Clause 7: Support
Resources, competence, awareness, communication, and documented information requirements for AIMS support functions.
Chapter Overview
Clause 7 covers the support elements needed for effective AIMS operation: resources, competence, awareness, communication, and documented information. These are enabling factors that, if inadequate, will undermine the entire management system.
Clause Structure
| Sub-clause | Title | Focus |
|---|---|---|
| 7.1 | Resources | Providing necessary resources |
| 7.2 | Competence | Ensuring personnel capability |
| 7.3 | Awareness | Personnel understanding of AIMS |
| 7.4 | Communication | Internal and external communication |
| 7.5 | Documented information | Documentation requirements |
7.1 Resources
Requirement
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the AIMS.
- Human Resources: AIMS manager, AI specialists, risk managers, auditors
- Financial Resources: Budget for tools, training, certification, consultants
- Technical Resources: AI governance tools, monitoring systems, documentation platforms
- Infrastructure: Computing resources, security infrastructure
- Time: Allocated time for AIMS activities
Resource Planning Considerations
| Phase | Resource Needs |
|---|---|
| Implementation | Project team, consultants, training, tools |
| Operation | AIMS staff, ongoing training, maintenance |
| Certification | Audit fees, preparation effort |
| Improvement | Enhancement projects, additional controls |
7.2 Competence
Requirement
The organization shall:
- Determine the necessary competence of persons doing work that affects AI management system performance
- Ensure these persons are competent on the basis of appropriate education, training, or experience
- Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of actions taken
- Retain appropriate documented information as evidence of competence
Competence is the ability to apply knowledge and skills to achieve intended results. It's demonstrated through education, training, experience, or a combination of these.
Key Competence Areas for AIMS
| Role | Competence Requirements |
|---|---|
| AIMS Manager | Management systems, AI governance, ISO standards, leadership |
| AI Developers | ML/AI technical skills, responsible AI practices, security |
| AI System Owners | Risk management, business context, governance |
| Risk Managers | Risk assessment methodology, AI risks, treatment options |
| Internal Auditors | Audit techniques, ISO 42001, evidence evaluation |
| Data Scientists | Data quality, bias detection, model validation |
Competence Development Actions
- Formal training courses (ISO 42001, AI ethics, risk management)
- On-the-job training and mentoring
- Professional certifications (PECB, IRCA)
- Conferences and workshops
- Self-study and e-learning
- Cross-functional assignments
Template: Competence Matrix
Columns:
• Role/Position
• Name (person assigned)
• Required Competencies
• Current Competence Level (1-4 scale)
• Evidence (certificates, experience, qualifications)
• Gap (if any)
• Development Action
• Target Date
• Status
Competence Levels:
1 = Awareness (basic understanding)
2 = Practitioner (can apply with guidance)
3 = Proficient (can apply independently)
4 = Expert (can train others, lead initiatives)
7.3 Awareness
Requirement
Persons doing work under the organization's control shall be aware of:
- The AI policy
- Their contribution to the effectiveness of the AIMS, including the benefits of improved AI management performance
- The implications of not conforming with the AIMS requirements
- Awareness: Understanding that something exists and its importance (all relevant staff)
- Competence: Ability to perform specific tasks effectively (role-specific)

All personnel need awareness; only those in specific roles need detailed competence.
Awareness Activities
| Activity | Audience | Frequency |
|---|---|---|
| AI policy communication | All staff | At hire, annually |
| AIMS overview training | All staff | At hire, annually |
| Role-specific briefings | AI-involved staff | As needed |
| Awareness campaigns | All staff | Periodic |
| Intranet/portal content | All staff | Ongoing |
| Town halls/all-hands | All staff | Quarterly |
7.4 Communication
Requirement
The organization shall determine the need for internal and external communications relevant to the AIMS, including:
- What to communicate
- When to communicate
- With whom to communicate
- How to communicate
- Internal: Within the organization (employees, management, board)
- External: Outside the organization (regulators, customers, public, partners)
Communication Plan
| What | Audience | When | How | Who |
|---|---|---|---|---|
| AI Policy | All employees | On publication, annually | Email, intranet, training | AIMS Manager |
| AIMS updates | Management | Monthly | Report, meeting | AIMS Manager |
| AI incidents | Affected parties | As needed | Direct notification | Incident Manager |
| Regulatory updates | AI teams | As needed | Email, briefings | Compliance |
| Public AI transparency | External stakeholders | Annually | Website, reports | Communications |
| Audit results | Top management | After audits | Report, presentation | Audit Lead |
7.5 Documented Information
Requirement
The AIMS shall include:
- Documented information required by ISO 42001
- Documented information determined by the organization as necessary for AIMS effectiveness
7.5.2 Creating and Updating
When creating and updating documented information, ensure appropriate:
- Identification and description (title, date, author, reference number)
- Format (language, software version, graphics) and media (paper, electronic)
- Review and approval for suitability and adequacy
7.5.3 Control of Documented Information
Documented information shall be controlled to ensure:
- It is available and suitable for use, where and when it is needed
- It is adequately protected (from loss of confidentiality, improper use, or loss of integrity)
For control, the organization shall address:
- Distribution, access, retrieval, and use
- Storage and preservation, including preservation of legibility
- Control of changes (version control)
- Retention and disposition
- Mandatory: Explicitly required by the standard ("shall be documented" or "documented information shall be retained")
- Recommended: Not explicitly required but helpful for effective AIMS operation
ISO 42001 Mandatory Documents Summary
| Document | Clause Reference |
|---|---|
| AIMS Scope | 4.3 |
| AI Policy | 5.2 |
| AI Risk Assessment Process | 6.1.2 |
| AI Risk Treatment Process | 6.1.3 |
| Statement of Applicability | 6.1.3 |
| AI Risk Treatment Plan | 6.1.3 |
| AI Objectives | 6.2 |
| Competence Evidence | 7.2 |
| Operational Planning Documentation | 8.1 |
| AI Risk Assessment Results | 8.2 |
| AI Risk Treatment Results | 8.3 |
| AI System Impact Assessment | 8.4 |
| Monitoring and Measurement Results | 9.1 |
| Internal Audit Program and Results | 9.2 |
| Management Review Results | 9.3 |
| Nonconformities and Corrective Actions | 10.2 |
Document Control Best Practices
- Use a document management system
- Implement version control
- Define approval workflows
- Control access based on roles
- Establish retention periods
- Schedule regular review cycles
- Maintain backup and recovery procedures
Documented Information Requirements
Required:
• Evidence of competence (7.2)
Recommended:
• Resource Plan
• Competence Matrix
• Training Records
• Awareness Records
• Communication Plan
• Document Control Procedure
Sample Audit Questions
7.1 Resources:
• What resources have been allocated for AIMS?
• How did you determine resource needs?
• Are resources adequate for current AIMS scope?
7.2 Competence:
• How do you determine competence requirements?
• Show me evidence of competence for [specific role]
• What training has been provided?
• How do you evaluate training effectiveness?
7.3 Awareness:
• How do employees learn about the AI policy?
• How do staff understand their AIMS responsibilities?
• What happens if someone doesn't comply with AIMS?
7.4 Communication:
• How do you communicate AIMS matters internally?
• What external communications do you have about AI?
• How do you handle AI-related inquiries from stakeholders?
7.5 Documentation:
• How do you control documented information?
• Show me your document approval process
• How do you ensure documents are current?
• How do you protect sensitive AI documentation?
Common Nonconformities
| Type | Nonconformity | How to Avoid |
|---|---|---|
| Major | No evidence of competence for AIMS roles | Maintain competence records |
| Major | Key AIMS roles not filled or under-resourced | Proper resource planning |
| Minor | Training effectiveness not evaluated | Implement evaluation methods |
| Minor | Awareness training not documented | Keep attendance records |
| Minor | Communication plan incomplete | Define all communication needs |
| Minor | Documents without version control | Implement document management |
| Minor | Outdated documents in use | Regular review and update cycle |
1. Resources must be adequate for AIMS implementation and operation
2. Competence must be determined, ensured, and evidenced
3. Awareness covers policy, contribution, and implications of non-conformance
4. Communication plan should cover what, when, who, and how
5. Documented information must be controlled (access, versions, retention)
6. Evidence of competence is mandatory documented information
• Know the difference between competence and awareness
• Remember competence requires evidence (documented information)
• Awareness covers three things: policy, contribution, implications
• Communication must address what, when, who, how
• Document control includes creation, updating, and control aspects
• Know which documents are mandatory vs recommended