Revise Clause 7 README for clarity and structure

Ankit-Uniyal · web-flow · commit 27d7536f4cb0 · 2026-04-18T13:39:00.000+04:00
Updated the README to clarify the purpose and structure of Clause 7, including a new checklist format and detailed resource allocation information.
diff --git a/06-CLAUSE7-SUPPORT/README.md b/06-CLAUSE7-SUPPORT/README.md
@@ -1,226 +1,62 @@
 # Clause 7 — Support
 ## ISO/IEC 42001:2023 | Implementation Guide
 
-> **Purpose:** Ensure your organisation has the right resources, people, knowledge, communication channels, and documentation to successfully operate the AIMS.
+Purpose: Provide the resources, competence, awareness, communication, and documented information needed to run the AIMS.
 
 ---
 
-## 7.1 — Resources
+## Files in This Folder — Read in This Order
 
-### What it requires
-The organisation must determine and provide the resources needed to establish, implement, maintain, and continually improve the AIMS.
+| # | File | What It Is | ISO Ref |
+|---|------|-----------|---------|
+| 1 | [AIMS-RESOURCE-PLAN.md](AIMS-RESOURCE-PLAN.md) | Human, financial and infrastructure resources plan | 7.1 |
+| 2 | [COMPETENCE-REQUIREMENTS-MATRIX.md](COMPETENCE-REQUIREMENTS-MATRIX.md) | Required competences per role + gap analysis | 7.2 |
+| 3 | [TRAINING-PLAN.md](TRAINING-PLAN.md) | Training catalogue, schedules and individual records | 7.2 |
+| 4 | [AWARENESS-COMMUNICATION-PLAN.md](AWARENESS-COMMUNICATION-PLAN.md) | Internal awareness + external AI disclosure plan | 7.3 / 7.4 |
+| 5 | [MASTER-DOCUMENT-LIST.md](MASTER-DOCUMENT-LIST.md) | Master list of all AIMS documented information | 7.5 |
+| 6 | [DOCUMENT-CONTROL-PROCEDURE.md](DOCUMENT-CONTROL-PROCEDURE.md) | How AIMS documents are created, approved, updated | 7.5 |
+| 7 | [RECORDS-RETENTION-SCHEDULE.md](RECORDS-RETENTION-SCHEDULE.md) | Retention periods and disposal rules for all AIMS records | 7.5 |
 
-### Resources to Identify and Allocate
+Read order: 1 > 2 > 3 > 4 > 5 > 6 > 7
 
-| Resource Type | Examples for AI Governance |
-|--------------|--------------------------|
-| Financial | AIMS implementation budget, tool subscriptions, training budget |
-| Human | Dedicated AI governance staff, part-time SME time, legal support |
-| Infrastructure | AI testing environments, bias detection tools, audit platforms |
-| Technology | MLOps platforms, model monitoring tools, data lineage tools |
-| Knowledge | External consultants, legal advisors, ethics experts |
-| Time | Staff time for training, audits, risk assessments |
+---
 
-### Implementation Steps
-1. Create an AIMS Resource Plan showing what is needed vs what is available
-2. Identify gaps and escalate to management for budget approval
-3. Document resource decisions in management review records
-4. Review resource adequacy at each management review (Clause 9.3)
+## 7.1 — Resources
 
-### Documents Required
-- AIMS Resource Plan (what is needed, what is available, gaps)
-- Budget Allocation Record (links to Clause 5.1)
-
----
+The organisation must determine and provide resources needed for the AIMS. See AIMS-RESOURCE-PLAN.md.
 
 ## 7.2 — Competence
 
-### What it requires
-Determine what competence is needed for roles affecting AI performance, ensure people have it (through training or experience), and keep records as evidence.
-
-### Competence Areas for AI Governance
-
-| Role | Required Competencies |
-|------|--------------------|
-| AI Governance Lead | ISO 42001 requirements, AI risk management, regulatory landscape |
-| AI System Owner | AI system operation, risk identification, incident reporting |
-| AI Developer | Responsible AI practices, bias detection, model documentation |
-| Data Scientist | Data quality, statistical fairness, model explainability |
-| Internal Auditor | AIMS auditing, ISO 42001 clauses, evidence collection |
-| All In-Scope Staff | AI policy awareness, how to report AI concerns |
-
-### How to Demonstrate Competence
-- Formal qualifications (e.g., ISACA CGEIT, ISO 42001 Lead Implementer certification)
-- Completed training courses (with certificates)
-- Years of relevant experience (documented in role profiles)
-- Peer review and mentoring records
-- Internal test results or knowledge checks
-
-### Competence Gap Analysis Template
-
-| Role | Person | Required Competency | Current Level | Gap | Training Action | Deadline |
-|------|--------|--------------------|--------------|----|-----------------|---------|
-| AI Gov Lead | [Name] | ISO 42001 knowledge | Basic | High | Complete Lead Implementer course | Q2 2025 |
-| AI Developer | [Name] | Bias testing techniques | None | High | Internal workshop + online course | Q1 2025 |
-| All Staff | All | AI policy awareness | None | Medium | 30-min e-learning module | Q1 2025 |
-
-### Implementation Steps
-1. Define required competencies for each AIMS-related role
-2. Assess current competencies (surveys, interviews, assessments)
-3. Identify gaps and create a training plan
-4. Deliver training and collect evidence of completion
-5. Evaluate training effectiveness
-6. Keep competence records updated (especially for new staff and role changes)
-
-### Documents Required
-- Competence Requirements Matrix (roles x required competencies)
-- Competence Gap Analysis
-- Training Plan and Training Records
-- Evidence of completed training (certificates, attendance records)
-
----
+Determine required competence for AIMS roles, ensure people are competent, address gaps. See COMPETENCE-REQUIREMENTS-MATRIX.md and TRAINING-PLAN.md.
 
 ## 7.3 — Awareness
 
-### What it requires
-All in-scope persons must be aware of:
-- The AIMS policy
-- Their contribution to AIMS effectiveness
-- The implications of not conforming to AIMS requirements
-- Benefits of improved AI performance
-
-### Awareness Programme Components
-
-| Component | Method | Audience | Frequency |
-|-----------|--------|----------|-----------|
-| AIMS Policy communication | Email from CEO, intranet post | All staff | At launch + annual reminder |
-| AI ethics basics | E-learning module (30 min) | All in-scope staff | Annual |
-| Role-specific AI training | Workshops, webinars | AI teams, system owners | Per role / on change |
-| AI incident reporting | Briefing + quick reference guide | All staff | At launch + updates |
-| AI policy updates | Email + intranet | All staff | When changes occur |
-
-### Awareness Metrics to Track
-- % of staff who have completed AI ethics training
-- % of staff who can identify the AI Governance Lead
-- % of staff who know how to report an AI concern
-
-### Documents Required
-- Awareness and Communication Plan
-- Training Completion Records
-- Awareness Metrics Dashboard
-
----
+All people working under the organisation's control must be aware of the AI policy, AIMS objectives, their contribution, and the implications of not conforming. See AWARENESS-COMMUNICATION-PLAN.md.
 
 ## 7.4 — Communication
 
-### What it requires
-Determine what to communicate, when, to whom, how, and who communicates it — both internally and externally.
-
-### Communication Plan Template
-
-| Communication | Content | Audience | Channel | Frequency | Owner |
-|--------------|---------|----------|---------|-----------|-------|
-| AIMS Policy | Full policy text | All staff | Intranet + email | At launch, annual | AI Gov Lead |
-| AI objectives | Progress vs targets | Management | Dashboard + meeting | Quarterly | AI Gov Lead |
-| AI risk status | Risk register highlights | Board / leadership | Board report | Quarterly | Risk Manager |
-| AI incidents | Incident description, impact, resolution | Management + regulator | Incident report | As needed | AI Gov Lead |
-| Audit results | Audit findings + actions | Management | Audit report | Annual | Internal Auditor |
-| AI updates | New AI deployments, changes | All staff + affected users | Intranet + user notice | As needed | System Owner |
-| External AI disclosures | AI use statements | Customers, public | Website, contracts | At launch + updates | Legal / Marketing |
-
-### Implementation Steps
-1. Create the Communication Plan covering all stakeholder groups
-2. Assign owners to each communication activity
-3. Set up channels and templates
-4. Keep records of communications sent
-5. Include external AI disclosures where required by law (e.g., EU AI Act transparency obligations)
-
-### Documents Required
-- Internal and External Communication Plan
-- Communication Records / Log
-- External AI Disclosure Statements (website, contracts, user notices)
-
----
+Determine internal and external communications relevant to the AIMS including: what, when, with whom, how. See AWARENESS-COMMUNICATION-PLAN.md.
 
 ## 7.5 — Documented Information
 
-### What it requires
-The AIMS must include documented information required by ISO 42001 AND documented information determined necessary to ensure effective operation.
-
-### Two Types of Documented Information
-
-**Mandatory documents (required by ISO 42001):**
-- AIMS Scope Statement (4.3)
-- AIMS Policy (5.2)
-- AI Objectives (6.2)
-- Risk Register and Risk Treatment Plan (6.1)
-- Statement of Applicability (6.1.4)
-- Competence evidence (7.2)
-- Operational planning and controls (8.1)
-- Monitoring and measurement results (9.1)
-- Internal audit programme and results (9.2)
-- Management review results (9.3)
-- Nonconformity and corrective action records (10.1)
-
-**Additional documents you determine necessary:**
-- AI Systems Inventory
-- AI System Cards (per system technical documentation)
-- Supplier assessment records
-- Training materials and records
-- AI incident log
-
-### Document Control Requirements
-
-All documented information must be:
-- Appropriately identified (title, date, version, author)
-- In a suitable format (format, media)
-- Reviewed and approved before use
-- Protected from loss of confidentiality, improper use, or loss of integrity
-- Available where needed, when needed
-- Protected from unintended alteration
-- Retained and disposed of appropriately
-
-### Implementation Steps
-1. Create a Master Document List covering all mandatory and supporting documents
-2. Establish version control (even simple version numbering + review dates)
-3. Define document retention periods
-4. Set access controls — who can view, edit, approve each document
-5. Store documents in a central, accessible location (SharePoint, Confluence, GitHub, etc.)
-
-### Documents Required
-- Master Document List (all AIMS documents, versions, owners, review dates)
-- Document Control Procedure
-- Records Retention Schedule
+Maintain documented information required by ISO 42001 and as determined necessary by the organisation. See MASTER-DOCUMENT-LIST.md, DOCUMENT-CONTROL-PROCEDURE.md, and RECORDS-RETENTION-SCHEDULE.md.
 
 ---
 
-## Clause 7 — Documents Checklist
-
-| # | Document | ISO Ref | Status |
-|---|----------|---------|--------|
-| 1 | AIMS Resource Plan | 7.1 | To Do |
-| 2 | Competence Requirements Matrix | 7.2 | To Do |
-| 3 | Competence Gap Analysis | 7.2 | To Do |
-| 4 | Training Plan and Records | 7.2 | To Do |
-| 5 | Awareness and Communication Plan | 7.3 / 7.4 | To Do |
-| 6 | Communication Records | 7.4 | To Do |
-| 7 | External AI Disclosure Statements | 7.4 | To Do |
-| 8 | Master Document List | 7.5 | To Do |
-| 9 | Document Control Procedure | 7.5 | To Do |
-| 10 | Records Retention Schedule | 7.5 | To Do |
-
----
+## Documents Checklist
 
-## What Auditors Check in Clause 7
-- Is there a budget and named resources for the AIMS?
-- Do AIMS roles have defined competencies — and are people actually trained?
-- Are training records kept and accessible?
-- Do staff know the AI policy and their responsibilities?
-- Is there an internal communication plan that is actually followed?
-- Are external AI disclosures in place where legally required?
-- Is documented information controlled — versioned, approved, accessible?
-- Is there a master list of all AIMS documents?
+| # | Document | ISO Ref | File |
+|---|----------|---------|------|
+| 1 | AIMS Resource Plan | 7.1 | [AIMS-RESOURCE-PLAN.md](AIMS-RESOURCE-PLAN.md) |
+| 2 | Competence Requirements Matrix | 7.2 | [COMPETENCE-REQUIREMENTS-MATRIX.md](COMPETENCE-REQUIREMENTS-MATRIX.md) |
+| 3 | Competence Gap Analysis | 7.2 | Embedded in COMPETENCE-REQUIREMENTS-MATRIX.md |
+| 4 | Training Plan and Records | 7.2 | [TRAINING-PLAN.md](TRAINING-PLAN.md) |
+| 5 | Awareness and Communication Plan | 7.3/7.4 | [AWARENESS-COMMUNICATION-PLAN.md](AWARENESS-COMMUNICATION-PLAN.md) |
+| 6 | External AI Disclosure Statements | 7.4 | Embedded in AWARENESS-COMMUNICATION-PLAN.md |
+| 7 | Master Document List | 7.5 | [MASTER-DOCUMENT-LIST.md](MASTER-DOCUMENT-LIST.md) |
+| 8 | Document Control Procedure | 7.5 | [DOCUMENT-CONTROL-PROCEDURE.md](DOCUMENT-CONTROL-PROCEDURE.md) |
+| 9 | Records Retention Schedule | 7.5 | [RECORDS-RETENTION-SCHEDULE.md](RECORDS-RETENTION-SCHEDULE.md) |
 
 ---
 
-*ISO/IEC 42001:2023 AI Governance Toolkit — Clause 7 | See root README.md for full index*
+*ISO/IEC 42001:2023 AI Governance Toolkit | Clause 7 of 10 | See root README.md for full index*
