ISO/IEC 42001 certification for Australian organisations.

The world's first international standard for artificial intelligence management systems, published December 2023. We guide Australian organisations through every phase of the certification journey, from readiness assessment to certification body audit.

About the standard

Built for

  • Technology & SaaS providers
  • Financial services
  • Healthcare
  • Government agencies
  • Professional services

Standard: ISO/IEC 42001:2023. Integrates with: ISO/IEC 27001 / ISO 9001 / ISO/IEC 27701 / ISO/IEC 38507 / EU AI Act

What ISO 42001 covers.

The first international standard providing requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System. Applies to any organisation that develops, provides, or uses AI. Follows the Annex SL high-level structure shared with ISO 27001 and ISO 9001.

  1. AI policy and objectives.

     Organisational commitment to responsible AI with measurable objectives aligned to business strategy, stakeholder expectations, and Australian regulatory requirements.

  2. Risk assessment.

     Systematic identification, analysis, and treatment of risks throughout the AI lifecycle. Includes machine learning model bias, data governance failures, and unintended outcomes from generative AI.

  3. Impact assessment.

     Evaluation of potential impacts on individuals, groups, communities, and society. Fairness, transparency, accountability, and the ethical implications of deploying AI in high-stakes decisions.

  4. AI system lifecycle.

     Controls for design, development, verification, deployment, operation, monitoring, and retirement. Covers machine learning models, generative AI, and automated decision-making.

  5. Third-party management.

     Requirements for managing AI components, models, and services sourced from third-party providers. Vendor due diligence, contractual obligations, data governance controls, and ongoing monitoring.

  6. Performance evaluation.

     Monitoring, measurement, analysis, internal audit, and management review of the AI management system. Continuous improvement with evidence of governance effectiveness.

Why certify against ISO 42001.

Over 100 organisations globally have certified since the standard was published in December 2023, including Microsoft, AWS, IBM, Google Cloud, and Anthropic. A major Australian professional services firm was among the earliest, certified by BSI in October 2024.

  1. Demonstrate commitment to responsible AI.

     Independent, third-party validation of your management system. The strongest available evidence of responsible AI practices for customers, regulators, and stakeholders.

  2. First-mover advantage.

     Early certification positions your organisation ahead of competitors. Certification is rapidly becoming a procurement baseline for enterprise customers and government tenders.

  3. Regulatory alignment.

     Aligns with Australia's Voluntary AI Safety Standard, supports APRA CPS 230 operational risk management, and maps to ASIC expectations for AI governance. Provides a strong foundation for EU AI Act compliance.

  4. Customer and procurement requirements.

     Enterprise customers and government procurement teams increasingly require AI governance assurance from suppliers. Certification positions you to win contracts that demand documented risk management maturity.

  5. Continuous improvement.

     The management system approach embeds ongoing improvement into governance. Annual surveillance audits and recertification every three years reinforce discipline rather than treating ISO 42001 as a point-in-time assessment.

Clauses 4 through 10. The mandatory requirements.

ISO/IEC 42001:2023 follows the Annex SL high-level structure shared with ISO 27001 and ISO 9001. Clauses 4 to 10 define what every organisation must satisfy to certify.

CL 4
Context of the organisation.

Identify internal and external factors affecting AI objectives, understand stakeholder needs (regulators, customers, employees), determine AIMS scope, and define which systems fall in scope. In Australia, that means mapping to APRA, ASIC, and Privacy Act obligations.

CL 5
Leadership.

Top management must demonstrate leadership and commitment, establish an AI policy, assign roles and responsibilities, and resource the system. For Australian businesses, this means aligning board-level AI governance with the Financial Accountability Regime and directors' duties under the Corporations Act 2001.

CL 6
Planning.

Plan actions to address risks and opportunities, set measurable AI objectives, and plan for changes. This clause drives the risk management approach that underpins the entire standard, including machine learning bias, data governance gaps, and generative AI risks. Clause 6.1.3 (AI risk treatment) requires the organisation to determine the controls needed to treat the risks it has identified, compare them against the Annex A reference controls, and record the result in a Statement of Applicability.

CL 7
Support.

Resources, competence, awareness, communication, and documented information. People working under the AIMS must be competent, aware of the AI policy, and supported by controlled documentation. Drives training programmes, data governance processes, and audit documentation.

CL 8
Operation.

The core operational clause covering AI risk assessment, risk treatment, and system impact assessment. Implement Annex A controls, manage the AI system lifecycle from design through retirement, oversee third-party AI providers. Most implementation effort is concentrated here.

CL 9 & 10
Evaluation and improvement.

Clause 9 requires monitoring, measurement, internal audit, and management review. Clause 10 mandates continual improvement and corrective action for nonconformities. Together they create the cycle that distinguishes ISO 42001 from one-off assessments.

Annex A and Annex B. The AI-specific controls.

ISO 42001 includes four annexes that provide the AI-specific controls and guidance that distinguish this standard. Annex A defines 38 reference controls under nine control objectives, each assessed for applicability in a Statement of Applicability. Annex B provides implementation guidance for those controls; Annex C lists AI-related organisational objectives and risk sources; Annex D describes use of the AIMS across domains and sectors, including integration with other management system standards.

Annex A

38 AI-specific controls under nine control objectives.

Organised across nine categories covering every aspect of responsible AI governance. Organisations must assess each control's applicability and justify inclusions and exclusions in a Statement of Applicability.

  • Policies for AI systems and internal organisation
  • Resources, competence, and training for AI systems
  • AI system lifecycle controls (design through retirement)
  • Data governance, data quality, and data privacy controls
  • Third-party and customer relationship management
  • Human oversight, transparency, and disclosure

Annex B, C & D

Implementation guidance.

Annex B operationalises each Annex A control with implementation guidance. Annex C lists potential AI-related organisational objectives and risk sources. Annex D covers use of the AIMS across domains and sectors, including integration with ISO 27001, ISO 27701, and ISO 9001.

  • Data quality assessment and governance processes
  • Practical AI risk assessment and treatment approaches
  • Model validation and testing for machine learning
  • Impact assessment for high-risk AI applications
  • Third-party AI supplier management and contracts
  • Risk sources (Annex C) and standards integration (Annex D)

How certification maps to Australian regulators.

Australia does not yet have comprehensive AI legislation. Existing law applies to AI on a sector-by-sector basis. ISO 42001 is the structured management system framework that demonstrates responsible governance across overlapping obligations.

01
APRA CPS 230 and the Financial Accountability Regime.
Status: In force

CPS 230 Operational Risk Management, in force from 1 July 2025, requires APRA-regulated banks, insurers, and superannuation trustees to manage operational risk, including risks arising from technology such as AI and from material service providers. The Financial Accountability Regime makes senior executives personally accountable for the areas they oversee. ISO 42001 provides the management system that evidences systematic AI risk management, third-party oversight, and operational resilience.

02
Privacy Act and automated decision-making.
Status: Dec 2026

Privacy Act amendments require automated decision-making transparency from 10 December 2026: privacy policies must describe the kinds of personal information used in, and the kinds of decisions made by, computer programs that could reasonably be expected to significantly affect an individual's rights or interests. ISO 42001's impact assessment and transparency controls address these requirements directly.

03
EU AI Act readiness and global markets.
Status: Aug 2026

Australian businesses exporting AI or serving European clients must prepare for EU AI Act obligations, most of which apply from 2 August 2026. ISO 42001 provides a strong foundation for the Act's risk management, transparency, and data governance requirements. Certification does not guarantee EU AI Act compliance, but it demonstrates the systematic approach European regulators expect.

04
Voluntary AI Safety Standard and 8 AI Ethics Principles.
Status: Voluntary

Australia's Voluntary AI Safety Standard defines 10 guardrails for responsible AI. ISO 42001 operationalises these guardrails through a formal management system. Certification demonstrates alignment with the 8 AI Ethics Principles and positions businesses to meet the proposed mandatory guardrails for high-risk AI.

05
ASIC AI governance expectations.
Status: Published (REP 798, October 2024)

ASIC REP 798 reviewed 624 AI use cases across 23 financial services licensees and found governance arrangements lagging AI adoption, with gaps in consumer fairness, algorithmic bias, and AI disclosure. ISO 42001 certification provides an independently verified management system that evidences the governance arrangements ASIC expects.

The certification journey.

Typical timelines run 6 to 12 months depending on scope and maturity. Organisations with existing ISO 27001 or ISO 9001 management systems certify faster; in some cases, with focused effort, an organisation can be audit-ready in 6 to 8 weeks.

  1. Readiness assessment and gap analysis.

     Current AI governance maturity is assessed against all ISO 42001 requirements. Gaps are identified across Clauses 4 to 10 and the Annex A controls, with severity ratings, remediation priorities, and effort estimates.

  2. Scope definition and planning.

     Define which systems, machine learning models, generative AI applications, business processes, and organisational units the AIMS will cover. Scope balances meaningful governance with practical implementation, and we advise on phased scope expansion.

  3. AIMS design and implementation.

     Develop and implement all required components: AI policy, risk assessment framework, risk management processes, Annex A controls, data governance procedures, third-party management protocols, and monitoring mechanisms. Existing ISO 27001 or ISO 9001 systems are integrated to avoid duplication.

  4. Documentation development.

     Mandatory documentation that certification bodies require: AI policy, Statement of Applicability, risk assessment records, impact assessment procedures, control documentation, competence framework, and evidence of management system operation. Every document is tailored, not templated.

  5. Internal audit and management review.

     Internal audits verify the management system is operating effectively and identify nonconformities before the certification audit. Management review demonstrates leadership engagement and continuous improvement. Corrective action plans are prepared and closure verified.

  6. Certification audit support.

     The Stage 1 audit verifies that AIMS documentation meets requirements. The Stage 2 audit verifies that the management system operates as documented. We support your team through both stages and help resolve any nonconformities identified.

Certification bodies operating in Australia.

ISO 42001 certification is provided by accredited certification bodies. We help you select the right body based on industry, geographic footprint, and existing certifications, and prepare your team for their specific audit process.

  • BSI (British Standards Institution): first globally accredited
  • DNV (Det Norske Veritas): RvA accredited
  • SAI Global: JAS-ANZ accredited
  • Bureau Veritas: global presence
  • SGS: certified Changi Airport

Start your ISO 42001 certification journey.

Schedule a consultation to discuss certification goals, understand the pathway, and learn how we can help your organisation become one of Australia's certified responsible AI leaders. Whether building from scratch or extending existing management systems, we deliver the solutions to get you audit-ready.
