Resource documentation
Plain English Translation
Organizations must identify and document all the resources needed to develop, operate, and maintain an AI system throughout its lifecycle. This includes keeping a clear inventory of data sources, software tools, computing hardware, and human expertise, which helps the organization understand dependencies and manage potential AI risks effectively.
Technical Implementation
Required Actions (startup)
- Create a basic spreadsheet listing the core datasets, models, and cloud infrastructure used.
- Document the primary engineers and data scientists responsible for the AI system.
Required Actions (scaleup)
- Implement a formal asset inventory that categorizes resources into data, tooling, compute, and human capital.
- Create and maintain high-level data flow and system architecture diagrams for all AI products.
- Track third-party AI dependencies, including foundational models and external APIs.
Required Actions (enterprise)
- Integrate AI resource tracking into the enterprise Configuration Management Database (CMDB).
- Automate the discovery and documentation of compute resources and ML pipeline tooling.
- Link resource documentation directly to AI risk assessments and business continuity plans.
ISO/IEC 42001 Annex A.4.2 requires organizations to identify and formally document the resources necessary for AI systems across their entire life cycle. This documentation acts as a foundational inventory to help organizations understand system dependencies, evaluate risks, and manage potential impacts effectively.
The standard specifies that organizations must document AI system components, data resources, tooling such as algorithms and software, and computing resources like hardware and cloud infrastructure. Additionally, organizations must document human resources, ensuring people with the necessary expertise are identified for the development, operation, and maintenance of the AI system.
To create an AI resource register, organizations should systematically map out each phase of the AI life cycle and identify the data, tools, infrastructure, and personnel required at each stage. This inventory can utilize data flow diagrams or system architecture diagrams to visually document how these resources interact and support the AI system. Tools like WatchDog Security's Asset Inventory can help keep this register centralized with clear ownership and lifecycle tagging.
Yes, ISO/IEC 42001 outlines specific control objectives for each resource category, including data, tooling, computing resources, and human resources. While they can be tracked within a centralized asset inventory, the unique characteristics, risks, and requirements for each type of resource must be distinctly documented and managed.
Auditors look for formal, maintained documented information such as asset inventories, system architecture diagrams, data flow maps, and skills competency matrices. They will verify that these documents accurately reflect the current resources used across all active AI systems and that they are updated appropriately. Tools like WatchDog Security's Compliance Center can centralize these artifacts as evidence, track collection status, and highlight missing items before an assessment.
AI resource documentation should be reviewed at planned intervals and updated whenever there are significant changes to the AI system's design, deployment, or operational environment. Organizations must ensure that any modifications to data sources, compute infrastructure, or tooling are reflected in the documentation to maintain an accurate risk profile.
Third-party resources, such as externally sourced APIs, cloud computing infrastructure, and vendor-supplied models, must be included in the resource documentation just like internal assets. The documentation should detail the nature of the third-party resource, its role in the AI system life cycle, and any dependencies it creates for the organization. WatchDog Security's Vendor Risk Management can catalog these providers, capture security assessments, and risk-tier critical AI dependencies to support consistent documentation.
Annex A.4.2 acts as the overarching control requiring the identification and documentation of all types of resources needed for the AI system. Annex A.4.3 is a more specific sub-control focusing exclusively on the documentation of data resources, including provenance, categories, and retention policies.
Organizations should structure their documentation to explicitly link specific resources to the lifecycle stages where they are utilized, such as mapping training data to the design phase or monitoring tools to the operations phase. This lifecycle-centric approach ensures that resource dependencies and capacity requirements are clear during transitions from development to production.
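A register structured this way can be checked for gaps automatically. The following is an added example, not part of ISO/IEC 42001 or of any WatchDog Security product: it audits a register for missing owners, missing lifecycle links, undocumented third-party roles or dependencies, and resource categories that a system lacks. The field names, the four stage labels, and the sample entries are assumptions constructed for illustration.

```python
# Added example: completeness check for an AI resource register.
# Field names, stage labels and the sample entries are constructed assumptions.
from collections import defaultdict

CATEGORIES = {"data", "tooling", "compute", "human"}            # categories named on the page
STAGES = {"design", "development", "deployment", "operations"}  # assumed stage labels

def audit_register(entries):
    """Return a sorted list of (subject, gap) tuples for the register."""
    gaps = []
    seen = defaultdict(set)  # system -> resource categories documented for it
    for e in entries:
        rid = e.get("id", "<no id>")
        cat = e.get("category")
        if cat not in CATEGORIES:
            gaps.append((rid, f"unknown category {cat!r}"))
        else:
            seen[e.get("system", "<no system>")].add(cat)
        if not e.get("owner"):
            gaps.append((rid, "no owner"))
        stages = set(e.get("stages", []))
        if not stages:
            gaps.append((rid, "not linked to any lifecycle stage"))
        elif stages - STAGES:
            gaps.append((rid, f"unknown stage(s) {sorted(stages - STAGES)}"))
        # Third-party resources need their role and the dependency they create.
        if e.get("third_party"):
            for field in ("role", "dependency"):
                if not e.get(field):
                    gaps.append((rid, f"third-party entry missing {field}"))
    # Every system should have all four resource categories documented.
    for system, cats in seen.items():
        for missing in sorted(CATEGORIES - cats):
            gaps.append((system, f"no {missing} resource documented"))
    return sorted(gaps)

# Constructed sample register for one hypothetical system.
SAMPLE = [
    {"id": "ds-001", "system": "support-bot", "category": "data",
     "owner": "data-eng", "stages": ["design", "development"]},
    {"id": "api-001", "system": "support-bot", "category": "tooling",
     "owner": "ml-platform", "stages": ["operations"],
     "third_party": True, "role": "hosted foundation model"},
    {"id": "gpu-001", "system": "support-bot", "category": "compute",
     "owner": "", "stages": []},
]

if __name__ == "__main__":
    for subject, gap in audit_register(SAMPLE):
        print(f"{subject}: {gap}")
```

Run against an export of the real inventory at each planned review, the gap list shows which entries need attention before the register is presented as evidence.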
While ISO/IEC 42001 does not mandate a specific template, organizations often use comprehensive asset inventory spreadsheets, configuration management databases, and system architecture diagrams as acceptable formats. The key requirement is that the chosen format adequately captures the necessary resource categories and is controlled as documented information. Tools like WatchDog Security's Policy Management can support version control and review workflows for the documented resource templates, and WatchDog Security's Compliance Center can map the resulting artifacts to ISO/IEC 42001 requirements for readiness tracking.
Keeping resource documentation current is difficult when data sources, models, cloud services, and team ownership change frequently. Tools like WatchDog Security's Asset Inventory can centralize AI-related assets and dependencies, while WatchDog Security's Compliance Center can track required evidence, review cadence, and gaps against ISO/IEC 42001.
Audits typically require consistent, version-controlled inventories and diagrams that match what is actually in production. Tools like WatchDog Security's Compliance Center can organize and map resource artifacts as evidence, and WatchDog Security's Trust Center can support controlled external access to the evidence set when sharing with customers or auditors.
"The organization shall identify and document relevant resources required for the activities at given AI system life cycle stages and other AI-related activities relevant for the organization."
"Documentation of resources of the AI system is critical for understanding risks, as well as potential AI system impacts (both positive and negative) to individuals or groups of individuals, or both, and societies. The documentation of such resources (which can utilize, for instance, data flow diagrams or system architecture diagrams) can inform the AI system impact assessments."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |