ISO 42001: The First Global Standard for Responsible AI — and Why Australian Enterprises Should Care
COMPLIANCE

CyberCorp Australia
Cybersecurity & GRC Team
14 May 2026 | 9 min read

Ask a procurement team in 2024 how they evaluated an AI vendor and you would likely hear: "We asked about model accuracy and uptime." Ask the same team today and the questions have shifted: "Do you have documented AI policies? Have you conducted an impact assessment? Can this system be audited?" The market has moved faster than most compliance calendars, and the organisations leading that shift are doing so under a single international standard — ISO/IEC 42001:2023, the world's first AI Management System standard. For Australian enterprises deploying or procuring AI, it is no longer a distant aspiration. It is fast becoming a baseline expectation.

What Is ISO 42001 and Why Does It Exist?

Published by the International Organization for Standardization in December 2023, ISO/IEC 42001 (commonly shortened to ISO 42001) establishes requirements for an Artificial Intelligence Management System (AIMS) — a structured governance framework an organisation puts in place to responsibly develop, deploy, and maintain AI systems throughout their lifecycle.

The standard exists because AI introduces governance challenges that existing frameworks — including ISO/IEC 27001 for information security — were not designed to address. AI systems exhibit emergent behaviour, degrade silently over time (model drift), encode historical bias, and produce consequential outputs that are difficult to explain or audit. A data breach has a clear moment of failure; an AI system causing discriminatory lending decisions may operate for months before the pattern is detected. ISO 42001 provides the management scaffolding to govern that ongoing risk.

Crucially, ISO 42001 applies to any organisation that provides or uses AI-based products or services — not just AI developers. If your organisation is procuring AI tools, embedding a large language model into a customer-facing workflow, or making decisions informed by algorithmic outputs, the standard is relevant to you.

The Core Requirements: What ISO 42001 Actually Demands

Like ISO 27001 and other management system standards, ISO 42001 follows the Plan-Do-Check-Act (PDCA) cycle. Its clauses are structured using the ISO Harmonised Structure, which means organisations already certified to ISO 27001 will recognise the architecture immediately. Experts estimate that 50–60% of existing documentation and processes from an ISO 27001 programme can be directly leveraged when implementing ISO 42001.

AI Policy and Governance Structure

Clause 5 requires top management to establish an AI policy that articulates the organisation's commitments regarding responsible AI. This is not a single-page statement — it must define objectives, assign ownership, and demonstrate leadership accountability for AI governance. The standard recognises that AI decisions are often irreversible or have significant societal impact, so governance cannot be delegated solely to technical teams.

AI Risk Assessment

Clause 6.1 mandates a systematic process for identifying and evaluating AI-specific risks. This goes beyond conventional information security risk assessment. AI risk factors include: model bias and fairness concerns, lack of explainability, data quality and provenance, unintended use or misuse, and the cumulative effect of many low-risk AI decisions. Organisations must define risk criteria, document their assessments, and implement controls proportionate to the risks identified.

AI System Impact Assessments

One of the most distinctive requirements in ISO 42001 is the AI System Impact Assessment — a forward-looking evaluation of the potential effects an AI system may have on individuals, groups, and society before and during deployment. This concept shares philosophical ground with the GDPR's Data Protection Impact Assessment but extends it to cover fairness, human rights, safety, and broader societal harm. For Australian organisations subject to the Privacy Act and its forthcoming reforms, the impact assessment requirement will feel familiar in purpose if not entirely in method.

Lifecycle Controls

ISO 42001 addresses the full AI system lifecycle — from requirements and design through training, testing, deployment, monitoring, and decommissioning. Clause 8 establishes operational controls that cover: defining intended use and acceptable use boundaries, validating system performance against objectives, monitoring deployed systems for drift or degradation, and maintaining records that support auditability. This lifecycle lens is critical: a system that performed acceptably at launch may introduce new risks as the data it acts upon changes.
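To make the "monitoring deployed systems for drift or degradation" and "maintaining records that support auditability" controls concrete, the following is an added illustration written for this article; it is not code from ISO 42001 or from any certification body. It compares the distribution of one input feature at launch against a later production window using the Population Stability Index (PSI), and emits a record that an AIMS evidence log could retain for a Stage 2 auditor. The metric choice, the 0.2 alert threshold, the system identifier `credit-scoring-v2`, the age bins and the three samples are all constructed assumptions; the standard prescribes none of them.

```python
"""Drift check with an auditable evidence record (added illustration, not from ISO 42001)."""
import json
import math
from datetime import datetime, timezone

# Policy values below are assumptions for this illustration; ISO 42001 does not
# prescribe a drift metric or an alert threshold. 0.1 / 0.2 are common PSI rules of thumb.
PSI_ALERT_THRESHOLD = 0.2
BIN_EDGES = [0, 30, 45, 60, 100]          # applicant-age bins (constructed)

# Constructed samples: a launch-time baseline and two later production windows.
BASELINE = [20] * 25 + [35] * 25 + [50] * 25 + [70] * 25
CURRENT_STABLE = [20] * 24 + [35] * 26 + [50] * 25 + [70] * 25
CURRENT_DRIFTED = [20] * 60 + [35] * 20 + [50] * 10 + [70] * 10


def bin_counts(values, edges):
    """Count values into len(edges)-1 bins. Out-of-range values are clamped into
    the first or last bin so that no observation is silently dropped."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = len(edges) - 2                   # default: last bin
        for i in range(len(edges) - 1):
            if v < edges[i + 1]:
                idx = i
                break
        counts[idx] += 1
    return counts


def psi(baseline, current, edges, eps=1e-6):
    """Population Stability Index: sum over bins of (p_cur - p_base) * ln(p_cur / p_base).
    eps guards against empty bins, which would otherwise produce log(0)."""
    b, c = bin_counts(baseline, edges), bin_counts(current, edges)
    nb, nc = sum(b), sum(c)
    if nb == 0 or nc == 0:
        raise ValueError("both samples must be non-empty")
    total = 0.0
    for bi, ci in zip(b, c):
        p_base = max(bi / nb, eps)
        p_cur = max(ci / nc, eps)
        total += (p_cur - p_base) * math.log(p_cur / p_base)
    return total


def drift_record(system_id, feature, baseline, current, edges=BIN_EDGES,
                 threshold=PSI_ALERT_THRESHOLD):
    """Run one drift check and return a record suitable for the AIMS evidence log.
    The record carries the metric, the threshold applied and the resulting action,
    so an auditor can see both the measurement and the decision taken on it."""
    value = psi(baseline, current, edges)
    drifted = value > threshold
    return {
        "system_id": system_id,
        "feature": feature,
        "metric": "psi",
        "value": round(value, 4),
        "threshold": threshold,
        "drift_detected": drifted,
        "action": "escalate_to_ai_governance_lead" if drifted else "none",
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def run_example():
    """Return the two records a scheduled monitoring job would append to the log."""
    return [
        drift_record("credit-scoring-v2", "applicant_age", BASELINE, CURRENT_STABLE),
        drift_record("credit-scoring-v2", "applicant_age", BASELINE, CURRENT_DRIFTED),
    ]


if __name__ == "__main__":
    for rec in run_example():
        print(json.dumps(rec))
```

The stable window scores close to zero and produces a "none" action; the drifted window, where younger applicants dominate the input mix, crosses the threshold and produces an escalation. Retaining both kinds of record, not only the alerts, is what lets the organisation show an auditor that monitoring ran continuously rather than only when something went wrong.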

Data Governance

AI systems are only as trustworthy as the data they learn from and act upon. The standard requires organisations to address data quality, data provenance, representativeness, and the appropriateness of training and operational datasets. This intersects directly with existing obligations under the Australian Privacy Principles and creates a natural integration point with your existing data governance programme.

Transparency and Human Oversight

ISO 42001 mandates that organisations maintain appropriate transparency about their AI systems — both internally (to employees and stakeholders) and externally (to those affected by AI-driven decisions). Human oversight requirements ensure that consequential AI decisions can be reviewed, overridden, and appealed. For high-stakes use cases — credit assessments, recruitment screening, clinical decision support — this is not just a governance checkbox; it is a legal and ethical imperative.

Supplier and Third-Party AI Oversight

Clause 8 extends governance obligations to the supply chain. When your organisation relies on third-party AI systems — a SaaS platform with embedded AI, an AI-enabled recruitment tool, a cloud-based fraud detection engine — you remain accountable for the governance of those systems within your context of use. ISO 42001 requires organisations to assess supplier AI governance practices and embed AI-specific requirements into procurement contracts and vendor due diligence processes.

Annex A Controls and Statement of Applicability

Like ISO 27001's Annex A, ISO 42001 includes a set of reference controls in Annex A that organisations select and apply based on their risk assessment. A Statement of Applicability (SoA) — the document that records which controls apply, which are implemented, and the justification for any exclusions — is a required output. The SoA becomes a key artefact in third-party audits and provides a transparent record of the organisation's AI governance posture.

The Certification Pathway

ISO 42001 certification follows the same three-stage structure used for ISO 27001: a readiness gap assessment, a Stage 1 documentation audit, and a Stage 2 on-site (or remote) assessment conducted by an accredited certification body. Certification is granted for a three-year cycle, with annual surveillance audits.

The certification ecosystem is maturing rapidly. Schellman became the first ISO 42001 certification body accredited by ANAB (ANSI National Accreditation Board) in September 2024, and BSI holds accreditation from both UKAS and ANAB. Major organisations have already demonstrated the pathway is achievable: Amazon Web Services was the first major cloud provider to achieve accredited ISO 42001 certification in November 2024, audited by Schellman. KPMG International was the first Big Four firm to receive certification in December 2024. IBM achieved certification for its Granite open-source AI models, becoming the first major open-source AI model developer to do so. Public estimates suggest more than 350 organisations globally now hold ISO 42001 certificates as of early 2026.

For most organisations, the path to certification takes six to eighteen months depending on the maturity of existing management systems, the complexity of AI use cases in scope, and the availability of internal governance resources.

How ISO 42001 Complements ISO 27001

If your organisation is already certified to ISO/IEC 27001, you have a significant head start. Both standards share the Harmonised Structure, meaning leadership, risk management, internal audit, management review, and continual improvement clauses are structurally identical. Your existing ISMS documentation — policies, risk registers, asset inventories, supplier management procedures — can be extended rather than rebuilt.

The critical difference is scope. ISO 27001 governs the confidentiality, integrity, and availability of information assets. ISO 42001 governs the responsible behaviour of AI systems — fairness, transparency, human oversight, and societal impact. Together, the two standards create a unified governance framework that addresses both the security of your AI systems and the ethical and operational risks they introduce. Integrated audits can assess both simultaneously, reducing the compliance overhead for organisations managing both certifications.

The Australian Context: Regulation is Catching Up

Australian organisations face a rapidly evolving AI regulatory environment. The Voluntary AI Safety Standard, released by the Department of Industry, Science and Resources in September 2024 and updated in December 2025, outlines 10 guardrails for safe and responsible AI across the supply chain — covering accountability processes, risk management, data governance, transparency, and testing. These guardrails closely align with the core controls in ISO 42001.

In October 2025, the National AI Centre introduced the Guidance for AI Adoption — a national framework that evolved the Voluntary AI Safety Standard into six essential practices for responsible AI governance. Simultaneously, Australia consulted on mandatory guardrails for AI in high-risk settings, signalling that voluntary compliance is likely to become a regulatory floor in key sectors.

ISO 42001 certification provides the most defensible evidence that an organisation has operationalised the principles embedded in these frameworks. When mandatory requirements arrive — and in Australia's financial services, healthcare, and critical infrastructure sectors, they likely will — organisations with a functioning AIMS will be substantially better positioned than those scrambling to build governance from scratch.

The Business Case: Trust, Tendering, and Risk Reduction

Beyond regulatory readiness, ISO 42001 delivers concrete commercial and operational value.

Tender and Procurement Advantage

Government procurement guidelines in Australia increasingly require vendors to demonstrate responsible AI practices. Exporters and service providers supplying into the EU — where the EU AI Act is now in force — face mandatory conformity assessments for high-risk AI systems. ISO 42001 certification provides internationally recognised evidence of AI governance maturity that supports both domestic tenders and cross-border market access.

Customer and Stakeholder Trust

Certification signals to customers, partners, and investors that your AI systems are governed by a documented, audited management system — not informal practices or good intentions. As AI literacy improves among buyers and boards, the question is shifting from "does this AI work?" to "can this AI be trusted and held accountable?"

Operational Risk Reduction

The discipline required to achieve certification — conducting impact assessments, documenting lifecycle controls, assessing third-party AI governance — surfaces risks that organisations frequently carry without knowing it. The cost of remediating a biased AI decision after it affects thousands of customers is orders of magnitude greater than the cost of a structured governance programme implemented upfront.

Board and Executive Accountability

In Australia, directors face personal liability exposure under the Corporations Act where organisational failures result from inadequate governance. An AI system that causes material harm — financial, reputational, or regulatory — without evidence of a governance framework in place creates significant director-level risk. ISO 42001 provides that governance evidence.

Practical First Steps for Australian Organisations

Organisations new to ISO 42001 do not need to start with a blank page. The following sequence provides a structured entry point:

  • Inventory your AI systems. Begin with a comprehensive catalogue of every AI-enabled system your organisation operates or procures — including embedded AI in SaaS platforms. Many organisations are surprised by how many AI systems they already use.
  • Conduct a gap assessment. Map your current governance practices against ISO 42001's clauses and Annex A controls. If you hold ISO 27001 certification, leverage your existing ISMS documentation as a foundation. Identify high-priority gaps in AI risk assessment, impact assessment, and supplier oversight.
  • Define your AIMS scope. ISO 42001 allows organisations to scope their AIMS to specific AI systems, business units, or use cases. Starting with your highest-risk or highest-visibility AI applications creates a manageable entry point and demonstrates governance intent early.
  • Establish leadership accountability. The standard requires visible senior leadership engagement. Assign an AI governance lead, establish a cross-functional AI governance committee, and embed AI policy review into your existing management review cycle.
  • Conduct your first AI System Impact Assessment. Prioritise your most consequential AI systems — those affecting individuals' rights, access to services, or financial outcomes — and work through a structured impact assessment. This single exercise typically surfaces more material risk than any other governance activity.
  • Align with the Australian Voluntary AI Safety Standard. Map the 10 guardrails against your gap assessment findings. The overlap with ISO 42001 is significant, meaning a single implementation effort can satisfy both frameworks simultaneously.
  • Engage an accredited certification body early. Pre-certification conversations with bodies such as Schellman or BSI help organisations calibrate the scope of evidence required and avoid rework late in the programme.

Key Takeaways

  • ISO/IEC 42001:2023 is the world's first international AI Management System standard, published December 2023 and applicable to any organisation that develops, deploys, or procures AI.
  • Core requirements include AI policy and governance, AI risk assessment, AI System Impact Assessments, lifecycle controls, data governance, transparency, human oversight, and supplier management — each documented in a Statement of Applicability.
  • The certification ecosystem is established. Over 350 organisations globally hold certificates, including AWS, KPMG International, and IBM. Accredited certification bodies including Schellman and BSI are conducting audits now.
  • ISO 27001-certified organisations have a head start — 50–60% of existing documentation can be leveraged, and integrated audits cover both standards simultaneously.
  • Australia's regulatory landscape is converging on ISO 42001 principles. The Voluntary AI Safety Standard's 10 guardrails closely mirror the standard's requirements, and mandatory guardrails for high-risk AI are under active consultation.
  • The business case is concrete: tender readiness, export market access, customer trust, board-level risk reduction, and operational risk identification before harm occurs.
  • The first step is an inventory and gap assessment — establish what AI systems you operate, map them against ISO 42001, and define a scoped AIMS that is achievable within your current governance maturity.

ISO 42001 represents the shift from AI adoption at any cost to AI adoption that can be governed, audited, and trusted. For Australian organisations, the question is no longer whether to engage with this standard — it is whether to lead or follow. Schedule a GRC Assessment with CyberCorp to understand your current AI governance posture and build a clear path to ISO 42001 readiness. Our AI governance and secure AI deployment services are designed to take organisations from first inventory to certified AIMS.
