ISO 42001 - Control A.7.3 – Acquisition of Data
In today’s article by Kimova AI, we explore Annex A Control A.7.3 – Acquisition of Data, an essential control in ISO/IEC 42001 that governs how organizations source, collect, and obtain data for AI systems in a lawful, ethical, and controlled manner.
From an auditor’s perspective, data acquisition is one of the highest-risk stages in the AI lifecycle. If data is acquired improperly, no amount of downstream controls can fully correct the resulting legal, ethical, or reputational exposure. This control ensures that organizations build AI systems on legitimate and well-governed data foundations.
What This Control Means
Control A.7.3 requires organizations to define and implement processes that ensure data used for AI systems is acquired responsibly, whether it is collected internally, purchased, licensed, scraped, or obtained from third parties.
The control applies to data used for:
- training and testing AI systems
- model validation and enhancement
- ongoing system operation
Organizations must ensure that data acquisition activities respect legal requirements, contractual obligations, and ethical expectations.
Why Data Acquisition Matters
Improper data acquisition can lead to:
- violations of data protection and privacy laws
- infringement of intellectual property rights
- use of data without valid consent or legal basis
- hidden bias introduced at the earliest stage
- regulatory enforcement actions and fines
- loss of stakeholder and public trust
ISO 42001 highlights data acquisition because responsible AI cannot exist without responsible sourcing of data.
Key Requirements Under Control A.7.3
To comply with this control, organizations should ensure:
- Lawful and Authorized Data Collection – Data must be acquired with a valid legal basis, respecting consent, licensing, and contractual terms.
- Clear Purpose Definition – The purpose for acquiring data must be clearly defined and aligned with the intended AI use case.
- Ethical Considerations – Organizations should assess whether data acquisition practices align with ethical standards and societal expectations.
- Third-Party Data Governance – When using external datasets, due diligence must be performed on data providers, including rights, restrictions, and quality.
- Transparency and Documentation – Records must be maintained detailing how data was acquired, from whom, under what conditions, and for what purpose.
- Risk and Bias Awareness – Organizations should consider potential bias or representativeness issues introduced by the data source.
Implementation Guidance
Organizations can implement Control A.7.3 effectively by:
- Establishing a formal AI data acquisition policy
- Performing legal and privacy reviews before acquiring new datasets
- Conducting vendor and dataset due diligence for third-party data
- Maintaining a data acquisition register or inventory
- Integrating acquisition reviews into AI risk assessments
- Ensuring acquisition decisions are approved by appropriate stakeholders
- Aligning AI data sourcing with existing ISMS and privacy management frameworks
At Kimova AI, we help organizations assess and document data acquisition practices so AI systems are built on legally sound and ethically sourced data.
Conclusion
Annex A Control A.7.3 reinforces a fundamental principle of ISO 42001: AI systems must be built on data that is responsibly and lawfully acquired. Strong acquisition controls reduce legal risk, improve data quality, and enhance trust in AI outcomes.
In tomorrow’s article by Kimova.AI, we’ll explore Annex A Control A.7.4 – Quality of Data for AI Systems, where we’ll look at how organizations can ensure data accuracy, completeness, relevance, and consistency to support reliable, fair, and trustworthy AI system performance.