AI security, trust, assurance and risk specialists



Cabahu Pty Ltd (ABN 60 100 065 334) dba axigetik
805/220 Collins St, Melbourne VIC 3000 Australia
[email protected]


ISO/IEC 42001:2023 Support

ISO/IEC 42001 is the world's first international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems.

We can help you with all foundational and preparatory aspects of ISO/IEC 42001:2023:



AI System Impact Assessments

An AI System Impact Assessment considers the impact on individuals, groups of individuals and society by AI producers (developers) for AI systems they produce, and by AI users or consumers for AI systems they employ. ISO/IEC 42005:2025 provides guidance on how and when to perform AIIAs. An AIIA must be completed at the very beginning of the AI lifecycle, prior to inception or use of the AI technology, and must also be regularly updated and maintained throughout the system's lifecycle, i.e. whilst the system is in use.

An artificial intelligence system impact assessment, or AI impact assessment (AIIA), is by far the most substantial piece of work that you will undertake in the development and implementation of an ISO/IEC 42001:2023 conformant artificial intelligence management system (AIMS). But whether you are chasing ISO/IEC 42001:2023 or another AI certification, or simply investing in a structured approach to inventory and analysis of AI in use in your organization, an AI System Impact Assessment can provide significant value.



CSA STAR for AI Support

STAR for AI extends CSA's globally recognized Security, Trust, Assurance and Risk (STAR) program to address the unique risks of AI. Built on the AI Controls Matrix (AICM), AI-CAIQ, and ISO/IEC 42001, it provides a transparent path to evaluate and validate AI safety and governance practices.

We can help you across the range of CSA STAR for AI activities:



AIUC-1 Support

AIUC-1 is the world's first standard for AI agents. It covers data & privacy, security, safety, reliability, accountability and societal risks.

AIUC-1 has 51 requirements, with 65 mandatory and 65 optional controls across 6 foundational principles: Data & Privacy, Security, Safety, Reliability, Accountability, Society.

Certified organizations demonstrate they conduct leading technical, operational, and legal activities. Auditors assess compliance through upfront technical testing and review of operational controls (conducted annually), and ongoing technical testing (conducted at least quarterly to keep up with ongoing changes to AI risk & mitigation techniques). Like ISO 27001, FedRAMP, and CSA STAR, AIUC-1 requires ongoing technical testing and compliance. It must be renewed annually to remain current.

We can help you with a number of AIUC-1 related activities:



FAQs

There are always questions ...

Q: Do you provide ISO/IEC 42001:2023 audits?
A: No. While we hold ISO/IEC 42001:2023 lead auditor qualifications, axigetik itself is not accredited to provide certification of compliance. We routinely work with several audit companies who are accredited certification bodies.
Q: Do I really need an ISO/IEC 42001:2023 certification to submit for and achieve CSA STAR for AI Level 2?
A: Yes you do. You can however get CSA STAR for AI Level 1 or Level 1 (Valid-AI-ted) without having ISO/IEC 42001:2023.
Q: What locations / markets do you support?
A: Our home region is Australia, New Zealand, ASEAN (Indonesia, Malaysia, Philippines, Singapore, Thailand), but we regularly work with customers and auditors who are based in the USA or Europe and have meaningful timezone overlaps with them and long and sustained experience in working across timezones.
Q: Do you provide ISO/IEC 27001:2022 services (consulting or audits)?
A: No. We can recommend consultants or auditors who specialise in ISO/IEC 27001:2022 if that is helpful. Please get in touch and we'll introduce you.
Q: Do you provide SOC2 services (consulting or audits)?
A: No. We can recommend consultants or auditors who specialise in SOC2 if that is helpful. Please get in touch and we'll introduce you.
Q: Do you have a preferred/recommended GRC automation platform?
A: No, we don't; there are a number in the market with different feature sets and price points. What we find is that for ISO/IEC 42001:2023 the value of a GRC automation platform is quite limited compared to ISO/IEC 27001:2022, because the focus areas of the AI standard lend themselves less to technical integration and continuous testing. Presently there are few GRC automation platforms that have support for CSA STAR for AI, and none that have support for AIUC-1.
Q: We're not an AWS customer, or not using Marketplace for purchases; can we still access your services?
A: Yes, we can set things up commercially as a direct B2B arrangement or through AWS Marketplace depending on your preference.
Q: I don't quite know what it is that we need in terms of AI security & compliance support; can we talk?
A: Sure, let's work out what help means for you :-)


General AI Security & Compliance Advice & Support

We also provide general purpose AI security and compliance advice and support, including in areas such as:

- other AI frameworks (EU AI Act, NIST AI RMF, MITRE ATLAS, OWASP for LLM Applications)
- N-party supply chain analysis for AI (TPRM) and Bill of Materials
- cloud-specific AI security and compliance implementation (hyperscalers especially AWS, and across foundation model providers, and frontier labs)
- use of GRC automation platforms (eg Drata, Vanta) supporting AI security and compliance
- providing independent or observer roles on customers' AI governance functions (boards, committees, panels etc.)

Every advisory engagement is different, and we're happy to work with you to shape an approach that delivers the AI security, trust, assurance and risk outcomes that create value for your business.




Contact Us

If you've got a general enquiry, please use the form below to get in touch. You can also email us directly via [email protected]


ISO/IEC 42001:2023 AI Management System Implementation

How we can help

To fully implement an ISO/IEC 42001:2023 AI Management System (AIMS) you must address 27 required activities and 16 required documentation artefacts in a way that allows an auditor to assess conformance.

We can help with:
- Qualified ISO/IEC 42001:2023 Lead Implementers
- running an initial AIMS health check - what elements of an AIMS do you have already, where are the gaps, and what needs to be improved or enhanced to meet the conformance criteria?
- providing program/project management for coordination across the variety of activities needed to implement an AIMS, which typically requires concentrated effort by several key contributors in your organization - this may include:
  - planning, implementing and controlling processes required for an AIMS
  - performing risk assessments regularly
  - implementing risk treatment plans as required
  - performing AI system impact assessments (also see our standalone service)
  - making sure you have evidence of monitoring and measurement
  - provisioning an internal audit program
  - interacting with management to review results
  - dealing with any non-conformities, corrections and corrective actions that arise from internal or external audits
- using your preferred GRC automation platform to support governance and operational policies and capture ISO/IEC 42001:2023 audit evidence


ISO/IEC 42001:2023 Internal Audit

How we can help
Did you know that under Clause 9.2 you require an impartial internal audit for both the initial certification and maintenance cycle of ISO/IEC 42001:2023? That means anyone who implements your AI management system internally, or provides external audit/certification, can't fill this role. We can provide independent internal audit services either one-off or across a full stage 1, stage 2 and surveillance cycle.

We can help with:
- Qualified ISO/IEC 42001:2023 Internal Auditors
- Pre-certification single cycle internal audit (ie before Stage 1/2 certification)
- Post-certification single cycle internal audit (ie Surveillance in Year 1 or 2)
- Full lifecycle internal audit (pre Stage 1/2 and post certification, with 2x Surveillance)
Full lifecycle is preferred because it allows selection and internal audit coverage of components of your AIMS across a 3 year cycle.

With our internal audit service, we can:
- Act as objective and impartial internal auditors
- Plan, establish, and maintain an internal audit program - defining scope, frequency, and methods
- Audit all parts of the AIMS at planned intervals
- Report internal audit results to relevant management for corrective actions
- Retain documented information as evidence of internal audit results and follow-up, including making those records available to external auditors


ISO/IEC 42001:2023 Audit Team Augmentation

How we can help

Are you an auditor/certification body looking for an extra pair of hands? We can act as technical specialists and auditors on a whitelabel basis to supplement your existing resources and expertise, to deliver better outcomes for your customers.

We can help with:
- Qualified ISO/IEC 42001:2023 Lead Auditors
- Easy reach into/across the APAC region (Australia, New Zealand, South East Asia) if you need audit support for multiple sites within an organization
- Broad and deep engineering experience in designing, building, operating and maintaining AI systems of different types (from expert systems, neural networks, statistical natural language processing, information retrieval, big data and deep learning through to transformers, LLMs and agentic AI)
Our audit augmentation resources can be contracted on a day rate, per audit, or retained as flexible bench capability.


Develop AI Impact Assessments

How we can help

There is some flexibility around how AIIAs are conducted; the best approach will depend on the specifics of your organisation. The basic approach to conducting an AIIA is similar to a data and systems inventory and audit: we need to gather and document information in line with each section of the assessment. Unlike an audit, there is no need to gather evidence to support the assessment, which makes the process slightly easier and more efficient.

We can help with:
- Confirming your position with regard to AI systems - are you a developer/producer or a user/consumer or both?
- Determining the most relevant and useful approach to grouping or splitting AI system impact assessments
- Identifying the most useful template for AI system impact assessments (there are a number of commonly used variations - ISO/IEC 42001:2023 isn't prescriptive, but ISO/IEC 42005:2025 is a good default)
- Facilitating the gathering of information to complete the AI system impact assessment
- Developing the draft AI system impact assessment itself - typically a very substantial document
However, it is important to remember that if you are using AI systems for different outcomes and with different associated risks, you may need to conduct multiple separate assessments of those systems.


Review and Update AI Impact Assessments

How we can help

We can also work with you to review and update existing AI system impact assessments, including using historical and overlapping documentation to make the end-to-end process more time and cost efficient, and cross-validating the documentation against systems in use using our extensive engineering knowledge.

We usually suggest a bi-annual / 6 monthly review of AIIAs, owing to the speed at which AI systems are incrementally changed and improved.


CSA STAR for AI Trustworthy Pledge

How we can help
As the first step on the CSA STAR for AI journey, an organization must sign on to the AI Trustworthy Pledge, CSA's high-level framework of principles for responsible AI development.
We can:
- Quantify the competitive advantage you would gain by signing the AI Trustworthy Pledge (i.e. make the business case and describe the ROI)
- Help facilitate internal discussions, reviews and signoffs
- Identify practical implications and remediations from having signed the AI Trustworthy Pledge
Note: there is no cost to sign the AI Trustworthy Pledge.


CSA STAR for AI Level 1

How we can help

CSA STAR for AI Level 1 is the foundational STAR for AI designation earned by completing and submitting the AI-CAIQ self-assessment to the STAR Registry.

For CSA STAR for AI Level 1, we can:
- Help you complete the Consensus Assessment Initiative Questionnaire for AI (AI-CAIQ), which applies the AI Controls Matrix (AICM) to your specific organization
- Facilitate the submission process to the Cloud Security Alliance's STAR registry to achieve CSA STAR for AI Level 1 Certification and the right for your organization to use the CSA STAR for AI Level 1 badge.
Note: There may be membership agreements or fees associated with engagement with Cloud Security Alliance around STAR for AI, and these will be borne directly by your organization - we will help you understand the costs, but we do not pay them on your behalf, nor do we make any margin on them in terms of our own fees.


CSA STAR for AI Level 1 (Valid-AI-ted)

How we can help

CSA STAR for AI Level 1 (Valid-AI-ted) is an enhanced version of STAR for AI Level 1, earned when an organization's AI-CAIQ passes the Valid-AI-ted automated assessment system. It shows structured, explainable scoring and higher transparency.

For CSA STAR for AI Level 1 (Valid-AI-ted), we can:
- Explain how the CSA STAR for AI tool uses LLM technology to provide automated, actionable feedback on submissions
- Perform a dry-run assessment to identify any likely issues from the validation and remediate them in advance
- Facilitate the submission process to Cloud Security Alliance's Valid-AI-ted tool for evaluating STAR Level 1 self-assessments, to achieve CSA STAR for AI Level 1 (Valid-AI-ted) certification.
Note: There may be membership agreements or fees associated with engagement with Cloud Security Alliance around STAR for AI, and these will be borne directly by your organization - we will help you understand the costs, but we do not pay them on your behalf, nor do we make any margin on them in terms of our own fees.


CSA STAR for AI Level 2

How we can help

CSA STAR for AI Level 2 is the most advanced STAR for AI designation and requires both a third-party ISO/IEC 42001 certification and a Valid-AI-ted AI-CAIQ. It demonstrates global AI compliance, safety, and operational transparency.

For CSA STAR for AI Level 2, we can:
- Provide you with advice and assistance on implementation of a full ISO/IEC 42001:2023 compliant AI Management System
- Recommend or help you select and engage qualified auditors who provide ISO/IEC 42001:2023 certifications
- Provide ISO/IEC 42001:2023 internal audit services (if not precluded from doing so by impartiality requirements)
Note: There may be membership agreements or fees associated with engagement with Cloud Security Alliance around STAR for AI, and these will be borne directly by your organization - we will help you understand the costs, but we do not pay them on your behalf, nor do we make any margin on them in terms of our own fees.




AIUC-1 Relevance and Readiness

How we can help

We can help you:
- determine whether AIUC-1 is relevant to your company and use case in terms of technical scope and business benefits (the business case)
- if AIUC-1 is relevant, identify the extent to which the policies, processes, systems and oversight you have in place will meet the requirements of AIUC-1, or will need to be implemented or significantly improved prior to a formal audit and certification process (a maturity/gap analysis)
- sequence AIUC-1 audit and certification activities against progression towards other frameworks, e.g. ISO/IEC 42001:2023, CSA STAR for AI, NIST AI RMF (an integrated program)


AIUC-1 Operational & Technical Management System Implementation

How we can help

AIUC-1 has 51 requirements, with 65 mandatory and 65 optional controls across 6 foundational principles: Data & Privacy, Security, Safety, Reliability, Accountability, Society. We take a specific interest in automation and integration of technical aspects of compliance, given there is a requirement for quarterly (not annual) testing and evidence collection.

We can help you by:
- control selection: identifying whether there are obvious gaps around the mandatory controls and confirming how many of the optional controls are likely to be addressed in your organizational context
- control execution: where current technology and processes do not sufficiently address the control requirements, identifying what meaningful options there are to close those gaps
- control integration: where current technology and processes do address control requirements, confirming whether this is done in an integrated and efficient fashion
- control evidence: co-developing technical and operational evidence against the controls in scope


AIUC-1 Audit Preparation

How we can help

We can help you prepare for the initial audit by ensuring all of the technical and operational controls are in place and their accumulated documentation and evidence are sourced and arranged in a fashion which will expedite the external audit process. This includes:
- reviewing evidence of both technical and operational controls status (a form of internal audit)
- ensuring any prior adverse/qualified findings have been addressed (again a form of internal audit)
- drafting the audit scoping document, including assembly of and linkage to all supporting evidence across system documentation & governance, agent configuration & capabilities and guardrails, and any optional controls which will be scoped in