ISO/IEC 42001 certification, tailored for New Zealand organisations.

New Zealand has no mandatory AI regulation. When clients, partners, or government agencies ask how your organisation governs AI, what do you point to? ISO/IEC 42001 gives you a verifiable answer, and our team takes you from first maturity assessment to a successful audit with an accredited body in Auckland, Wellington, or Christchurch.

View the journey

Built for

Government suppliers · Fintech and financial services · Healthcare and research · AI and tech companies
Aligned with: ISO/IEC 42001:2023 / Privacy Act 2020 / Te Tiriti o Waitangi / Public Service AI Framework / OECD AI Principles / Standards New Zealand

What you walk away with.

Full certification journey

Complete AIMS documentation

AI policy, risk assessment procedures, impact assessment templates, control documentation, and operational records tailored to NZ regulation.

Treaty-aware risk framework

Risk methodology with Te Tiriti-informed impact assessment procedures and Privacy Act 2020 mapping integrated throughout.

Annex B control implementation

Full implementation of applicable controls covering AI system lifecycle, data governance, transparency, third-party management, and human oversight.

Internal audit programme

Audit checklists, schedules, and team training so you can run your own surveillance programme after certification. We build internal capability, not dependency.

The proof gap in New Zealand's AI landscape.

Without mandatory AI regulation, NZ organisations face a credibility problem. Everyone claims to use AI responsibly. Very few can prove it. The right controls separate the credible from the aspirational.

  1. 01
    Voluntary market

    Lead in a market where certification is a choice.

    New Zealand operates a voluntary adoption model for AI governance. Callaghan Innovation supports international standards development and the NZ National Mirror Committee for AI tracks global frameworks, but nothing forces compliance. Certification is a strategic choice. Organisations that make it stand apart from businesses that rely on self-assessment alone, from Auckland startups to established Wellington IT firms.

  2. 02
    Government procurement

    Win government contracts.

    The Public Service AI Framework sets expectations for AI use in government. Agencies increasingly favour suppliers who can demonstrate structured governance. ISO 42001 certification provides that evidence in a format procurement teams recognise and trust. A self-assessment document no longer satisfies due diligence.

  3. 03
    International credibility

    Satisfy international partners.

    EU partners are thinking about AI Act compliance. Australian partners are aligning with their Voluntary AI Safety Standard. When international clients evaluate your AI practices, ISO 42001 is the universal language they understand. It removes friction from cross-border partnerships.

  4. 04
    Regulation is coming

    Prepare before regulation arrives.

    The question is not whether New Zealand will formalise AI governance requirements, but when. The OECD AI Principles already inform the Public Service AI Framework, and the National AI Strategy signals a maturing regulatory direction. Organisations that certify now build the systems, processes, and culture needed to meet future regulation without scrambling.

  5. 05
    Privacy alignment

    Privacy Act and AI governance as one system.

    The Privacy Act 2020 already governs how personal data is collected and used, and most AI systems process personal data. ISO 42001 builds a management system that maps directly to Privacy Act obligations, creating a unified governance approach rather than two parallel compliance efforts.

Tailored to Aotearoa's legal and cultural context.

ISO 42001 is an international standard, but the way our team implements it is shaped entirely by New Zealand's legal, cultural, and regulatory environment.

Mapping

Privacy Act 2020

We map ISO 42001 controls directly to Privacy Act 2020 information privacy principles. Your AIMS documentation addresses data collection, purpose limitation, and individual access rights as integrated compliance requirements, not afterthoughts. This unified approach ensures privacy and AI governance work as one system.

Cultural

Te Tiriti o Waitangi

AI systems that affect Māori communities carry specific obligations grounded in te ao Māori. Our team incorporates Te Tiriti o Waitangi principles into your AI Management System, ensuring impact assessments account for Māori data governance, tino rangatiratanga over data, equitable outcomes, and meaningful consultation aligned with kaitiakitanga.

Public sector

Public Service AI Framework

For government agencies and their suppliers, we ensure your AIMS aligns with the expectations of the Public Service AI Framework. This means your certification directly supports government procurement requirements and positions you as a trusted public sector partner.

Standards body

Standards New Zealand

ISO/IEC 42001:2023 is available through Standards New Zealand. We stay connected to the NZ National Mirror Committee for AI to ensure our implementation approach reflects the latest guidance and interpretation relevant to New Zealand organisations.

Your ISO 42001 certification journey.

Six phases, typically 6 to 12 months, from your first conversation with our team to a successful Stage 2 audit. Organisations with existing ISO management systems move faster within that range.

  1. 01

    Maturity baseline

    We evaluate where your organisation stands today. Not just against ISO 42001 clauses, but against New Zealand's regulatory expectations, including Privacy Act 2020 alignment, Public Service Framework compatibility, OECD AI Principles, and Te Tiriti o Waitangi considerations. You receive a scored assessment with a clear picture of the distance to certification.

  2. 02

    Scope and strategy

    Which AI systems, teams, and processes will the certification cover? We help you define a scope that is meaningful to auditors and valuable to your business. For NZ organisations serving government, we ensure the scope addresses Public Service Framework requirements and aligns with your broader governance approach.

  3. 03

    Build the management system

    Our team develops your AI policy, risk management methodology, impact assessment procedures, and Annex B controls. Every component is tailored to your operating context, whether you are an Auckland fintech meeting FMA expectations, a Christchurch manufacturer, or a Wellington government supplier building procurement-ready controls.

  4. 04

    Documentation and evidence

    Auditors need evidence that your system works, not just that it exists on paper. We create the mandatory documentation, including policies, procedures, risk registers, and control records, and coach your teams to generate the operational evidence that auditors look for during Stage 2.

  5. 05

    Pre-certification audit

    Before your certification body arrives, we run a full internal audit using the same criteria they will apply. Any non-conformances are identified and resolved. Your team practises responding to audit questions. No surprises on the day.

  6. 06

    Certification body engagement

    We help you select an accredited certification body with NZ presence. BSI, Bureau Veritas, and DNV all operate in Auckland, Wellington, and Christchurch. We support you through Stage 1 (documentation review) and Stage 2 (implementation audit), and handle any findings that require resolution.

Who benefits most from certification.

ISO 42001 is relevant to any organisation developing, deploying, or procuring AI. For these NZ organisations, certification delivers outsized value.

01

AI and tech companies.

Auckland's growing tech hub, SaaS providers, and AI startups looking to prove governance maturity to investors and enterprise clients.

02

Fintech and financial services.

Organisations using AI for credit decisions, fraud detection, or customer analytics where governance is a competitive requirement.

03

Healthcare and research.

Organisations deploying AI in clinical decision support, diagnostics, or health research where trust and safety are non-negotiable.

04

Government suppliers.

IT companies and consultancies that supply AI-powered solutions to NZ government agencies and need to demonstrate Public Service Framework alignment.

Common questions about ISO 42001 in New Zealand.

Is ISO 42001 certification mandatory in New Zealand?

No. New Zealand operates a voluntary adoption model for AI governance standards. There is no legislation requiring ISO 42001 certification. However, the voluntary nature is precisely what makes certification valuable. It differentiates organisations that choose to demonstrate governance maturity from those that simply claim it.

How does ISO 42001 align with the Privacy Act 2020?

ISO 42001 requires controls for data management, transparency, and individual rights, all of which overlap significantly with Privacy Act obligations. During implementation, we map the 13 information privacy principles to relevant AIMS controls so your AI governance and privacy compliance operate as a single integrated system rather than parallel efforts.

How do Te Tiriti o Waitangi obligations fit into an AIMS?

The ISO 42001 impact assessment process provides a natural framework for addressing Treaty considerations. We incorporate Māori data sovereignty principles, equitable outcome analysis, and consultation requirements into the impact assessment methodology. For organisations serving government or working with Māori communities, these considerations become embedded governance requirements within the management system.

Will certification help us win government contracts?

The Public Service AI Framework sets clear expectations for how government agencies should govern AI. While certification is not a formal procurement requirement, it provides strong evidence of governance maturity that procurement evaluators value. Certified organisations can point to an independently verified system rather than relying on self-assessment claims.

What is the certification landscape in New Zealand?

Accredited certification bodies including BSI, Bureau Veritas, and DNV operate in New Zealand with presence in Auckland, Wellington, and Christchurch. Standards New Zealand distributes ISO/IEC 42001:2023, and training courses including ISO 42001 Implementation, Lead Auditor, and Foundation programmes are available through accredited providers. Callaghan Innovation supports New Zealand's participation in international AI standards development.

Can we integrate ISO 42001 with existing management systems?

Yes. ISO 42001 uses the Harmonised Structure (Annex SL) common to all modern ISO management system standards. If you already hold ISO 27001, ISO 9001, or ISO 14001, significant elements (leadership commitment, risk management, internal audit, management review) can be integrated. This reduces duplication and accelerates the certification timeline.

Related services.

Certification is one route. These services either sit underneath it or alongside it.

01
AI governance consulting
Programme design
02
AI risk assessment
Risk methodology
03
Privacy Act 2020 compliance
Integrated approach

Start your ISO 42001 certification in New Zealand.

Find out where your organisation stands against ISO 42001 requirements. We will assess your current maturity, map the work ahead, and give you a realistic timeline to certification.

Or explore governance consulting

Get in Touch