Quick Read
ISO 37001:2025 establishes a comprehensive framework of financial and non-financial controls that organisations must implement, document, and maintain within their Anti-Bribery Management Systems to prevent, detect, and respond to bribery. Most organisations already operate many of these required controls across finance, procurement, legal, HR, and operations functions; the primary work is identifying and formally integrating existing controls into the ABMS rather than building new ones from scratch. The standard applies to all organisation types and sizes and follows the ISO High Level Structure, enabling integration with other management system standards like ISO 14001 and ISO 27001.
1. Executive Summary
ISO 37001 is the international standard for Anti-Bribery Management Systems (ABMS). Its second edition, published in 2025, sets out a comprehensive framework of requirements that organisations must satisfy to prevent, detect and respond to bribery. Central to this framework is an extensive set of controls — both financial and non-financial — that must be implemented, documented and actively maintained.
A common misconception among organisations beginning or advancing their ABMS journey is that implementing ISO 37001 requires building an entirely new control environment from scratch. In practice, most organisations already operate many of the required controls across their finance, procurement, legal, human resources, and operations functions. The real work is not creation — it is identification, documentation, and formal inclusion of those existing controls within the ABMS.
This whitepaper provides a comprehensive catalogue of every anti-bribery control required or described in ISO 37001:2025. It covers financial controls, non-financial controls, and the full surrounding system of governance, employment procedures, training, due diligence, third-party management, gifts and hospitality, conflicts of interest, speak-up mechanisms, investigation procedures, and performance evaluation. For each control, we describe what the standard requires and what practical steps are needed to bring existing organisational controls formally within the scope of the ABMS.
Key Message: ISO 37001:2025 does not demand a parallel compliance universe. It demands that bribery risk is systematically managed through controls that are documented, proportionate, assigned, monitored and continuously improved. The majority of those controls will already exist in your organisation. The ABMS is the system that brings them together under a single, coherent anti-bribery governance framework.
2. Introduction: ISO 37001:2025 and the ABMS
2.1 What Is ISO 37001?
ISO 37001 is the internationally recognised standard for Anti-Bribery Management Systems. First published in 2016, the standard provides a framework of requirements and guidance enabling organisations to prevent, detect and address bribery. It is applicable to all organisations — public, private and not-for-profit — regardless of sector, size or geography.
The second edition, ISO 37001:2025, was published in 2025 and supersedes the 2016 edition (including its 2024 amendment). It was developed by ISO/TC 309, the technical committee responsible for governance of organisations, and follows the ISO High Level Structure (HLS), making it compatible and integrable with ISO 9001, ISO 14001, ISO/IEC 27001, ISO 37301, and other management system standards.
2.2 What Is an Anti-Bribery Management System?
An ABMS is not simply a policy or a set of rules. It is a documented management system — a structured, evidence-based framework of policies, objectives, processes, controls, responsibilities, and assurance mechanisms designed to help an organisation manage its bribery risk on an ongoing basis.
ISO 37001:2025 defines the ABMS as containing measures designed to identify and evaluate the risk of bribery, and to prevent, detect and respond to that risk. The system must be documented, must be reasonable and proportionate to the bribery risks the organisation faces, and must be continually reviewed and improved.
2.3 Key Changes in the 2025 Edition
Compliance officers and legal teams working with ISO 37001:2016 should be aware of the following significant changes introduced in the 2025 edition:
| Area of Change | Description |
|---|---|
| Anti-Bribery Culture (New Clause 5.1.3) | Organisations must now formally develop, maintain and promote an anti-bribery culture at all levels. Leadership must demonstrate active, visible and sustained commitment. |
| Conflicts of Interest (Enhanced) | A new defined term (3.28) and expanded guidance in Annex A.8.3. Organisations must identify and evaluate COI risks, maintain a declaration register, and review declarations at least annually. |
| Training (Restructured Clause 7.3) | Expanded into four sub-clauses: awareness of personnel (7.3.1), training for personnel (7.3.2), training for business associates (7.3.3), and awareness and training programmes (7.3.4). |
| Planning of Changes (New Clause 6.3) | Any changes to the ABMS must be carried out in a planned and controlled manner. |
| Management Review (Restructured Clause 9.3) | Governing body review responsibilities are formally integrated alongside top management review, with explicit governing body reporting requirements. |
| Non-Financial Controls (Expanded Clause 8.4) | Now explicitly includes mergers and acquisitions and regulatory activities as areas subject to non-financial controls. |
| Anti-Bribery Function (Clarified Clause 5.3.2) | Renamed from “anti-bribery compliance function.” Responsibilities reordered to reflect strategic importance: conformance and reporting come first, followed by design oversight and advice. |
| Climate Change (New Clause 4.1 requirement) | Organisations must now determine whether climate change is a relevant issue in their context when establishing the ABMS. |
3. The “Include, Don’t Just Create” Principle
One of the most practically important insights in implementing ISO 37001 is understanding that the standard does not require an organisation to replace or duplicate its existing control environment. Rather, it requires that controls which manage bribery risk — wherever they currently sit in the organisation — are formally identified, documented, and brought within the scope of the Anti-Bribery Management System.
Most organisations that operate in regulated industries or that have mature governance structures will already have in place many of the following:
Financial approval authorities and segregation of duties in their finance and accounts teams
Procurement policies with competitive tendering and multi-person contract approval requirements
Human resources procedures including background screening, codes of conduct, and disciplinary processes
Ethics hotlines or speak-up channels for reporting concerns
Gifts and hospitality registers and approval processes
Third-party due diligence processes in their legal or procurement functions
Conflict of interest disclosure policies
Internal audit programmes reviewing financial and operational controls
The ABMS does not require these to be rebuilt. It requires them to be:
Assessed for their effectiveness in managing bribery risk specifically
Documented as part of the ABMS scope and documented information register
Referenced in bribery risk assessments as identified mitigating controls
Assigned clear ownership and responsibility within the ABMS governance structure
Subject to monitoring, audit and management review as part of ABMS performance evaluation
Reviewed and updated where gaps are identified against the standard’s requirements
Practical Insight: When scoping your ABMS documentation, map each control required by ISO 37001:2025 to the existing policies, procedures or systems in your organisation that serve the same purpose. Where a gap exists — where no existing control adequately addresses the bribery risk — then and only then is a new control required.
The sections that follow catalogue every anti-bribery control required or described in ISO 37001:2025, organised by control category. For each control, we describe the standard’s requirement and the practical steps needed to ensure it is properly included within the ABMS.
4. The Anti-Bribery Controls Framework
ISO 37001:2025 establishes anti-bribery controls across thirteen functional categories. These are not limited to the two clauses labelled “financial controls” (8.3) and “non-financial controls” (8.4). The full control framework spans the entire lifecycle of the ABMS — from leadership and context-setting, through planning and operational controls, to monitoring, audit and improvement.
The sections below address each control category in turn, drawing on both the normative requirements (Clauses 4–10) and the informative guidance (Annex A) of ISO 37001:2025.
4.1 Leadership and Governance Controls (Clause 5)
Governance controls are the foundational layer of any ABMS. They establish accountability, direction and commitment at the highest organisational level. ISO 37001:2025 is explicit that no policy document or set of operational procedures will be effective without genuine leadership commitment and clearly assigned governance responsibility.
4.1.1 Governing Body Oversight (Clause 5.1.1)
Where an organisation has a separate governing body (board of directors, supervisory board, trustees), it must demonstrate leadership and commitment to the ABMS by: approving the anti-bribery policy; ensuring strategy and policy alignment; receiving and reviewing ABMS information at planned intervals; requiring adequate resources to be allocated; and exercising reasonable oversight over ABMS implementation, intended results and effectiveness.
Including This Control in the ABMS: Document the governing body’s ABMS responsibilities in the board or audit committee terms of reference. Establish a formal reporting cycle from the anti-bribery function to the governing body. Retain records of information received and review outcomes as documented information.
4.1.2 Top Management Commitment (Clause 5.1.2)
Top management must demonstrate leadership and commitment by: ensuring the anti-bribery policy and objectives are established; integrating ABMS requirements into business processes; ensuring adequate resources are available; communicating the policy internally and externally; promoting anti-bribery culture; ensuring no retaliation for good-faith reporting (except where the reporter participated in the violation); and reporting to the governing body at planned intervals.
Including This Control in the ABMS: Include ABMS performance as a standing agenda item on management meetings. Ensure the CEO or equivalent has formally acknowledged responsibility for the ABMS. Capture evidence of top management communications (policy sign-offs, town hall addresses, training participation) in the ABMS document register.
4.1.3 Anti-Bribery Culture (New in 2025: Clause 5.1.3)
The 2025 edition introduces a mandatory requirement to actively develop, maintain and promote an anti-bribery culture at all levels of the organisation. The governing body, top management and all managers must demonstrate active, visible, consistent and sustained commitment to a common standard of behaviour and conduct. Top management must actively encourage behaviour that supports the anti-bribery policy and prevent and not tolerate behaviour that compromises it.
Evidence of an anti-bribery culture includes: the degree to which personnel understand and value the ABMS, the consistency of corrective actions regardless of the seniority of the individual involved, and the visible participation of management in anti-bribery activities.
Including This Control in the ABMS: Develop a culture assessment or indicator framework. Include anti-bribery culture indicators in management reviews. Document management’s visible anti-bribery activities. Reference culture metrics in the ABMS performance monitoring process.
4.1.4 Anti-Bribery Policy (Clause 5.2)
Top management must establish an anti-bribery policy that prohibits bribery; requires compliance with applicable anti-bribery laws; provides a framework for setting objectives; commits to meeting applicable requirements; encourages good-faith reporting without fear of reprisal; commits to continual improvement; explains the authority and independence of the anti-bribery function; and explains the consequences of non-compliance.
The policy must be communicated within the organisation and to business associates who pose more than a low risk of bribery, in appropriate languages, and must be made available to interested parties as appropriate.
Including This Control in the ABMS: Review the existing anti-bribery or code of conduct policy against all nine content requirements. Update where gaps exist. Ensure version control and a documented distribution and acknowledgement process, and confirm that evidence of distribution to relevant business associates is retained as documented information.
4.1.5 Anti-Bribery Function (Clause 5.3.2)
The anti-bribery function holds responsibility and authority for: ensuring ABMS conformance to the standard; reporting on ABMS performance to the governing body and top management; overseeing ABMS design and implementation; and providing advice and guidance to personnel and interested parties. The function must be adequately resourced, staffed by persons with appropriate competence, status, authority and independence, and must have direct and prompt access to the governing body and top management.
Including This Control in the ABMS: Formally document the anti-bribery function’s mandate, reporting lines, resources and terms of reference in an appointment letter, job description or committee charter. Record evidence of direct access to the governing body.
4.1.6 Delegated Decision-Making Controls (Clause 5.3.3)
Where top management delegates authority for decisions involving more than a low risk of bribery, the organisation must establish and maintain a decision-making process ensuring the level of authority and the decision-making process are appropriate and free of actual or potential conflicts of interest. These processes must be reviewed at planned intervals.
Including This Control in the ABMS: Map delegation of authority frameworks from finance, procurement and HR into the ABMS. Ensure decisions with bribery risk implications (contract awards, agent appointments, high-value transactions) involve appropriate COI checks and approval authorities.
4.2 Bribery Risk Assessment Controls (Clause 4.5)
The bribery risk assessment is both a control in its own right and the foundation upon which all other ABMS controls are calibrated. ISO 37001:2025 requires the organisation to undertake risk assessments at planned intervals. The assessment must: identify bribery risks the organisation can reasonably anticipate; analyse, assess and prioritise those risks; and evaluate the suitability and effectiveness of existing controls to mitigate assessed risks.
The organisation must establish risk evaluation criteria, review the assessment at planned intervals and in the event of significant structural or operational changes, and retain documented information as evidence.
Including This Control in the ABMS: Establish a formal bribery risk assessment methodology and documented cadence. Map existing controls to identified risks. Retain the risk register and evidence of periodic review. The risk assessment must drive the design and intensity of all other ABMS controls, including the financial and non-financial controls described below.
4.3 Employment and Human Resources Controls (Clause 7.2)
People — both as potential perpetrators and potential victims of bribery — are at the centre of bribery risk. ISO 37001:2025 requires specific controls across the full employment lifecycle.
4.3.1 General Employment Controls (Clause 7.2.2.1)
For all personnel, the organisation must ensure that: employment conditions require compliance with the anti-bribery policy and ABMS and give the right to discipline for non-compliance; personnel receive the policy and related training within a reasonable period of commencing employment; the organisation has procedures enabling disciplinary action for violations; personnel will not suffer retaliation for refusing to engage in bribery-related activity or for good-faith reporting (with the noted exception); and personnel are aware of the necessity to report potential and actual conflicts of interest.
Including This Control in the ABMS: Review employment contracts and staff handbooks to confirm ABMS compliance obligations are embedded. Confirm disciplinary procedures reference anti-bribery violations. Document the non-retaliation commitment. Add the COI reporting obligation to onboarding communications. Retain records of policy distribution and acknowledgements.
4.3.2 Enhanced Controls for Higher-Risk Positions (Clause 7.2.2.2)
For positions exposed to more than a low bribery risk, the organisation must additionally: conduct due diligence on persons before employment, transfer or promotion; review performance bonuses and incentive-based remuneration at planned intervals to verify safeguards against bribery incentives; and require relevant personnel, top management and the governing body to file compliance declarations at planned intervals proportionate to the identified bribery risk.
Including This Control in the ABMS: Define which roles are “more than low bribery risk.” Establish a pre-employment due diligence checklist for those roles. Build a remuneration review process specifically assessing bribery incentive risk. Implement an annual anti-bribery compliance declaration. Retain completed declarations as documented information.
4.4 Training and Awareness Controls (Clause 7.3)
ISO 37001:2025 significantly restructures the training requirements into four distinct sub-clauses, recognising that awareness and training serve different purposes and different audiences.
4.4.1 Awareness of Personnel (Clause 7.3.1)
All personnel must be aware of: the anti-bribery policy, procedures and ABMS and their duty to comply; their contribution to ABMS effectiveness; the implications of non-conformance; the benefits of reporting suspected bribery; and how and to whom to report concerns. Documented information on the awareness programme and its delivery must be retained.
Including This Control in the ABMS: Include the required awareness topics in onboarding and annual refreshers. Implement a simple acknowledgement mechanism. Retain records of delivery (dates, audience). Ensure awareness is recognised as distinct from formal training.
4.4.2 Training for Personnel (Clause 7.3.2)
Anti-bribery training for personnel must address: applicable policies and procedures; the bribery risk and resulting damage; the circumstances in which bribery can occur in their role; how to recognise and respond to solicitations or offers of bribes; how to prevent and avoid bribery and recognise key risk indicators; and available training and resources. Documented information on training content and delivery must be retained.
Including This Control in the ABMS: Map the six required training content areas to existing modules and update where gaps exist. Ensure training is risk-based: more detailed and frequent for higher-risk roles. Retain training completion records with dates and participants.
4.4.3 Training for Business Associates (Clause 7.3.3)
The organisation must implement procedures addressing anti-bribery training for business associates acting on its behalf or for its benefit that pose more than a low bribery risk. These procedures must identify which business associates require training, the content required, and the means of delivery. Documented information on training provided must be retained.
Including This Control in the ABMS: Identify business associates posing more than a low risk. Determine appropriate training content and delivery (online module, contractual requirement, provision of materials). Retain evidence of training delivery or contractual training obligations.
4.4.4 Awareness and Training Programmes (Clause 7.3.4)
Training must be provided from the commencement of employment and at planned intervals, appropriate to the role, risks, and changing circumstances. Programmes must be updated at planned intervals to reflect relevant new information, including regulatory changes, lessons from investigations, and changes in the bribery risk landscape.
Including This Control in the ABMS: Establish a documented annual training calendar with role-based training plans. Include a process for updating content when the risk landscape changes. Retain programme documentation.
4.5 Due Diligence Controls (Clause 8.2, Annex A.10)
Due diligence is a targeted, deeper assessment of bribery risk applied to specific transactions, projects, activities, or relationships where the risk assessment has identified a bribery risk that is more than low. It serves the dual purpose of further evaluating the specific risk and acting as a targeted preventive control.
Due diligence applies in three contexts: (a) specific categories of transactions, projects or activities; (b) planned or ongoing relationships with specific categories of business associates; and (c) specific categories of personnel in certain positions (Clause 7.2.2.2). The assessment must be updated at a defined frequency.
4.5.1 Transaction and Activity Due Diligence
Factors to evaluate in a transaction or project context include: structure, nature and complexity; financing and payment arrangements; level of control and visibility; the business associates and public officials involved; the location; and adverse reports in the market or press.
Including This Control in the ABMS: Establish a transaction due diligence trigger list. Document the procedure and checklist. Ensure finance, legal and compliance apply the procedure before entering high-risk transactions. Retain due diligence records.
4.5.2 Business Associate Due Diligence
Before engaging with a business associate posing more than a low bribery risk, the organisation should verify: the legitimacy of the business entity (registration documents, accounts, tax identification); qualifications and resources; any history of bribery, fraud, dishonesty, sanctions or debarment; the identity and background of beneficial owners and top management; and the structure of payment arrangements.
Due diligence methods may include self-certification questionnaires, web searches, debarment list checks, judicial record searches, and third-party background screening services.
Including This Control in the ABMS: Map the business associate due diligence process from procurement or legal teams into the ABMS. Define due diligence tiers by risk level. Establish a refresh cadence. Retain completed due diligence records as documented information.
4.6 Financial Controls (Clause 8.3, Annex A.11)
Financial controls are the management systems and processes implemented to manage financial transactions properly and to record them accurately, completely and in a timely manner. ISO 37001:2025 observes that well-designed anti-bribery financial controls act as checks and balances to deter improper behaviour by raising the risk of detection and capturing information to enable investigation.
These controls are fundamental because bribery almost always has a financial dimension: a payment, a commission, a benefit, or an undisclosed financial arrangement. Effective financial controls make it significantly harder to conceal such transactions.
| Clause | Control | What It Requires / What to Include in the ABMS |
|---|---|---|
| 8.3 / A.11(a) | Separation of Duties | The same person cannot both initiate and approve a payment. Finance functions must have segregated roles for transaction initiation, approval and recording. This prevents a single individual from concealing a bribery-related payment. |
| 8.3 / A.11(b) | Tiered Payment Authority | Larger transactions must require more senior management approval. A payment authority matrix should define approval thresholds by transaction value and type, ensuring significant payments receive proportionate scrutiny. |
| 8.3 / A.11(c) | Payee Verification | The payee’s appointment and the work or services carried out must be verified and approved by the organisation’s relevant approval mechanisms before payment is made. Invoices must be matched to approved contracts or purchase orders. |
| 8.3 / A.11(d) | Dual Signature on Payments | Payment approvals should require at least two authorised signatures or electronic approvals, particularly for higher-value or higher-risk transactions. This provides a second layer of scrutiny for every significant disbursement. |
| 8.3 / A.11(e) | Supporting Documentation | Appropriate supporting documentation (invoices, contracts, delivery notes, completion records) must be annexed to payment approvals. Payments must not be approved without adequate evidentiary support of the goods or services received. |
| 8.3 / A.11(f) | Cash Controls | The use of cash must be restricted and effective cash control methods implemented. Cash payments are particularly vulnerable to bribery as they leave limited audit trails. Where cash is necessary, strict procedures and receipt documentation are required. |
| 8.3 / A.11(g) | Accurate Payment Categorisation | Payment categorisations and descriptions in the accounts must be accurate and clear. Disguising bribery payments as legitimate expenses (e.g. “consulting fees,” “hospitality,” “facilitation charges”) is a common concealment method. Vague account coding must be prevented and challenged. |
| 8.3 / A.11(h) | Periodic Review of Significant Transactions | Significant financial transactions must be subject to management review at planned intervals, examining transactions above defined thresholds for unusual patterns, anomalies, or red flags. |
| 8.3 / A.11(i) | Independent Financial Audits | Independent financial audits must be implemented at planned intervals, rotating the auditor (person or organisation) on a regular basis. Independence prevents auditors from overlooking issues in areas for which they have responsibility. |

Including These Controls in the ABMS: Most organisations already have finance policies, payment authority matrices and internal audit programmes. Map each of the controls above to existing finance policies. Identify gaps (e.g. no dual signature for certain payment types, no documented payee verification step, no cash control policy) and address them. Formally reference the financial controls framework in the ABMS documented information register.
4.7 Non-Financial Controls (Clause 8.4, Annex A.12)
Non-financial controls are the management systems and processes that help ensure the procurement, operational, sales, commercial, human resources, legal, mergers and acquisitions, and regulatory activities of the organisation are properly managed from a bribery risk perspective. The 2025 edition explicitly adds mergers and acquisitions and regulatory activities to this list.
Bribery does not only occur through direct cash payments — it can involve the award of contracts, the granting of permits, the manipulation of procurement processes, or the use of intermediaries to secure business advantage. Non-financial controls address these vectors.
| Clause | Control | What It Requires / What to Include in the ABMS |
|---|---|---|
| 8.4 / A.12(a) | Approved Contractor and Supplier Process | Using approved contractors, sub-contractors, suppliers and consultants that have undergone a pre-qualification process assessing the likelihood of their participation in bribery. This includes due diligence of the type specified in Annex A.10. |
| 8.4 / A.12(b) | Legitimacy and Payment Assessment for Business Associates | Assessing the necessity and legitimacy of services to be provided by a business associate (excluding clients/customers), whether services were properly carried out, and whether payments are reasonable and proportionate. Particularly critical for agents and intermediaries paid on commission or contingency. |
| 8.4 / A.12(c) | Competitive Tendering | Awarding contracts, where possible and reasonable, only after a fair and transparent competitive tender process between at least three competitors. This prevents contracts being awarded on the basis of bribery rather than merit. |
| 8.4 / A.12(d) | Dual Evaluation of Tenders and Contract Awards | Requiring at least two persons to evaluate tenders and approve contract awards. A single evaluator with unilateral award authority is a significant bribery risk. |
| 8.4 / A.12(e) | Procurement Separation of Duties | Personnel who approve contract placement must be different from those requesting it and from those managing the contract or approving work under it. This three-way separation prevents collusive abuse of the procurement process. |
| 8.4 / A.12(f) | Dual Signatures on Contracts | Requiring at least two authorised signatures on contracts, on documents modifying contract terms, and on documents approving work or supplies provided under a contract. |
| 8.4 / A.12(g) | Enhanced Oversight for High-Risk Transactions | Placing a higher level of management oversight on potentially high bribery risk transactions, such as large construction contracts, agent appointments, public sector interactions, or transactions in high-risk jurisdictions or sectors. |
| 8.4 / A.12(h) | Tender Integrity Controls | Protecting the integrity of tenders and other price-sensitive information by restricting access to appropriate personnel only. Leakage of tender information enables competitors to be given unfair advantage in exchange for bribes. |
| 8.4 / A.12(i) | Operational Tools, Templates and Workflows | Providing appropriate guidance tools and templates, including practical do’s and don’ts, approval ladders, checklists, forms and IT workflow systems. These reduce the risk of inadvertent non-compliance and create an auditable approval trail. |

Including These Controls in the ABMS: Procurement policies, contract approval procedures and vendor management frameworks typically contain many of these controls. Particular attention should be paid to the legitimacy and proportionality assessment for agents and intermediaries — a high-risk area where controls are often less well developed. Ensure the ABMS formally references all relevant procurement and commercial control documentation.
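As an added illustration (not taken from ISO 37001 or from this whitepaper), the following Python checker encodes several of the A.11 financial controls from Section 4.6 and the A.12 procurement controls above as machine-checkable rules, run over constructed payment and contract-award records of the kind an IT workflow system (A.12(i)) would hold. The authority tiers, cash limit, purchase-order register, person names and grade numbers are assumptions chosen for the example.

```python
"""Rule checks for selected ISO 37001 Annex A.11 / A.12 controls (added example).

Every threshold and record below is constructed for illustration; a real
implementation would take them from the organisation's payment authority
matrix, PO register and procurement policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A.11(b) hypothetical payment authority matrix: (upper value limit, minimum approver grade).
# Grade 1 = manager, 2 = director, 3 = executive.
AUTHORITY_TIERS = [(10_000.0, 1), (100_000.0, 2), (float("inf"), 3)]
DUAL_SIGNATURE_THRESHOLD = 10_000.0   # A.11(d): two approvals at or above this value
CASH_LIMIT = 500.0                    # A.11(f): hypothetical ceiling for cash payments
VAGUE_DESCRIPTIONS = {"consulting fees", "hospitality", "facilitation charges", "miscellaneous"}

# A.11(c) constructed register of approved purchase orders: PO -> (payee, approved value).
APPROVED_POS = {"PO-1001": ("Acme Ltd", 25_000.0)}


@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float
    method: str                           # "transfer" or "cash"
    description: str                      # account narrative (A.11(g))
    initiated_by: str
    approvers: Tuple[Tuple[str, int], ...]  # (person, grade)
    purchase_order: Optional[str] = None
    supporting_docs: Tuple[str, ...] = ()


def check_payment(p: Payment) -> List[str]:
    """Return the list of A.11 control findings for one payment (empty = passes)."""
    findings: List[str] = []
    approver_names = {name for name, _ in p.approvers}
    if p.initiated_by in approver_names:
        findings.append("A.11(a): initiator cannot also approve the payment")
    required_grade = next(grade for limit, grade in AUTHORITY_TIERS if p.amount <= limit)
    if not any(grade >= required_grade for _, grade in p.approvers):
        findings.append(f"A.11(b): value requires an approver of grade >= {required_grade}")
    po = APPROVED_POS.get(p.purchase_order or "")
    if po is None or po[0] != p.payee or p.amount > po[1]:
        findings.append("A.11(c): payee and amount not matched to an approved purchase order")
    if p.amount >= DUAL_SIGNATURE_THRESHOLD and len(approver_names) < 2:
        findings.append("A.11(d): dual signature required at this value")
    if not p.supporting_docs:
        findings.append("A.11(e): no supporting documentation attached")
    if p.method == "cash" and p.amount > CASH_LIMIT:
        findings.append("A.11(f): cash payment exceeds the cash limit")
    if p.description.strip().lower() in VAGUE_DESCRIPTIONS:
        findings.append("A.11(g): vague payment description must be challenged")
    return findings


@dataclass(frozen=True)
class ContractAward:
    requested_by: str
    evaluators: Tuple[str, ...]
    approved_by: Tuple[str, ...]
    contract_manager: str
    bidders: Tuple[str, ...]
    signatories: Tuple[str, ...]
    sole_source_justified: bool = False   # documented reason when A.12(c) is not reasonable


def check_contract_award(c: ContractAward) -> List[str]:
    """Return the list of A.12 control findings for one contract award (empty = passes)."""
    findings: List[str] = []
    if len(set(c.bidders)) < 3 and not c.sole_source_justified:
        findings.append("A.12(c): fewer than three competitors and no documented justification")
    if len(set(c.evaluators)) < 2 or len(set(c.approved_by)) < 2:
        findings.append("A.12(d): at least two persons must evaluate and approve the award")
    if c.requested_by in c.approved_by or c.contract_manager in c.approved_by:
        findings.append("A.12(e): an approver also requested or manages the contract")
    if len(set(c.signatories)) < 2:
        findings.append("A.12(f): contracts require at least two authorised signatures")
    return findings


# Constructed sample records: one compliant and one non-compliant of each kind.
GOOD_PAYMENT = Payment("Acme Ltd", 25_000.0, "transfer", "Q3 site survey, PO-1001 milestone 2",
                       "alice", (("bob", 1), ("carol", 2)), "PO-1001", ("INV-2201", "completion-cert"))
BAD_PAYMENT = Payment("Acme Ltd", 12_000.0, "cash", "Consulting fees", "alice", (("alice", 1),))
GOOD_AWARD = ContractAward("dave", ("erin", "frank"), ("grace", "heidi"), "dave",
                           ("Bidder X", "Bidder Y", "Bidder Z"), ("grace", "ivan"))
BAD_AWARD = ContractAward("dave", ("dave",), ("dave", "erin"), "erin", ("Bidder X",), ("dave",))

if __name__ == "__main__":
    for label, findings in (("good payment", check_payment(GOOD_PAYMENT)),
                            ("bad payment", check_payment(BAD_PAYMENT)),
                            ("good award", check_contract_award(GOOD_AWARD)),
                            ("bad award", check_contract_award(BAD_AWARD))):
        print(label, "->", findings or "no findings")
```

Each finding names the Annex A.11 or A.12 item it traces to, which is the mapping an auditor asks for when confirming that an existing workflow control has been included in the ABMS.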
4.8 Business Associate and Third-Party Controls (Clauses 8.5, 8.6)
Third parties acting on behalf of or for the benefit of an organisation are one of the highest bribery risk categories. Regulatory enforcement actions globally demonstrate that organisations face significant legal liability for bribery committed by their agents, intermediaries, joint venture partners and other business associates. ISO 37001:2025 establishes a structured framework for managing this risk.
4.8.1 Controls for Controlled Organisations (Clause 8.5.1)
The organisation must implement procedures requiring that all organisations over which it has control (e.g. subsidiaries, joint ventures over which it exercises management control) either implement the organisation’s ABMS, or implement their own anti-bribery controls, in each case to the extent reasonable and proportionate to the bribery risks faced.
Including This Control in the ABMS: Map all entities over which the organisation has management control. Document which approach applies for each. Retain evidence of subsidiary or joint venture anti-bribery arrangements. Include oversight of controlled organisations in the anti-bribery function’s review activities.
4.8.2 Controls for Non-Controlled Business Associates (Clause 8.5.2)
For business associates not controlled by the organisation but posing more than a low bribery risk, the organisation must: determine whether the business associate has anti-bribery controls in place managing the relevant risk; where they do not (or this cannot be verified), require the associate to implement controls (where practicable), or take the absence of controls into account in evaluating the overall bribery risk and how it is managed.
The type of controls required scales with risk: high-risk, complex-scope associates may be required to implement controls equivalent to those required by this standard; medium-risk associates may require minimum requirements such as an anti-bribery policy, relevant training, a responsible manager, and controls over key payments; smaller or lower-risk associates may only require training for relevant employees and controls over key payments and gifts.
Including This Control in the ABMS
Establish a tiered business associate control framework based on bribery risk level. Document the determination process. Include anti-bribery requirements in standard commercial agreements. Retain evidence of assessments and contractual provisions.
4.8.3 Anti-Bribery Commitments from Business Associates (Clause 8.6)
For business associates posing more than a low bribery risk, the organisation must, as far as practicable, obtain commitments that the associate will prevent bribery in connection with the relevant transaction, project, activity or relationship, and that the organisation may terminate the relationship in the event of such bribery. These commitments should be obtained in writing — either as a standalone commitment document or as part of the contract.
Including This Control in the ABMS
Review standard contractual terms to ensure anti-bribery representations, warranties and termination rights are included for higher-risk business associates. Implement an anti-bribery commitment form or certification for such parties. Retain signed commitments as documented information.
4.9 Gifts, Hospitality, Donations and Similar Benefits (Clause 8.7, Annex A.15)
Gifts, hospitality, donations and similar benefits are among the most common mechanisms through which bribery is offered or accepted. ISO 37001:2025 requires the organisation to implement procedures preventing the offering, provision or acceptance of such benefits where this is, or can reasonably be perceived as, bribery.
The types of benefit subject to these controls include: gifts, entertainment and hospitality; political or charitable donations; client representative or public official travel; promotional expenses; sponsorship; community benefits; training; club memberships; personal favours; and confidential or privileged information.
4.9.1 Gifts and Hospitality Controls
Procedures may be designed to control the extent and frequency of gifts and hospitality either through total prohibition, or through limits based on: a maximum expenditure (which may vary by location and type); frequency (small gifts can accumulate); timing (not during or immediately before or after tender negotiations); reasonableness (accounting for location, sector and seniority of the giver and receiver); the identity of the recipient (those with authority to award contracts or approve permits carry greater risk); reciprocity (no one may receive a gift greater than they are permitted to give); and the applicable legal and regulatory environment.
In addition to limits, procedures should: require advance approval for gifts or hospitality above a defined value or frequency threshold; and require documentation in a register or accounts ledger for gifts and hospitality above those thresholds.
Including This Control in the ABMS
Review the existing gifts and hospitality policy against the requirements above. Ensure a register exists and is actively maintained. Confirm donation and sponsorship approval and due diligence processes are documented. Formally reference these procedures in the ABMS. Extend the policy to cover all personnel and relevant business associates where it does not already do so.
4.9.2 Donations, Sponsorship and Promotional Expenses Controls
For political or charitable donations, sponsorship, promotional expenses and community benefits, procedures should: prohibit payments intended or reasonably perceived to influence a tender or decision in favour of the organisation; require due diligence on the recipient to confirm legitimacy and absence of bribery-channel use; require manager approval; require public disclosure of payments; ensure compliance with applicable law; and avoid making contributions immediately before, during or after contract negotiations.
4.9.3 Public Official Travel Controls
Where the organisation funds travel for client representatives or public officials, procedures should: only permit payments allowed by the procedures of the client/public body and by applicable law; only allow travel necessary for legitimate business purposes; require manager approval; require, where possible, notification to the official’s supervisor or employer; restrict payments to necessary travel, accommodation and meal expenses only; limit associated entertainment to a reasonable level; and prohibit payment of family members’ expenses or holiday and recreational expenses.
4.10 Conflict of Interest Controls (New Emphasis in 2025)
Conflicts of interest represent a significant gateway risk for bribery. ISO 37001:2025 introduces a formal definition of “conflict of interest” (Clause 3.28) as a situation in which an interested party has a personal or organisational interest, directly or indirectly, that can compromise or interfere with the ability to act impartially in carrying out their duties in the best interest of the organisation.
The 2025 edition’s enhanced treatment — including the expanded guidance in Annex A.8.3 — reflects growing recognition that undisclosed conflicts of interest are a primary mechanism through which bribery occurs or is concealed. Examples include: a purchasing manager with an undisclosed financial interest in a supplier; a sales manager related to a customer’s procurement decision-maker; a board director with personal interests in an acquiring entity; or a procurement manager in a joint venture who holds a financial stake in a competing bidder.
Required controls include:
Identifying, analysing and evaluating the risks of internal and external conflicts of interest across the organisation
Clearly informing all personnel of their duty to report any potential and actual conflict of interest (family, financial, professional, religious, political or other connection) directly or indirectly related to their line of work
Maintaining a register of all conflict of interest declarations, recording the nature of the conflict and any actions taken to mitigate it
Reviewing declarations at least once a year to ensure they remain relevant and up to date
Ensuring employment conditions require personnel to report potential and actual conflicts (Clause 7.2.2.1(e))
Ensuring delegated decision-making processes are free of actual or potential conflicts of interest (Clause 5.3.3)
Including These Controls in the ABMS
Establish a formal conflict of interest declaration process covering all types of interest (financial, family, professional, religious, political). Implement a disclosure register. Require annual re-declaration for all personnel, with enhanced frequency for higher-risk roles. Document the process for managing and mitigating disclosed conflicts. Retain records as documented information.
4.11 Raising Concerns Controls (Clause 8.9)
An effective speak-up mechanism is one of the most powerful controls available for detecting bribery. ISO 37001:2025 requires the organisation to implement reporting procedures that create a genuinely safe, accessible and trusted channel for personnel and others to report concerns.
Required controls include:
Encouraging and enabling persons to report in good faith or on the basis of a reasonable belief: attempted, suspected and actual bribery; or any violation of or weakness in the ABMS
Treating reports confidentially, to the extent required to progress an investigation, to protect the identity of the reporter and others involved or referenced
Allowing anonymous reporting
Prohibiting retaliation and protecting those who make reports in good faith from any form of retaliation, including threats, isolation, demotion, dismissal, bullying, victimisation or other harassment
Enabling personnel to receive advice from an appropriate person on what to do if faced with a concern or situation that may involve bribery
All personnel must be aware of the reporting procedures and of their rights and protections under them. The speak-up procedures can be the same as, or form part of, those used for reporting other concerns (e.g. safety, malpractice, wrongdoing). The organisation can use a third party to manage the reporting system.
Including This Control in the ABMS
Review the existing ethics hotline or whistleblowing procedure against the requirements above. Ensure it explicitly covers bribery reporting, allows anonymous submissions, and includes written non-retaliation protections. Include the reporting channel contact details in all training materials and internal communications platforms. Formally reference the speak-up procedure in the ABMS.
4.12 Investigation and Response Controls (Clause 8.10)
Detecting a potential bribery concern is only the beginning. ISO 37001:2025 requires robust procedures for assessing, investigating and responding to any bribery concern that is raised, detected or reasonably suspected. These controls are critical to managing legal risk and demonstrating genuine commitment to the ABMS.
Required investigation controls include procedures that:
Require assessment and, where appropriate, investigation of any bribery, violation of the anti-bribery policy or ABMS, which is reported, detected or reasonably suspected
Require appropriate action in the event the investigation reveals bribery or violation
Empower and enable investigators with appropriate authority, resources and access to information
Require co-operation in the investigation by relevant personnel
Require that the status and results of the investigation are reported to the anti-bribery function and other compliance functions
Require that investigations are carried out confidentially and that outputs are maintained confidentially
Investigations must be conducted by, and reported to, personnel who are not part of the role or function being investigated. Where an investigation establishes that bribery has occurred, follow-up actions may include:
Terminating, withdrawing from, or modifying the organisation’s involvement in the relevant project, transaction or contract
Repaying or reclaiming any improper benefit obtained
Disciplining responsible personnel, ranging from a formal warning to dismissal for a serious offence
Reporting the matter to the relevant authorities
Addressing any consequential legal offences (e.g. false accounting, tax offences, money laundering)
Including This Control in the ABMS
Review the existing investigation procedure and confirm it covers anti-bribery investigations specifically. Confirm investigators have independence from the function under investigation. Document the escalation and reporting pathway. Ensure the anti-bribery function receives all investigation outcomes. Reference the investigation procedure in the ABMS.
4.13 Monitoring, Audit and Management Review Controls (Clause 9)
Performance evaluation controls ensure that the ABMS is not merely documented but is actually effective. ISO 37001:2025 requires four overlapping mechanisms for evaluating ABMS performance.
4.13.1 Monitoring, Measurement, Analysis and Evaluation (Clause 9.1)
The organisation must determine what needs to be monitored and measured, the methods for doing so, when monitoring shall be performed, and when results shall be analysed and evaluated. Documented information shall be available as evidence.
Indicators may include: effectiveness of training; effectiveness of controls (e.g. sample testing outputs); effectiveness of responsibility allocation; whether audits are performed as scheduled; non-compliance instances and near-misses; instances where objectives are not achieved; and the status of the anti-bribery culture.
Including This Control in the ABMS
Establish an ABMS KPI dashboard or scorecard. Define monitoring frequency and responsible owners for each indicator. Include monitoring results in management review reporting.
4.13.2 Internal Audit (Clause 9.2)
The organisation must conduct internal audits at planned intervals to determine whether the ABMS conforms to requirements and is effectively implemented. The audit programme must address: bribery or suspected bribery; violation of the anti-bribery policy or ABMS; failure of business associates to conform to applicable requirements; and weaknesses or improvement opportunities. Audits must be reasonable, proportionate and risk-based, and conducted to ensure objectivity and impartiality — no auditor audits their own area of work.
Including This Control in the ABMS
Formally include ABMS topics in the internal audit plan. Ensure audit scope explicitly covers anti-bribery controls — both financial and non-financial. Confirm auditor independence. Retain audit reports and track findings to closure as documented information.
4.13.3 Management Review (Clause 9.3)
Top management must review the ABMS at planned intervals to ensure continuing suitability, adequacy and effectiveness. The governing body must also undertake reviews of top management’s implementation of the ABMS at planned intervals, based on information provided by top management and the anti-bribery function.
Management review inputs must include: status of actions from previous reviews; changes in external and internal issues; changes in needs and expectations of interested parties; ABMS performance information (non-conformities, audit results, bribery reports, investigations, bribery risk status); effectiveness of actions taken to address bribery risks; and opportunities for continual improvement. Outputs must include decisions on continual improvement and any need for ABMS changes, and a summary must be reported to the governing body.
Including This Control in the ABMS
Establish a formal ABMS management review at least annually. Define the standard agenda using the required input items. Document outputs and track decisions. Report the management review summary to the governing body. Retain records as documented information.
4.13.4 Review by the Anti-Bribery Function (Clause 9.4)
The anti-bribery function must assess on a continual basis whether the ABMS is adequate to effectively manage the bribery risks faced by the organisation, and whether it is being effectively implemented. The function must report at planned intervals, and on an ad hoc basis, to the governing body and top management on the adequacy and implementation of the ABMS, including the results of investigations and audits.
Including This Control in the ABMS
Establish a formal reporting cadence from the anti-bribery function to top management and the governing body. Document the structure and content of these reports. Retain records of reports provided and the meetings at which they were considered.
4.14 Managing Inadequacy of Anti-Bribery Controls (Clause 8.8)
ISO 37001:2025 recognises that due diligence will sometimes reveal situations where existing anti-bribery controls cannot manage the identified bribery risks, and the organisation cannot or does not wish to implement additional controls or change the nature of the transaction or relationship to reduce the risk to an acceptable level.
In such cases, the standard requires the organisation to:
In the case of an existing transaction, project, activity or relationship: take steps appropriate to the bribery risks and the nature of the relationship to terminate, discontinue, suspend or withdraw from it as soon as practicable
In the case of a proposed new transaction, project, activity or relationship: postpone or decline to continue with it
Including This Control in the ABMS
Establish a formal escalation and decision process for situations where anti-bribery controls are assessed as inadequate and additional controls cannot be implemented. Define who has authority to make the exit or decline decision, and document that decision and the rationale as retained documented information.
5. Integrating Existing Controls into the ABMS
Having catalogued the full range of controls required by ISO 37001:2025, the practical challenge for most compliance officers is integration: taking controls that already exist in the organisation — many not originally designed with the standard in mind — and formally including them within the Anti-Bribery Management System. The following six-step approach is recommended.
Step 1: Conduct a Control Inventory
Systematically identify all existing policies, procedures, systems and controls across the organisation that have a bearing on bribery risk. This should cover: finance and accounts, procurement and supply chain, human resources and employment, legal and contracts, sales and commercial, IT and systems, internal audit, corporate governance, and risk management. Interview function heads to surface controls that may not be centrally documented.
Step 2: Map Controls to ISO 37001:2025 Requirements
Create a structured mapping table that aligns each identified control to the relevant clause(s) of ISO 37001:2025. For each control, record: which clause(s) it addresses; the current owner; the current status (documented, implemented, monitored, effective); and whether the control explicitly references bribery risk or only manages it incidentally.
Step 3: Conduct a Gap Analysis
For each clause of the standard, assess whether the existing mapped controls fully satisfy the requirement or whether gaps remain. Common gaps include: no formal bribery risk assessment distinct from general enterprise risk management; no conflict of interest register with annual review; no anti-bribery commitment clause in commercial contracts; no documented training records for business associates; no anonymous reporting capability; no formal process for managing inadequate controls (Clause 8.8); and no documented anti-bribery function mandate.
Step 4: Formally Adopt and Document Controls in the ABMS
For all controls identified as satisfying (or partially satisfying) a clause requirement, formally adopt them into the ABMS by: referencing them in the ABMS scope document and documented information register; ensuring they include an explicit reference to bribery risk in their purpose statement; assigning a named ABMS owner; including them within the ABMS monitoring and audit framework; and ensuring they are reviewed as part of the ABMS management review cycle.
Step 5: Address Identified Gaps
For requirements not met by existing controls, develop new or enhanced controls proportionate to the identified bribery risk. Prioritise gaps in high-risk areas such as third-party management, public official interactions, high-risk jurisdictions or sectors, and conflict of interest management. Document a remediation plan with timelines and accountable owners.
Step 6: Maintain and Continuously Improve
The ABMS is a living system. Controls must be monitored for effectiveness, updated when circumstances change, and improved through lessons learned from audits, investigations and management reviews. Revisit the control mapping whenever the bribery risk assessment is updated, when significant business changes occur, or when new legal or regulatory requirements emerge.
6. Conclusion
ISO 37001:2025 provides a comprehensive, internationally recognised framework for preventing, detecting and responding to bribery. Its controls framework spans governance, risk assessment, employment, training, due diligence, financial management, procurement, third-party relationships, gifts and hospitality, conflicts of interest, speak-up mechanisms, investigations and performance evaluation. The 2025 edition strengthens several areas that deserve particular attention from compliance officers: the mandatory anti-bribery culture requirement, the enhanced conflict of interest provisions, the restructured and more demanding training framework, and the upgraded governing body oversight requirements.
The breadth of this framework can appear daunting. But for most organisations, the challenge is not one of building from scratch — it is one of recognising, documenting and formally integrating the extensive controls that already exist across the organisation into a single, coherent and properly governed Anti-Bribery Management System. The most common finding in any ABMS gap analysis is not that controls are absent, but that they are not yet “in” the ABMS: they have no identified bribery risk purpose, no ABMS ownership, and no inclusion in bribery-specific monitoring, audit or management review.
Addressing that gap — systematically mapping, documenting, adopting and improving existing controls under the ABMS framework — is the central task of ISO 37001 implementation for most organisations. When that task is completed with genuine intent and appropriate rigour, the result is an anti-bribery management system that is both certifiable and genuinely effective: one that is embedded in how the organisation makes decisions, manages relationships, and conducts its business.
Reference Note
This whitepaper is based on ISO 37001:2025, Anti-bribery management systems — Requirements with guidance for use (Second Edition). References to clause numbers are to this edition. The informative guidance in Annex A of the standard provides additional practical context for all requirements described in this paper. ISO 37301:2021 (Compliance management systems) and ISO 37000:2021 (Governance of organisations) provide complementary guidance.