|
| 1 | +# AI Change Control Procedure |
| 2 | +## ISO/IEC 42001:2023 | Clause 8.1 — Template |
| 3 | + |
| 4 | +**Document ID:** AIMS-CHGCTRL-001 |
| 5 | +**Version:** 1.0 |
| 6 | +**Owner:** AI Governance Lead |
| 7 | +**Approved by:** ___________________________ |
| 8 | +**Date:** ___________________________ |
| 9 | +**Review Cycle:** Annual |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +## Purpose |
| 14 | + |
| 15 | +This procedure defines how changes to in-scope AI systems are managed in a controlled, documented, and approved manner. It prevents uncontrolled modifications that could introduce new risks or compromise governance controls. |
| 16 | + |
| 17 | +--- |
| 18 | + |
| 19 | +## Scope |
| 20 | + |
| 21 | +Applies to all changes to in-scope AI systems including: new system deployments; major updates (new model, new training data, changed architecture, new use case); significant configuration changes affecting system behaviour; changes to data inputs affecting AI outcomes; changes to human oversight processes. |
| 22 | + |
| 23 | +**Minor changes** (bug fixes with no model behaviour impact, documentation updates) may use a simplified notification process — document rationale for classification. |
| 24 | + |
| 25 | +--- |
| 26 | + |
| 27 | +## Change Classification |
| 28 | + |
| 29 | +| Type | Description | Review Required | |
| 30 | +|------|-------------|----------------| |
| 31 | +| Major | New system; new model; new training data; changed risk level | Full review — System Owner + AI Gov Lead + Risk Manager + DPO (if personal data) | |
| 32 | +| Standard | Significant update to existing system; changed configuration | Standard review — System Owner + AI Gov Lead | |
| 33 | +| Minor | No model behaviour change; no risk impact | Notification only — System Owner notifies AI Gov Lead | |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +## Change Request Process |
| 38 | + |
| 39 | +**Step 1 — Raise** Complete Change Request Form and submit to AI Governance Lead |
| 40 | + |
| 41 | +**Step 2 — Classify** Assign as Major / Standard / Minor per criteria above |
| 42 | + |
| 43 | +**Step 3 — Assess Impact** For Major and Standard changes, assess impact on: Risk Register, Impact Assessment, Annex A controls, regulatory compliance, documentation |
| 44 | + |
| 45 | +**Step 4 — Approve** Obtain required approvals per change type |
| 46 | + |
| 47 | +**Step 5 — Implement** Test in non-production first; verify outcome; re-run relevant tests; complete Deployment Checklist for Major changes |
| 48 | + |
| 49 | +**Step 6 — Document** Update: AI Systems Inventory, Model Card, Risk Register (if new risks), AIMS Change Log (Clause 6.3) |
| 50 | + |
| 51 | +--- |
| 52 | + |
| 53 | +## Change Request Form |
| 54 | + |
| 55 | +**Change Request ID:** CHG-[####] |
| 56 | +**Date Raised:** ___________________________ |
| 57 | +**AI System:** ___________________________ |
| 58 | +**System ID:** ___________________________ |
| 59 | +**Change Type:** Major / Standard / Minor |
| 60 | +**Requested By:** ___________________________ |
| 61 | +**Target Date:** ___________________________ |
| 62 | + |
| 63 | +**Description of Change:** |
| 64 | +[What is being changed and why] |
| 65 | + |
| 66 | +**Business Justification:** |
| 67 | +[Why is this change needed] |
| 68 | + |
| 69 | +**Impact Assessment Summary:** |
| 70 | +[Impact on risk, controls, compliance, documentation] |
| 71 | + |
| 72 | +**Testing Required:** |
| 73 | +- [ ] Performance testing |
| 74 | +- [ ] Bias and fairness evaluation |
| 75 | +- [ ] Adversarial / security testing |
| 76 | +- [ ] User acceptance testing |
| 77 | +- [ ] No testing required (justification: _______________) |
| 78 | + |
| 79 | +**Approval:** |
| 80 | + |
| 81 | +| Role | Name | Decision | Date | |
| 82 | +|------|------|---------|------| |
| 83 | +| AI System Owner | | Approve / Reject | | |
| 84 | +| AI Governance Lead | | Approve / Reject | | |
| 85 | +| Risk Manager (if applicable) | | Approve / Reject | | |
| 86 | +| DPO (if personal data affected) | | Approve / Reject | | |
| 87 | + |
| 88 | +--- |
| 89 | + |
| 90 | +## Change Register |
| 91 | + |
| 92 | +| Change ID | Date | AI System | Type | Description | Requested By | Approved By | Implemented | Status | Docs Updated | |
| 93 | +|-----------|------|---------|------|-------------|-------------|-------------|------------|--------|-------------| |
| 94 | +| CHG-001 | | | | | | | | | | |
| 95 | +| CHG-002 | | | | | | | | | | |
| 96 | + |
| 97 | +--- |
| 98 | + |
| 99 | +## Review History |
| 100 | + |
| 101 | +| Version | Date | Changes | Approved By | |
| 102 | +|---------|------|---------|-------------| |
| 103 | +| 1.0 | | Initial issue | | |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +*ISO/IEC 42001:2023 AI Governance Toolkit | Clause 8.1 | See root README.md for full index* |
0 commit comments