Establish, implement, and maintain conformity assessment procedures.


CONTROL ID: 15032
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program. (CC ID: 00654)

This Control has the following implementation support Control(s):
  • Share conformity assessment results with affected parties and interested personnel. (CC ID: 15113)
  • Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. (CC ID: 15112)
  • Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. (CC ID: 15111)
  • Create technical documentation assessment certificates in an official language. (CC ID: 15110)
  • Opt out of third party conformity assessments when the system meets harmonized standards. (CC ID: 15096)
  • Perform conformity assessments, as necessary. (CC ID: 15095)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII. (Article 43 1. ¶ 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications… (Article 43 1. ¶ 2, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. For high-risk AI systems referred to in point 5(b) of An… (Article 43 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • High-risk AI systems shall undergo a new conformity assessment procedure whenever they are substantially modified, regardless of whether the modified system is intended to be further distributed or continues to be used by the current user. (Article 43 4. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being co… (iii.7.d., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Internal audit, independent reviews, and certifications. (App A Objective 2:1f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)