ISO 42001 A.6.2: Data Management for AI Systems
AI systems are only as reliable as the data that trains them. Control A.6.2 requires your organization to implement end-to-end data management processes—from acquisition through disposal—ensuring training datasets are representative, unbiased, and fully documented. Without proper data governance, AI models inherit flaws that cascade through your operations and compliance posture.
What this means
This control mandates that your organization establish formal processes governing all aspects of data used in AI systems. You must define procedures for acquiring data from reliable sources, preparing and cleaning datasets to remove errors and inconsistencies, and conducting quality assessments to validate completeness and accuracy. Critical to this control is addressing dataset bias—your processes must actively identify and mitigate representational, measurement, and algorithmic biases in training, validation, and test data. You must document data lineage, sources, transformations, and quality metrics. Access controls must restrict who can view, modify, or export datasets. Finally, you need secure disposal procedures to ensure sensitive data is irrevocably removed when datasets are retired.
How to comply
- 1.Create a data management policy covering the full lifecycle: acquisition, preparation, quality assessment, storage, access, and secure disposal.
- 2.Establish data acquisition standards defining approved sources, validation checks, and documentation requirements for all datasets.
- 3.Implement data preparation procedures including cleaning, normalization, and transformation with audit trails of all modifications.
- 4.Conduct bias assessments on training, validation, and test datasets, documenting representativeness across demographic, geographic, and behavioral dimensions.
- 5.Define data quality metrics and conduct assessments verifying completeness, accuracy, consistency, and relevance before AI model development.
- 6.Maintain comprehensive data documentation including source, provenance, collection date, field definitions, known limitations, and quality scores.
- 7.Configure access controls restricting dataset access to authorized roles with logging of all access events.
- 8.Establish secure data storage with encryption at rest and in transit, with segregation of sensitive datasets.
- 9.Document and test secure disposal procedures ensuring sensitive data is unrecoverable after retention periods expire.
Evidence auditors look for
- Data management policy document addressing lifecycle stages and bias mitigation requirements.
- Data inventory spreadsheet or tool documenting all datasets with source, purpose, collection date, and quality scores.
- Bias assessment reports analyzing demographic representation, statistical parity, and fairness metrics in training datasets.
- Data preparation logs showing all transformations, exclusions, and quality corrections applied to datasets.
- Access control matrix defining who can access each dataset and for what purposes, with role-based permissions.
- Data storage architecture documentation showing encryption methods, segregation, and backup procedures.
- Secure disposal checklist and test results confirming datasets are irrevocably deleted from all systems.
- Quality assessment records documenting completeness checks, accuracy validation, and consistency verification.
- Data lineage documentation tracing datasets back to original sources with transformation history.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial