Documented Information Explained for ISO 42001

ISO 42001 Clause 7.5

Documented information for AI extends beyond policies and procedures. It includes the registers, assessments, logs and technical records that evidence how AI is being managed.

ISO 42001 Clause 7.5 - Documented Information Explained

Clause 7.5 follows the standard Annex SL documented information requirements with no AI-specific additions in the main clause text. The AI-specific documented information requirements are scattered through the rest of the standard - the scope under 4.3, the policy under 5.2, the risk assessment under 6.1.2, the Statement of Applicability under 6.1.3, the impact assessment under 6.1.4, the objectives under 6.2, competence evidence under 7.2, monitoring evidence under 9.1, audit results under 9.2, management review records under 9.3, and nonconformity records under 10.2. Clause 7.5 requires all of this information to be controlled to a consistent standard.

What ISO 42001 Clause 7.5 requires

The AI management system must include the documented information required by the standard and any additional documented information determined by the organisation as necessary for the effectiveness of the management system. The extent of documented information varies by the size and complexity of the organisation and its AI activities.

When creating and updating documented information, the organisation must make sure it has appropriate identification and description (such as a title, date, author or reference number), an appropriate format and media, and review and approval for suitability and adequacy.

Documented information must be controlled to make sure it is available and suitable for use where and when it is needed, and that it is adequately protected from loss of confidentiality, improper use or loss of integrity. The organisation must address distribution, access, retrieval and use; storage and preservation; control of changes; and retention and disposition. Documented information of external origin determined to be necessary for the management system must be identified and controlled.

AI-specific documented information considerations

Two AI-specific considerations affect documented information practice. The first is the volume and variety of AI technical documentation generated by AI systems themselves - event logs, model evaluation records, training data documentation, deployment records and impact assessment outputs. Annex A.6.2.7 and Annex A.6.2.8 set out specific requirements for AI system technical documentation and event logs. The management system needs to make sure this technical documentation is captured, controlled and retained alongside the policies, procedures and registers.

The second is the protection of documented information that may include personal data, commercially sensitive AI information, or model-specific information that needs to be protected from improper disclosure. The integration with information security under ISO 27001 is particularly important here, because AI documented information often falls within the scope of both standards.

Document register approach

A document register is the most common way to manage controlled documented information for the AI management system. The register lists each controlled document with its identifier, title, current version, owner, location, retention period and review date. AI-specific documented information is added to the register alongside the existing management system documents, with the AI-specific items identified for ease of audit.

When auditing Clause 7.5, I sample documents from the register and check the controls. I look for current versions, evidence of review and approval, and consistency between the register and the actual documents. I check that documents identified as confidential have appropriate access controls and that retention periods are being applied.

For AI-specific documents, I pay particular attention to event logs and technical documentation. The standard requires these to be retained for the period necessary for the intended use and within the data retention policies of the organisation. An event log that has been deleted or overwritten without justification is a finding.

The trick with documented information is to keep it proportionate. The standard does not require everything to be elaborately documented. It requires the documented information that is actually needed for the management system to be effective, plus the specific documented information required by particular clauses. Adding more documented information than that creates overhead without adding value.

Where the organisation already has a document control system under ISO 9001 or ISO 27001, the AI-specific documented information slots into the existing system rather than needing a parallel system. This is the cleanest approach for integrated management systems.

Our document register has the AI documents listed alongside everything else. Same control, same retention rules, same review schedule. AI did not get its own system, it joined the existing one.

Practical Compliance Guidance

IMS1 Section 1.5 Management of Documented Information sets out the procedure the organisation has adopted for controlling documented information across the management system, including the AI-specific documented information required by ISO 42001. The document register provides the operational view of controlled documented information.

The following alphaZ documents support compliance with ISO 42001 Clause 7.5.

| alphaZ document | How to use it |
| --- | --- |
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including IMS1 where document control is defined. |
| F-IMS20 Document Register | Records the controlled documents of the management system, the version, owner, location, retention period and review date for each, including the AI-specific documents. |

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The standard requires the scope (4.3), AI policy (5.2), AI risk assessment process and results (6.1.2), AI risk treatment process and results including the Statement of Applicability (6.1.3), AI system impact assessment results (6.1.4), AI objectives (6.2), competence evidence (7.2), monitoring and measurement evidence (9.1), internal audit programme and results (9.2), management review results (9.3) and nonconformity and corrective action records (10.2). The Annex A controls add further specific documented information requirements.
Event logs should be retained for as long as required for the intended use of the AI system and within the organisation's data retention policies. Legal requirements may also apply, particularly for AI systems used in regulated activities or processing personal data. The retention period should be documented and applied consistently.
Yes. The standard does not specify formats. Paper, electronic, database, image, video and other formats are all acceptable provided the requirements for identification, format, review, approval, control, access, change control, retention and disposition are met.
