WA went first on AI law. The EU went hardest. Microsoft just made both irrelevant for the Australian AI supply chain.

By Moe Chizari / May 28, 2026 / AI & Automation

Microsoft moved its Supplier Security and Privacy Assurance (SSPA) program to version 10 of its Data Protection Requirements for its 2025 fiscal year. Buried inside was a clause most Australian businesses have not absorbed yet. For any supplier delivering AI services that Microsoft classifies as “sensitive use”, ISO 42001 certification is now required. There is no alternative path. No equivalent assessment. No exception for small suppliers.

In December 2025, the Australian federal government published the National AI Plan and confirmed what most of us had already suspected. Australia will not pass a dedicated AI Act. Instead, the country will rely on existing laws, sector regulators, the Voluntary AI Safety Standard, and the new AI Safety Institute. The political case for that approach is reasonable. The practical effect is that Australia has handed enforcement of AI governance over to whichever foreign vendor decides to require it first.

Microsoft got there with the most direct lever: a procurement requirement. The EU got there hardest, with statutory penalties. Western Australia got there earliest, with the PRIS Act and IPP 10 binding state agencies to specific AI governance obligations. The combined effect for Australian businesses sitting in any of those supply chains is that voluntary AI governance is functionally over, even though Australian law still calls it voluntary.

What Microsoft actually requires, and who it captures

The change sits inside the Microsoft Data Protection Requirements (DPR), version 10, which the SSPA program has applied from Microsoft fiscal year 2025 onwards. Microsoft added a new Section K specifically for AI requirements. Microsoft’s own program guide is direct about it: if the service delivery includes “sensitive use” AI, an ISO 42001 certification will be required.

For other AI suppliers in the Microsoft ecosystem, ISO 42001 can be submitted in place of an independent assessment against Section K. So even where it is not technically mandatory, it is the most efficient path to staying green in the SSPA program. Microsoft itself has now achieved ISO 42001 certification for Azure AI Foundry, Microsoft 365 Copilot, and Security Copilot. The signal to the market is unambiguous. This is the baseline.

The cascade matters more than the headline. Microsoft sits at the top of the AI supply chain for most enterprise software in Australia. Any business building AI features into a product that Microsoft resells, embeds, or integrates with becomes a Microsoft supplier in some form. Any Australian Microsoft partner delivering Copilot configuration, custom Azure AI workloads, or AI-driven services to government and enterprise clients now operates inside an ecosystem where the procurement standard is set by Redmond, not Canberra.

This is not a hypothetical risk. It is happening now. Procurement teams at Microsoft customers in Australia are starting to ask their suppliers for the same evidence Microsoft asks its own. Cascading procurement requirements are how trust currencies actually spread.

What Australia chose instead, and why it is not nothing

Australia’s position is more sophisticated than the simple “no AI Act” headline suggests. The Voluntary AI Safety Standard, first published in September 2024, sets out ten guardrails for safe and responsible AI use. In October 2025, the federal government simplified that into the Guidance for AI Adoption, which distils the guardrails into six essential practices for boards and executives.

The December 2025 National AI Plan confirmed the federal strategy. No standalone AI Act. Instead, AI governance is being threaded through the Privacy Act reforms, the new AI Safety Institute, sector regulators including APRA and ASIC, and the existing fabric of corporate, consumer, and discrimination law. The Department of Industry has explicitly aligned the guardrails with ISO/IEC 42001:2023 and the NIST AI Risk Management Framework. That alignment is the lever. Australian businesses adopting the voluntary standard are, by design, on the path to ISO 42001 readiness.

Western Australia got there first at the state level. The PRIS Act and Information Privacy Principle 10 created specific obligations for WA public sector entities using AI and automated decision-making. That is real law with real consequences for any business supplying the WA government with AI-driven services. The patchwork is forming faster than the headlines suggest.

The federal Privacy Act reforms in 2026 add another layer. Provisions covering automated decision-making, transparency obligations, and a new statutory tort for serious invasions of privacy raise the cost of AI governance failure even without a dedicated AI Act. We covered the enforcement reality in detail in our piece on Privacy Act 2026 and what AU SMBs need to know before the regulator arrives.

So Australia did not choose to do nothing. Australia chose to do something diffuse, indirect, and built on voluntary uptake of international standards. That choice was deliberate. It was also a bet that the market would do most of the enforcement work for the government. Microsoft has now confirmed that bet was correct.

ISO 27001 and ISO 42001: the two currencies

If trust is the new currency in enterprise procurement, ISO 27001 has been the established note for a decade. ISO 42001 is the new one. They are not interchangeable, and one does not replace the other.

ISO 27001 is the international standard for information security management. It defines how an organisation protects data through access controls, encryption, network security, incident response, and supplier oversight. It is the certification that enterprise procurement teams reach for when they want to know whether you can be trusted with their data. Most large Australian enterprises and a growing portion of mid-market businesses now have ISO 27001 either certified or in scope.

ISO 42001 is the international standard for AI management systems. Published in December 2023, it is the first certifiable standard specifically for managing AI inside an organisation. It covers AI policy, scope, risk assessment, impact analysis, lifecycle management, data governance, transparency, and third-party AI oversight. It is the certification that enterprise procurement teams are starting to reach for when they want to know whether you can be trusted with their AI exposure.

The two share the same harmonized high-level structure (Annex SL) that all modern ISO management system standards follow: context, leadership, planning, support, operation, performance evaluation and improvement. That makes integration into a single management system achievable rather than running two parallel ones. Businesses already certified to ISO 27001 typically already meet around 60 to 70 percent of the foundational management-system requirements for ISO 42001. The gap is the AI-specific controls: bias monitoring, model lifecycle governance, AI impact assessments, transparency obligations, and controls over suppliers of AI components. Those are the genuinely new requirements.

Dimension | ISO 27001 | ISO 42001
What it protects | Information assets | AI systems and decisions
Year published | 2005 (revised 2013 and 2022) | 2023
Mature in Australia? | Yes, widely held | No, early adopters only
Microsoft SSPA acceptance | Section J (Security) | Section K (AI)
EU AI Act alignment | Partial, on data security | Substantial, covers roughly 40 to 50 percent of requirements
Australian regulator stance | Long-standing baseline expectation | Voluntary, aligned to VAISS guardrails
Typical implementation cost (AU) | $40,000 to $120,000 | $50,000 to $150,000
Certification cycle | Three years: annual surveillance audits, recertification in year three | Three years: annual surveillance audits, recertification in year three

For our framework-versus-framework comparison covering ISO 42001, NIST AI RMF, and the Australian Guidance for AI Adoption, see our analysis from May 2026. The new piece here addresses a different question. Not which AI framework to choose, but whether ISO 27001 alone is still enough.

The EU AI Act forcing function for Australian exporters

Any Australian business with EU customers needs to read the next paragraph carefully.

The EU AI Act entered into force on 1 August 2024 with a staggered implementation timeline. Obligations for high-risk AI systems listed in Annex III are scheduled to apply from 2 August 2026 (high-risk systems embedded in products regulated under Annex I follow a year later, on 2 August 2027). The European Commission proposed in late 2025 to push the high-risk dates back, so confirm the current status before fixing a programme around that date. Penalties are tiered: up to €35 million or 7 percent of global annual turnover, whichever is higher, for prohibited practices, and up to €15 million or 3 percent for breaches of most other obligations, including the high-risk requirements. The Act applies to providers placing AI systems on the EU market or putting them into service in the EU regardless of where the provider is established, and to providers and deployers outside the EU where the system’s output is used in the EU. That captures Australian businesses selling AI-enabled products or services to European customers.

ISO 42001 and the EU AI Act share roughly 40 to 50 percent of substantive requirements. Risk management. Data governance. Transparency. Human oversight. Conformity assessment documentation. ISO 42001 certification does not satisfy the EU AI Act by itself, but it provides the implementation framework that makes EU AI Act compliance cheaper and faster.

For Australian exporters, the practical calculus is straightforward. If you have EU customers and your product touches Annex III categories, you are facing a scheduled 2 August 2026 deadline with global-turnover-percentage penalties. ISO 42001 is the most efficient path to readiness. Australian businesses without EU exposure can take a more relaxed view. Those with EU exposure cannot.

When you should certify, and when you should wait

Certification bodies and compliance consultants in Australia are currently telling almost every Australian business that it needs ISO 42001. That advice is wrong for most SMBs and right for a specific minority. We work with Australian businesses on AI governance every week, and the honest decision framework looks like this.

You should be on the ISO 42001 pathway now if any of the following are true. You sell into the Microsoft AI supplier chain and your services touch sensitive-use AI workloads. You export AI-enabled products or services to the EU with Annex III exposure. You operate in a regulated industry (financial services under APRA, healthcare, critical infrastructure, defence) where AI governance maturity is moving from advisory to expected. You are pursuing enterprise contracts where third-party AI governance evidence is appearing in tenders. You are an MSP, consultancy, or SaaS provider where AI governance is part of your commercial positioning.

You should not certify yet if your AI footprint is a Copilot subscription, a ChatGPT account, and some embedded AI inside SaaS products you do not control. The certification project costs the same as a senior staff hire and produces marginal commercial benefit without genuine AI exposure to govern. Adopting the Voluntary AI Safety Standard’s six essential practices, documenting your AI policy, and building an inventory of AI use is the right starting point. Certification follows when there is something material to certify.

The middle ground covers most Australian SMBs. AI is creeping into your business through tools you did not procure with governance in mind, your enterprise customers are starting to ask the AI governance question in supplier reviews, and your insurer is hinting at premium impacts within the next renewal cycle. For this group, the right move is to align with VAISS now, build the management system informally, and plan certification when commercial pressure or specific procurement requirements arrive. We covered the question of what to ask your IT partner about AI in detail recently.

The advice you will not get from a certification body is that timing matters. ISO 42001 in 2027 is not worse than ISO 42001 in 2026 if you do not have material AI exposure to defend. The standard is not a moral position. It is a commercial tool. Use it when the commercial case is real.

What this means for Epic IT clients

Across our client base in Perth, Sydney, and Brisbane, we are seeing three patterns. Microsoft partners delivering AI services are facing direct SSPA pressure. Regulated industry clients in financial services, healthcare, and defence are facing procurement and audit pressure. Mid-market businesses without either of those exposures are getting advice from compliance consultants that does not match their actual risk profile.

Our position is simple. Most Australian SMBs should be on the Voluntary AI Safety Standard pathway, not the ISO 42001 pathway, until commercial pressure arrives. We help clients adopt the VAISS guardrails inside their existing managed cyber security framework at a fraction of the cost of certification, with a clear path to ISO 42001 when it becomes the right call.

Clients facing direct Microsoft SSPA or EU AI Act exposure are a different conversation. For those businesses, ISO 42001 is no longer optional. The question is sequencing, scope, and how cleanly the new AI management system integrates with the existing ISO 27001 ISMS. That is a vCIO conversation, not a certification consultancy sales pitch.

What you should do now

Step one. Map your AI exposure honestly. Document where AI is being used in your business today, who controls it, what data it touches, and which customers or regulators care about it. Without this map, every decision about ISO 42001 is uninformed.

Step two. Adopt the Voluntary AI Safety Standard. The ten guardrails (simplified to six essential practices in the October 2025 Guidance for AI Adoption) are the right starting baseline for almost every Australian business. They are free, they are aligned with ISO 42001 by design, and they create the documentation foundation that certification later builds on.

Step three. Talk to a partner about the certification decision. If you are in the Microsoft AI supplier chain, the EU export market, or a regulated industry, the ISO 42001 conversation is real and should start now. If you are not, that decision can wait, and the money is better spent on the underlying AI governance maturity. Book a free AI governance review with Epic IT to get an honest read on which group you sit in.

Frequently asked questions

Is ISO 42001 mandatory in Australia?

No. Australia chose not to introduce a standalone AI Act in its December 2025 National AI Plan. ISO 42001 is voluntary in Australia. However, it is increasingly required by contract through procurement requirements, including Microsoft’s Supplier Security and Privacy Assurance program for sensitive-use AI suppliers. For Australian businesses exporting to the EU, ISO 42001 supports compliance with the EU AI Act, whose penalties reach up to €35 million or 7 percent of global turnover at the top tier (prohibited practices) and up to €15 million or 3 percent for most other breaches.

What is the difference between ISO 27001 and ISO 42001?

ISO 27001 is the international standard for information security management systems and has been the baseline data security certification since 2005. ISO 42001 is the international standard for AI management systems, published in December 2023. ISO 27001 protects information assets. ISO 42001 governs AI systems and decisions. They share the same Annex SL structure, with roughly 60 to 70 percent control overlap, but ISO 42001 adds AI-specific requirements including bias monitoring, AI impact assessments, and model lifecycle governance.

Does Microsoft require ISO 42001 from its suppliers?

Yes, for suppliers delivering sensitive-use AI services. Microsoft’s Supplier Security and Privacy Assurance program version 10 added Section K covering AI requirements. For sensitive-use cases, ISO 42001 certification is required and no alternative assessment is offered. For other AI suppliers in the Microsoft ecosystem, ISO 42001 can be submitted in place of an independent Section K assessment, making it the most efficient compliance path.

How much does ISO 42001 certification cost in Australia?

Total cost typically runs $50,000 to $150,000 depending on organisation size and existing management system maturity. That figure covers gap analysis, implementation consulting, internal audit preparation, certification body audit fees (initial two-stage plus annual surveillance), and ongoing evidence management software. Businesses with existing ISO 27001 certification can expect lower implementation costs because the foundational management system is already in place.

Should my Australian SMB get ISO 42001 certified?

Probably not yet, unless your business has direct exposure through one of three channels. First, you are a Microsoft supplier delivering sensitive-use AI services. Second, you export AI-enabled products or services to the EU. Third, you operate in a regulated industry where AI governance maturity is moving from advisory to expected. For most Australian SMBs without those exposures, adopting the Voluntary AI Safety Standard now and planning ISO 42001 for when commercial pressure arrives is the more honest call. We help clients work through this decision as part of our AI governance assessment.

What is the Australian Voluntary AI Safety Standard?

The Voluntary AI Safety Standard (VAISS) is the Australian federal government’s voluntary framework for safe and responsible AI use, first published in September 2024. It sets out ten guardrails for AI governance, simplified to six essential practices in the October 2025 Guidance for AI Adoption. VAISS is aligned with ISO/IEC 42001:2023 and NIST AI Risk Management Framework 1.0, so businesses adopting it are on the pathway to international certification readiness when commercial pressure arrives.

Not sure if ISO 42001 is your next move?

Book a free AI governance review with Epic IT. We will map your exposure, your customer and regulator pressure, and the honest case for or against certification. No certification body sales pitch, just an MSP read on your actual position.


About the Author
Written by Moe Chizari, Chief Executive Officer of Epic IT, a managed IT, cyber security and AI partner for Australian mid-market businesses, with offices in Perth, Sydney and Brisbane. Moe brings 17 years across financial markets, treasury and technology, including five years at Bravura Solutions running enterprise software delivery and five years inside Group Treasury at Westpac and Macquarie leading APRA-regulated programmes (APS-117 IRRBB, APS-210 LCR & Capital Transformation). He holds a Bachelor of International Business from RMIT University, is a certified Project Management Professional (PMP), and an AFMA Diploma of Financial Markets graduate.
