Quick Read
The 2025 second edition of ISO 37001 elevates anti-bribery culture from aspiration to formal requirement, making it a defined term and standalone normative obligation for the first time. Most organisations certified under the 2016 edition have relied on policies and training alone without building genuine cultural change, a gap that will surface during surveillance audits. This whitepaper identifies seven common culture failures and six practical markers of effective anti-bribery culture, grounded in Speeki's audit experience across more than 100 countries.
1. Executive Summary
The second edition of ISO 37001, published in 2025, made a change that deserves far more attention than it has received. For the first time, the standard formally defines anti-bribery culture as a requirement — not a recommendation, not aspirational language tucked inside the guidance annex, but a defined term (Clause 3.30) and a standalone normative requirement (Clause 5.1.3). Organisations that certified to the first edition and have coasted on existing documentation since 2016 may be in for a significant surprise when their next surveillance audit arrives.
This matters because the failure mode in anti-bribery programmes is rarely a missing policy. Most organisations that experience bribery incidents have an anti-bribery policy. They have a training programme. They have a gifts register. They may even have ISO 37001 certification. What they do not have is a culture in which people genuinely believe that the organisation means it — and act accordingly.
This whitepaper examines what the 2025 standard actually requires on culture, what auditors look for when assessing it, and what separates organisations that have built something real from those that are running an expensive fiction. Drawing on our experience as ISO 37001 certification auditors operating across more than 100 countries, we identify seven common culture gaps that appear repeatedly — and set out six practical markers of what good looks like. We also address the measurement question: how do you know whether your anti-bribery culture is working?
A policy without a culture is a liability dressed up as a defence.
The audience for this paper is compliance officers, general counsel, chief executive officers, board members, and any professional responsible for implementing, auditing, or certifying anti-bribery management systems. The perspective throughout is practical — what actually happens inside organisations, what auditors see, and what needs to change.
2. The Standard Has Changed — And Most Organisations Have Not Noticed
ISO 37001 was first published in 2016 as a landmark document: the first international standard specifically designed to help organisations prevent, detect, and respond to bribery. In the nine years since publication, thousands of organisations worldwide have sought certification, and the standard became a reference point for regulators, prosecutors, and procurement functions assessing the credibility of anti-bribery programmes.
The 2025 second edition revised the standard in several areas. Most revisions are relatively technical — alignment with updated harmonised structure language, renumbering of definitions, adjustments to references. But two changes are substantively important for any organisation serious about running an effective anti-bribery management system.
2.1 A New Defined Term: Anti-Bribery Culture (Clause 3.30)
The 2025 edition introduces for the first time a formal definition of anti-bribery culture:
Clause 3.30 — Anti-bribery culture (ISO 37001:2025)
"values, ethics, beliefs and conduct that exist throughout an organisation and interact with the organisation's structures and control systems to produce behavioural norms that are conducive to the anti-bribery policy and the anti-bribery management system"
Note 1: This term has been adapted from ISO 37301:2021, 3.28, "compliance culture".
The definition is important for what it explicitly connects. Culture is not defined as tone at the top, a speak-up programme, or training completion rates. It is the interaction between values and beliefs on the one hand, and structures and control systems on the other, that produces behavioural norms. This framing places culture squarely inside the management system — not above it, not beside it, but woven into how the system actually operates in practice.
This has audit implications. Culture can no longer be assessed by asking whether the CEO has signed the anti-bribery policy. An auditor examining Clause 3.30 needs to see evidence that structures and controls are producing the right behavioural norms across the organisation — including in the locations, functions, and roles where bribery risk is highest.
2.2 A New Normative Requirement: Anti-Bribery Culture (Clause 5.1.3)
The 2025 edition also introduces Clause 5.1.3 as a standalone normative clause under Section 5 (Leadership), separate from the existing requirements on leadership commitment (5.1.1 and 5.1.2). Its requirements are specific:
Clause 5.1.3 — What the standard now requires
The organisation shall develop, maintain, and promote an anti-bribery culture at all levels within the organisation.
The governing body, top management, and management shall demonstrate an active, visible, consistent, and sustained commitment towards a common standard of behaviour and conduct that is required throughout the organisation.
Top management shall encourage behaviour that supports the anti-bribery policy and the anti-bribery management system.
Top management shall prevent and not tolerate behaviour that compromises anti-bribery.
Each word in these requirements carries weight when read by an auditor. "Active" distinguishes genuine engagement from passive endorsement. "Visible" requires evidence of leadership behaviour that can be observed and documented. "Consistent" means culture cannot be episodic — a tone-at-the-top message at annual risk training does not satisfy a consistent commitment. "Sustained" means the commitment must persist across personnel changes, business cycles, and competitive pressure. And "all levels" means the requirement applies to line managers and supervisors, not only the executive team.
This is not aspirational language. These are "shall" requirements in the normative body of the standard. An organisation that cannot demonstrate them against objective evidence is non-conformant — regardless of how polished its written anti-bribery programme appears on paper.
3. The Infrastructure Trap — Why Most Anti-Bribery Programmes Are Incomplete
The compliance industry has become very good at building anti-bribery infrastructure. A typical ISO 37001-certified organisation will have a documented anti-bribery policy, a risk assessment methodology, a gifts and hospitality register, third-party due diligence procedures, training records, a whistleblowing channel, investigation procedures, and a set of management review records. Certification bodies inspect this documentation and, if the paperwork is in order, award a certificate.
The problem is that none of this infrastructure tells you what people actually do when they face a real bribery decision. Infrastructure tells you what the organisation says it will do. Culture tells you what it actually does — under pressure, in markets where bribery is normalised, when a deal is at risk, and when the person being bribed is a long-standing business partner rather than an abstract category in a risk assessment.
Infrastructure tells you what the organisation says it will do. Culture tells you what it actually does.
The gap between the two is where real bribery risk lives. Consider three scenarios that appear repeatedly across industries and jurisdictions:
Scenario A: The Compliant Sales Team That Ignores the Policy
A multinational organisation has an ISO 37001-certified anti-bribery management system. Its sales team operating in a high-risk market understands that certain government procurement processes involve facilitation payments. Nobody has formally approved this — it is simply how business is done in the market. Sales managers route the payments through a local agent whose commission structure provides sufficient margin. Training completion rates are 94%. The gifts register shows no entries above the threshold. The certification audit passed cleanly.
Scenario B: The Reporting Channel Nobody Trusts
An organisation has a third-party ethics hotline, consistent with ISO 37001 Clause 8.9. The procedure is documented. Employees are told they can report anonymously. What the organisation has never measured is whether employees actually believe they will face retaliation if they report. In exit interviews — which the anti-bribery compliance function never sees — employees consistently describe instances where the organisation declined business to protect key relationships, and where those who raised concerns were quietly managed out of commercial roles. The hotline receives zero reports. Management interprets this as a clean culture. An auditor might reach the opposite conclusion.
Scenario C: The Governing Body That Reviews Without Oversight
A board of directors receives a quarterly compliance dashboard from the Chief Compliance Officer. It shows green across all key indicators: training completion, hotline activity, due diligence volumes, gifts register entries. The board asks no questions. No director has any independent knowledge of how the business handles high-risk transactions in its most exposed markets. When bribery is later discovered in a joint venture, the board's defence is that it received regular reporting and had no reason for concern. Auditors examining Clause 5.1.1 (governing body responsibilities) will look at the substance of the governing body's engagement, not just whether reporting occurred.
Each scenario involves an organisation with complete anti-bribery infrastructure. Each scenario involves a culture failure. And in each case, that culture failure would not be visible in a document review. It requires a different kind of assessment.
4. Seven Culture Gaps — What Auditors Find
Based on our experience conducting ISO 37001 certification and surveillance audits across organisations of varying sizes, sectors, and jurisdictions, the following seven culture gaps appear most consistently. These are not theoretical weaknesses — they are the findings that generate nonconformities, corrective action requests, and, in the most serious cases, suspension of certification.
# | Culture Gap | What Auditors Observe | ISO 37001:2025 Clause |
|---|---|---|---|
1 | Leadership by signature, not by conduct | Governing body and top management have approved and signed the anti-bribery policy but cannot articulate bribery risk in the organisation's own operations. Leadership visibility in culture promotion is absent from documented evidence. | 5.1.1, 5.1.2, 5.1.3 |
2 | Training completion ≠ comprehension or belief | Organisation tracks training completion rates as its primary culture metric. Personnel who have completed training cannot explain what they should do if asked to facilitate a payment, or are unaware of the reporting channel. Training is event-based, not role-calibrated. | 7.3.1, 7.3.2, 7.3.4 |
3 | The reporting channel nobody uses | Whistleblowing or concerns channel exists and is documented. Zero or near-zero reports across extended periods. No analysis of why reporting is low; volume interpreted as positive indicator. Personnel in interviews express doubt that reporting would be safe or effective. | 5.1.2(k), 5.1.2(l), 8.9 |
4 | Middle management as the culture gap | Senior leadership communicates anti-bribery expectations. Operational teams generally understand the policy. The layer of line managers and supervisors — who exercise day-to-day authority over decisions with bribery risk — receives no specific anti-bribery leadership guidance and is never assessed. | 5.1.3, 7.3.2 |
5 | Conflicts of interest treated as a form, not a risk | Conflict of interest declarations are collected annually. No analysis of whether declared interests create actual bribery risk. Nobody follows up on missing declarations. Undeclared conflicts that later become relevant to bribery findings are common. | 3.29, 7.2.2.1(e), A.8.3 |
6 | Governing body oversight is nominal | Board receives compliance dashboard. Never requests independent verification. Never asks for information about high-risk markets or third-party relationships. Cannot describe recent bribery risks discussed at board level. No evidence of governing body initiating any compliance inquiry. | 5.1.1, 9.3.2 |
7 | Culture is never measured | Organisation has no structured method for assessing whether its anti-bribery culture is effective. KPIs are all lagging (reports, incidents, training rates). No perception surveys, no independent assessment, no audit of whether behavioural norms match policy intent. | 9.1, 9.4 |
Organisations that have multiple gaps from this list face a compounded risk: each gap reinforces the others. A governing body that provides nominal oversight will not challenge inadequate culture measurement. A middle management layer without anti-bribery leadership guidance will not encourage reporting. A reporting channel nobody trusts will leave culture failures undetected. The infrastructure can look complete while the culture has never been built.
5. What Good Looks Like — Six Markers of Genuine Anti-Bribery Culture
The inverse of the seven gaps is not their absence — it is the presence of something more durable. Based on the ISO 37001:2025 requirements and what high-performing organisations actually do, the following six markers characterise genuine anti-bribery culture. They are observable, documentable, and auditable. They are also genuinely hard to fake over time.
5.1 Leaders Who Know the Risk, Not Just the Policy
In organisations with genuine anti-bribery culture, governing body members and senior leaders can speak specifically about the organisation's bribery risks — not in generic terms, but in relation to actual markets, business models, and third-party relationships. They receive briefings on specific risk categories, ask informed questions in management reviews, and can articulate how the organisation's commercial decisions interact with bribery risk.
This is qualitatively different from leaders who have signed a policy and attended an annual training. ISO 37001:2025 Clause 5.1.3 requires "active, visible, consistent, and sustained commitment" — all four adjectives point toward engagement that can be demonstrated, not merely asserted. Evidence includes meeting minutes that record substantive anti-bribery discussions, governing body requests for specific information, and documented instances where leadership behaviour was specifically intended to reinforce anti-bribery culture.
5.2 Managers at Every Level Who Own Their Responsibility
The 2025 standard states explicitly that "managers at every level shall be responsible for requiring that the anti-bribery management system requirements are applied and complied with in their department or function" (Clause 5.3.1). In organisations where this works, line managers understand that anti-bribery responsibility is not confined to the compliance function — they own it in their own domain.
Practically, this means line managers can name the highest bribery risks in their team's work, know the procedure for raising a concern or refusing a problematic instruction, and would not authorise a payment or a third-party engagement that does not meet the organisation's standards without escalating. Anti-bribery is a regular topic in operational meetings, not only an annual compliance event.
5.3 A Reporting Environment People Actually Trust
Clause 8.9 requires reporting procedures to encourage and enable reporting, protect confidentiality, permit anonymity, and prohibit retaliation. Clause 5.1.2(l) places personal responsibility on top management to ensure no personnel suffer retaliation for good-faith reports. But the test of whether this works is not the documented procedure — it is whether people actually use it, and why.
Organisations that have built genuine reporting cultures know why their reporting volumes look the way they do. They have asked personnel whether they trust the channel. They understand what barriers exist — fear of exposure, scepticism about outcomes, cultural norms around hierarchy. They take targeted action to address those barriers. And when reports do come in, they respond in a way that demonstrates to the broader workforce that reporting has consequences — not for reporters, but for the conduct that was reported.
A reporting channel measures trust. Zero reports is a data point, not a clean bill of health.
5.4 Conflicts of Interest Are a Dynamic Risk, Not an Annual Form
ISO 37001:2025 introduces a fully revised definition of conflict of interest (Clause 3.29) and adds a new requirement under Clause 7.2.2.1(e) that personnel are made aware of the necessity to report potential and actual conflicts of interest. The new Annex guidance (A.8.3) expands the treatment of conflicts significantly, including examples covering directors with concealed interests in competing organisations and managers with financial interests in suppliers.
Organisations that handle this well treat conflicts as a live risk management issue, not a compliance formality. Declarations are reviewed analytically. Where a declared interest creates a risk relevant to a specific procurement, project, or relationship, someone is responsible for managing it. Undeclared conflicts are treated as a conduct issue, not a paperwork failure. And the anti-bribery compliance function has a genuine view of where conflicts exist across the organisation's highest-risk functions.
5.5 Due Diligence That Matches the Risk
One of the most reliable markers of anti-bribery culture is how an organisation behaves when due diligence reveals a problem with a third party. The procedure for conducting due diligence is relatively easy to document. The culture question is what happens when the due diligence identifies adverse findings, and the commercial relationship in question is valuable.
In organisations with genuine culture, due diligence findings are escalated to the anti-bribery compliance function and, where appropriate, to top management. Decisions to proceed despite adverse findings are documented with a clear rationale and enhanced controls. Decisions to walk away from a relationship on anti-bribery grounds are treated as evidence of the system working — not as commercial failures. Organisations that routinely reclassify adverse findings as low-risk in order to proceed are demonstrating a culture failure that will eventually produce an incident.
5.6 Culture Is Formally Assessed, Not Assumed
The most significant marker separating high-performing organisations from those running compliance theatre is whether they have ever formally assessed whether their anti-bribery culture is working. Most organisations have not. They have infrastructure assessments (certification audits), document reviews, and training completion data. They have not measured whether personnel at different levels believe the organisation means what it says, whether they know what to do in a real bribery situation, or whether they trust the structures in place to protect them if they act with integrity.
Formal culture assessment can take several forms: structured surveys using validated instruments, focus groups with personnel in high-risk functions, independent interviews with middle management, behavioural observation during operations, or specialist assessment by an external party with expertise in anti-bribery culture. ISO 37001:2025 Clause 9.4 requires the anti-bribery compliance function to assess on a continual basis whether the management system is adequate and being effectively implemented. A culture that has never been assessed cannot be said to have met this standard.
6. The Governing Body's Critical Role
ISO 37001:2025 is unambiguous about the governing body's responsibilities. Clause 5.1.1 requires the governing body to exercise "reasonable oversight over the implementation of the organisation's anti-bribery management system by top management, its intended results and its effectiveness." Clause 5.1.3 specifically names the governing body alongside top management and management as collectively responsible for demonstrating "active, visible, consistent, and sustained commitment" to the anti-bribery culture.
This matters because the governing body is the only entity in the organisation with the authority and independence to hold top management accountable for anti-bribery performance. If the governing body's oversight is nominal — receiving periodic dashboards without critical engagement — it creates a structural gap that no amount of operational procedure can fill.
The question for any governing body is not whether it has received anti-bribery reporting. The question is whether it has exercised genuine oversight. A useful diagnostic for boards and audit committees includes:
Can the governing body describe the organisation's top three bribery risks in its current operations, independent of what management has told it?
Has the governing body ever requested independent verification of any aspect of the anti-bribery management system — an external assessment, a culture survey, or information from the anti-bribery compliance function directly?
Has the governing body discussed what it would expect to happen if a serious bribery allegation were made? Does it know the investigation procedure?
Has the governing body considered whether commercial pressure, incentive structures, or market entry strategies create anti-bribery risks that management may be motivated to underweight?
Has any member of the governing body ever spoken directly with operational personnel — without management present — about how anti-bribery policy is experienced in practice?
These are not abstract governance questions. They are the questions that regulators and prosecutors ask when investigating whether an organisation's anti-bribery programme was genuine. Governing bodies that cannot answer them credibly face significant personal and institutional risk — and are not meeting the requirements of ISO 37001:2025.
The governing body is the only entity with the authority to hold management accountable for anti-bribery performance. Nominal oversight is not oversight at all.
7. Measuring What Matters — Anti-Bribery Culture Indicators
ISO 37001:2025 Clause 9.1 requires the organisation to determine what needs to be monitored and measured, and to establish methods for analysis and evaluation. Applied to culture, this means organisations need a structured set of indicators that go beyond lagging compliance metrics and into the territory of cultural health.
The table below organises anti-bribery culture indicators into seven categories, distinguishing between what can be measured and what the measurement actually signals. A critical principle: any individual indicator can be gamed or misread. It is the pattern across categories, assessed over time, that reveals whether a culture is healthy or deteriorating.
Category | What to Measure | What It Signals |
|---|---|---|
Leadership Behaviour | Documented instances of governing body/management anti-bribery engagement beyond policy approval: substantive board discussion minutes, management decisions based on anti-bribery grounds, leadership-initiated culture communications | Whether commitment is performative or operational |
Reporting Channel Health | Volume and type of reports over time; proportion reported anonymously; resolution time; outcome distribution; comparison with comparable organisations or industry benchmarks; perception surveys on trust in reporting | Whether personnel believe it is safe and effective to speak up |
Training Quality & Reach | Role-specific training design; comprehension test results (not just completion); scenario-based recall after 90 days; bespoke content vs. generic module; training reaching middle management and business associates | Whether training changes knowledge and behaviour, not just ticks a box |
Conflict of Interest Management | Declaration completion rate; proportion triggering follow-up; identified but unmitigated conflicts; time between declaration and review action; number of undeclared conflicts discovered retrospectively | Whether the organisation treats COI as a live risk or a form |
Due Diligence Outcomes | Proportion of third-party reviews resulting in enhanced scrutiny or adverse findings; proportion of adverse findings resulting in enhanced controls vs. risk reclassification; relationships exited on anti-bribery grounds | Whether due diligence drives decisions or justifies pre-made decisions |
Culture Perception | Anonymous personnel surveys: do employees believe senior leaders mean it? Do they know what to do if asked to facilitate a payment? Would they report a concern? Do they trust the outcome? | The gap between stated culture and experienced culture |
Incident & Near-Miss Learning | Number and type of bribery-related concerns raised; near-miss reports; proportion resulting in system change; time to corrective action; quality of post-incident review documentation | Whether the organisation learns from imperfection or suppresses it |
One point requires particular emphasis: report volume as a standalone metric is misleading in both directions. Zero reports does not indicate a clean culture — it may indicate a culture in which people do not trust the reporting system or fear retaliation. High report volumes do not indicate a failing culture — they may indicate a confident workforce that believes the organisation responds effectively. Understanding the pattern behind the data, not just the data itself, is the competence that culture measurement requires.
Organisations that have only ever used lagging, operational metrics to assess their anti-bribery programme have a structural blind spot. The culture assessment capability implied by ISO 37001:2025 is not something that can be built from existing compliance dashboards. It requires deliberate investment in methodology, in independence, and in willingness to hear uncomfortable findings.
8. Practical Steps — A Culture Assessment Roadmap
For organisations that have identified culture gaps, or that want to verify whether their current culture assessment approach is adequate against the 2025 standard, the following roadmap provides a structured starting point. It is not prescriptive — the appropriate depth and method depend on the organisation's size, risk profile, and existing maturity.
Phase 1: Establish the Baseline (Months 1–2)
Review existing anti-bribery culture activities and documentation against Clauses 3.30 and 5.1.3 requirements. Identify what evidence exists and where the gaps are.
Map the organisation's highest bribery-risk functions and geographies. These are the priority areas for culture assessment — not the headquarters compliance function.
Assess the governing body's current engagement against the Clause 5.1.1 oversight requirements. Is oversight substantive or nominal?
Review the most recent training cycle for role specificity, comprehension measurement, and coverage of middle management and business associates.
Phase 2: Structured Perception Assessment (Months 2–4)
Deploy an anonymous perception survey across a representative sample of personnel, with specific questions on: belief in leadership commitment; willingness to report a concern; understanding of what to do in a real bribery situation; trust in the reporting channel.
Conduct focus groups or individual interviews with middle managers and supervisors in high-risk functions. These conversations — conducted by someone independent of the management hierarchy — reveal culture gaps that surveys cannot surface.
Review conflict of interest declarations and follow-up actions for the past two years. Assess whether declared interests are being managed as risks.
Interview a sample of personnel who have used the reporting channel. How was their experience? Would they report again?
Phase 3: System Alignment and Corrective Action (Months 4–6)
Map perception assessment findings against existing infrastructure. Where gaps exist between stated requirements and experienced culture, identify the root cause — is it a control failure, a leadership failure, or a structural design flaw?
Develop targeted corrective actions. Culture gaps rarely respond to more documentation. They respond to changed behaviour by specific people in specific roles.
Brief the governing body on findings with full transparency, including adverse findings. The governing body's engagement with uncomfortable information is itself a culture signal.
Establish ongoing measurement cadence: which indicators will be tracked quarterly, which annually, and what thresholds trigger escalation to the anti-bribery compliance function or governing body.
Phase 4: Independent Verification (Ongoing)
Commission periodic independent assessment of anti-bribery culture by a party with no organisational interest in the findings. For most organisations, this means an external specialist — not the organisation's internal audit function, which typically lacks the specific methodology and independence required.
Ensure that external assessors have access to personnel without management present, and that findings are reported directly to the anti-bribery compliance function and governing body.
Document the assessment process, findings, and corrective actions as part of the management system's documented information under Clause 7.5.
Feed assessment findings into the management review process under Clause 9.3 and the anti-bribery compliance function review under Clause 9.4.
None of these steps are optional in the sense that they may be safely omitted — but the depth and rigour required is proportionate to the organisation's risk profile. An organisation operating in low bribery-risk environments with limited third-party exposure will apply a different level of rigour than a multinational construction company operating in multiple high-risk jurisdictions. ISO 37001:2025 Clause 4.1 requires the organisation to determine the issues relevant to its context, and culture assessment methodology should reflect that context.
9. Conclusion
The introduction of anti-bribery culture as a defined term and normative requirement in ISO 37001:2025 reflects an important evolution in how the international community understands what effective anti-bribery management actually requires. A policy is not a programme. A programme is not a culture. And a culture that has never been tested under pressure is not a defence.
Organisations that have ISO 37001 certification, or that are working toward it, should use the 2025 second edition as an occasion to look honestly at whether what they have built is genuinely embedded in how people think and behave — or whether it is a well-documented fiction that would not survive scrutiny in the event of an actual incident.
The culture gaps identified in this paper are not theoretical. They appear in audit after audit, across sectors and jurisdictions, in organisations that have invested seriously in anti-bribery infrastructure. The infrastructure problem has largely been solved by the first decade of ISO 37001 implementation. The culture problem has not. That is where the work is now.
The infrastructure problem has largely been solved. The culture problem has not. That is where the work is now.
Organisations that address culture systematically — measuring it, challenging it, and holding leaders accountable for it — will find that their anti-bribery programme becomes something qualitatively different from a certification exercise. It becomes a genuine operational asset: one that actually reduces bribery risk, that creates the conditions for early detection, and that provides a credible defence if the worst occurs. That is what ISO 37001 was always intended to produce. The 2025 second edition makes clear that it requires something more than documentation to get there.
Speeki
Speeki is an ISO-accredited ESG assurance and certification firm operating across more than 100 countries, with offices in Singapore, the United Kingdom, and France. Speeki is accredited under ISO 17021-1 through COFRAC (France) and ANAB (USA), providing management system certification including ISO 37001 anti-bribery. Speeki provides other certifications according to ISO 37301 compliance, ISO 37002 whistleblowing, and a broad range of other governance and sustainability standards which it may or may not be accredited for. Please refer to our website for Speeki’s latest accreditations which are regularly being expanded.
Speeki's ISO 37001 practice combines certification audit capability with specialist advisory on anti-bribery management system design, culture assessment, due diligence programme development, and executive education. Speeki Executive Education delivers practitioner-led anti-bribery training programmes including a dedicated ISO 37001 three-day executive course using live case study methodology.
For enquiries: info@speeki.com | speeki.com
The views expressed in this whitepaper are those of Speeki and are intended to contribute to practitioner and governance discourse on anti-bribery management system culture. They do not constitute legal advice. ISO 37001 is a registered trademark of ISO.