Compliance Obligations in ISO 37301 – Compliance Management System

Compliance obligations in ISO 37301 are essential for maintaining an effective compliance management system, requiring continuous identification, review, and management to mitigate risks.

Within the ISO 37301 standard, requirement 4.5 (Compliance Obligations) is one that many consider the simplest to meet, especially because many companies already have a compliance program in place. However, it deserves much more attention than it usually receives.

The organization must systematically identify these compliance obligations, meaning it should be an ongoing process and not just a one-time assessment.

Thus, the auditor responsible for the management system must continuously monitor the identification of new compliance obligations and verify that the previously identified obligations have been reviewed.

This review aspect is extremely important, particularly in countries like Brazil, where legal instability is significant: laws are constantly being revised and new laws and regulations emerge, leaving organizations exposed to this risk.

Documented Information in Requirement 4.5

The standard requires that these compliance obligations be documented information, and there are various ways you can gather this information.

On the market you will find numerous systems which, in addition to the software itself, often include a team working continuously on identifying compliance obligations.

Despite the availability of such systems, simpler methods can be used if resources are limited, such as a spreadsheet or matrix, as long as review dates are established for each obligation.


Map the Impact and Management of Compliance Obligations

The standard also provides some guidance in Annex A, which is not mandatory but, in my opinion, is the most important recommendation:

“A risk-based approach should be taken, meaning that organizations should start by identifying the most important compliance obligations relevant to their business and then focus on all other compliance obligations.” – ISO 37301:2021

This recommendation follows the Pareto principle (80/20 rule), which suggests that 80% of effects come from just 20% of causes. Therefore, start by focusing on the compliance obligations that pose the greatest risk to your business, analyze them, and set your priorities.

Following this recommendation naturally leads to the other aspects: mapping the impact of these compliance obligations, how they are being managed, and the controls established for them. Managing these obligations in this way is crucial so that, if one of them is revised, you as the auditor can more easily reorganize how to handle the change and determine whether it will affect other processes.

Of course, these recommendations can overlap with the company’s risk analysis, but each company must determine the best approach.

QMS Certification

QMS is an accredited third-party certification body; it is currently present in 33 countries and focuses on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition through its technical level, customer satisfaction, and competitive pricing.
