ISO/IEC 5259-5:2025

International
Standard
ISO/IEC 5259-5
First edition
Artificial intelligence — Data
2025-02
quality for analytics and machine
learning (ML) —
Part 5:
Data quality governance framework
Intelligence artificielle — Qualité des données pour les analyses
de données et l'apprentissage automatique —
Partie 5: Cadre pour la gouvernance de qualité des données
Reference number
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope .1
2 Normative references .1
3 Terms and definitions .1
4 Abbreviated terms .3
5 Data quality governance in the context of analytics and ML .4
5.1 Foundation .4
5.2 Ambiguous responsibilities for data .4
5.3 Purpose and justification .4
6 Data quality governance framework . 5
6.1 General .5
6.2 DQ guiding principles .6
6.3 Strategies and policies for DQ .6
6.4 Business planning for DQ .6
6.5 DQ accountabilities .7
6.6 DQ risk management .7
6.7 Management processes for DQ .7
7 Responsibilities of governing body .8
7.1 Understand the strategic importance of data quality .8
7.2 Establish enabling environment for data quality governance .8
7.3 Formulate data quality strategies .9
7.4 Business planning for data quality .10
7.5 Data quality risk management capability .10
7.6 Set policies to ensure data quality .10
7.7 Establish oversight mechanisms . 12
8 Responsibilities of management .12
8.1 Implement data quality strategies . 12
8.2 Establish and enforce comprehensive data quality policies . 12
8.3 Implement data quality management processes . 12
8.4 Establishing internal risk control as part of management process . 13
Bibliography .15

© ISO/IEC 2025 – All rights reserved
iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 42, Artificial intelligence.
A list of all parts in the ISO/IEC 5259 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2025 – All rights reserved
iv
Introduction
To address data quality properly without wasting critical resources, the organization’s governing body can
set the strategic direction for the use of analytics and machine learning (ML) and can oversee the quality of
the needed data.
The data quality governance framework for analytics and ML assists the governing body in establishing
a data quality governance within its organization with adequate controls across different layers of the
organization throughout the data life cycle (DLC).
The framework can be used by both the governing body and management to interact and ensure the
establishment of an effective data quality governance for analytics and ML at all levels in the organization.
The framework can be applicable regardless of an organization’s size and type; and used in conjunction with
other parts of the ISO/IEC 5259 series.

© ISO/IEC 2025 – All rights reserved
v
International Standard ISO/IEC 5259-5:2025(en)
Artificial intelligence — Data quality for analytics and
machine learning (ML) —
Part 5:
Data quality governance framework
1 Scope
This document provides a data quality governance framework for analytics and machine learning (ML) to
enable governing bodies of organizations to direct and oversee the implementation and operation of data
quality measures, management, and related processes with adequate controls throughout the data life cycle
(DLC) model according to ISO/IEC 5259-1.
This document can be applied to any analytics and ML. This document does not define specific management
requirements or process requirements according to ISO/IEC 5259-3 and ISO/IEC 5259-4 respectively.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 5259-1, Artificial intelligence — Data quality for analytics and machine learning (ML) — Part 1:
Overview, terminology, and examples
ISO/IEC 22989:2022, Information technology — Artificial intelligence — Artificial intelligence concepts and
terminology
ISO/IEC 38505-1, Information technology — Governance of IT — Governance of data — Part 1: Application of
ISO/IEC 38500 to the governance of data
ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of
artificial intelligence by organizations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 5259-1, ISO/IEC 22989,
ISO/IEC 38505-1 and ISO/IEC 38507, and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
data creator
role within an organization responsible for generating, collecting and curating data from data sources

© ISO/IEC 2025 – All rights reserved
3.2
data owner
organization that is in the position to obtain, create, and have significant control over the content, access
and distribution of data
Note 1 to entry: A data owner does not necessarily have a legal status with respect to data.
[SOURCE: ISO/TR 14872:2019, 3.4 — modified, Note 1 to entry replaced]
3.3
data steward
role within an organization responsible for ensuring that data-related work is performed according to
policies and practices as established through data governance
[SOURCE: ISO/IEC TS 38505-3:2021, 3.9]
3.4
direct
communicate desired purposes and outcomes
Note 1 to entry: Within the context of governance of IT, directing involves setting objectives, strategies, and policies to
be adopted by the members of the organization, to ensure that the use of IT meets organization’s business objectives.
Note 2 to entry: Objectives, strategies, and policies can be set by management if they have the relevant authority
delegated to them by the governing body.
[SOURCE: ISO/IEC 38500:2024, 3.1]
3.5
executive manager
person who has authority delegated from the governing body for implementation of strategies and policies
to fulfil the purpose of the organization
Note 1 to entry: Executive managers can include roles which report to the governing body or the head of the
organization or have overall accountability for major reporting function, for example Chief Executive Officers (CEOs),
Heads of Government Organizations, Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information
Officers (CIOs), and similar roles.
Note 2 to entry: In management standards, executive managers can be referred to as top management.
3.6
governance
human-based system comprising directing, overseeing and accountability
[SOURCE: ISO/IEC 38500:2024, 3.3]
3.7
governing body
person or group of people who have ultimate accountability for the whole organization
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established. When
the organization is not an organizational entity, the term governing group is applicable where “governing body” is
used throughout this document.
Note 2 to entry: A governing body can be explicitly established in a number of formats including, but not limited to, a
board of directors, supervisory board, sole director, joint and several directors, or trustees.
Note 3 to entry: ISO management system standards make reference to the term “top management” to describe a role
that, depending on the standard and organizational context, reports to, and is held accountable by, the governing body.
[SOURCE: ISO/IEC 37000:2021, 3.3.4]

© ISO/IEC 2025 – All rights reserved
3.8
monitor
review as a basis for appropriate decisions and adjustments
Note 1 to entry: Monitor involves routinely obtaining information about progress against plans as well as the periodic
examination of overall achievements against agreed strategies and outcomes to provide a basis for decision making
and adjustments to plans.
Note 2 to entry: Monitor includes reviewing compliance with relevant legislation, regulations, and organizational
policies.
[SOURCE: ISO/IEC 38500:2024, 3.8]
3.9
principle
fundamental truth, proposition or assumption that serves as foundations for a set of beliefs or behaviours or
for a chain of reasoning
[SOURCE: ISO/IEC 37000:2021, 3.2.1]
3.10
strategy
organization’s overall plan of development, describing the effective use of resources in support of the
organization in its future activities
Note 1 to entry: involves setting objectives and proposing initiatives for action
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.4001]
3.11
management layer
organizational layer where exercise of control and supervision is performed within the constraints of
governance
3.12
operational layer
organizational layer where daily routine operational tasks are performed
4 Abbreviated terms
CDO chief data officer
CEO chief executive officer
DLC data life cycle
DQ data quality
DQMLC data quality management life cycle
DQP data quality processes
DT digital transformation
IT information technology
ML machine learning
PII personally identifiable information
SW software
© ISO/IEC 2025 – All rights reserved
HW hardware
5 Data quality governance in the context of analytics and ML
5.1 Foundation
Data for analytics and ML has its own set of unique characteristics compared to the traditional data generally
used in business settings. The quality of training data plays a key role in the decision-making process using
an ML model without human intervention. It is very important to produce quality outputs.
In order to safeguard data quality for analytics and ML effectively, a governing body should have adequate
visibility into how data quality can impact analytics and ML.
Data quality can impact the results of analytics and ML if the input data have a problem with data quality
characteristics such as accessibility, auditability, identifiability, portability, understandability, currentness,
effectiveness and efficiency; and dataset quality characteristics such as accuracy, balance, consistency,
scalability, diversity, effectiveness, generalizability, precision, relevance, representativeness, similarity and
timeliness. A more detailed list of data and dataset quality characteristics and their definitions are described
in ISO/IEC 5259-2. A governing body should understand these data quality characteristics and reflect them
in its governance arrangements when consuming and producing data throughout the DLC model according
to ISO/IEC 5259-1.
5.2 Ambiguous responsibilities for data
The data used by analytics and ML can be provided by a great number of third parties and the functionality
of the analytics and ML model can be primarily dependent on the data used. In this case, determining
the relevant party becomes a critical issue if an ML model produces an inaccurate or incorrect inference
or prediction due to an anomaly in data collected from multiple sensors or systems. In this case, an
organization can have a system in place that can determine the cause (data or otherwise) if an ML model
produces undesirable outcomes.
In addition, data for analytics and ML can be collected in various ways, including Internet search and posts
on social media services. Despite the greater convenience from the diverse usage of such data, it is important
to exercise caution due to serious problems that these kinds of data can present, such as privacy violations.
Data quality governance for analytics and ML entails a greater complexity in comparison to data quality
issues that involve only a single data source. The governing body should understand that there should
be clear roles and responsibilities established on how data for analytics and ML should be handled and
processed throughout the entire DLC within and across organizational boundaries.
5.3 Purpose and justification
A holistic data quality governance framework for analytics and ML is needed for an organization to have
adequate controls throughout the DLC model according to ISO/IEC 5259-1. The data quality governance
framework enables the governing body to direct and oversee the implementation and operation of data
quality measures according to ISO/IEC 5259-2, data quality management requirements and guidelines
according to ISO/IEC 5259-3 and the data quality process framework for various types of ML according to
ISO/IEC 5259-4 throughout the DLC. The goal is to enhance trust in data for analytics and ML applications
and services by mitigating data quality-related risks, making informed decisions, empowering effective and
efficient operations across the organization.
The approach for an organization to enhance trust in data for analytics and ML should be to establish a
robust and cross-cutting data quality governance framework across different levels of the organization
with clear roles and responsibilities on how data should be handled and processed (see Figure 1). This
document describes a data quality governance framework with which an organization develops its own data
quality governance. The framework is applicable regardless of an organization’s size and type. Individual
organization’s actual governance arrangement can differ according to their organizational structure,
maturity and other relevant factors. Both the governing body and management can use the framework to

© ISO/IEC 2025 – All rights reserved
empower organizational stakeholders to ensure that an effective data quality governance for analytics and
ML is established at all levels in the organization.
While a broader overview of governance of IT and data is available in ISO/IEC 38500 and ISO/IEC 38505-1
respectively, the general terms of governance implications of the data use in AI systems can be found in
ISO/IEC 38507:2022, 6.4. This document elaborates basic guidelines provided by those International
Standards for the purpose of establishing data quality governance for analytics and ML. This document
emphasizes that the roles of the governing body are to set the direction for aligning data quality strategy
with organization’s business objectives and to establish the data quality accountabilities throughout and
across different layers of the organization. This approach to governing data quality for analytics and ML
ensures that management and operational layers’ obligations for monitoring data quality characteristics
are in line with the organization’s strategy for analytics and ML. Each element of the governance framework
in ISO/IEC TR 38502 is referenced in this document with a description of how each element is used in the
context of data quality governance for analytics and ML.
Key
guide
direct and oversee
Figure 1 — Relationship between data quality governance framework and the rest of
ISO/IEC 5259 series
NOTE The data life cycle model of ISO/IEC 5259-1 in Figure 1 is derived from data life cycle framework in
ISO/IEC 8183. For more information on data life cycle framework, see ISO/IEC 8183.
6 Data quality governance framework
6.1 General
Figure 1 shows the cross-cutting key elements of the data quality governance framework and how it
relates to the ISO/IEC 5259 series. The goal is to help the organization establish an effective data quality

© ISO/IEC 2025 – All rights reserved
governance by providing a governance framework with guiding principles on the governance of data quality
for analytics and ML.
This clause explains the elements of the data quality governance framework in Figure 1.
6.2 DQ guiding principles
Data quality guiding principles express the desired behaviour of relevant individuals and groups across
the organization to produce data with specific data quality characteristics for analytics and ML in order
to achieve organization’s business objectives in relation to analytics and ML systems. The governing body
should ensure that the data quality principles are applied to the organization’s data quality governance
across management and operational processes related to the data quality for analytics and ML. The governing
body should also take the initiatives and leadership to oversee the effective and timely implementation and
adoption of data quality principles as directed by its management.
The followings are examples of data quality principles in relation to each element of the framework:
— Strategies and policies for DQ: An organization should ensure that data quality strategies and associated
policies are aligned with the organization’s current and future intent of achieving ML supported
organization’s business objectives.
— Business planning for DQ: An organization should ensure that strategic plans to achieve the data quality
strategies are developed through its business planning process and those plans are supported through
proper resource allocations.
— Management processes for DQ: An organization should establish data quality metrics on all relevant
aspects of data quality with effective management controls on how data are handled and processed at
each DLC phase to ensure data quality requirements are fully supported.
— DQ accountabilities: An organization should establish the oversight mechanisms through which those
personnel with responsibility and authorization are held accountable for the required outcomes within
the data quality strategies and policies.
— DQ risk management: An organization should have proper risk management capabilities to assess and
mitigate risks associated with the DQP in ISO/IEC 5259-4 and the management practices in ISO/IEC 5259-3
to achieve ML supported organization’s business objectives.
— The organization’s use of data for analytics and ML: An organization’s use of data for analytics and ML to
achieve its ML supported organization’s business objectives should be subject to the strategies and policies
defined as part of the data quality governance framework as well as the management processes for DQ.
6.3 Strategies and policies for DQ
The following practices are associated with the strategies and policies for DQ:
— The governing body should ensure that data quality strategies and associated policies are set to attain
the ML supported organization’s business objectives.
— The governing body should ensure that the data quality strategies include ways to improve any
shortcoming against the data quality principles set forth in this document.
— Managers should ensure that the data quality policies are established and enforced to address data
quality principles, specific requirements set by the governing body and the stakeholders.
6.4 Business planning for DQ
The followings are the practices associated with business planning for DQ:
— The governing body should ensure that strategic plans to achieve the data quality strategies are developed
and budgets and other resources to execute the plans are allocated.

© ISO/IEC 2025 – All rights reserved
— During the planning process, the governing body should ensure that the strategic plans for data quality
are aligned with the organization’s current and future intent of achieving ML supported organization’s
business objectives.
— If the governing body delegates its authority then managers can develop the strategic plans for data
quality to achieve ML supported organization’s business objectives.
6.5 DQ accountabilities
The followings are the practices associated with DQ accountabilities:
— The governing body is accountable for achieving ML supported organization’s business objectives and
formulating data quality strategies. Implementation of data quality strategies are delegated to managers.
— The governing body should ensure that the oversight mechanism is established to oversee managers
achieving the required business outcomes (e.g. ML supported organization’s business objectives are
achieved through data quality management throughout the DLC) within the data quality strategies and
policies.
— Managers are responsible for monitoring and assessing data quality performance and conformance
throughout the DLC phases and are accountable to the governing body for the required outcomes.
— Managers’ responsibility, authority and accountability are determined by the governing body according
to ISO/IEC TR 38502.
6.6 DQ risk management
The followings are the practices associated with DQ risk management:
— The governing body should set policies on internal risk control over the phases of the DLC model in
ISO/IEC 5259-1, the DQP in ISO/IEC 5259-4 and management practices in ISO/IEC 5259-3, taking into
account the organization’s risk appetite for both outsourced and in-house data-related processes, ML
supported organization’s business objectives and regulatory requirements.
— Managers should establish an appropriate system of internal
...