ISO 42001: 2023 - A.4.5 System and Computing Resources

ISO 42001 Control Description

As part of resource identification, the organisation shall document information about the system and computing resources utilised for the AI system.

Control Objective

To ensure that the organisation accounts for the resources (including AI system components and assets) of the AI system in order to fully understand and address risks and impacts.

Purpose

To document the hardware, infrastructure, and computational resources required for AI systems. Computing resources directly affect AI system performance, scalability, reliability, environmental impact, and cost, making their documentation critical for risk management, capacity planning, and impact assessment.

Guidance on Implementation

System and Computing Resources to Document

Information about system and computing resources includes:

a) Resource requirements of the AI system

Minimum and recommended specifications
Resource constraints (e.g., for edge computing, mobile deployment, or IoT devices)
Scalability requirements (horizontal vs. vertical scaling)

b) Resource location

On-premises infrastructure (organisation's data centers)
Cloud computing (public, private, or hybrid cloud)
Edge computing (devices at the network edge)
Distributed computing (across multiple locations)
Geographic locations of resources (data sovereignty considerations)

c) Processing resources

CPU specifications and quantities
GPU or specialised AI accelerators (TPU, NPU)
Memory (RAM) requirements
Network bandwidth requirements
Storage capacity and performance (IOPS, throughput)

d) Environmental and operational impact

Energy consumption during training and inference
Carbon footprint (direct and indirect emissions)
Cooling requirements
Manufacturing impact of specialised hardware
Cost of operating the AI system workloads
Resource utilisation efficiency

Different Resources for Different Phases

Organisations should recognise that different resources can be required for:

a) Development phase

Development environments and sandboxes
Experimentation infrastructure (often GPU-intensive)
Training infrastructure (large-scale compute for model training)
Version control and collaboration systems

b) Deployment phase

Production infrastructure
Redundancy and failover systems
Load balancers and scaling infrastructure
Monitoring and logging systems

c) Operation phase

Inference infrastructure (serving predictions)
Continuous monitoring systems
Data pipeline infrastructure
Backup and disaster recovery systems

Implementation Steps

Organisations should:

Assess resource needs - For each AI system, identify all computing resources across development, deployment, and operation
Document specifications - Record detailed technical specifications for each resource type
Map resource locations - Document where resources are located (physical, cloud region, edge locations)
Calculate resource impacts - Estimate energy consumption, carbon footprint, and operational costs
Identify constraints - Document any limitations (e.g., must run on devices with limited compute, must stay within specific geographic regions)
Plan for scaling - Document how resources scale as demand increases
Consider continual improvement - Assess opportunities to optimise resource usage over time
Link to sustainability goals - Align resource documentation with organisational environmental commitments

Key Considerations

Resource efficiency: Document actual utilisation rates, not just provisioned capacity. Underutilised resources represent waste and unnecessary environmental impact.

Edge computing considerations: For AI systems deployed on constrained devices (mobile, IoT), document:

Device specifications and limitations
Offline operation requirements
Model compression techniques used
Fallback mechanisms when resources are insufficient

Cloud computing: For cloud-based resources, document:

Cloud provider and region
Service level agreements (SLAs)
Data residency requirements
Cost management and optimisation strategies
Vendor lock-in considerations

Environmental impact: Increasingly important for responsible AI. Document:

Energy consumption (training can use significant electricity)
Carbon emissions (consider grid energy sources)
Hardware lifecycle (manufacturing, disposal)
Efficiency improvements over time

Specialised hardware: For AI accelerators (GPUs, TPUs), document:

Specific hardware models and generations
Availability and procurement lead times
Cost implications
Compatibility with AI frameworks

Security: Computing resources have security implications. Document:

Access controls
Network segmentation
Encryption (at rest and in transit)
Compliance requirements (e.g., GDPR, HIPAA)

Disaster recovery: Document backup and recovery resources:

Backup infrastructure and frequency
Recovery time objectives (RTO)
Recovery point objectives (RPO)
Geographic distribution of redundancy

Cost management: Resource costs can be substantial. Document:

Cost attribution (by project, team, AI system)
Budget allocation and tracking
Cost optimisation opportunities
Trade-offs between performance and cost

Documentation Methods

Organisations can document computing resources using:

Infrastructure diagrams - Visual representation of computing architecture

Resource inventory - Detailed list of hardware and infrastructure components
Capacity planning documents - Current and projected resource needs
Cost tracking systems - Financial monitoring of resource expenditure
Environmental impact reports - Carbon footprint and energy consumption metrics
Configuration management databases (CMDB) - Automated tracking of infrastructure

Related Controls

Within ISO/IEC 42001:

A.4.2 Resource documentation
A.4.4 Tooling resources (tools run on computing infrastructure)
Environmental sustainability considerations

Related Standards:

ISO/IEC 22989 System resource considerations
Environmental management standards (ISO 14001 series)