ISO/IEC 42005:2025 (AI System Impact Assessment) one assessment, five regulatory hooks

Why it matters for NETEVO

ISO/IEC 42005:2025 is the operational companion to ISO/IEC 42001 — the standard that specifies how an AI system impact assessment is actually developed, documented, and maintained. It turns ISO/IEC 42001 Clause 6.1.4 and Annex A.5 from a conformity obligation into a runnable process, supported by five informative annexes; Annex A Table A.1 provides the clause-level mapping back to ISO/IEC 42001.

A single assessment, multiple regulatory hooks. An impact assessment developed under the 42005 process can carry weight across five instruments at once: ISO/IEC 42001 conformity, the EU AI Act Article 27 fundamental rights impact assessment, privacy impact assessment expectations under the AU Privacy Act 1988 (Cth), OAIC AI guidance, and the NSW AI Assessment Framework. 42005 is what makes that single-assessment coverage implementable: it specifies the process, the documentation, and the maintenance discipline against which each of those instruments can be mapped.

Modality preservation matters. The standard is should-heavy, with shall used sparingly. The substantive normative force sits in the should obligations rather than the headline mandatory clauses, so any paraphrase that flattens the modal verbs misplaces the compliance weight. Encoding obligations of this shape into executable controls — the practitioner discipline of the Law-to-Code Methodology — depends on preserving that modality exactly.

A board-readable harms-and-benefits taxonomy. Annex C supplies seven objective categories for classifying AI harms and benefits, a structure that maps cleanly to the harms-and-benefits disclosure shape already familiar in AU listed-company board papers. The deeper point is evidentiary: an assessment produced by a documented, repeatable process is engineered evidence, and engineered evidence — not assertion — is what distinguishes a defensible AI claim from marketing posture.