ISO 42001:2023 - A.6.2.3 Data for Development and Testing of AI Systems
This article provides guidance on how to implement ISO 42001:2023 control A.6.2.3, Data for Development and Testing of AI Systems.
ISO 42001 Control Description
The organisation shall identify, manage, and document the data used for the development and testing of AI systems, ensuring that data is appropriate for the intended use, of sufficient quality, and handled in accordance with applicable legal and ethical requirements.
Control Objective
To ensure that data used in AI system development and testing activities is fit for purpose, properly governed, and managed in a manner that supports the production of reliable, fair, and trustworthy AI systems, while meeting the organisation's legal, regulatory, and ethical obligations.
Purpose
Data is foundational to the development and performance of AI systems. The characteristics of training, validation, and test datasets directly determine the capabilities, limitations, and potential failure modes of the resulting systems. Poorly curated, unrepresentative, or inadequately governed data can introduce bias, degrade system performance, create legal exposure, and result in AI systems that cause harm to individuals or groups.
This control recognises that data for AI development must be actively managed rather than passively collected. Decisions about data sourcing, curation, labelling, and partitioning have direct implications for the system's eventual behaviour, and organisations bear responsibility for ensuring that those decisions are made deliberately, documented rigorously, and reviewed as part of ongoing quality assurance.
Appropriate data governance during development also provides the evidentiary basis for demonstrating compliance with data protection legislation, supporting transparency obligations, and enabling meaningful audits of the AI system throughout its lifecycle.
Guidance on Implementation
Data Sourcing and Provenance
The organisation shall document the sources of data used for development and testing, including internal datasets, third-party data suppliers, publicly available datasets, and data generated through data augmentation or synthetic data techniques. For each data source, provenance information shall be recorded to enable traceability and to support assessments of data quality and appropriateness.
Where data is obtained from third parties, the organisation shall verify that the terms under which it was collected and licensed are compatible with the intended development activities. Legal bases for processing personal data shall be established and documented prior to use.
Data Quality Assessment
Data used for development and testing shall be assessed for quality prior to use and throughout the development process. Quality assessments shall address completeness, accuracy, consistency, timeliness, and representativeness in relation to the intended operational context of the AI system.
The organisation shall establish criteria for acceptable data quality thresholds, aligned with the requirements established under A.6.2.2, and shall document the outcomes of quality assessments. Where data quality deficiencies are identified, appropriate remediation actions shall be taken before the data is used in development activities.
Dataset Composition and Representativeness
The organisation shall assess whether datasets used for development and testing are sufficiently representative of the populations, conditions, and scenarios the AI system will encounter in operation. Where datasets under-represent particular groups or conditions, the associated risks shall be assessed and documented, and mitigating actions shall be considered.
Dataset composition shall be documented, including the demographic or contextual characteristics of the data where known and relevant. This documentation supports assessments of fairness and the identification of potential sources of discriminatory bias in system outputs.
Data Labelling and Annotation
Where the development process involves labelled data, the organisation shall establish and document processes for data labelling and annotation. These processes shall address labelling criteria and instructions, inter-annotator consistency, quality review mechanisms, and the qualifications and training of annotators.
The organisation shall maintain records that enable the provenance and quality of labels to be assessed, supporting the traceability of development decisions.
Dataset Partitioning
The organisation shall ensure that datasets used for training, validation, and testing are appropriately partitioned and that contamination between partitions is prevented. Test datasets shall be held out from development activities and shall not be used to inform design or tuning decisions, ensuring that test results provide a genuine measure of system performance on unseen data.
Dataset partitioning decisions shall be documented, including the rationale for partition sizes and any stratification applied.
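One way to enforce and check the partition separation described above, as an added example that is not part of ISO 42001 or of this article's original text. It assigns records to partitions by a salted hash of a group key so that the split is reproducible and all records from one entity stay together, then reports any group or normalised content that appears in more than one partition. The record layout, the group_key field, the salt and the 70/15/15 proportions are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (record_id, group_key, text). group_key is a
# hypothetical field naming the entity a record came from.
RECORDS = [
    ("r1", "cust-001", "Payment failed at checkout"),
    ("r2", "cust-001", "payment failed at  checkout "),   # near-identical repeat
    ("r3", "cust-002", "Cannot reset my password"),
    ("r4", "cust-003", "App crashes on login"),
    ("r5", "cust-004", "Invoice total is wrong"),
    ("r6", "cust-005", "Cannot reset my password"),       # same text, other customer
]

def _bucket(key: str, salt: str) -> float:
    """Map a key to a stable value in [0, 1) so the split is reproducible."""
    digest = hashlib.sha256(f"{salt}:{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def assign_partition(group_key, salt="split-v1", train=0.7, validation=0.15):
    """Assign by group, so every record of one entity lands in one partition."""
    b = _bucket(group_key, salt)
    if b < train:
        return "train"
    return "validation" if b < train + validation else "test"

def split(records):
    """Attach a partition label to each (record_id, group_key, text) record."""
    return [(rid, g, text, assign_partition(g)) for rid, g, text in records]

def fingerprint(text: str) -> str:
    """Hash of case- and whitespace-normalised content, for duplicate detection."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()

def find_contamination(assignments):
    """Findings for groups or content seen in more than one partition."""
    # assignments: iterable of (record_id, group_key, text, partition)
    by_group, by_content = defaultdict(set), defaultdict(set)
    for rid, group, text, part in assignments:
        by_group[group].add(part)
        by_content[fingerprint(text)].add((part, rid))
    findings = [("group", g, sorted(p)) for g, p in by_group.items() if len(p) > 1]
    for fp, hits in by_content.items():
        if len({part for part, _ in hits}) > 1:
            findings.append(("content", fp[:12], sorted(hits)))
    return findings
```

A "content" finding on records from different groups, such as r3 and r6 in the sample, needs a documented decision: de-duplicate before splitting, or record why the overlap is acceptable.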
Data Protection and Ethical Compliance
The handling of data for development and testing shall comply with applicable data protection legislation and the organisation's data governance policies. Where personal data is processed, privacy-enhancing techniques such as anonymisation, pseudonymisation, or the use of synthetic data shall be considered as means of reducing privacy risk.
The organisation shall also assess the ethical dimensions of data use, including whether data was collected in a manner consistent with the expectations of those it concerns, and whether its use in AI development is compatible with the purpose for which it was originally gathered.
Related Controls
- A.6.2.2 – AI System Requirements and Specification: Data quality and representativeness requirements shall be defined in the requirements specification and used to guide data sourcing and curation decisions.
- A.6.2.4 – AI System Design: Dataset characteristics and known data limitations shall inform design decisions and architectural choices.
- A.6.2.5 – AI System Implementation: Implementation activities shall take into account documented data provenance and quality to support consistent model performance.
- A.6.2.6 – AI System Verification and Validation: Test dataset management is integral to the validity and integrity of verification and validation activities.
- A.4.3 – Data Resources for AI Systems: Organisational data governance policies and data classification schemes apply to data used throughout the AI development lifecycle.