties The organization shall determine and document their obligations to reporting information about the AI system to interested parties. • Has the organization identified and documented its AI system reporting obligations to interested parties? • Are reporting requirements aligned with legal, regulatory, and contractual obligations? • Is there a process for periodic review and updates to reporting obligations? • Are reporting responsibilities formally assigned within the organization? • Documented AI System Reporting Obligations • Regulatory and Contractual Compliance Records • Review and Update Logs for Reporting Requirements • Assigned Roles and Responsibilities for AI Reporting 11 www.infosectrain.com | www.azpirantz.com
A.9.2 Processes for responsible use of AI systems The organization shall define and document the processes for the responsible use of AI systems. • Has the organization defined and documented processes for the responsible use of AI systems? • Do the processes address ethical considerations, fairness, transparency, and accountability? • Are there guidelines for monitoring and mitigating risks associated with AI usage? • Has management formally approved these processes? • Are employees and stakeholders aware of and trained on responsible AI usage? • Documented AI Responsible Use Processes • Management Approval Records • 3.Risk Mitigation Guidelines for AI Usage • Training and Awareness Records on AI Ethics and Responsibilities A.9.3 Objectives for responsible use of AI system The organization shall identify and document objectives to guide the responsible use of AI systems. • Has the organization defined and documented objectives for the responsible use of AI systems? • Do the objectives align with ethical, legal, and organizational requirements? • Are the objectives communicated to relevant stakeholders? • Is there a process for reviewing and updating these objectives? • Documented AI Responsibility Objectives • Management Approval Records • Communication Records (e.g., emails, policy documents) • Review and Update Logs A.9.4 Intended use of the AI system The organization shall ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation. • Is there a documented process to ensure AI systems are used only for their intended purpose? • Does the organization maintain records of AI system usage and monitor deviations? • Are AI users provided with clear guidelines and documentation on intended use? • Is there a mechanism to detect and address unauthorized AI usage? • Documented AI Usage Guidelines • AI System Usage Logs and Monitoring Reports • Records of Unauthorized Usage Incidents and Actions Taken • User Training or Acknowledgment of Intended AI Use A.10.2 Allocating responsibilities The organization shall ensure that responsibilities within their AI system life cycle • Has the organization defined and documented responsibilities for each AI lifecycle stage? • Documented AI Responsibility Matrix 12 www.infosectrain.com | www.azpirantz.com
are allocated between the organization, its partners, suppliers, customers and third parties. • Are roles and responsibilities clearly allocated among internal teams, partners, suppliers, customers, and third parties? • Have all involved parties formally agreed to their assigned responsibilities? • Is there a process to review and update responsibilities as AI systems evolve? • Agreements or Contracts Defining AI-Related Roles • Records of Periodic Responsibility Reviews and Updates • Communications or Acknowledgments from Relevant Parties A.10.3 Suppliers The organization shall establish a process to ensure that its usage of services, products or materials provided by suppliers aligns with the organization’s approach to the responsible development and use of AI systems. • Has the organization established a documented process to assess supplier-provided AI services, products, or materials? • Does the process ensure supplier compliance with the organization's responsible AI principles? • Are AI-related supplier agreements reviewed for ethical AI use and security requirements? • Is there a mechanism to regularly monitor and reassess supplier compliance? • Documented Supplier AI Compliance Assessment Process • Supplier Agreements with AI Responsibility Clauses • Records of Supplier Evaluations and Compliance Reviews • Evidence of Ongoing Supplier Monitoring and Reassessment A.10.4 Customers The organization shall ensure that its responsible approach to the development and use of AI systems considers their customer expectations and needs. • Has the organization defined a process to assess customer expectations and needs related to AI systems? • Are customer requirements considered in AI system design, development, and deployment? • Is there a mechanism for gathering and incorporating customer feedback on AI systems? • Has management reviewed and approved the approach to addressing customer expectations? • Documented Process for Assessing Customer Expectations in AI Development • Records of Customer Feedback and AI System Adjustments • Management Approval for AI Customer Consideration Approach 13

More Related Content

PPTX
ISOIEC 42001 AI Management System Slides
byGilangRamadhan884333
 
PDF
153. ai-management-system-iso-iec42001-r2.pdf
byArmansyahHeni
 
PDF
pr ISMS Documented Information (lite).pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
PDF
ISO 27701:2022 Data Privacy New Version Presentation
byyogaallworks
 
PDF
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO Survey 2021: ISO 27001.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
ISMS ISO_IEC 27001 Lead Auditor Practice Questions v1_140223_.pptx
byMSaadJumani
 
ISOIEC 42001 AI Management System Slides
byGilangRamadhan884333
 
153. ai-management-system-iso-iec42001-r2.pdf
byArmansyahHeni
 
pr ISMS Documented Information (lite).pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
ISO 27701:2022 Data Privacy New Version Presentation
byyogaallworks
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO Survey 2021: ISO 27001.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISMS ISO_IEC 27001 Lead Auditor Practice Questions v1_140223_.pptx
byMSaadJumani
 

What's hot

PPTX
SOC 2 Compliance and Certification
byControlCase
 
PPTX
ISO 27001 Awareness/TRansition.pptx
byDr Madhu Aman Sharma
 
PDF
Steps to iso 27001 implementation
byRalf Braga
 
PDF
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
PPTX
Implementing ISO27001 2013
byscttmcvy
 
PPTX
27001 awareness Training
byDr Madhu Aman Sharma
 
PPTX
ISO 27001 - information security user awareness training presentation - Part 1
byTanmay Shinde
 
PPTX
ISMS User_Awareness Training.pptx
byMukesh Pant
 
PPTX
ISO 27001 - information security user awareness training presentation -part 2
byTanmay Shinde
 
PPTX
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
byiFour Consultancy
 
PDF
ISO 27002-2022.pdf
byChristianAquino52
 
PDF
ISO/IEC 27001:2013
byRamiro Cid
 
PPTX
Iso 27001 awareness
byÃsħâr Ãâlâm
 
PDF
Why ISO27001 For My Organisation
byVigilant Software
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
PPTX
Iso 27001 isms presentation
byMidhun Nirmal
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PDF
Business impact analysis
byShashwat Shankar
 
PPTX
Cybersecurity Audit
byEC-Council
 
PDF
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
SOC 2 Compliance and Certification
byControlCase
 
ISO 27001 Awareness/TRansition.pptx
byDr Madhu Aman Sharma
 
Steps to iso 27001 implementation
byRalf Braga
 
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
Implementing ISO27001 2013
byscttmcvy
 
27001 awareness Training
byDr Madhu Aman Sharma
 
ISO 27001 - information security user awareness training presentation - Part 1
byTanmay Shinde
 
ISMS User_Awareness Training.pptx
byMukesh Pant
 
ISO 27001 - information security user awareness training presentation -part 2
byTanmay Shinde
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
byiFour Consultancy
 
ISO 27002-2022.pdf
byChristianAquino52
 
ISO/IEC 27001:2013
byRamiro Cid
 
Iso 27001 awareness
byÃsħâr Ãâlâm
 
Why ISO27001 For My Organisation
byVigilant Software
 
The Zero Trust Model of Information Security
byTripwire
 
Iso 27001 isms presentation
byMidhun Nirmal
 
ISO 27001
byn|u - The Open Security Community
 
Business impact analysis
byShashwat Shankar
 
Cybersecurity Audit
byEC-Council
 
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 

Similar to ISO 42001 2023 Audit and Control Checklist

PDF
NIST_AI_RMF_to_ISO_IEC_42001_Crosswalk.pdf
bydarasridhar1
 
PDF
ISO IEC 42001 2023 Day wise Roadmap by infosectrain.pdf
bypriyanshamadhwal2
 
PDF
ISO IEC 42001 2023 Complete Implementation Guide.pdf
byinfosec train
 
PDF
AI-GRC Pros, Are You Implementation-Ready.pdf
byinfosecTrain
 
PDF
AI GRC Implementation Checklist by Infosectrain
bypriyanshamadhwal2
 
PDF
AI GRC Implementation Checklist-New.pdf
byinfosec train
 
PDF
HRIA and tool example.pdf
byFederico Marengo
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
Security Baselines and Risk Assessments
byPriyank Hada
 
PDF
September Update (including NIST ARIA Testing): Role of AI Safety Institutes.pdf
byBob Marcus
 
PDF
AI Audit: The Essential Checklist for Responsible AI
byYashikaSharma391629
 
PDF
Artificial Intelligence: Shaping the Future of Technology
byCyberPro Magazine
 
PPTX
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
byAyilurRamnath1
 
PPTX
ARTIFICIAL INTELLIGENCE IN CORPORATE GOVERNANCE
byaddanews10
 
PPTX
it_Govern_the_Use_of_AI_Responsibly_With_a_Fit_for_Purpose_Structure_.pptx
byValeryDiby
 
PDF
Navigating the 12 Risks of Artificial Intelligence - oragetechnologies .pdf
byorage technologies
 
PPTX
DOC-20240715-WA0015.ppt.1.ppvdvgcvgvhgvgvtx
byakhilaniyan11
 
PPTX
AI Risks.pptx Ai danger hai bach ke rahena thik hai
byAmanpandey70349
 
PPTX
Pros and cons of AI_ Promise vs Peril.pptx
byshalinivihansabandar
 
PPTX
Introduction-to-AI-and-its-Impact PPT BY AI.pptx
byTharunKonda
 
NIST_AI_RMF_to_ISO_IEC_42001_Crosswalk.pdf
bydarasridhar1
 
ISO IEC 42001 2023 Day wise Roadmap by infosectrain.pdf
bypriyanshamadhwal2
 
ISO IEC 42001 2023 Complete Implementation Guide.pdf
byinfosec train
 
AI-GRC Pros, Are You Implementation-Ready.pdf
byinfosecTrain
 
AI GRC Implementation Checklist by Infosectrain
bypriyanshamadhwal2
 
AI GRC Implementation Checklist-New.pdf
byinfosec train
 
HRIA and tool example.pdf
byFederico Marengo
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Security Baselines and Risk Assessments
byPriyank Hada
 
September Update (including NIST ARIA Testing): Role of AI Safety Institutes.pdf
byBob Marcus
 
AI Audit: The Essential Checklist for Responsible AI
byYashikaSharma391629
 
Artificial Intelligence: Shaping the Future of Technology
byCyberPro Magazine
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
byAyilurRamnath1
 
ARTIFICIAL INTELLIGENCE IN CORPORATE GOVERNANCE
byaddanews10
 
it_Govern_the_Use_of_AI_Responsibly_With_a_Fit_for_Purpose_Structure_.pptx
byValeryDiby
 
Navigating the 12 Risks of Artificial Intelligence - oragetechnologies .pdf
byorage technologies
 
DOC-20240715-WA0015.ppt.1.ppvdvgcvgvhgvgvtx
byakhilaniyan11
 
AI Risks.pptx Ai danger hai bach ke rahena thik hai
byAmanpandey70349
 
Pros and cons of AI_ Promise vs Peril.pptx
byshalinivihansabandar
 
Introduction-to-AI-and-its-Impact PPT BY AI.pptx
byTharunKonda
 

More from priyanshamadhwal2

PDF
How to implement ISO 22301 step by step by InfosecTrain
bypriyanshamadhwal2
 
PDF
Hands on Secure Coding Bootcamp by InfosecTrain.pdf
bypriyanshamadhwal2
 
PDF
SOC Analyst 7 Core Logs that catches 99% of threats
bypriyanshamadhwal2
 
PDF
Advantages and disadvantages of Firewalls
bypriyanshamadhwal2
 
PDF
OSI MODEL Comprehensive Guide For Exam and Interview
bypriyanshamadhwal2
 
PDF
How AI is Changing Threat Detection by InfosecTrain
bypriyanshamadhwal2
 
PDF
ISO IEC 27001 Clause wise checklist by infosectrain
bypriyanshamadhwal2
 
PDF
DPDP Act Draft Rules 2025 Commencement Timeline Explained
bypriyanshamadhwal2
 
PDF
Digital Personal Data Protection Rules, 2025.pdf
bypriyanshamadhwal2
 
PDF
Firewall Testing with hPing3 A comprehensive side by InfosecTrain.pdf
bypriyanshamadhwal2
 
PDF
Advanced Threat Hunting Digital forensics and incident response training.pdf
bypriyanshamadhwal2
 
PDF
SHODAN Information Gathering Tool Cheatsheet.pdf
bypriyanshamadhwal2
 
PDF
Mandatory Documents list DPDPA Digital Personal Data Protection ACT 2023.pdf
bypriyanshamadhwal2
 
PDF
Draft of India Digital Personal Data Protection Act 2023.pdf
bypriyanshamadhwal2
 
PDF
Information Gathering Using Spider Foot By InfosecTrain.pdf
bypriyanshamadhwal2
 
PDF
Navigating BCMS Vendor Contract Requirements.pdf
bypriyanshamadhwal2
 
PDF
AWS US EAST 1 Outage cascade analysis.pdf
bypriyanshamadhwal2
 
PDF
Cybersecurity awareness Month by InfosecTrain
bypriyanshamadhwal2
 
PDF
Top 12 Encryption Tools By InfosecTrain.pdf
bypriyanshamadhwal2
 
PDF
CEH Module 6 System Hacking mind map by InfosecTrain.pdf
bypriyanshamadhwal2
 
How to implement ISO 22301 step by step by InfosecTrain
bypriyanshamadhwal2
 
Hands on Secure Coding Bootcamp by InfosecTrain.pdf
bypriyanshamadhwal2
 
SOC Analyst 7 Core Logs that catches 99% of threats
bypriyanshamadhwal2
 
Advantages and disadvantages of Firewalls
bypriyanshamadhwal2
 
OSI MODEL Comprehensive Guide For Exam and Interview
bypriyanshamadhwal2
 
How AI is Changing Threat Detection by InfosecTrain
bypriyanshamadhwal2
 
ISO IEC 27001 Clause wise checklist by infosectrain
bypriyanshamadhwal2
 
DPDP Act Draft Rules 2025 Commencement Timeline Explained
bypriyanshamadhwal2
 
Digital Personal Data Protection Rules, 2025.pdf
bypriyanshamadhwal2
 
Firewall Testing with hPing3 A comprehensive side by InfosecTrain.pdf
bypriyanshamadhwal2
 
Advanced Threat Hunting Digital forensics and incident response training.pdf
bypriyanshamadhwal2
 
SHODAN Information Gathering Tool Cheatsheet.pdf
bypriyanshamadhwal2
 
Mandatory Documents list DPDPA Digital Personal Data Protection ACT 2023.pdf
bypriyanshamadhwal2
 
Draft of India Digital Personal Data Protection Act 2023.pdf
bypriyanshamadhwal2
 
Information Gathering Using Spider Foot By InfosecTrain.pdf
bypriyanshamadhwal2
 
Navigating BCMS Vendor Contract Requirements.pdf
bypriyanshamadhwal2
 
AWS US EAST 1 Outage cascade analysis.pdf
bypriyanshamadhwal2
 
Cybersecurity awareness Month by InfosecTrain
bypriyanshamadhwal2
 
Top 12 Encryption Tools By InfosecTrain.pdf
bypriyanshamadhwal2
 
CEH Module 6 System Hacking mind map by InfosecTrain.pdf
bypriyanshamadhwal2
 

Recently uploaded

PDF
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PPTX
MACSYMA introduction,working,application
bymanahilraees49
 
PPTX
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
PPTX
Role of the Uninstall Hook in Odoo 18 Module Cleanup
byCeline George
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PDF
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
PPTX
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
PDF
Orchard Floor Managment.pdf Orchard Floor Management
bybisensharad
 
PDF
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
PPTX
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PDF
Chaplin's Visual Critique of Modernism: Modern Times and The Great Dictator
bykrutivyas2005
 
PDF
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
PPTX
What is the Post load hook in Odoo 18
byCeline George
 
PDF
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
PPTX
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
PDF
Principles and Practices of GST 2.0 Study material
bySri Ramakrishna College of Arts and science
 
PDF
Prescription Writing- Elements, Parts, and Exercises
byDr. Ishita Agarwal
 
PPTX
SOCIAL SYSTEM.......................pptx
byAneetaSharma15
 
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
MACSYMA introduction,working,application
bymanahilraees49
 
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
Role of the Uninstall Hook in Odoo 18 Module Cleanup
byCeline George
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
Orchard Floor Managment.pdf Orchard Floor Management
bybisensharad
 
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
Chaplin's Visual Critique of Modernism: Modern Times and The Great Dictator
bykrutivyas2005
 
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
What is the Post load hook in Odoo 18
byCeline George
 
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
Principles and Practices of GST 2.0 Study material
bySri Ramakrishna College of Arts and science
 
Prescription Writing- Elements, Parts, and Exercises
byDr. Ishita Agarwal
 
SOCIAL SYSTEM.......................pptx
byAneetaSharma15
 

ISO 42001 2023 Audit and Control Checklist

  • 1.
  • 2.
    Clause no. Control name Control Description Audit questionnaire Evidence required A.2.2AI policy The organization shall document a policy for the development or use of AI systems. • Is there a documented AI policy for development or use? • Has management formally approved the policy? • Does the policy define AI development and usage guidelines? • Approved AI Policy Document • Management Approval Records • Policy Review and Revision Logs A.2.3 Alignment with other organizational policies The organization shall determine where other policies can be affected by or apply to, the organization’s objectives with respect to AI systems. • Has the organization identified policies that may be impacted by or applicable to AI objectives? • Is there a process to assess and document policy interdependencies related to AI? • Have affected policies been reviewed and updated to align with AI objectives? • Is there a mechanism to ensure ongoing alignment between AI objectives and other policies? • Documentation of identified affected policies • Records of policy impact assessments • Approved policy updates reflecting AI objectives • Review and approval records for policy modifications A.2.4 Review of the AI policy The AI policy shall be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness. • Is the AI policy reviewed at planned intervals? • Are additional reviews conducted when significant changes occur? • Is there a documented process for policy review and updates? • Are review outcomes approved by management? • AI Policy Review Schedule • Policy Review and Update Records • Management Approval of Policy Revisions • Meeting Minutes or Review Reports A.3.2 AI roles and responsibilities Roles and responsibilities for AI shall be defined and allocated according to the needs of the organization. • Have roles and responsibilities for AI development, deployment, and governance been formally defined? • Are AI-related responsibilities aligned with the organization’s needs and objectives? • Has management approved and communicated AI roles and responsibilities to relevant personnel? • Documented AI roles and responsibilities • Management approval records • Communication records confirming role assignments www.infosectrain.com | www.azpirantz.com 2
  • 3.
    A.3.3 Reporting of concerns Theorganization shall define and put in place a process to report concerns about the organization’s role with respect to an AI system throughout its life cycle. • Is there a documented process for reporting concerns about the organization’s role in AI systems? • Does the process define who can report, how to report, and response timelines? • Are reporting channels (e.g., email, portal, hotline) established and communicated? • Are AI-related concerns tracked, reviewed, and resolved with documented actions? • Has the organization conducted awareness sessions on the reporting process? • Approved AI Concern Reporting Procedure • List of Available Reporting Channels (e.g., email, hotline, portal) • Records of AI- Related Concern Reports and Actions Taken • Communication Logs (e.g., emails, notices) Informing Employees About the Process • Training or Awareness Session Records on AI Concern Reporting A.4.2 Resource documentation The organization shall identify and document relevant resources required for the activities at given AI system life cycle stages and other AI-related activities relevant for the organization • Has the organization identified and documented the required resources for each AI lifecycle stage? • Are human, technical, and financial resources explicitly defined? • Is there a process for periodic review and reallocation of AI- related resources? • Has management formally approved the resource allocation for AI activities? • Documented AI Resource Requirements • Records of Resource Review and Updates • Management Approval for Resource Allocation A.4.3 Data Resources As part of resource identification, the organization shall document information about the data resources utilized for the AI system. • Has the organization documented the data resources used for the AI system? • Does the documentation include data sources, types, and ownership? • Are data resource records periodically reviewed and updated? • Documented AI Data Resource Inventory • Records of Data Source Review and Updates 3 www.infosectrain.com | www.azpirantz.com
  • 4.
    A.4.4 Tooling resources As partof resource identification, the organization shall document information about the tooling resources utilized for the AI system. • Has the organization documented the tooling resources used for the AI system? • Does the documentation include software, frameworks, cloud services, and hardware? • Are tooling resources regularly reviewed and updated? • Documented List of AI Tooling Resources • Records of Tooling Resource Reviews and Updates A.4.5 System and Computing resources As part of resource identification, the organization shall document information about the system and computing resources utilized for the AI system. • Has the organization documented the system and computing resources used for the AI system? • Does the documentation specify hardware, software, cloud services, and storage? • Are resource allocations monitored and updated as the AI system evolves? • Documented AI System and Computing Resources • Inventory of Hardware, Software, and Cloud Services • Records of Resource Updates and Monitoring A.4.6 Human resources As part of resource identification, the organization shall document information about the human resources and their competences utilized for the development, deployment, operation, change management, maintenance, transfer and decommissioning, as well as verification and integration of the AI system • Has the organization documented the human resources involved in each AI lifecycle stage? • Are the competencies and skill requirements for these roles clearly defined? • Is there a process to review and update resource allocations as AI systems evolve? • Has management formally approved the assigned human resources for AI activities? • Documented AI Human Resource Allocation • Competency and Skill Requirement Records • Records of Resource Review and Updates • Management Approval for Assigned Personnel 4 www.infosectrain.com | www.azpirantz.com
  • 5.
    A.5.2 AI system impact assessment process Theorganization shall establish a process to assess the potential consequences for individuals or groups of individuals, or both, and societies that can result from the AI system throughout its life cycle. • Has the organization established a documented process to assess AI system consequences for individuals and society? • Does the assessment cover all lifecycle stages of the AI system? • Are ethical, legal, and social impacts considered in the assessment? • Is there a process for reviewing and updating the assessment based on AI system changes? • Has management approved and implemented the assessment framework? • Documented AI Impact Assessment Process • Records of Conducted AI Impact Assessments • Review and Update Logs for Assessments • Management Approval of Assessment Framework A.5.3 Documentati- on of AI system impact assessments The organization shall document the results of AI system impact assessments and retain results for a defined period. • Are AI system impact assessments documented after each evaluation? • Does the organization define and follow a retention period for assessment results? • Are assessment results reviewed and approved by relevant stakeholders? • Is there a process to ensure secure storage and accessibility of past assessments? • Documented AI Impact Assessment Reports • Defined Retention Policy for Assessment Results • Records of Review and Approval of Assessments • Logs or System Records Showing Secure Storage of Past Assessments A.5.4 Assessing AI system impact on individuals or groups of individuals The organization shall assess and document the potential impacts of AI systems to individuals or groups of individuals throughout the system’s life cycle • Has the organization conducted an assessment of AI system impacts on individuals or groups? • Is the impact assessment documented and aligned with the AI system lifecycle? • Are ethical, legal, and societal risks considered in the assessment? • Is there a process for reviewing and updating impact assessments over time? • Documented AI Impact Assessment Report • Records of Periodic Impact Reviews and Updates • Risk Assessment Findings Related to AI Systems 5 www.infosectrain.com | www.azpirantz.com
  • 6.
    A.5.5 Assessing societal impacts ofAI systems The organization shall assess and document the potential societal impacts of their AI systems throughout their life cycle. • Has the organization conducted an assessment of the potential societal impacts of its AI systems? • Is the assessment documented and updated throughout the AI system lifecycle? • Does the assessment consider ethical, legal, and social risks? • Are mitigation measures defined for identified negative societal impacts? • Has management reviewed and approved the societal impact assessment? • Documented Societal Impact Assessment Reports • Records of Periodic Reviews and Updates • Risk Mitigation Plans for Identified Societal Impacts • Management Approval Records A.6.1.2 Objectives for responsible development of AI system The organization shall identify and document objectives to guide the responsible development AI systems, and take those objectives into account and integrate measures to achieve them in the development life cycle • Has the organization identified and documented objectives for responsible AI development? • Are these objectives aligned with ethical, legal, and business requirements? • Have measures been integrated into the AI development lifecycle to achieve these objectives? • Is there a process to review and update AI development objectives periodically? • Documented AI Development Objectives • AI Lifecycle Process with Integrated Measures • Records of Objective Reviews and Updates A.6.1.3 Processes for responsible AI system design and development The organization shall define and document the specific processes for the responsible design and development of the AI system • Has the organization defined and documented processes for responsible AI design and development? • Do the processes address ethical, legal, and security considerations? • Is there a formal review and approval mechanism for AI design and development processes? • Are these processes communicated and followed by AI development teams? • Documented AI Design and Development Processes • Records of Process Review and Approval • Training or Awareness Records for AI Development Teams 6 www.infosectrain.com | www.azpirantz.com
  • 7.
    A.6.2.2 AI system requirements and specification Theorganization shall specify and document requirements for new AI systems or material enhancements to existing systems. • Has the organization documented requirements for new AI systems and enhancements? • Do the requirements cover functionality, security, compliance, and ethical considerations? • Is there a formal approval process before implementation? • Are requirement documents regularly reviewed and updated? • Documented AI System Requirements • Approval Records for New or Enhanced AI Systems • Requirement Review and Update Logs A.6.2.3 Documentati- on of AI system design and development The organization shall document the AI system design and development based on organizational objectives, documented requirements and specification criteria • Has the organization documented the AI system design and development process? • Are AI systems designed based on organizational objectives and documented requirements? • Does the documentation include specification criteria for AI system development? • Is there a process to review and update the design and development documentation? • Documented AI System Design and Development Process • AI System Requirement and Specification Documents • Records of Design Review and Updates A.6.2.4 AI system verification and validation The organization shall define and document verification and validation measures for the AI system and specify criteria for their use. • Has the organization defined and documented verification and validation (V&V) measures for AI systems? • Are specific criteria for applying V&V measures clearly outlined? • Is there a process to review and update V&V measures based on AI system changes? • Has management approved and implemented the V&V framework? • Documented AI Verification and Validation Measures • Defined Criteria for Applying V&V • Records of V&V Implementation and Review • Management Approval for V&V Framework A.6.2.5 AI system deployment The organization shall document a deployment plan and ensure that appropriate requirements are met prior to deployment. • Is there a documented AI deployment plan covering all necessary steps? • Does the plan define pre- deployment requirements and validation checks? • Is there a process to verify and approve compliance before deployment? • Has management formally approved the deployment plan? • Documented AI System Requirements • Approval Records for New or Enhanced AI Systems • Requirement Review and Update Logs 7 www.infosectrain.com | www.azpirantz.com
  • 8.
    A.6.2.6 AI system operationand monitoring The organization shall define and document the necessary elements for the ongoing operation of the AI system. At the minimum, this should include system • Has the organization defined and documented the essential elements for the ongoing operation of the AI system? • Does the documentation specify system functionality, maintenance, and monitoring requirements? • Are operational procedures regularly reviewed and updated based on system performance? • Has management approved the operational framework for AI systems? • Documented AI System Operational Requirements • Maintenance and Monitoring Logs • Records of Operational Reviews and Updates • Management Approval for AI System Operations A.6.2.7 AI system technical documentation The organization shall determine what AI system technical documentation is needed for each relevant category of interested parties, such as users, partners, supervisory authorities, and provide the technical documentation to them in the appropriate form. • Has the organization identified the necessary AI system technical documentation for each category of interested parties? • Does the documentation cover users, partners, and regulatory authorities as required? • Is there a process to ensure documentation is updated and maintained? • Are there defined methods for distributing the documentation to relevant parties? • List of AI System Technical Documentation by Audience Category • Records of Documentation Distribution • Documentation Update and Maintenance Logs A.6.2.8 AI system recording of event logs The organization shall determine at which phases of the AI system life cycle, record keeping of event logs should be enabled, but at the minimum when the AI system is in use • Has the organization identified which AI lifecycle phases require event logging? • Are event logs enabled at a minimum when the AI system is in use? • Does the logging process capture relevant AI-related activities and decisions? • Is there a documented log retention and management process? • Documented AI Logging Requirements • Log Records for AI System Usage Phase • Log Retention and Management Policy 8 www.infosectrain.com | www.azpirantz.com
  • 9.
    A.7.2 Data for development and enhancement ofAI system The organization shall define, document and implement data management processes related to the development of AI systems. • Has the organization defined and documented data management processes for AI system development? • Do these processes cover data collection, storage, processing, and disposal? • Are data management practices aligned with regulatory and security requirements? • Is there a mechanism to monitor and enforce compliance with data management processes? • Are AI development teams trained on data management policies and procedures? • Documented AI Data Management Processes • Records of Data Handling Practices (Collection, Storage, Processing, Disposal) • Compliance Reports or Audit Logs on Data Management • Training Records for AI Development Teams A.7.3 Acquisition of data The organization shall determine and document details about the acquisition and selection of the data used in AI systems. • Has the organization documented the criteria and process for acquiring and selecting data for AI systems? • Are data sources verified for accuracy, reliability, and compliance with regulations? • Does the organization maintain records of data provenance and justification for selection? • Is there a process to periodically review and update data selection criteria? • Documented Data Acquisition and Selection Criteria • Records of Data Source Verification and Approval • Logs of Data Provenance and Justification for Use • Review and Update Records for Data Selection Criteria A.7.4 Quality of data for AI systems The organization shall define and document requirements for data quality and ensure that data used to develop and operate the AI system meet those requirements. • Has the organization defined and documented data quality requirements for AI systems? • Are there established criteria for accuracy, completeness, consistency, and reliability of data? • Is there a process to validate and monitor data quality during AI development and operation? • Are data quality checks regularly reviewed and updated based on AI system needs? • Documented Data Quality Requirements for AI • Records of Data Validation and Monitoring Processes • Reports on Data Quality Assessments and Corrections 9 www.infosectrain.com | www.azpirantz.com
  • 10.
    • Has managementapproved and communicated the data quality requirements? • Management Approval for Data Quality Standards A.7.5 Data provenance The organization shall define and document a process for recording the provenance of data used in its AI systems over the life cycles of the data and the AI system. • Has the organization defined and documented a process for recording data provenance in AI systems? • Does the process cover data origin, transformations, and usage throughout the AI lifecycle? • Are data provenance records maintained and regularly updated? • Is there a mechanism to verify the integrity and accuracy of provenance records? • Documented Data Provenance Recording Process • Data Provenance Logs and Records • Records of Periodic Review and Updates • Integrity Verification Reports for Provenance Data A.7.6 Data preparation The organization shall define and document its criteria for selecting data preparations and the data preparation methods to be used. • Has the organization defined and documented criteria for selecting data preparation methods? • Are the selected data preparation methods aligned with AI system requirements? • Is there a process to review and update data preparation criteria based on evolving AI needs? • Has management approved the data preparation selection criteria? • Documented Data Preparation Criteria • List of Approved Data Preparation Methods • Records of Criteria Review and Updates • Management Approval for Data Preparation Standards A.8.2 System documentation and information for users The organization shall determine and provide the necessary information to users of the AI system. • Has the organization identified the necessary information that AI system users need? • Is this information clearly documented and accessible to users? • Does the organization provide instructions, limitations, and potential risks of the AI system? • Is there a process to update and communicate changes in AI system information to users? • Documented AI System User Guidelines • Records of Information Provided to Users • Communication Logs for AI System Updates 10 www.infosectrain.com | www.azpirantz.com
  • 11.
    A.8.3 External reporting The organization shallprovide capabilities for interested parties to report adverse impacts of the AI system. • Has the organization established a formal mechanism for interested parties to report adverse AI impacts? • Are reporting channels (e.g., portal, email, hotline) accessible and communicated? • Is there a defined process for reviewing, addressing, and responding to reported issues? • Are reports and resolutions documented and maintained for accountability? • Documented AI Adverse Impact Reporting Procedure • List of Available Reporting Channels • Records of Reported Cases and Actions Taken • Communication Logs Informing Stakeholders About the Reporting Process A.8.4 Communicati- on of incidents The organization shall determine and document a plan for communicating incidents to users of the AI system. • Has the organization established and documented a plan for communicating AI system incidents to users? • Does the plan specify incident types, notification timelines, and communication channels? • Are roles and responsibilities defined for incident reporting and user notification? • Is the communication plan tested and reviewed periodically? • Documented AI Incident Communication Plan • Defined Incident Notification Procedures • Records of Communication Plan Testing and Updates • Incident Logs with User Notifications A.8.5 Information for interested parties The organization shall determine and document their obligations to reporting information about the AI system to interested parties. • Has the organization identified and documented its AI system reporting obligations to interested parties? • Are reporting requirements aligned with legal, regulatory, and contractual obligations? • Is there a process for periodic review and updates to reporting obligations? • Are reporting responsibilities formally assigned within the organization? • Documented AI System Reporting Obligations • Regulatory and Contractual Compliance Records • Review and Update Logs for Reporting Requirements • Assigned Roles and Responsibilities for AI Reporting 11 www.infosectrain.com | www.azpirantz.com
  • 12.
    A.9.2 Processes for responsible useof AI systems The organization shall define and document the processes for the responsible use of AI systems. • Has the organization defined and documented processes for the responsible use of AI systems? • Do the processes address ethical considerations, fairness, transparency, and accountability? • Are there guidelines for monitoring and mitigating risks associated with AI usage? • Has management formally approved these processes? • Are employees and stakeholders aware of and trained on responsible AI usage? • Documented AI Responsible Use Processes • Management Approval Records • 3.Risk Mitigation Guidelines for AI Usage • Training and Awareness Records on AI Ethics and Responsibilities A.9.3 Objectives for responsible use of AI system The organization shall identify and document objectives to guide the responsible use of AI systems. • Has the organization defined and documented objectives for the responsible use of AI systems? • Do the objectives align with ethical, legal, and organizational requirements? • Are the objectives communicated to relevant stakeholders? • Is there a process for reviewing and updating these objectives? • Documented AI Responsibility Objectives • Management Approval Records • Communication Records (e.g., emails, policy documents) • Review and Update Logs A.9.4 Intended use of the AI system The organization shall ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation. • Is there a documented process to ensure AI systems are used only for their intended purpose? • Does the organization maintain records of AI system usage and monitor deviations? • Are AI users provided with clear guidelines and documentation on intended use? • Is there a mechanism to detect and address unauthorized AI usage? • Documented AI Usage Guidelines • AI System Usage Logs and Monitoring Reports • Records of Unauthorized Usage Incidents and Actions Taken • User Training or Acknowledgment of Intended AI Use A.10.2 Allocating responsibilities The organization shall ensure that responsibilities within their AI system life cycle • Has the organization defined and documented responsibilities for each AI lifecycle stage? • Documented AI Responsibility Matrix 12 www.infosectrain.com | www.azpirantz.com
  • 13.
    are allocated between the organization,its partners, suppliers, customers and third parties. • Are roles and responsibilities clearly allocated among internal teams, partners, suppliers, customers, and third parties? • Have all involved parties formally agreed to their assigned responsibilities? • Is there a process to review and update responsibilities as AI systems evolve? • Agreements or Contracts Defining AI-Related Roles • Records of Periodic Responsibility Reviews and Updates • Communications or Acknowledgments from Relevant Parties A.10.3 Suppliers The organization shall establish a process to ensure that its usage of services, products or materials provided by suppliers aligns with the organization’s approach to the responsible development and use of AI systems. • Has the organization established a documented process to assess supplier-provided AI services, products, or materials? • Does the process ensure supplier compliance with the organization's responsible AI principles? • Are AI-related supplier agreements reviewed for ethical AI use and security requirements? • Is there a mechanism to regularly monitor and reassess supplier compliance? • Documented Supplier AI Compliance Assessment Process • Supplier Agreements with AI Responsibility Clauses • Records of Supplier Evaluations and Compliance Reviews • Evidence of Ongoing Supplier Monitoring and Reassessment A.10.4 Customers The organization shall ensure that its responsible approach to the development and use of AI systems considers their customer expectations and needs. • Has the organization defined a process to assess customer expectations and needs related to AI systems? • Are customer requirements considered in AI system design, development, and deployment? • Is there a mechanism for gathering and incorporating customer feedback on AI systems? • Has management reviewed and approved the approach to addressing customer expectations? • Documented Process for Assessing Customer Expectations in AI Development • Records of Customer Feedback and AI System Adjustments • Management Approval for AI Customer Consideration Approach 13