Incident Management

Control statements and requirements for incident management.

IM-1: Incident Detection and Response

The organisation shall establish and maintain a comprehensive incident management process for AI systems. This process must include mechanisms for detecting incidents, assessing their severity, implementing immediate response measures, and conducting thorough investigations. The organisation shall maintain documented procedures for incident response, ensure adequate resources are available for incident handling, and verify that response teams have appropriate expertise. Response procedures must address both technical and privacy-related incidents, with specific provisions for high-risk AI systems.

ISO 42001: A.8.4
ISO 27001: A.16.1, A.12.7
ISO 27701: 16.2.1, A.7.3.7, B.8.5.4
EU AI Act: 73.6
NIST RMF: Manage 4.3
SOC 2: CC7.4, P6.1, P6.2

IM-2: Incident Reporting and Notification

The organisation shall implement processes for timely reporting of serious incidents to relevant suppliers, customers, authorities, affected individuals, and other stakeholders as required by applicable regulations or internal policy. This includes maintaining clear notification timelines based on incident severity and ensuring the completeness and accuracy of incident reports. The organisation must document all notifications and maintain evidence of compliance.

ISO 42001: A.8.4
ISO 27001: A.16.1, A.16.2
ISO 27701: 16.2.2, B.8.5.4, B.8.5.5
EU AI Act: 73.1-73.5, 73.9, 73.10
NIST RMF: Manage 4.3
SOC 2: P6.3, P6.4

IM-3: Incident Analysis and Improvement

The organisation shall analyse incidents to identify root causes, assess the effectiveness of response measures, and implement improvements to prevent recurrence. This includes conducting post-incident reviews, documenting lessons learned, updating incident response procedures based on experience, and verifying the effectiveness of corrective actions. The organisation must maintain records of all incident analyses and resulting improvements.

ISO 42001: A.8.4
ISO 27001: A.16.3
ISO 27701: 16.2.1
EU AI Act: 73.6
NIST RMF: Manage 4.3
SOC 2: P6.5