Skip to content
  • There are no suggestions because the search field is empty.

ISO 42001: 2023 - A.4.6 Human Resources

This article provides guidance on how to implement the ISO 42001:2023 A.4.6 Human Resources

ISO 42001 Control Description

As part of resource identification, the organisation shall document information about the human resources and their competences utilised for the development, deployment, operation, change management, maintenance, transfer and decommissioning, as well as verification and integration of the AI system.

Control Objective

To ensure that the organisation accounts for the resources (including AI system components and assets) of the AI system in order to fully understand and address risks and impacts.

Purpose

To ensure the organisation identifies and documents the people and expertise required throughout the AI system lifecycle. Human resources are fundamental to responsible AI - the competence and diversity of personnel directly affects AI system quality, safety, fairness, and trustworthiness.

Guidance on Implementation

Human Resources to Document

The organisation should document human resources needed for:

  1. Development - Creating and training AI systems 
  2. Deployment - Implementing AI systems in production environments 
  3. Operation - Running and monitoring AI systems 
  4. Change management - Managing updates and modifications 
  5. Maintenance - Ongoing support and optimisation 
  6. Transfer - Handover between teams or organisations 
  7. Decommissioning - Retiring AI systems responsibly 
  8. Verification - Testing and validating AI system behavior 
  9. Integration - Incorporating AI into broader systems

Types of Expertise to Document

The organisation should consider the need for diverse expertise including:

a) Technical roles:
  • Data scientists and machine learning engineers
  • AI researchers and specialists
  • Software engineers (for non-AI components)
  • Data engineers
  • MLOps engineers
  • System architects
b) Domain expertise:
  • Subject matter experts relevant to the AI system's application domain
  • Industry specialists
  • End-user representatives
c) Human oversight roles:
  • Personnel responsible for monitoring AI system outputs
  • Decision-makers who review AI recommendations
  • Escalation points for problematic cases
d) Trustworthiness experts:
  • Safety specialists
  • Security professionals
  • Privacy experts
  • Ethics advisors
  • Bias and fairness specialists
e) Operational roles:
  • System operators
  • Support personnel
  • Incident responders
f) Governance roles:
  • Risk managers
  • Compliance officers
  • Legal counsel
  • Auditors

Competences to Document

For each role, document required competences:

  • Technical skills - Specific AI/ML techniques, programming languages, tools
  • Domain knowledge - Understanding of application area
  • Regulatory knowledge - Awareness of applicable laws and standards
  • Ethical awareness - Understanding of trustworthy AI principles
  • Soft skills - Communication, collaboration, problem-solving

Link to Control A.4.7 (Competence) for detailed competence requirements.

Diversity Considerations

The organisation should consider the need for diverse expertise, which can include:

  • Demographic diversity - To help identify biases in datasets and outputs
  • Disciplinary diversity - Multiple perspectives (technical, legal, ethical, domain)
  • Geographic diversity - Understanding of different cultural contexts and regulations
  • Lived experience diversity - Representatives from affected communities

Organisations may need to include specific demographic groups related to datasets used to train models if their inclusion is necessary for responsible system design.

Documentation Across Lifecycle Stages

Different human resources can be necessary at different AI system lifecycle stages. Document which expertise is needed when:

Inception: Business analysts, domain experts, AI strategists Development: Data scientists, ML engineers, data engineers Verification: Test engineers, domain validators, ethics reviewers Deployment: DevOps/MLOps engineers, system administrators Operation: System operators, human oversight personnel, support teams Monitoring: Performance analysts, data quality monitors Maintenance: ML engineers for retraining, software engineers for updates Decommissioning: Data management specialists, archival experts

Implementation Steps

Organisations should:

  1. Map lifecycle activities - Identify all activities requiring human involvement across the AI system lifecycle
  2. Identify required roles - For each activity, determine what roles and expertise are needed
  3. Document competence requirements - Specify what skills and knowledge each role requires (link to A.4.7)
  4. Assess availability - Determine whether required human resources are available internally or need to be sourced externally
  5. Document diversity needs - Identify where diverse perspectives are particularly important
  6. Plan for gaps - If necessary expertise is unavailable, document how this will be addressed (training, hiring, consulting)
  7. Consider lifecycle transitions - Document handover requirements when personnel change or responsibilities transfer
  8. Link to roles and responsibilities - Ensure human resource documentation aligns with defined AI roles (Control A.3.2)

Key Considerations

Competence gaps: If required expertise is not available, the organisation should:

  • Acquire competence through hiring or training
  • Engage external consultants or partners
  • Adjust AI system design to match available competence
  • Document residual risks from competence gaps

Continuous learning: AI is a rapidly evolving field. Document:

  • How personnel stay current with developments
  • Training and professional development plans
  • Knowledge sharing mechanisms

Third-party personnel: For contractors or consultants, document:

  • Contractual arrangements
  • Competence verification
  • Knowledge transfer requirements
  • Continuity plans

Human oversight criticality: For high-risk AI systems, human oversight personnel are particularly important. Document:

  • Qualifications required for oversight roles
  • Decision-making authority
  • Escalation procedures
  • Training on AI system limitations

Interdisciplinary teams: AI systems benefit from diverse expertise. Document how different specialties collaborate:

  • Communication protocols
  • Decision-making processes
  • Conflict resolution mechanisms

Succession planning: Document plans for knowledge retention when key personnel leave:

  • Documentation practices
  • Knowledge transfer procedures
  • Redundancy in critical roles

Related Controls

Within ISO/IEC 42001:

  • A.3.2 AI roles and responsibilities
  • A.4.7 Competence
  • A.9.4 Human oversight
  • Clause 7.2 Competence