ISO 42001 readiness is the work of building an AI management system an accredited auditor can certify: an AI policy, an inventory of every AI system you run, an AI risk and impact assessment, the Annex A controls you select in a Statement of Applicability, and the records that prove it operates. Certification is optional.
What does ISO 42001 readiness actually involve?
Readiness is everything you put in place before an external auditor arrives for a Stage 1 and Stage 2 audit. ISO/IEC 42001:2023, published in December 2023, is the first standard that certifies an AI management system. It shares the same clause 4 to 10 backbone as ISO 27001, so the management system shape is familiar. What is new sits in two places: a normative set of 38 Annex A controls across nine objectives, and an AI system impact assessment that asks about harm to people, not only risk to the business. Readiness means closing the gap between how you run AI today and what those clauses and controls expect. Certification is optional. Many organisations build the system for buyer assurance and governance, then certify later, or not at all.
What does an ISO 42001 readiness checklist cover?
At a high level it tracks each management system clause and the Annex A controls against where you actually stand. The table below is the working version, clause by clause.
| Area | What ISO 42001 expects | Ready? |
|---|---|---|
| Context (clause 4) | AIMS scope defined; the AI systems you develop, provide or use identified; interested parties and their requirements set | |
| Leadership (clause 5) | An AI policy approved by top management; roles, authority and accountability assigned | |
| Planning (clause 6) | An AI risk assessment process; the AI system impact assessment; risk treatment; the Statement of Applicability; AI objectives | |
| Support (clause 7) | Resources, competence, awareness and control of documented information | |
| Operation (clause 8) | Risk and impact assessments performed and documented; operational controls running; third party and supplier controls applied | |
| Performance evaluation (clause 9) | Monitoring and measurement; an internal audit; a management review | |
| Improvement (clause 10) | Nonconformities recorded and corrective action taken | |
| Annex A controls | 38 controls across nine objectives (A.2 to A.10), each included or excluded with justification in the SoA | |
The check is not whether a document exists. It is whether the document reflects what the organisation actually does with AI. An auditor samples evidence. A policy nobody follows fails Stage 2.
Which documents does ISO 42001 require?
The standard names the records it expects to see. Miss one and Stage 1 stalls. The documented information an AIMS is built to produce:
- The AIMS scope
- The AI policy and the AI objectives
- The AI risk assessment and risk treatment process, and their results
- The AI system impact assessment process, and its results
- The Statement of Applicability
- Roles, responsibilities and evidence of competence
- Operational planning and control records
- The internal audit programme and its results
- Management review results
- Nonconformities and the corrective actions taken
The Statement of Applicability is the spine. It records every Annex A control, whether you included or excluded it, and why. An auditor reads it first, then goes looking for the evidence behind each included control.
What is the AI system impact assessment, and why does it catch teams out?
This is the part that separates ISO 42001 from an information security standard. The AI system impact assessment asks what an AI system could do to individuals, groups and society: unfair or biased outcomes, opaque decisions, safety, and who is accountable when something goes wrong. Clause 6 requires you to plan it; clause 8 requires you to perform and document it. Teams who come from an ISO 27001 background read “risk” as risk to the organisation and stop there. That misses the point. The question here is harm to the people on the other side of the model. An assessor notices quickly when an impact assessment only talks about data breaches and downtime. The AI risk and impact assessment is where the standard earns its keep, and where most readiness work concentrates.
How do you scope the AIMS and build the AI system inventory?
Most organisations cannot produce a complete list of the AI systems they already run. That is the first gap, and it is usually wider than expected once you count embedded vendor features, models inside everyday SaaS tools, and the subscriptions individual teams bought on their own. Scope starts with that inventory: which systems, who owns each, what decisions they shape, whose data they touch. From there you set the AIMS boundary, what is in, what is out, and the reason for each line. Shadow AI, the tools staff adopted without telling anyone, is where the real exposure hides, and where the inventory earns its place. Get the boundary honest and the rest of the system has something solid to sit on. The companion piece “Why AI governance matters now” sets out why regulators and buyers are asking for this.
How long does ISO 42001 readiness take?
It depends on how many AI systems sit in scope and how much governance already exists. As an indicative guide, Cybernion runs the gap analysis and AI system inventory in about three to six weeks, and full implementation through to audit readiness in about four to nine months. Those are indicative figures, not a fixed quote. An organisation with one AI product and an existing ISO 27001 system moves faster than one that discovers forty unmanaged tools in week one. The standard sets no minimum operating period, but Stage 2 tests that the system runs, so you need real records, at least one internal audit and one management review, before the auditor samples them. ISO 42001 is not the same thing as legal compliance with the EU AI Act, and it is not government mandated in Australia. The pull is commercial: customers, tenders and partners asking how you govern AI.
Frequently asked questions
No. ISO 42001 is not government mandated in Australia. Demand is commercial and procurement driven. The Department of Industry, Science and Resources published a Voluntary AI Safety Standard in September 2024 with 10 guardrails that align closely with the standard, so an AIMS is a practical route to meet them.
Certification is optional. Many organisations build the AI management system for governance and buyer assurance without certifying, then certify later if a customer or tender requires it. Readiness gives you the system either way.
They share the same clause 4 to 10 management system backbone, so they integrate. ISO 42001 adds an AI system impact assessment about harm to people and a set of AI specific Annex A controls. ISO 27001 covers information security, not AI specific risks such as bias, transparency and accountability.
As an indicative guide, the gap analysis and AI system inventory take about three to six weeks, and full implementation through to audit readiness about four to nine months. The number of AI systems in scope and your existing governance maturity set the real timeline.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system, December 2023
- Voluntary AI Safety Standard, Department of Industry, Science and Resources, September 2024
- ISO/IEC 27001:2022, Information security management systems, 2022, for the shared clause 4 to 10 backbone
Last updated: 21 June, 2026
