ISO 42001 for AI: What the Standard Actually Requires vs What Vendors Claim
ISO 42001 was published in December 2023 as the first international standard for AI management systems. It provides a framework for how organisations should govern, develop, deploy, and manage AI systems responsibly. In the twelve months since its publication, it has acquired a secondary context: a marketing claim for GRC software vendors who have added it to their compliance frameworks and suggested to customers that mapping controls in a platform is equivalent to implementing the standard. It is not.
Cyberlinx holds ISO 42001 Lead Implementer certification and has worked through what genuine implementation involves. The gap between what vendors often describe and what the standard actually requires is meaningful. This article explains what ISO 42001 genuinely demands, where the common misrepresentations occur, and what a real implementation programme looks like for an Australian organisation.
What ISO 42001 Actually Covers
ISO 42001 is a management system standard, which means it follows the same high-level structure as ISO 27001, ISO 9001, and other management system standards. It requires an organisation to establish, implement, maintain, and continually improve an AI management system (AIMS). The scope includes policies, risk assessment processes, roles and responsibilities, objectives, monitoring, audit, and management review. These are the same bones as other management system standards.
What makes ISO 42001 distinct is the domain-specific content. Annex A includes 38 controls organised across nine control objectives, covering AI policies, internal organisation, resources for AI systems, assessing AI system impacts, AI system life cycle management, and AI systems procured from or provided to third parties. Annex A is normative; Annexes B through D are informative and provide implementation guidance rather than additional requirements. A genuine implementation requires substantive engagement with the control objectives and the underlying intent of each control, not just a policy library and a completed control checklist.
Where Vendor Claims Diverge From Reality
GRC platform vendors typically represent ISO 42001 compliance as a matter of mapping controls, completing policy templates, and collecting evidence against a checklist. These activities are part of implementation, but they are not sufficient on their own. The standard requires that controls are appropriate to the specific AI systems in scope, that risk assessment informs control selection, and that the management system is actually operated over time, not just documented.
The AI system impact assessment requirement is where the gap between vendor claims and genuine implementation is most visible. ISO 42001 requires organisations to assess the potential impacts of their AI systems on individuals, groups, and society. This is not a checkbox exercise. It requires engagement with the specific characteristics of each AI system: what data it uses, what decisions it influences, what populations it affects, and what happens when it fails or is misused. A vendor platform can provide a template for this assessment. It cannot do the assessment for you, and an organisation that has completed a template without genuinely working through the assessment questions has not met the standard's requirements.
What a Real Implementation Programme Looks Like
A genuine ISO 42001 implementation starts with an AI system inventory. You cannot manage what you have not identified, and many organisations discover during implementation that their AI system footprint is broader than they expected, including third-party services with AI components that were procured without formal AI governance review. The inventory drives everything else: scope definition, risk assessment, impact assessment, and control selection.
From the inventory, the implementation proceeds through policy development, risk assessment, impact assessment for each in-scope AI system, control implementation informed by the assessment findings, and then the operational elements: monitoring, audit, management review, and continual improvement. A first-time implementation typically takes four to six months for an organisation with moderate AI system complexity, and it requires active participation from technical, legal, privacy, and business stakeholders. It cannot be delegated entirely to a GRC platform administrator. If you are planning an ISO 42001 certification audit, your certification body will test the substance of your management system, not just whether you can demonstrate a completed control checklist.
- ISO 42001 is a management system standard -- it requires a functioning AIMS, not just documented controls
- Annex A has 38 controls across nine control objectives and is the normative control set; Annexes B to D are informative guidance
- AI system impact assessment requires genuine engagement with each system's specific characteristics
- GRC platforms provide useful structure but cannot substitute for the substantive work of implementation
- An AI system inventory is the necessary starting point -- scope cannot be defined without it
- First-time implementation typically takes four to six months with active cross-functional participation
Cyberlinx delivers ISO 42001 implementation programmes for Australian organisations. We have the certification, the implementation experience, and the hands-on AI security capability to address both the governance and technical dimensions of the standard. Contact us at info@cyberlinx.com.au to discuss what implementation looks like for your organisation.
Related Articles







