GRCWatch
Sign inStart free trial

ISO 42001 A.6.8: AI System Decommissioning

Decommissioning AI systems improperly can expose sensitive data, disrupt dependent operations, and create compliance gaps. Control A.6.8 requires organizations to plan and execute AI system decommissioning in a controlled manner, addressing data retention, documentation, system dependencies, and stakeholder notification. This guide shows you how to meet this ISO 42001 requirement.

What this means

A.6.8 requires a structured decommissioning process for AI systems that goes beyond simple shutdown. Organizations must establish procedures that cover secure data retention and disposal, document lessons learned from the system's operational history, identify and manage impacts on systems that depend on the AI system, and communicate transparently with all affected stakeholders. This control ensures that decommissioning doesn't create security risks, operational disruptions, or compliance violations.

How to comply

  1. 1.Develop a formal AI system decommissioning policy that outlines the complete lifecycle from decision to final shutdown.
  2. 2.Conduct a dependency mapping exercise to identify all systems, processes, and teams relying on the AI system before decommissioning begins.
  3. 3.Create a data inventory and establish retention schedules compliant with data protection regulations and business requirements.
  4. 4.Implement secure data disposal procedures, including encryption removal, physical destruction where applicable, and verification of deletion.
  5. 5.Establish a lessons-learned process to document operational insights, failures, successes, and recommendations for future AI systems.
  6. 6.Notify all affected stakeholders—internal teams, customers, partners, regulators—with sufficient notice and transition plans.
  7. 7.Maintain detailed decommissioning documentation including timelines, disposal records, stakeholder communications, and post-decommissioning audits.

Evidence auditors look for

  • Signed decommissioning plan with data retention and disposal schedules
  • Dependency impact assessment identifying connected systems and mitigation strategies
  • Data destruction certificates or audit logs proving secure deletion
  • Lessons-learned documentation with observations and recommendations
  • Communication logs showing stakeholder notifications and transition timelines
  • Decommissioning checklist completed and signed by responsible parties
  • Post-decommissioning audit report confirming all systems properly shut down

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates decommissioning workflows by tracking AI system dependencies, managing data disposal checklists, archiving stakeholder communications, and generating destruction evidence reports—eliminating manual tracking and ensuring no system falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

A.5.14 — AI System SecurityA.5.15 — Data ManagementB.6.1 — Monitoring and MeasurementB.6.2 — Audit and Review