ISO/IEC 42001:2023
ISO/IEC 42001:2023 is the world's first internationally certified management system standard specifically for artificial intelligence. Published by the International Organization for Standardization and the International Electrotechnical Commission in December 2023, it specifies requirements for establishing, implementing, maintaining and continually improving an Artificial Intelligence Management System (AIMS) within any organisation.
The standard uses the familiar Plan-Do-Check-Act management system methodology also used by ISO 27001 (information security), ISO 9001 (quality management) and ISO 14001 (environmental management), making it straightforward to integrate with existing management systems. It includes 38 specific controls organised across areas including AI policy, risk assessment, data management, AI system impact assessment, resource management and continual improvement.
ISO 42001 is certifiable, meaning organisations can engage accredited third-party certification bodies to audit their AIMS and issue a certificate of conformance. This makes it distinct from most AI governance frameworks and particularly valuable for organisations that need to demonstrate AI governance credibility to clients, regulators, investors or partners through an independent, verifiable credential.
Our take on this
ISO 42001 is what moves AI governance from aspiration to demonstration. The management system approach—establish, implement, maintain, improve—is one that organisations already understand from information security and quality management. That familiarity matters because it means you can embed AI governance into existing organisational infrastructure rather than creating something entirely parallel and new. If you have ISO 27001, your management system infrastructure—policies, risk registers, internal audit programs, management reviews—is directly reusable.
The certification piece is significant. In a world where everyone claims to do 'responsible AI', ISO 42001 certification is the credential that distinguishes demonstrated governance from stated intention. Third-party auditors apply consistent criteria, the certificate has a defined scope and recertification cycle, and it's internationally recognised. For procurement, tendering and investor due diligence, it provides a level of assurance that self-assessment frameworks cannot match.
Why this matters for Australian organisations
Organisations already certified to ISO 27001 have most of the management system infrastructure required for ISO 42001—documentation, audit cycles, risk management processes and governance structures are largely transferable. For these organisations, 42001 certification is an incremental investment with disproportionate credibility returns.
The alignment between ISO 42001 and Australia's Voluntary AI Safety Standard is explicit and deliberate—the Standard was designed with ISO 42001 in mind. Implementing ISO 42001 simultaneously satisfies most of the Standard's requirements, creating a single governance investment with both domestic and international returns. As Australian mandatory AI requirements develop, ISO 42001 certification will likely be recognised as evidence of compliance, similar to how ISO 27001 is recognised in privacy and cybersecurity regulatory contexts.
For organisations dealing with international clients—particularly in Europe, where the EU AI Act's conformity assessment requirements for high-risk AI systems reference ISO standards—ISO 42001 alignment is increasingly becoming a commercial requirement rather than a nice-to-have.
Practical steps for adoption
- If you have ISO 27001, conduct a gap analysis between your existing management system and ISO 42001 requirements—the overlap is substantial and the gap is likely smaller than you expect.
- Start with the ISO 42001 AI system impact assessment process for your highest-risk AI applications as a bounded, practical initial implementation.
- Engage an accredited ISO 42001 certification body early to understand their scope interpretation and audit approach—this shapes how you structure your AIMS.
- Map your ISO 42001 controls against Australia's Voluntary AI Safety Standard guardrails to ensure domestic alignment alongside international certification.
- Build AI governance into your existing management review cycle rather than creating a separate process—integration is more sustainable than parallel systems.
Ready to transform your AI strategy?
Partner with Australia's AI strategy and governance specialists. From adoption roadmaps to ISO 42001 audit readiness.