Back to Framework

System, Data and Model Lifecycle

Control statements and requirements for system, data and model lifecycle.

Data Quality and GovernanceLC-1

The organisation shall establish and maintain comprehensive data governance processes ensuring high-quality data throughout the AI system lifecycle. This shall include documented requirements and procedures for data collection, processing, and validation, ensuring datasets are relevant, representative, and statistically suitable for their intended purpose. The organisation shall implement processes for bias detection and mitigation, maintain clear data provenance records, and ensure data reflects the specific geographical, behavioural, and functional settings where AI systems will be used.

ISO42001:A.7.2-A.7.6
ISO27701:A.7.4.1-A.7.4.2 A.7.4.6-A.7.4.8 B.8.4.1-B.8.4.2
EU AI ACT:10.1-10.6
NIST RMF:Map 2.1

System Development and Lifecycle ManagementLC-2

The organisation shall define, document, and maintain processes for responsible AI system development across the entire lifecycle, from requirements specification through deployment and eventual decommissioning. The organisation shall maintain clear records of system objectives, technical implementation decisions, and operational constraints throughout development and deployment phases.

ISO42001:A.6.1.2-A.6.1.3 A.6.2.2-A.6.2.3 A.6.2.5
ISO27701:A.7.4.1-A.7.4.2 A.7.4.5-A.7.4.8 B.8.4.1-B.8.4.2
NIST RMF:Map 1.6 Govern 1.7
SOC2:CC8.1 CC8.2

Resource Management and InfrastructureLC-3

The organisation shall document and maintain inventories of all resources required for AI system development and operation, including data resources, tooling, computing infrastructure, and human competencies. This shall include clear allocation of responsibilities, documentation of system dependencies, and maintenance of resource specifications throughout the system lifecycle.

ISO42001:A.4.3 A.4.5 A.4.6 A.10.2
ISO27001:A.8.1 A.8.2
ISO27701:A.7.2.6 A.7.2.7 B.8.5.6
NIST RMF:Govern 1.6

Technical DocumentationLC-4

The organisation shall maintain comprehensive technical documentation demonstrating compliance throughout the AI system lifecycle. This shall include system characteristics, design specifications, validation results, and operational logs. The organisation shall implement automated logging mechanisms to capture system events, maintain documentation for required retention periods, and ensure documentation remains accessible to relevant stakeholders.

ISO42001:7.5.1-7.5.3 A.6.2.7 A.6.2.8
ISO27001:7.5.1-7.5.3
ISO27701:A.7.2.8 A.7.5.3 A.7.5.4 B.8.2.6 B.8.5.3
EU AI ACT:11.1-11.3 12.1-12.3 18.1
NIST RMF:Map 2.2 Map 3.3

Change Management & Version ControlLC-5

The organisation shall establish and maintain comprehensive processes for managing changes to AI systems throughout their lifecycle. This shall include documented procedures for proposing, evaluating, testing, and implementing changes to models, data, or system components. The organisation shall maintain detailed version control of all system elements, including models, datasets, and software components, with clear records of modifications and their rationale. Changes shall be tested and validated before deployment, with documentation updated to reflect current system state.

ISO42001:A.6.2.5
ISO27001:A.12.2
ISO27701:A.7.3.7 B.8.5.7 B.8.5.8
EU AI ACT:11.3
NIST RMF:Map 2.1
SOC2:CC8.1 CC8.2