![Adoptech-logo-GreyWithoutStrapline-1.png]](https://knowledge.adoptech.co.uk/hs-fs/hubfs/Adoptech-logo-GreyWithoutStrapline-1.png?height=39&name=Adoptech-logo-GreyWithoutStrapline-1.png){kind=logo}
ISO 42001: 2023 - A.7.3 AI System Operational Procedures
This article provides guidance on how to implement the ISO 42001: 2023 A.7.3 AI System Operational Procedures
ISO 42001 Control Description
The organisation shall develop, maintain, and apply documented operational procedures for AI systems, covering all routine and foreseeable non-routine activities required to manage and maintain the system during its operational life.
Control Objective
To ensure that the operation of AI systems is governed by clear, accurate, and current procedural documentation that enables consistent, controlled, and accountable management of the system by operational personnel.
Purpose
Documented operational procedures translate the operational framework established under A.7.2 into the practical, step-by-step guidance that personnel require to perform their operational responsibilities consistently and correctly. Procedures provide the mechanism by which organisational intent and control requirements are embedded into daily operational practice.
For AI systems, the need for robust operational procedures is heightened by several factors. AI systems can exhibit complex and context-sensitive behaviour, and operational personnel may not possess the deep technical understanding of the underlying model required to make sound judgements about system behaviour in the absence of procedural guidance. Procedures fill this gap, providing explicit instructions for standard operational tasks and clear direction on how to recognise and respond to conditions that fall outside normal parameters.
Operational procedures also serve accountability and audit functions: they establish what personnel are expected to do, creating a baseline against which actual practice can be assessed and deviations identified. In the event of an operational incident, the existence — or absence — of appropriate procedures is frequently a significant factor in determining root cause and in identifying corrective actions.
Guidance on Implementation
Scope of Operational Procedures
The organisation shall identify and document all activities that require procedural coverage, including system start-up and shutdown; routine operation and output management; data input preparation and quality checking; scheduled and unscheduled maintenance activities, including model updates and retraining; monitoring activities and the interpretation of monitoring alerts; escalation procedures for anomalies, errors, and incidents; and system recovery following failures or interruptions.
Procedural coverage shall extend to non-routine but foreseeable activities, such as the handling of requests for explanations of system outputs, the processing of requests to challenge automated decisions, and the management of system changes through the change control process.
Procedure Development and Review
Operational procedures shall be developed with the involvement of personnel who have relevant technical knowledge of the AI system and familiarity with the operational environment in which it will be used. Procedures shall be written at a level of clarity and specificity appropriate to the competence level of the personnel who will follow them.
Procedures shall be reviewed and validated before the AI system enters operational use. Reviews shall confirm that procedures are technically accurate, operationally practical, and consistent with the requirements of the system's design documentation and applicable policies. Procedures shall subsequently be reviewed and updated whenever material changes occur to the system, the operational environment, or the policy framework, and shall be subject to periodic review at defined intervals even in the absence of specific change triggers.
Clarity and Accessibility
Procedures shall be written in clear language appropriate to the intended audience, with unambiguous instructions and clearly defined decision points. Where procedures involve conditional logic — such as different actions depending on the nature of an alert — the conditions and corresponding actions shall be described explicitly.
Procedures shall be stored in a manner that makes them readily accessible to operational personnel at the time they are needed, including under conditions where system issues may be actively developing. Access arrangements shall ensure that the current version of each procedure is clearly identified and that superseded versions are not inadvertently followed.
Procedure for Handling Uncertain or Disputed Outputs
Where the AI system produces outputs that inform decisions affecting individuals, operational procedures shall specifically address the handling of uncertain outputs — those that fall below defined confidence thresholds — and outputs that are disputed by affected individuals. Procedures shall establish the circumstances in which human review is mandatory before an output is acted upon, the process for conducting such a review, and the escalation pathway for cases where the human reviewer requires specialist input.
Training on Operational Procedures
Operational personnel shall be trained on applicable procedures before performing operational activities. Training shall be documented, and training records shall be maintained. Procedures shall be accessible to personnel as reference materials during operational activities, and refresher training shall be provided when procedures are materially updated.
Records of Procedure Compliance
Where the execution of operational procedures is required to be recorded — such as in the performance of monitoring activities or the handling of escalations — the organisation shall maintain records of procedure execution in accordance with its document management and retention policies. These records support audit activities and provide evidence of operational governance.
Related Controls
- A.7.2 – Establishing Processes, Functions and Tools for AI Operation: Operational procedures give practical effect to the processes and responsibilities defined under A.7.2 and shall be consistent with the operational framework established there.
- A.7.5 – AI System Monitoring: Monitoring procedures are a specific category of operational procedure and shall be developed and governed in accordance with this control.
- A.8.2 – AI System Incident Management: Incident escalation and response procedures are a critical element of operational procedural coverage and shall be clearly defined.
- A.6.2.8 – AI System Documentation: Operational procedures form part of the AI system documentation and shall be subject to the version control and review requirements established under that control.
- A.5.4 – Human Oversight of AI Systems: Procedures for human review of AI outputs shall be designed to enable effective and meaningful oversight rather than perfunctory compliance.