ISO/IEC JTC 1/SC 42 · Artificial intelligence

ISO/IEC 8183

Information technology.
Artificial intelligence.
Data life cycle framework.

The international standard that defines how data moves through an AI system — from the first idea to the last server. Published 26 July 2023. Adopted across Europe without a word changed.

26 Jul 2023Published by ISO and IEC
First edition
10Life cycle stages
from conception to retirement
34Countries obliged to adopt it
as a national standard
0Words changed when Europe
took it over

Clause 6

Ten stages. One boundary.

ISO/IEC 8183 divides the life of data inside an AI system into ten separate stages. Seven of them sit inside the data-processing boundary. Three do not — and two of those come before you have acquired a single row.

Inside the data-processing boundary — stages 3 to 9 Outside the boundary — stages 1, 2 and 10

Stage 1

Outside the boundary

Idea conception

Adoption

A standard the world actually took up.

Most international standards are published and left on a shelf for national bodies to consider. ISO/IEC 8183 was taken over wholesale — in Europe by the committee writing the AI Act's harmonised standards, and in Canada as a National Standard. In both cases, without modification.

26 July 2023

Published as an International Standard

ISO/IEC 8183:2023, first edition, developed by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 42, Artificial intelligence. Ten pages.

ISO & IEC · Geneva
31 October 2023

Adopted in the United Kingdom

Published as BS ISO/IEC 8183:2023 under the authority of the BSI Standards Policy and Strategy Committee. UK participation was entrusted to Technical Committee ART/1, Artificial Intelligence.

BSI · London
10 June 2024

Taken over as a European Standard

Approved by CEN as EN ISO/IEC 8183:2024 and taken over by CEN-CENELEC/JTC 21, Artificial Intelligence — the same committee developing the harmonised standards for the EU AI Act. The endorsement notice records that it was approved without any modification.

CEN-CENELEC · Brussels
By December 2024

Mandatory national status across 34 countries

Under the CEN-CENELEC Internal Regulations, the national standards bodies of 34 countries were bound to give it the status of a national standard — and to withdraw any conflicting national standard. Not an invitation. An obligation.

Austria to the United Kingdom
2024

Adopted as a National Standard of Canada

Reviewed by the CSA Technical Committee on Information Technology and published by CSA Group as CSA ISO/IEC 8183:2024 — again, formally approved without modification.

CSA Group · Toronto

ISO's network is one national standards body per country, 176 of them. What makes 8183 unusual is not that it is available to all of them — every ISO standard is. It is that in 34 of those countries, adopting it was not optional.

Why it matters

The standard underneath the standards.

AI standards multiply quickly, and most of them assume a data life cycle without defining one. 8183 is the one that defines it. When a later standard needs to say when in the life of an AI system something happens, this is the document it points at.

“The DLC model for analytics and ML shown in Figure 3 is derived from ISO/IEC 8183.” ISO/IEC 5259-1:2024, Clause 5.3.2.1 — Data quality for analytics and machine learning
ISO/IEC 5259 series — data quality for analytics and ML

Six parts. Its data life cycle model is derived directly from 8183, a point restated in Part 5 and refined for data quality management in Part 3. Get 8183 wrong and the whole 5259 series is built on sand.

ISO/IEC 42001 — AI management systems

The certifiable management system. Its Annex A data controls assume something like a life cycle exists and has owners. 8183 is what tells you where the stages are and what belongs in each. See our ISO/IEC 42001 guide.

ISO/IEC 23894 — AI risk management

Risk has to attach to a moment. Data quality, provenance, poisoning and drift are risks at specific stages, and the stages are 8183's.

ISO/IEC 42005 — AI system impact assessment

Impact assessment asks what an AI system does to people, and when. The life cycle supplies the “when”.

This is what makes 8183 foundational rather than merely useful. It is short — ten pages — because it is not trying to tell you how to do the work. It is establishing the vocabulary and the sequence that everything else in data-driven AI standardisation then relies on.

Policy

How a technical standard ends up shaping law.

Regulators rarely invent technical detail. They write requirements, then point at standards to say what meeting them looks like. That is the mechanism by which a ten-page framework reaches into legislation on three continents.

European Union

The EU AI Act's Article 10 governs data and data governance for high-risk AI systems. Under Article 40, harmonised standards give a presumption of conformity, and the European Commission asked CEN-CENELEC to write them under standardisation request M/593.

The committee doing that work is JTC 21 — and JTC 21 took 8183 over unchanged as EN ISO/IEC 8183:2024. The people drafting Europe's AI conformity landscape adopted this framework rather than write their own.

United Kingdom

The UK's approach is principles-based and delegated to existing sector regulators rather than a single AI act. In that model, international standards carry more weight, not less: they are the shared reference a regulator can point to without legislating.

BSI published it as BS EN ISO/IEC 8183:2024, prepared by committee ART/1.

Beyond

Canada adopted it as a National Standard of Canada through CSA Group. Elsewhere, the influence runs through the ISO/IEC catalogue itself — every national body that adopts the 5259 series or certifies to 42001 inherits 8183's life cycle whether or not it ever buys the document.

That is the quiet reach of foundational standards: you comply with them through other things.

A caveat worth stating plainly, because a lot of marketing gets this wrong: adoption as a European Standard is not the same as being a harmonised standard cited in the Official Journal. Only cited standards confer presumption of conformity. 8183's significance is architectural — it is the life cycle the conformity work is being built on.

The team

Four people wrote it.

International standards sound institutional. In practice a small group of experts, nominated through their national bodies, does the drafting. ISO/IEC 8183 had an editor and three sub-editors.

Colin Crone, Editor and Project Leader of ISO/IEC 8183

Editor · Project Leader

Colin Crone

Editor of the AI Data Life Cycle standard and the project's leader. A cyber security expert with complementary AI knowledge — which is why data security runs through the framework as a cross-cutting concern rather than sitting in a clause of its own.

Dr Julian Padget, Sub-Editor of ISO/IEC 8183 and Reader in AI at the University of Bath

Sub-Editor

Julian Padget

Reader in Artificial Intelligence at the University of Bath. An expert in optimising AI solutions — mitigating unwanted bias among them. He leads AI research and is an AI standards guru, which is the academic rigour behind the framework's treatment of data preparation.

Jeremy Swinfen-Green, Sub-Editor of ISO/IEC 8183, digital governance specialist

Sub-Editor

Jeremy Swinfen-Green

Sub-editor of the AI Data Life Cycle standard, specialising in digital technology's impact on business processes. The reason the framework starts at idea conception and business requirements rather than at the first row of data.

Matthew Blakemore, Sub-Editor of ISO/IEC 8183, AI and business strategy

Sub-Editor

Matthew Blakemore

Sub-editor of the AI Data Life Cycle standard, covering AI and business strategy. Chief Executive of AI Caramba!, member of the BSI and ISO AI committees, and adviser to the Innovate UK BridgeAI programme.

Matthew Blakemore, sub-editor of ISO/IEC 8183, speaking on stage at an AI summit

Sub-editor · ISO/IEC 8183

Matthew Blakemore

One of the four people who drafted this standard. An AI strategist, standards architect and governance practitioner — and the person to talk to if you need 8183 to mean something inside your organisation rather than on a shelf.

  • StandardSub-editor, ISO/IEC 8183 — Data life cycle framework
  • CommitteesMember, BSI and ISO artificial intelligence committees
  • AdvisoryInnovate UK BridgeAI programme
  • CompanyChief Executive, AI Caramba!
  • FrameworkOriginator of the Snakes and Ladders AI Framework™
  • BookSnakes and Ladders: A Leader's Playbook for AI Strategy, Governance and Risk (forthcoming)

Questions

ISO/IEC 8183, answered.

What is ISO/IEC 8183?

ISO/IEC 8183:2023 is an International Standard titled Information technology — Artificial intelligence — Data life cycle framework. It maps the life of data inside an AI system onto ten stages and says what belongs in each — from first obtaining or creating data, through building and running the system, to retiring both.

It is deliberately technology-neutral: no vendors, no products, no platforms. And it draws no line by company size or sector. If you use data to build or run AI, it was written with you in mind.

When was ISO/IEC 8183 published?

26 July 2023, as a first edition. It was developed by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 42, Artificial intelligence, and runs to ten pages. The UK implementation followed on 31 October 2023 as BS ISO/IEC 8183:2023, later renumbered BS EN ISO/IEC 8183:2024 following a corrigendum on 30 June 2024.

What are the ten stages of ISO/IEC 8183?

Idea conception, business requirements, data planning, data acquisition, data preparation, building a model, system deployment, system operation, data decommissioning and system decommissioning. Stages 3 to 9 sit inside what the standard treats as the data-processing boundary; stages 1, 2 and 10 sit outside it. Stages 9 and 10 are kept separate on purpose: retiring the data and retiring the system are different jobs.

Is ISO/IEC 8183 mandatory?

Standards are voluntary, and ISO/IEC 8183 places no legal obligation on any company. But there is a real obligation in the picture, and it is often misreported. When CEN-CENELEC took the text over as EN ISO/IEC 8183:2024, the national standards bodies of 34 countries became bound to give it the status of a national standard by December 2024 and to withdraw any conflicting national standard. That obligation falls on the standards bodies, not on you.

Is ISO/IEC 8183 a European standard?

Yes. It was approved by CEN on 10 June 2024 and taken over as EN ISO/IEC 8183:2024 by CEN-CENELEC/JTC 21, Artificial Intelligence, whose secretariat is held by Danish Standards. The endorsement notice records that the text was approved without any modification. The 34 countries bound to implement it run from Austria to the United Kingdom, and include Iceland, Norway, Serbia, Switzerland, Türkiye and North Macedonia alongside the EU member states.

How does ISO/IEC 8183 relate to ISO/IEC 42001?

They do different jobs. ISO/IEC 42001 is the certifiable AI management system standard — it tells you what your organisation must have in place and can be audited against. ISO/IEC 8183 is a framework, not a management system: it tells you what the stages of the data life cycle are. In practice 42001's data controls assume a life cycle exists and has owners, and 8183 is the document that says where those stages begin and end.

How does ISO/IEC 8183 relate to the EU AI Act?

Indirectly, but structurally. Article 10 of the AI Act governs data and data governance for high-risk systems, and Article 40 lets harmonised standards confer a presumption of conformity. The European Commission asked CEN-CENELEC to develop those harmonised standards, and the committee doing it — JTC 21 — is the same one that adopted 8183 unchanged as a European Standard.

To be precise: 8183 is not itself a harmonised standard cited in the Official Journal, and adopting it does not give you presumption of conformity. Its role is architectural.

Can you get certified to ISO/IEC 8183?

No, and anyone offering to certify you against it has misunderstood the document. 8183 is a framework of ten pages describing stages and actions; it contains no auditable requirements and no conformity assessment scheme. If you want a certificate, ISO/IEC 42001 is the AI management system standard that supports accredited certification. 8183 is what makes your 42001 data controls coherent.

Who wrote ISO/IEC 8183?

It was drafted within ISO/IEC JTC 1/SC 42 by an editor and three sub-editors: Colin Crone, the editor and project leader, a cyber security expert; Julian Padget, sub-editor and Reader in AI at the University of Bath; Jeremy Swinfen-Green, sub-editor, specialising in digital technology's impact on business processes; and Matthew Blakemore, sub-editor, covering AI and business strategy. Experts participate in standards work in a personal and expert capacity, nominated through their national standards bodies.

Where can I buy ISO/IEC 8183?

From ISO directly, from the IEC, or from your national standards body — in the UK that is BSI, as BS EN ISO/IEC 8183:2024. It is a copyrighted document and this site does not reproduce it. The list price from ISO at the time of writing is CHF 67.

Next

Reading the standard is the easy part.

Ten pages will tell you the stages exist. They will not tell you which clause obliges what, what evidence an assessor accepts, or what any of it means for your system, your data and your regulator. That is judgement, and it is what these three do.