ISO 42001: What the AI Management System Standard Requires and Who Needs to Comply
ISO 42001 was published in December 2023 as the first international standard for AI management systems. It follows the same High Level Structure used by ISO 27001 and ISO 9001, which means organisations that already operate a management system under either of those standards will find the structure familiar. The standard addresses the governance, risk management, and operational requirements for organisations that develop, deploy, or use AI systems, and it is designed to be applicable regardless of the type or scale of AI in use.
Interest in ISO 42001 in Australia has grown quickly, driven partly by AI governance questions from boards and audit committees and partly by customer and regulatory expectations beginning to form around AI risk management. This article explains what the standard requires and how to think about whether and when it is relevant to your organisation.
Who ISO 42001 Applies To
ISO 42001 is designed for organisations that develop AI systems, organisations that deploy AI systems developed by others, and organisations that are significant consumers of AI outputs in decision-making processes. The standard is intentionally broad in scope. An organisation that uses AI to automate credit decisions, triage support tickets, or generate content for external publication is within the intended scope of the standard.
The standard does not mandate certification. There is no regulatory body in Australia that currently requires ISO 42001 compliance, though that position is evolving. The value of the standard is in its structure: it provides a documented, auditable management system framework for AI governance at a time when most organisations are managing AI risk informally. For organisations that face procurement questionnaires about AI governance, regulatory inquiry, or board-level scrutiny of AI risk, having a structured programme aligned to an international standard provides a defensible position.
What the Standard Requires
ISO 42001 requires organisations to establish an AI management system that covers four broad areas. The first is organisational context and AI policy, which requires the organisation to define its position on AI use, development, and governance, and to assign accountability for AI risk management at the leadership level. The second is risk and impact assessment, which requires the organisation to identify the AI systems in scope, assess the risks and potential impacts of those systems, and document treatment decisions.
The third area is operational controls, which covers the specific requirements for how AI systems are developed, deployed, monitored, and decommissioned. This includes requirements for data quality, testing, validation, and the management of changes to AI systems. The fourth area is performance evaluation and continual improvement, which requires the organisation to measure how well its AI management system is working and to have a process for identifying and addressing gaps. These four areas map to the Plan-Do-Check-Act cycle familiar from ISO 27001.
How ISO 42001 Relates to ISO 27001
ISO 42001 and ISO 27001 address different but overlapping areas of risk. ISO 27001 addresses the confidentiality, integrity, and availability of information. ISO 42001 addresses the broader risks associated with AI systems, which include but extend beyond information security to cover fairness, transparency, accountability, and the potential for AI to produce harmful outputs or decisions. An organisation can be ISO 27001 certified and have significant AI governance gaps that ISO 27001 does not address.
The two standards are designed to be integrated. Because both use the High Level Structure, the management system elements, such as policy, risk assessment, objectives, and management review, can be integrated into a single management system rather than maintained separately. An organisation pursuing both certifications can combine their internal audit programmes, management reviews, and continual improvement processes. The Annex A controls in each standard are distinct and address different subject matter, so the control programmes are separate, but the management system infrastructure that supports both can be shared. This reduces the overhead of maintaining two separate certifications significantly.
When to Consider ISO 42001
For most Australian organisations, ISO 42001 is not yet a regulatory requirement. The question is whether the business case for a structured AI management system exists on other grounds. Three scenarios make it worth pursuing. First, if you are a technology company selling AI-powered services and your customers are beginning to ask about AI governance in procurement. Second, if you are in a regulated sector where AI is used in consequential decisions and regulators are beginning to signal expectations around AI risk management. Third, if your board or audit committee has identified AI risk as a material issue and wants a structured programme to govern it rather than ad hoc management.
For organisations that are not yet ready for formal ISO 42001 certification but want to address AI governance, the standard is publicly available and can be used as a programme design framework without pursuing certification. Implementing the core elements of context, risk assessment, operational controls, and monitoring against the standard provides a defensible structure and positions the organisation to move toward certification when the business case strengthens. To discuss ISO 42001 readiness and how it fits alongside your existing management system, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







