ISO/IEC 42001: AI Management System

World's first AI Management standard

Deploy AI safely. Win trust. Prove AI Governance.

ISO/IEC 42001 is the world's first AI management system standard — the framework boards, regulators and enterprise buyers are now asking for before they'll trust your AI. Get ahead with fixed-fee certification, UKAS accredited.

35K+ Global clients
30K+ Certifications issued
30+ Years of experience
UKAS Accredited partner
ISO/IEC 42001:2023

AI Management System

Board, regulator & buyer recognised.

Responsible AI governance built in
Aligned with EU AI Act & NIST AI RMF
Bias, risk & lifecycle controls
First-mover edge in enterprise AI
Typical timeline 14–18 weeks
// why 42001 / why now

Australia's AI accountability reckoning is here

From the Voluntary AI Safety Standard to procurement-mandated assurance questionnaires, organisations deploying AI in Australia now face real scrutiny. ISO/IEC 42001 is the management system that turns "trust us" into auditable evidence.

Voluntary AI Safety Std

Australia's 10 guardrails

The Department of Industry's Voluntary AI Safety Standard sets 10 guardrails for responsible AI. ISO 42001's clauses map cleanly, giving you a single evidence base for both.

Procurement

Tender-ready AI assurance

Federal, state and enterprise buyers are adding AI governance questions to RFPs. Certification answers them in one line instead of 40 pages of bespoke attestations.

Board Duty

Director-level AI risk

AICD guidance now flags AI as a board-level risk. ISO 42001 delivers the governance, roles, policies and review cadence directors need to discharge their duties.

Privacy Act reform

Automated decisions under scrutiny

Privacy Act reforms target automated decision-making transparency. ISO 42001's impact assessment and lifecycle controls help you prove fairness, explainability and recourse.

Global

EU AI Act adjacency

If you sell into Europe or via multinational supply chains, EU AI Act obligations are already cascading down. ISO 42001 is the de-facto compliance vehicle being adopted globally.

Pairs with 27001

Stack with InfoSec

Already have ISO 27001? ISO 42001 uses the same Annex SL structure — reuse your governance, risk register and internal audit programme for a ~40% leaner implementation.

// the 42001 lifecycle

End-to-end AI governance in six moves

ISO 42001 wraps your AI programme — from policy to deployment to retirement — in a Plan-Do-Check-Act cycle. It works whether you're building models, procuring them, or embedding third-party AI in your products.

01

Context & Leadership

Define AI use, roles, accountability & board oversight.

02

Policy & Objectives

Set your AI principles and measurable objectives.

03

Risk & Impact

Assess AI risk — bias, safety, explainability, privacy.

04

Controls

Implement Annex A controls across the AI lifecycle.

05

Monitor & Audit

Measure, internal audit, management review.

06

Improve

Close incidents, update controls, continual improvement.

Annex A.2

AI policies & governance roles

Annex A.5

AI impact & risk assessment

Annex A.6

AI system lifecycle management

Annex A.7

Data governance for AI

Annex A.8

Information for interested parties

Annex A.9

Third-party & supplier AI

// who this is for

If you build, buy, or embed AI — this is for you

ISO 42001 is designed to fit any organisation using AI in any capacity — from a single chatbot to a full ML platform. Here's where we see strongest demand in Australia right now.

🏦

Banks & Fintech

Credit decisions, fraud models, customer-facing AI.

🏥

Healthcare & MedTech

Diagnostic AI, clinical decision support, triage tools.

🏛️

Government & Councils

Automated decision-making in services & compliance.

☁️

SaaS & Platforms

Products embedding LLMs or AI features at scale.

🛒

Retail & E-commerce

Recommendation engines, dynamic pricing, ad targeting.

📚

Education

Student analytics, plagiarism detection, tutoring AI.

⚙️

Manufacturing

Predictive maintenance, quality control, robotics.

📞

BPO & Call Centres

Voice AI, agent assist, speech analytics.

// profile.a

You're building AI

  • In-house ML models or fine-tuned LLMs
  • Data science team shipping to production
  • Need auditable model lifecycle evidence
  • Facing procurement AI assurance questions
  • Want to sell AI-powered products globally
// profile.b

You're deploying AI

  • Using third-party AI or SaaS with AI features
  • Need policy & risk framework for safe use
  • Staff using ChatGPT, Copilot & similar
  • Want board-level comfort & director cover
  • Responding to customer or regulator queries
First AI management system standard in the world
trust ↑ risk ↓ speed ↑
// why certify

Turn AI uncertainty into a competitive edge

Early movers on AI governance are already winning larger deals, closing enterprise contracts faster and defending against AI-related incidents with confidence. ISO 42001 is the credential that signals you've got it under control.

  • Win procurement & enterprise contracts
  • Satisfy AI assurance questionnaires fast
  • Reduce AI-related legal & reputational risk
  • Give your board defensible governance
  • Demonstrate fairness, safety & explainability
  • Align with Voluntary AI Safety Standard
  • Accelerate safe AI adoption internally
  • Pair with ISO 27001 for full coverage
// the imsm process

Your path to ISO 42001, shipped as a plan

Fixed-fee. Fixed timeline. One Australian assessor from discovery to certificate. Here's how we execute it.

01 →
scoping() Discovery call
Understand your AI use, organisation size and regulatory context. Agree scope and timeline.
02 →
gapAnalysis() Current state
Assess existing AI policies, risk practices and controls against all ISO 42001 clauses.
03 →
impactAssessment() AI risk
Impact assessments for each AI system — bias, fairness, safety, privacy, explainability.
04 →
documentation() Policies & SoA
AI policy, objectives, Statement of Applicability, lifecycle procedures and supplier clauses.
05 →
implement() Roll-out & training
Embed controls into your AI lifecycle, MLOps and procurement. Train teams on the new norms.
06 →
internalAudit() Evidence check
We run internal audit and management review so your external audit is a formality, not a scramble.
07 →
certify() UKAS-accredited
We guide you through stage 1 and stage 2 external audits to a recognised ISO 42001 certificate.
Typical timeline: 5–9 months · Fixed fee, no scope creep, no hourly billing · Australian assessor assigned for the full journey.
// prompts.faq

Everything you want to know, nothing more

We don't build AI — we just use ChatGPT and Copilot. Is ISO 42001 for us?

Yes — arguably even more so. ISO 42001 applies to organisations that use AI, not just build it. If your staff are feeding data into third-party AI tools, or your SaaS vendors have embedded AI features, you have governance, privacy and accountability obligations. ISO 42001 gives you the framework.

How is ISO 42001 different from ISO 27001?

ISO 27001 secures your information. ISO 42001 governs your AI. They share the same Annex SL backbone, so if you already have 27001 you'll reuse leadership, risk, internal audit and management review clauses — typically cutting 42001 implementation effort by 30–40%.

Is ISO 42001 legally required in Australia?

Not yet — but it's the standard Australian government and industry are converging on. The Voluntary AI Safety Standard explicitly references ISO 42001, and federal procurement is starting to ask for it. Certifying now puts you ahead of the curve before it becomes mandatory (as happened in the EU).

What does certification cost?

Cost depends on organisation size and the number of AI systems in scope. IMSM works on a transparent, all-inclusive fixed fee — you'll know the full cost after a short discovery call, with no hourly surprises later.

Can we certify if we only use one AI system?

Absolutely. ISO 42001 scales — from a single AI feature to a full ML platform. Scope is defined in your Statement of Applicability, so small deployments don't need enterprise-scale overhead.

How long does it take?

5–9 months is typical, depending on size and existing maturity. Organisations that already hold ISO 27001 often finish in 4–6 months.

Is the certification recognised internationally?

Yes — IMSM delivers UKAS-accredited ISO 42001 certification. This is recognised globally, including by EU regulators tracking AI Act compliance and by multinational procurement teams.

AUS AI COMPLIANCE, FIXED-FEE

Ready to turn "we use AI responsibly" into a certificate?

Book a free discovery call with IMSM Australia. We'll map your AI footprint against ISO 42001, quote a fixed fee, and walk you through realistic timelines — no pressure, no upsell.

  • run: discovery_call() → free, 30 min
  • quote: fixed_fee() → all-inclusive
  • deliver: ukas_certificate() → recognised globally

Start today

Let's talk about your AI use cases.

Request a Quote → Call +61 38 256 7547