Quick Read

ISO 37001 certification requires more than existing anti-bribery controls—it demands a formal management system built on continuous improvement cycles, including mandatory internal audits, structured management reviews, and documented non-conformity processes that most traditional compliance programmes lack. The distinction lies not in having anti-bribery policies and procedures, but in how those elements are governed, measured, and systematically improved over time. Compliance teams accustomed to regulatory frameworks often underestimate the operational rigor and standardised governance structure that ISO 37001 certification entails.

Executive Summary

Many organisations operating anti-bribery and anti-corruption (ABAC) compliance programmes believe that their existing policies, training, and controls can simply be "certified" under ISO 37001. This assumption is understandable but fundamentally incorrect.

An ABAC compliance programme and an ISO 37001 Anti-Bribery Management System (ABMS) are not the same thing. They are different in concept, structure, and operation. The compliance programme is essentially linear: it is designed, implemented, and maintained as a set of controls. The management system is circular: it is a living, self-evaluating system governed by a formal Plan-Do-Check-Act (PDCA) cycle that requires ongoing evidence of performance and continuous improvement.

ISO 37001 introduces mandatory requirements that most compliance programmes do not address — including formal internal audit programmes, structured management reviews, documented non-conformity management, and systematic performance measurement. For compliance professionals unfamiliar with ISO management systems, these concepts can be surprising and the path to certification more demanding than anticipated.

This white paper explains the differences in plain terms, identifies the specific ISO requirements that go beyond a typical compliance programme, and helps organisations understand what genuine ISO 37001 certification requires.

Key Insight

ISO 37001 certification is not a stamp of approval on your existing ABAC programme. It is the recognition that you operate a management system — one that is structured, measured, reviewed, and continuously improved. If your programme cannot demonstrate these qualities, it is not yet a management system.

1. The Common Misconception

When organisations first explore ISO 37001 certification, a typical reaction from compliance teams is: "We already have all of this." They point to their anti-bribery policy, their third-party due diligence process, their gifts and hospitality register, their training programme, and their reporting hotline. On the surface, many of these elements do overlap with ISO 37001 requirements. This creates a false sense of readiness.

The misunderstanding stems from a failure to distinguish between having anti-bribery controls and operating an anti-bribery management system. Controls are components of a system, but they do not in themselves constitute one. A management system is defined not only by what controls exist, but by how they are governed, evaluated, measured, and improved over time.

Compliance professionals are, by training and experience, expert in regulatory frameworks: laws, regulations, enforcement priorities, and risk mitigation through policies and procedures. ISO management systems come from a different tradition — one rooted in operational quality, standardised governance, and continuous improvement methodology. The language, structure, and expectations of ISO standards are often unfamiliar to compliance teams, and this creates a gap between what organisations think they have and what certification actually requires.

The Core Question

The question is not: "Do we have anti-bribery controls?" Almost every organisation of scale does.

The question is: "Do we operate a system that continuously plans, implements, monitors, measures, reviews, and improves those controls?" That is a different question entirely, and one that most ABAC programmes cannot yet answer affirmatively.

2. The ABAC Compliance Programme: A Linear Approach

A traditional ABAC compliance programme follows a broadly linear logic. It is designed in response to legal risk, regulatory expectation, or enforcement guidance. It is implemented through a set of controls and then maintained as those controls are updated or refreshed. The typical lifecycle looks something like this:

Risk Assessment → Policies & Procedures → Training & Awareness → Controls & Monitoring → Incident Response

Each stage flows to the next. Once implemented, the programme is reviewed periodically — typically when triggered by a change in law, a regulatory development, or an internal incident. In between these trigger events, the programme largely operates as a steady-state set of controls.

2.1 Characteristics of a Linear ABAC Programme

A linear compliance programme typically has the following characteristics:

  • It is designed and deployed as a project with a defined scope and endpoint.

  • It is governed through compliance ownership — usually a compliance officer, general counsel, or ethics function.

  • Policies and procedures are documented but reviewed on an ad hoc or annual basis.

  • Training is delivered on a scheduled cycle, often driven by onboarding or annual refresher obligations.

  • Monitoring is undertaken through controls testing, internal audit activities, or periodic compliance reviews.

  • Non-compliance is managed reactively, typically through the investigations and disciplinary process.

  • There is no formal mechanism for feeding operational data back into the design of the programme in a structured, recurring cycle.

This is not a criticism of the compliance programme model. For many organisations, a well-designed linear ABAC programme is an effective and appropriate response to bribery risk. The point is that it is structurally different from a management system — and that difference has real implications for certification.

2.2 What Drives the Linear Programme

Linear compliance programmes are typically driven by:

  • Regulatory requirements — such as the UK Bribery Act 2010, the US Foreign Corrupt Practices Act, or equivalent national legislation.

  • Enforcement guidance — for example, the UK Ministry of Justice guidance on "adequate procedures" or DOJ guidance on effective compliance programmes.

  • Industry standards or best practice frameworks — such as the OECD Good Practice Guidance, Transparency International guidance, or equivalent sector-specific frameworks.

  • Internal audit findings or regulatory examinations.

These drivers produce a compliance programme that is responsive to external expectation. It is designed to demonstrate that the organisation is doing the right things. What it does not inherently require is a structured mechanism for demonstrating that the system itself is working, improving, and governed over time. That is the domain of the management system.

3. ISO 37001: A Circular Management System

ISO 37001 is a management system standard. This is a critical phrase that is frequently misunderstood. A management system standard does not simply define what controls an organisation should have. It defines how an organisation should govern, operate, evaluate, and improve those controls as part of a continuous cycle.

The architecture of all ISO management system standards — whether ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (occupational health and safety), or ISO 37001 (anti-bribery) — follows a common structure known as the High Level Structure (HLS). This structure is built around the Plan-Do-Check-Act (PDCA) cycle, a methodology developed in quality management and now applied universally across ISO standards.

The Plan-Do-Check-Act (PDCA) Cycle in ISO 37001

PLAN: Establish the context, identify risks, set objectives, design the management system.

DO: Implement and operate the controls, processes, and procedures.

CHECK: Monitor, measure, analyse, and evaluate performance. Conduct internal audits. Hold management reviews.

ACT: Address non-conformities, implement corrective actions, drive continual improvement.

This cycle is not completed once. It repeats — continuously and in perpetuity. Each cycle feeds the next. That is what makes it a management system.

3.1 Why the Circular Model Matters

The circular nature of the management system has profound practical implications. It means that:

  • The system is never "finished." There is no completion date. The PDCA cycle repeats indefinitely.

  • Performance data from the Check stage must feed back into the Plan stage, informing how objectives, risks, and controls are set in the next cycle.

  • Non-conformities identified in the Check stage must be formally managed, root-cause analysed, and corrected — with evidence that the correction has been effective.

  • Management at the highest level must be engaged not just at inception but on a recurring, structured basis through formal management reviews.

  • The organisation must demonstrate, with documented evidence, that the system is operating and improving — not just that controls exist.

For a certification body (also called a Conformity Assessment Body or CAB), the audit of an ISO 37001 management system is not a review of whether policies exist. It is a review of whether the entire PDCA cycle is operating effectively and can be evidenced. This is a fundamentally different scope from a compliance programme review.

3.2 ISO 37001 and the High Level Structure

ISO 37001 is organised into ten clauses. Clauses 4 through 10 define the management system requirements. They map directly onto the PDCA cycle:

Clause 4 – Context

Understanding the organisation, its context, interested parties, and the scope of the management system. This is not a one-off exercise — it must be reviewed and maintained.

Clause 5 – Leadership

Top management commitment, roles, responsibilities, and the ABMS policy. Leadership must demonstrably support the system, not just endorse a policy document.

Clause 6 – Planning

Bribery risk assessment, legal and other requirements, setting objectives. Planning must be documented and revisited in each PDCA cycle.

Clause 7 – Support

Resources, competence, awareness, communication, and documented information. Document control is a formal requirement, not just good practice.

Clause 8 – Operation

Operational planning and controls, due diligence, financial and non-financial controls, gifts and hospitality, raising concerns. This is where the compliance programme lives within the management system.

Clause 9 – Performance Evaluation

Monitoring, measurement, analysis, evaluation, internal audit, and management review. This is where most compliance programmes have significant gaps.

Clause 10 – Improvement

Non-conformity, corrective action, and continual improvement. These must be formally managed and evidenced, not handled informally.

Clauses 4 to 7 (Plan and support), Clause 8 (Do), Clause 9 (Check), and Clause 10 (Act) map precisely onto the PDCA cycle. An organisation seeking ISO 37001 certification must demonstrate conformity with all clauses, not just those that overlap with their existing compliance programme.

4. Where Compliance Programmes Fall Short: ISO-Specific Requirements

Most ABAC compliance programmes have reasonable coverage of Clause 8 (Operation). Policies, due diligence, training, financial controls — these are familiar territory. The gaps typically emerge in the areas that are specific to the management system architecture: the Check and Act phases. Below are the areas where compliance programmes most commonly fall short.

4.1 Monitoring, Measurement, Analysis and Evaluation (Clause 9.1)

ISO 37001 requires the organisation to determine what needs to be monitored and measured, what methods will be used, when monitoring will occur, and when results will be analysed and evaluated. This must be documented and maintained.

Most compliance programmes do monitor to some degree — transaction testing, hotline metrics, training completion rates. But ISO 37001 requires this to be systematic: the organisation must define its monitoring framework, apply it consistently, retain documented results, and use those results to draw conclusions about whether the ABMS is achieving its objectives.

The distinction is between ad hoc monitoring and a structured, evidenced monitoring programme that feeds into the management review cycle. Many compliance programmes cannot demonstrate the latter.

Common Gap – Monitoring

Having a compliance dashboard is not the same as operating a documented monitoring and measurement programme under ISO 37001. The standard requires the organisation to define its monitoring criteria, apply them consistently, and retain evidence that the results have been analysed and acted upon. The monitoring must also address whether the ABMS is performing as intended — not just whether training was completed.

4.2 Internal Audit Programme (Clause 9.2)

ISO 37001 requires the organisation to conduct internal audits at planned intervals to provide information on whether the ABMS conforms to its own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained.

This is a formal audit programme — planned, scoped, conducted by competent auditors who are independent of the activity being audited, documented, and followed up. It is not the same as a compliance review, a risk assessment, or a controls testing exercise.

Many organisations have internal audit functions that test financial controls or operational processes. Fewer have audit programmes specifically designed to audit the ABMS as a system — testing not just whether controls exist but whether the management system is operating in conformity with ISO 37001.

The internal audit function must also have sufficient independence and competence in ISO 37001 requirements. This is frequently a capability gap: internal auditors who are expert in financial audit may have limited knowledge of management system auditing methodology.

Common Gap – Internal Audit

A compliance review is not an ISO internal audit. An ISO internal audit tests the management system against the requirements of the standard, using management system audit methodology. It requires planning (audit programme), scope definition, competent independent auditors, documented findings, and follow-up on corrective actions. Most compliance programmes do not have this.

4.3 Management Review (Clause 9.3)

Top management must review the organisation's ABMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction of the organisation. This is not an optional or informal activity. It is a mandatory, documented review with specific required inputs and outputs.

The inputs to a management review include: the status of actions from previous reviews, changes in external and internal issues, information on ABMS performance (including monitoring results, non-conformities, audit findings, and fulfilment of objectives), adequacy of resources, relevant communications from interested parties, and opportunities for continual improvement.

The outputs must include decisions and actions related to continual improvement opportunities, any need for changes to the ABMS, and resource needs. These outputs must be retained as documented information.

For most compliance programmes, "management review" translates to an annual board presentation on compliance status. This falls well short of the ISO 37001 requirement, which demands a structured review with defined inputs, documented outputs, and evidence of follow-up action.

Common Gap – Management Review

A board compliance report is not a management review under ISO 37001. The standard requires a structured review with defined inputs (including audit results, monitoring data, and the status of previous actions), documented outputs (including specific decisions on improvement), and evidence that outputs are followed up. The review must also involve top management — not just the compliance function.

4.4 Non-Conformity and Corrective Action (Clause 10.1)

When a non-conformity occurs — meaning a failure to meet a requirement of the ISO 37001 standard or the organisation's own ABMS requirements — the organisation must react to it, take action to control and correct it, deal with the consequences, evaluate whether similar non-conformities exist or could occur, implement any necessary corrective actions, review their effectiveness, and update the ABMS if required.

Non-conformities and corrective actions must be documented. The organisation must retain evidence of the nature of the non-conformity, actions taken, and the results of those actions.

This is a concept that many compliance professionals find uncomfortable because it requires the organisation to formally document its failures as part of the management system. In a compliance programme mindset, non-compliance events are managed through investigations and disciplinary processes, often with a degree of confidentiality and sensitivity. The ISO 37001 requirement is different: non-conformities with the management system itself must be recorded, analysed, and actioned in a structured and evidenced way.

Critically, non-conformities under ISO 37001 are not only bribery incidents. They include any failure of the management system to meet its own requirements — a missed audit, an incomplete management review, a monitoring gap, or a failure to maintain documented information correctly. Compliance programmes typically have no mechanism for identifying and managing this type of systemic non-conformity.

Common Gap – Non-Conformity Management

In a compliance programme, non-compliance means a bribery-related incident or policy breach. In ISO 37001, a non-conformity is any failure to meet the requirements of the management system — including operational failures, process gaps, and documentation failures. These must be formally logged, root-cause analysed, corrected, and reviewed for effectiveness. Most compliance programmes have no process for this type of systemic non-conformity management.

4.5 Continual Improvement (Clause 10.2)

ISO 37001 requires the organisation to continually improve the suitability, adequacy, and effectiveness of its ABMS. This is not aspirational language. It is a mandatory requirement that must be evidenced.

Continual improvement means the organisation is not merely maintaining the status quo — it is actively identifying opportunities to make the management system better. The outputs of monitoring, internal audits, management reviews, and non-conformity management should all be feeding into an improvement agenda. Where improvement opportunities are identified, they must be actioned and the results reviewed.

For a compliance programme, "improvement" often means updating a policy, refreshing training content, or adding a new control in response to a specific risk. For a management system, improvement is a structured, ongoing process with defined objectives, evidenced actions, and measured results. This is a different operating discipline.

4.6 Documented Information and Document Control (Clause 7.5)

ISO 37001 requires the organisation to maintain documented information to support the operation of the ABMS and to retain documented information to provide evidence that the ABMS is operating as planned. Documented information must be controlled: it must be available and suitable for use, adequately protected, distributed appropriately, stored and preserved, controlled for changes, and retained and disposed of according to defined rules.

This is a formal document management requirement. It goes beyond having policies filed in a document management system. The organisation must be able to demonstrate, at any point, that its documented information is current, controlled, accessible, and evidenced. For a certification audit, this means being able to produce records — audit reports, monitoring results, management review minutes, corrective action logs — on demand.

Many compliance programmes have good policy libraries but weak controls over other forms of documented information, particularly operational records. The ISO requirement for documented information spans the entire management system, not just the policy framework.

5. Side-by-Side: Comparison of Key Dimensions

The following table summarises the key differences between a typical ABAC compliance programme and an ISO 37001 Anti-Bribery Management System across the dimensions most relevant to certification readiness.

Each dimension below is shown for the ABAC Compliance Programme and then for the ISO 37001 Management System.

Nature
  ABAC Compliance Programme: A set of controls and policies implemented to manage bribery risk.
  ISO 37001 Management System: A governed system with a formal structure, PDCA cycle, and continuous improvement obligation.

Logic
  ABAC Compliance Programme: Linear: designed, implemented, maintained.
  ISO 37001 Management System: Circular: plan, do, check, act — repeatedly and indefinitely.

Trigger for review
  ABAC Compliance Programme: Driven by external events: regulatory change, incidents, audits.
  ISO 37001 Management System: Driven by internal system requirements: scheduled audits, management reviews, monitoring cycles.

Governance
  ABAC Compliance Programme: Owned by compliance function. Board receives periodic reports.
  ISO 37001 Management System: Top management has formal, recurring, documented governance obligations (management review).

Monitoring
  ABAC Compliance Programme: Ad hoc or scheduled controls testing. Compliance metrics.
  ISO 37001 Management System: Formal, documented monitoring and measurement programme with defined criteria and evidenced results.

Internal audit
  ABAC Compliance Programme: May be included in internal audit scope. Often compliance-focused.
  ISO 37001 Management System: Mandatory, planned internal audit programme using management system audit methodology. Must be independent and competent.

Non-conformity
  ABAC Compliance Programme: Managed through investigations and disciplinary process (bribery events).
  ISO 37001 Management System: Formal non-conformity management covering any ABMS failure — documented, root-cause analysed, corrected, reviewed for effectiveness.

Improvement
  ABAC Compliance Programme: Periodic updates to policies and controls. Reactive.
  ISO 37001 Management System: Mandatory continual improvement with defined objectives, actions, and measured results.

Document control
  ABAC Compliance Programme: Policy library. Documents updated on review cycle.
  ISO 37001 Management System: Formal documented information control covering all records across the management system lifecycle.

Certification basis
  ABAC Compliance Programme: Not designed for external certification. Demonstrates adequate procedures.
  ISO 37001 Management System: Designed for third-party certification. Requires conformity across all ten clauses of the standard.

Evidence for audit
  ABAC Compliance Programme: Policies, training records, due diligence files, incident reports.
  ISO 37001 Management System: All of the above, plus: audit reports, management review minutes, monitoring records, non-conformity logs, corrective action evidence, improvement records.

6. ISO Management Systems: A Different Professional Discipline

It is worth acknowledging directly that ISO management systems come from a professional tradition that is largely separate from legal and compliance practice. Quality management, environmental management, and occupational health and safety management all developed as operational disciplines, with their own methodologies, audit approaches, and professional communities.

For compliance professionals, engaging with ISO 37001 is often their first encounter with management system thinking. The language can feel unfamiliar: "context of the organisation," "interested parties," "documented information," "nonconformity," "continual improvement" — these are terms of art within the ISO world that do not map neatly onto compliance terminology.

This is not a reason for concern. It is a reason to invest in building capability and to seek guidance from professionals who understand both compliance and management system requirements. The two disciplines are complementary: the compliance programme provides the substantive anti-bribery content; the management system provides the operational framework for governing, evaluating, and improving that content.

What ISO Auditors Look For

A certification audit for ISO 37001 is conducted by an accredited certification body using management system audit methodology. Auditors will look for evidence of the full PDCA cycle in operation — not just whether controls exist.

They will sample documented information, interview personnel at multiple levels, review audit records and management review minutes, examine non-conformity logs, and assess whether the system is genuinely self-evaluating and improving.

An organisation that presents a well-documented compliance programme but cannot demonstrate the Check and Act phases of the management system cycle will not achieve certification.

6.1 The Role of the Compliance Function in an ISO 37001 ABMS

In an ISO 37001 management system, the compliance function — or the ABAC function — continues to play a central role. The ABMS Policy, the bribery risk assessment, operational controls, due diligence, and incident management remain within the compliance domain. But the compliance function must now operate within a governance framework that includes:

  • Defined roles and responsibilities for the management system (including an ABMS function — as required by clause 5.3).

  • A reporting line from the ABMS function to top management or the governing body.

  • Formal participation in the management review process.

  • Ownership of the internal audit programme for the ABMS (while ensuring auditor independence).

  • Responsibility for the non-conformity and corrective action process.

  • Maintenance of all documented information required by the standard.

For many compliance professionals, this represents an expansion of their traditional role. It requires them not only to manage anti-bribery risk but to operate and govern a management system — a skill set that may need to be developed or supplemented.

7. The Path to Certification: Practical Implications

For organisations considering ISO 37001 certification, the practical implication of the distinction between a compliance programme and a management system is significant. Readiness for certification is not measured by the quality of the compliance programme alone. It is measured by the maturity and completeness of the management system.

7.1 Gap Assessment

The starting point for any certification journey is a structured gap assessment against the full requirements of ISO 37001. This should evaluate not only whether the required controls and policies are in place (Clause 8) but whether the full management system architecture exists, including:

  • Clause 4: Is the context formally documented and maintained? Are interested parties and their requirements identified?

  • Clause 5: Is top management commitment evidenced through formal roles, responsibilities, and the ABMS policy? Is there an ABMS function with appropriate authority and independence?

  • Clause 6: Is the bribery risk assessment documented, current, and integrated into planning?

  • Clause 7: Is documented information controlled? Are competence and awareness requirements defined and evidenced?

  • Clause 9: Is there a formal monitoring and measurement programme? Is there a planned internal audit programme? Are management reviews conducted, documented, and followed up?

  • Clause 10: Is there a non-conformity management process? Is there evidence of continual improvement?

7.2 Building the Management System

For most organisations, achieving ISO 37001 certification requires more than updating existing documentation. It requires building the management system infrastructure that most compliance programmes currently lack. This typically includes:

  • Establishing a formal ABMS governance structure with defined roles and reporting lines.

  • Designing and implementing a monitoring and measurement programme with defined criteria, methods, and reporting.

  • Developing an internal audit programme, including training or appointing competent ABMS auditors.

  • Instituting a formal management review process with the required inputs and documented outputs.

  • Creating a non-conformity and corrective action process that captures systemic management system failures, not only bribery incidents.

  • Implementing document control across all documented information required by the standard.

  • Establishing an improvement programme with defined objectives and measurable targets.

7.3 Operating the System Before Certification

Certification bodies typically require evidence that the management system has been operating for a meaningful period before the certification audit — commonly at least three months, and often longer. This means the organisation must not only build the system but operate it through at least one cycle before seeking certification.

In practical terms, this means the organisation should be able to demonstrate at least one completed internal audit, at least one management review, active monitoring and measurement results, and a functioning non-conformity and corrective action process before inviting a certification audit. Building these records takes time and sustained operational commitment.

Certification Readiness Checklist

✓ Context of the organisation documented and current

✓ ABMS Policy issued and communicated by top management

✓ ABMS function established with defined authority and reporting line

✓ Bribery risk assessment documented and current

✓ All Clause 8 controls documented and operating

✓ Monitoring and measurement programme operating with documented results

✓ Internal audit programme in place and at least one audit completed

✓ Management review conducted and documented with required inputs and outputs

✓ Non-conformity and corrective action process operating with records

✓ Evidence of continual improvement activity

✓ All documented information controlled and retained

8. Conclusion

The distinction between an ABAC compliance programme and an ISO 37001 Anti-Bribery Management System is not merely semantic. It reflects a fundamental difference in approach: linear versus circular, reactive versus systematic, controls-focused versus system-governed.

Compliance programmes are valuable — often essential — and many of their components form the operational core of an ISO 37001 management system. But they do not, of themselves, constitute a management system. To achieve ISO 37001 certification, an organisation must build and operate the full management system architecture, including the Check and Act phases that compliance programmes typically lack.

For compliance professionals, the journey to ISO 37001 requires an investment in understanding management system principles, building new process capabilities, and operating a governance framework that is more demanding than most compliance programmes currently require. The reward is a certification that carries genuine credibility — because it is based on evidence of a system that works, not merely documentation of controls that exist.

How Speeki can help

Speeki is an assurance and AI technology company providing independent, technology-driven assurance over compliance and management system programmes. We help organisations understand whether their anti-bribery and corruption (ABAC) programme or ISO 37001 management system is genuinely effective, not simply documented.

Using advanced AI, Speeki delivers objective, evidence-based assurance that goes beyond traditional audit approaches. Our assessments cover the full scope of ISO 37001, including controls, governance, monitoring, internal audit, management review, and non-conformity processes.

We provide independent assurance only. We do not design or implement programmes. Our role is to deliver credible, impartial opinions on whether systems are operating as intended and meeting applicable requirements.

If you are seeking assurance over your existing ABAC programme or ISO 37001 system, or want to assess your readiness for certification, contact Speeki to learn more.

Speeki

Speeki provides independent assurance across a range of compliance and sustainability areas, including anti-bribery and corruption, ESG programmes, and ethics and conduct frameworks.

Our AI-driven approach enables deeper, faster, and more objective assessments than traditional methods, supporting organisations and their stakeholders with clear, evidence-based insights.

For further information, please visit speeki.com or contact us at info@speeki.com.

Disclaimer

This white paper is provided for general information purposes only. It does not constitute legal advice and should not be relied upon as such. The content reflects Speeki's interpretation of ISO 37001 requirements as of the date of publication. Organisations should obtain independent professional advice specific to their circumstances before undertaking any ISO 37001 certification project. ISO 37001 is published by the International Organization for Standardization and is subject to revision. Always refer to the current version of the standard.