Definition and purpose

The purpose of ISO 37001 is to assist organizations in implementing effective measures to combat bribery and promote an ethical business culture. It provides a comprehensive approach to mitigating bribery risk in all business activities and across all sectors, including public, private, and non-profit sectors.

Governing Body

The standard is developed and published by the International Organization for Standardization (ISO).

Last updated

ISO 37001 was published in 2016.

Applies to

ISO 37001 is applicable to all organizations, regardless of size, type, and nature of activity, whether in the public, private, or non-profit sector. It is especially relevant for organizations operating in high-risk or highly regulated sectors, such as finance, construction, energy, and government services.

Controls and requirements

ISO 37001 includes a series of measures and controls that an organization can implement to prevent, detect, and address bribery, including:

• Anti-Bribery Policy: Establishing and enforcing a clear policy against bribery.
• Leadership and Commitment: Ensuring top management commitment to the anti-bribery policy.
• Personnel Training and Awareness: Training employees to recognize and avoid bribery.
• Risk Assessment: Conducting periodic bribery risk assessments.
• Due Diligence: Implementing due diligence procedures, particularly in high-risk scenarios.
• Financial and Non-Financial Controls: Establishing controls to prevent bribery through financial and other means.
• Reporting and Investigation Procedures: Creating mechanisms for reporting bribery and conducting thorough investigations.
• Monitoring and Review: Regularly reviewing and monitoring the effectiveness of the anti-bribery management system.

Please refer to the official ISO 37001 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits for ISO 37001 compliance typically involve an external certification process, where an accredited third-party body assesses the organization's anti-bribery management system. The frequency of audits can vary, but typically a surveillance audit is conducted annually, with a recertification audit required every three years.

The duration of the audit depends on the size and complexity of the organization, the scope of the anti-bribery management system, and the extent of the existing controls and procedures.