[Complete Guide] Everything about ISO 37001:2016

Thousands of companies worldwide are now certified, seeking to improve their compliance programs by following the pillars of prevention, detection, and response to bribery.

In this article, we will explain in detail everything about ISO 37001 – Anti-Bribery Management Systems.

What is ISO 37001?

ISO 37001:2016 – Anti-Bribery Management Systems is an ISO standard that specifies requirements and provides guidance for the establishment, implementation, maintenance, critical analysis, and improvement of an anti-bribery management system.

The standard reflects international practices and is applicable to any organization, regardless of size, industry, and whether it is for-profit or non-profit. The standard is based on the pillars of prevention, detection, and response to bribery.

It is one of the standards developed by the ISO technical committee, ISO/TC 309 – Corporate Governance. Among the numerous standards developed by this committee are ISO 37000 – Corporate Governance and ISO 37301 – Compliance Management Systems, among others.

Does ISO 37001 certify that a company does not engage in corruption or bribery?

Firstly, it is important to emphasize that the standard applies only to bribery. However, as the standard itself establishes, if an organization wants to extend its scope to include prevention, detection, and response to other corrupt practices, such as fraud, cartels, money laundering, and other offenses, this is possible through risk management and specific controls.

ISO 37001 does not certify that a company does not engage in bribery or is inherently ethical, but it certifies that the company has a robust enough management system to prevent, detect, and respond to bribery. It is common for companies that implement the standard to more easily detect possible bribery practices due to the established controls and risk management.

A company with ISO 37001 implemented and certified demonstrates to the market that it uses the best global practices on the subject and also that it utilizes the most recognized anti-bribery/anti-corruption framework in the world.

ISO 37001 or ISO 37301: Differences and Which to Start With?

There is no specific order for implementation. After the publication of ISO 37301 – Compliance Management Systems, many companies choose to implement both simultaneously. Both standards have similar requirements and offer great value in certification. With the same effort applied, a company can obtain two internationally renowned certifications.

Is ISO 37001 Certifiable?

Yes, ISO 37001 is certifiable, as it is a requirements standard. Currently, there are thousands of certified companies around the world.

Brazil stands out with one of the highest numbers of certifications, largely because multinational companies view the country and Latin America as regions with significant corruption risks. Therefore, certification is highly sought after in these markets as a way to ensure effective internal controls and security in business relations.

Which Companies Can Be Certified in ISO 37001?

All companies, regardless of size or industry, can be certified in ISO 37001. At QMS, we have notable examples of certifications in Brazil, including large Brazilian companies and small and medium-sized organizations.

The standard specifies that the anti-bribery management system should be reasonably and proportionally adapted to the type of organization and the risks faced, meaning that each company will have a customized management system, based on its organizational context.

Who Can Implement ISO 37001?

Any competent professional with the necessary training, education, and experience can implement ISO 37001.

To achieve the required competence, it’s important to study the standard in depth through courses on interpretation, internal auditing, lead auditing, among others. Companies can choose to implement the standard with their own internal workforce or hire specialized technical consultancy.

It’s crucial to note that a certifying body, like QMS, does not offer consultancy to maintain impartiality in the certification process.

How Does the ISO 37001 Certification Process Work?

If your organization already has a compliance program, it is a step ahead in implementing ISO 37001. In this case, it’s recommended to conduct a Gap Analysis audit to identify existing gaps relative to the standard and implement the necessary changes. If your company does not yet have a compliance program, implementation should start from scratch.

Define who will be responsible for implementing ISO 37001. The organization can opt to conduct the entire process internally or hire specialized consultancy. If the company lacks experience with ISO standards, the assistance of a consultant can be invaluable.

After implementation, conduct an internal audit to ensure everything is aligned with the standard.

The final step is the certification itself. Look for an accredited certifying body and schedule your certification audit. During this audit, auditors will verify if all the requirements of the standard are being met.

How to Choose an ISO 37001 Certifying Body?

When choosing a certifying body, the first question to ask is about its accreditation. Accreditation is a recognition from a higher body that validates the certifying body’s competence to carry out certifications. Checking for accreditation is essential to ensure the credibility and recognition of your certification.

How to Verify if the Certifying Body is Accredited?

To find out if a certifying body is accredited, first ask them which accreditor they use for ISO 37001.

With this information, visit the IAF (International Accreditation Forum) website and check if the accreditor is active on the list.

Finally, visit the accreditor’s website and search for the name of the certifying body.

We hope this has been helpful!