ISO/IEC 42001 landed in December 2023 as the first international management system standard built specifically for artificial intelligence. Since then, more Australian mid-market boards have started asking a fair question: is this something we need, or another certificate that sits in a drawer? If you are rolling out Claude across a services firm, a health provider, or a financial business, the honest answer depends on who you sell to and how much AI now touches your customers.
What ISO 42001 actually is
ISO 42001 describes an AI management system, or AIMS. It is the AI equivalent of ISO 27001 for information security or ISO 9001 for quality. Rather than testing a single model, it asks whether your organisation has a repeatable way to govern AI: how you decide what to build, how you assess risk, how you monitor systems in production, and how you fix them when they drift. The standard is deliberately model-agnostic. Whether you run Claude, an open-weight model, or a mix, the requirements are the same.
The heart of the standard is a familiar plan, build, check, improve cycle wrapped around AI-specific controls. Those controls cover data quality, human oversight, transparency to affected people, and impact assessments for higher-risk uses. If you have already been through an ISO 27001 audit, the shape will feel recognisable, and much of your existing evidence carries across.
Who in Australia actually needs it
There is no Australian law that forces ISO 42001 on anyone today. The Privacy Act reforms, the federal government's voluntary AI Safety Standard, and sector rules from APRA and ASIC all point in the same direction as ISO 42001, but none of them name it. So the real driver is rarely compliance in the strict sense. It is commercial.
Firms selling into government or large enterprise, where procurement teams increasingly ask for evidence of AI governance in tenders
Regulated businesses in banking, insurance, and health, where APRA CPS 230 and professional obligations already demand documented controls
Companies building AI into a product that other businesses depend on, where a customer's own audit will eventually reach your systems
Any Australian business planning to sell into the EU, where the AI Act makes a recognised management system a practical way to show conformity
If none of those describe you, and Claude is mostly helping your own team draft, summarise, and analyse internally, formal certification is probably premature. You still want good governance. You may not yet want the audit bill.
What certification costs and takes
For an Australian mid-market company, budget realistically. Building the management system, writing the policies, running your first AI impact assessments, and training staff typically runs between $40,000 and $120,000 in internal time and consulting, depending on how many AI systems sit in scope. The certification audit itself, carried out by an accredited body, usually adds $15,000 to $35,000 for a business of a few hundred people, followed by annual surveillance audits. First certification generally takes four to nine months from a standing start.
The figure that surprises people is the ongoing cost. An AIMS is not a one-off. You commit to keeping records current, reviewing new AI uses before they go live, and re-auditing every year. For a firm running two or three Claude workflows, that overhead is modest. For a firm with AI scattered across forty undocumented spreadsheets and browser extensions, it is a genuine program of work before certification is even realistic.
How to get ready without stalling your Claude rollout
The mistake we see most often is treating governance and adoption as a strict sequence, where nobody is allowed to touch Claude until a full management system exists. That stalls the value and usually produces a paper system disconnected from how people actually work. A better approach runs the two together.
Start an AI register now: one simple record of every place Claude or another model touches customer data or a real decision, updated as you go
Write a short acceptable-use policy staff can actually read, covering what data can go into a model and what always needs a human check
Run a lightweight impact assessment on your two highest-risk uses before you scale them, not after
Keep the evidence as you build, so a future audit becomes a matter of tidying records rather than reconstructing history
Done this way, the governance work makes the Claude rollout safer and faster rather than blocking it. When a board or a customer later asks whether you are ready for ISO 42001, you are months ahead instead of starting cold.
The honest recommendation
For most Australian mid-market firms in 2026, the sensible move is to build the habits of ISO 42001 without rushing to the certificate. Put the register, the policy, and the impact assessments in place. Watch whether your customers and regulators start asking for the badge. If you sell into government, finance, health, or Europe, begin the formal path early, because the four to nine month timeline means the decision to certify and the moment you actually need the certificate are rarely close together.
If you want a clear view of where AI already sits in your business and what a proportionate governance program looks like, we can map it with you. Book a brainstorm and we will work through your Claude rollout and your ISO 42001 readiness in the same conversation.



