Chapter 18

Annex A Controls: Third-Party & Customer Relationships (A.10)

Detailed guidance on implementing Annex A controls for third-party and customer relationships (A.10), covering supplier management, monitoring, and customer requirements with 3 controls.


Chapter Overview

This chapter covers the Third-Party and Customer Relationships domain (A.10), which ensures organizations manage AI-related relationships with suppliers and customers appropriately. This domain contains 3 controls.

A.10 Third-Party and Customer Relationships

AI systems often involve third parties - cloud providers, model vendors, data suppliers, and customers who use AI products. These relationships require governance.

Why Third-Party Controls Matter

Organizations often:
• Use third-party AI models or APIs
• Rely on external data sources
• Deploy AI on third-party infrastructure
• Provide AI systems to customers

You retain accountability even when third parties are involved. Controls ensure appropriate governance across the supply chain.

A.10.2 Third Parties

| Attribute | Details |
|---|---|
| Control | Requirements for third parties providing or receiving AI system components, products, or services shall be identified, documented, and addressed. |
| Purpose | Ensure third parties meet AI governance requirements |
| Related Clause | 8.1 (Operational planning and control) |

Implementation Guidance

  • Identify all third parties involved with AI systems
  • Define AI governance requirements for third parties
  • Include requirements in contracts and agreements
  • Assess third parties against requirements
  • Communicate expectations clearly
  • Maintain third-party inventory

Types of AI Third Parties

| Type | Examples | Key Requirements |
|---|---|---|
| AI Model Providers | OpenAI, Google, model vendors | Model documentation, performance, updates |
| Cloud/Infrastructure | AWS, Azure, GCP | Security, availability, compliance |
| Data Providers | Data vendors, aggregators | Data quality, provenance, rights |
| Labeling Services | Annotation companies | Quality, confidentiality, ethics |
| Consultants/Developers | AI development firms | Standards compliance, IP, confidentiality |
| AI Tool Vendors | MLOps platforms | Security, support, integration |

Third-Party Requirements

| Requirement Area | Typical Requirements |
|---|---|
| Security | Data protection, access control, encryption |
| Privacy | Data processing agreements, compliance |
| Quality | Performance standards, SLAs |
| Transparency | Documentation, explainability support |
| Ethics | Responsible AI commitments, bias prevention |
| Compliance | Regulatory compliance, certifications |
| Audit | Audit rights, reporting requirements |

Third-Party Contract Clauses

Include in AI-related contracts:
• AI governance requirements and standards
• Data protection and privacy obligations
• Security requirements
• Documentation and transparency obligations
• Performance and quality standards
• Audit and assessment rights
• Incident notification requirements
• Liability and indemnification
• Termination and transition provisions

Audit Questions - A.10.2

• What third parties are involved with your AI systems?
• How do you define requirements for AI third parties?
• Show me third-party requirements documentation
• How are requirements included in contracts?
• How do you assess third parties before engagement?

A.10.3 Monitoring of Third Parties

| Attribute | Details |
|---|---|
| Control | Third parties providing AI system components, products, or services shall be monitored and reviewed. |
| Purpose | Ensure ongoing third-party compliance and performance |
| Related Clause | 9.1 (Monitoring, measurement, analysis and evaluation) |

Implementation Guidance

  • Define monitoring approach for each third party
  • Establish monitoring metrics and frequency
  • Conduct periodic reviews and assessments
  • Track third-party performance against requirements
  • Address issues and non-compliance
  • Review when significant changes occur
  • Document monitoring activities and results

Third-Party Monitoring Activities

| Activity | Frequency | Focus |
|---|---|---|
| Performance Review | Monthly/Quarterly | SLA compliance, quality metrics |
| Security Assessment | Annual/As needed | Security controls, vulnerabilities |
| Compliance Review | Annual | Regulatory compliance, certifications |
| Contract Review | Annual/At renewal | Terms, requirements, updates |
| Incident Review | As needed | Third-party incidents affecting AI |
| Change Assessment | As needed | Impact of third-party changes |

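The monitoring table above describes a cadence, and auditors for A.10.3 will ask when each review last happened. As an added illustration (not part of the original chapter, and not tied to any real supplier), the following Python script keeps a small third-party inventory with the date of each completed review, flags reviews that are overdue against the table's cadence, and records the chapter's risk indicators so that event-driven activities (incident review, change assessment) are triggered. The cadence values in days, the supplier names, and the review dates are all constructed assumptions; where the table gives a range such as "Monthly/Quarterly", the stricter quarterly bound is assumed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Scheduled review cadence in days, derived from the chapter's monitoring
# table (assumption: "Monthly/Quarterly" is tracked at the quarterly bound,
# "Annual" at 365 days). "As needed" activities are event-driven, so they are
# not scheduled here but triggered by recorded risk indicators.
REVIEW_CADENCE_DAYS = {
    "performance_review": 90,
    "security_assessment": 365,
    "compliance_review": 365,
    "contract_review": 365,
}

# Warning signs from the chapter's "Third-Party Risk Indicators" list.
RISK_INDICATORS = (
    "performance_degradation",
    "security_incident",
    "compliance_failure",
    "financial_instability",
    "key_personnel_change",
    "service_disruption",
    "unannounced_change",
    "communication_issue",
)


@dataclass
class ThirdParty:
    name: str
    party_type: str            # e.g. "AI Model Provider", "Cloud/Infrastructure"
    last_reviews: dict         # activity name -> date of the last completed review
    indicators: set = field(default_factory=set)  # observed warning signs


def overdue_reviews(parties, today):
    """Return (party, activity, days_overdue) for every scheduled review that is
    past its cadence; days_overdue is None when the review was never performed."""
    findings = []
    for party in parties:
        for activity, cadence in REVIEW_CADENCE_DAYS.items():
            last = party.last_reviews.get(activity)
            if last is None:
                findings.append((party.name, activity, None))
                continue
            due = last + timedelta(days=cadence)
            if today > due:
                findings.append((party.name, activity, (today - due).days))
    return findings


def risk_flags(party):
    """Return the recognised warning signs recorded for a party, sorted,
    ignoring any label that is not in the chapter's indicator list."""
    return sorted(i for i in party.indicators if i in RISK_INDICATORS)


def needs_change_assessment(party):
    """An unannounced change or a security incident triggers the event-driven
    Change Assessment / Incident Review activities from the table."""
    return bool({"unannounced_change", "security_incident"} & party.indicators)


# Constructed sample inventory: hypothetical suppliers and dates, not real vendors.
SAMPLE_INVENTORY = [
    ThirdParty("Example Model Vendor", "AI Model Provider",
               {"performance_review": date(2024, 1, 10),
                "security_assessment": date(2023, 3, 1),   # over a year ago
                "compliance_review": date(2024, 2, 1),
                "contract_review": date(2024, 2, 1)},
               {"unannounced_change"}),
    ThirdParty("Example Cloud Host", "Cloud/Infrastructure",
               {"performance_review": date(2024, 3, 15),
                "security_assessment": date(2024, 3, 15),
                "compliance_review": date(2024, 3, 15)},   # contract never reviewed
               set()),
]

if __name__ == "__main__":
    today = date(2024, 4, 1)
    for name, activity, days in overdue_reviews(SAMPLE_INVENTORY, today):
        status = "never performed" if days is None else f"{days} days overdue"
        print(f"{name}: {activity} {status}")
    for party in SAMPLE_INVENTORY:
        flags = risk_flags(party)
        if flags:
            print(f"{party.name}: indicators {flags}; "
                  f"change assessment needed: {needs_change_assessment(party)}")
```

Run as-is with the constructed inventory, the script reports the vendor's security assessment as 32 days overdue, the cloud host's contract review as never performed, and the vendor's unannounced change as a trigger for a change assessment; the same output, dated, is the kind of monitoring record the A.10.3 audit questions ask for.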
Third-Party Risk Indicators

Monitor for warning signs:
• Performance degradation
• Security incidents
• Compliance failures
• Financial instability
• Key personnel changes
• Service disruptions
• Unannounced changes
• Communication issues

Audit Questions - A.10.3

• How do you monitor AI third parties?
• What metrics do you track?
• Show me third-party monitoring reports
• How do you address third-party issues?
• When did you last review [specific third party]?

A.10.4 Customers and Users

| Attribute | Details |
|---|---|
| Control | Requirements related to customers and users of the organization's AI systems shall be identified, documented, and addressed. |
| Purpose | Ensure customer and user needs are met |
| Related Clause | 4.2 (Understanding needs and expectations of interested parties) |

Implementation Guidance

  • Identify customers and users of AI systems
  • Understand their requirements and expectations
  • Document requirements and how they're addressed
  • Communicate AI capabilities and limitations
  • Provide appropriate support and documentation
  • Collect and respond to feedback
  • Manage customer AI-related complaints

Customer/User Requirements

| Requirement Area | Typical Requirements |
|---|---|
| Functionality | What the AI system should do for them |
| Performance | Accuracy, speed, reliability expectations |
| Usability | Ease of use, accessibility |
| Transparency | Understanding how AI works, explanations |
| Support | Help, training, issue resolution |
| Privacy | Data protection, consent, rights |
| Control | Ability to opt out, override, provide feedback |

Customer Communication

| Topic | Communication Approach |
|---|---|
| AI Capabilities | Product documentation, sales materials |
| Limitations | Clear disclaimers, documentation |
| Data Use | Privacy notices, consent mechanisms |
| Changes | Advance notification of significant changes |
| Issues | Incident notifications, status updates |
| Support | Help documentation, support channels |

Customer Requirements Documentation

For each AI product/service, document:
• Target customers and user groups
• Customer requirements (functional, non-functional)
• How requirements are addressed
• Customer communication approach
• Support and documentation provided
• Feedback collection mechanisms
• Complaint handling process

Audit Questions - A.10.4

• Who are the customers/users of your AI systems?
• How do you identify their requirements?
• Show me customer requirements documentation
• How do you communicate AI limitations to customers?
• How do you handle customer complaints about AI?
• How do you collect and use customer feedback?

Control Implementation Summary

| Control | Key Evidence | Common Gaps |
|---|---|---|
| A.10.2 Third Parties | Third-party inventory, requirements, contracts | No AI-specific third-party requirements |
| A.10.3 Monitoring | Monitoring reports, review records, metrics | No ongoing third-party monitoring |
| A.10.4 Customers | Requirements docs, communications, feedback | Customer requirements not documented |

Complete Annex A Summary

You have now covered all 39 controls across all 9 domains:

| Domain | Controls | Focus |
|---|---|---|
| A.2 Policies | 2 | Policy establishment and review |
| A.3 Organization | 4 | Roles, reporting, authorities, coordination |
| A.4 Resources | 4 | Data, tools, computing resources |
| A.5 Impacts | 4 | Individual and societal impact assessment |
| A.6 Lifecycle | 12 | AI system lifecycle management |
| A.7 Data | 5 | Data acquisition, quality, provenance |
| A.8 Information | 4 | Transparency, explainability |
| A.9 Use | 3 | Intended use, fitness, human oversight |
| A.10 Third-Party | 3 | Suppliers and customers |
| Total | 39 | |

Key Takeaways - A.10

1. Third parties must meet documented AI governance requirements
2. Requirements should be included in contracts
3. Ongoing monitoring of third parties is required
4. Customer/user requirements must be identified and addressed
5. Communication with customers about AI is essential
6. You retain accountability even when third parties are involved
