What is ISO 37301?
To learn everything about ISO 37301, we need to start with the basics: what is this standard?
ISO 37301 – Compliance Management System is an international standard released in June 2021. It replaces an earlier standard with a different number that you may know, ISO 19600.
But what is ISO 37301? Like any other ISO standard, it establishes requirements to protect and continuously improve your management system following the PDCA model (plan, do, check, act), in this case focused on Compliance. The requirements are the same worldwide, which is what makes it an international standard. The standard also requires compliance with the laws, regulations, and internal policies that apply to each organization’s context.
What is the difference between ISO 37301 and ISO 19600?
ISO 19600 is considered the predecessor of ISO 37301, and both are focused on Compliance. However, ISO 19600 was a guideline standard: companies could not be certified against it, it served only as a guiding manual, and it did not oblige organizations to implement everything it recommended.
ISO 37301, on the other hand, is a requirements standard, that is, organizations can be certified against it and must comply with all the requirements set out by the standard; otherwise, they will not obtain the certificate. Another point is that ISO requirements standards are structured following Annex SL (a fixed sequence of main clauses), making them easier to integrate with other ISO standards.
What is the difference between ISO 37301 and the Compliance Program?
Although they may seem similar at first, as both deal with Compliance, they have very distinct objectives.
The compliance program can be seen as a tool in the organization. It establishes internal policies and procedures to ensure compliance with regulations and laws.
On the other hand, ISO 37301, as the name implies, is a management system, i.e., it is much broader than the compliance program and is in constant improvement. The Compliance Program is within ISO 37301, but ISO 37301 is not within the Compliance Program.
- Program: a set of scheduled activities with finite sequences of steps that have been defined/programmed.
- Management System: A set of interrelated or interactive elements of an organization to establish policies, objectives, and processes to achieve these objectives.
Which is better: ISO 37301 or Compliance Program?
Objectively, between ISO 37301 and the Compliance Program, ISO 37301 is the better choice because it also encompasses the Compliance Program.
ISO 37301 covers the entire company, so you will implement actions ranging from base employees to top management, with the intent that everyone is aligned with Compliance actions. This lets you put preventive controls in place throughout the operation and establish a consciousness/culture of Compliance.
Furthermore, ISO 37301 is an international standard, meaning that any other company to which you mention that you have implemented the standard will understand the level of your company’s commitment to Compliance, bringing more credibility.
What is the difference between ISO 37301 and ISO 37001?
ISO 37301 is a Compliance Management System standard, while ISO 37001 is an Anti-Bribery Management System. This means that the Compliance standard is more comprehensive, involving a larger number of controls to prevent a variety of legal problems your company may get involved in. ISO 37001, on the other hand, is focused exclusively on combating/preventing bribery.
Here at QMS, we say that ISO 37301 is a defense standard and ISO 37001 takes care of the attack.
How do ISO 37301 and ISO 37001 integrate?
Both ISO 37301 and ISO 37001 are requirement standards, meaning they are certifiable and follow the Annex SL structure.
Annex SL provides a basic structure of requirements for all standards following the PDCA cycle, so implementation is much simpler. The main clauses map onto the cycle as follows:
- Plan: 4 Context of the Organization, 5 Leadership, 6 Planning, 7 Support;
- Do: 8 Operation;
- Check: 9 Performance Evaluation;
- Act: 10 Improvement.
Both standards have requirements in all the Annex SL clauses listed above, but ISO 37301 has a larger volume of requirements in those related to Plan, as it is mainly aimed at preventive actions, while ISO 37001 places more demands on Do, to combat bribery in the company’s operation.
What are the benefits of ISO 37301?
There are several benefits for companies that implement ISO 37301, among them:
Improvement of Corporate Governance
With ISO 37301, the organization demonstrates that its processes are in accordance with high ethical and legal standards, for which transparency at all levels is necessary.
Enhancement of Risk Management
The standard establishes Compliance controls at all levels of the organization, from the worker to the leader, making your risk analysis much more robust and better able to counter the risks identified. Additionally, ISO 37301 aims for continuous improvement, so the company will have to revisit the risk analysis frequently and refine it.
Compliance is not confined to one department: the entire organization gets involved with the management system, either actively or through the awareness actions established by the standard. Another favorable point for building this culture is that ISO 37301 requires the participation of top leadership, making them examples for other employees.
Increasingly, the ISO 37301 standard is becoming mandatory in supplier hiring processes, and the company that is already certified is one step ahead of the competition.
Is ISO 37301 certifiable?
Yes! The standard is requirements-based and, therefore, is certifiable. The company just needs to have implemented the normative requirements of ISO 37301, have an internal auditor to assist in the certification audit process, and hire an accredited certification body.
Companies of all sizes and industries can be certified. For example, here at QMS, we have clients ranging from a civil engineering company with 3 employees to a recycling company with more than 5,000 employees.
What is the certification process for ISO 37301?
The certification process for ISO 37301 is the same as for any other management system standard and involves the following 6 steps:
- Purchase the ISO 37301:2021 standard: It is essential that you acquire the ISO 37301:2021 version of the standard. You can buy the standard directly from ABNT. The standard will literally guide you throughout this journey.
- Appoint an implementation leader: The leader will be the focal point of all implementation actions. It is essential that they have knowledge about the ISO 37301 standard.
- Assess if you need to hire a consultancy: If it’s your company’s first time implementing an ISO standard, or if it doesn’t have a robust Compliance team to help in this work, we strongly recommend hiring a consultancy. In these cases, it’s highly indicated, as the consultancy already has experience with the standard and can guide you and make you feel more secure in this process. QMS does not carry out the implementation of the standard, but we can refer you to some professionals.
- Conduct a pre-audit: Once the implementation of ISO 37301 is completed, you can request a pre-audit from a certification body, but this step is not mandatory. The pre-audit assesses your management system to identify what still needs to be improved or implemented, like a final review, with the goal of giving you more confidence going into the certification itself. The pre-audit can be conducted by QMS.
- Schedule the certification audit: Once you verify that your management system is complete and your company considers itself ready for certification, you can hire an accredited certifier to schedule the certification audit. The audit is divided into 2 phases: Phase 1 and Phase 2. In Phase 1, the auditor will evaluate your company based on the documented information you recorded during the implementation and prepare a plan for what to check in practice at your company. Phase 2 consists of verifying that everything presented in that documentation is working effectively.
- Audit cycle: After approval in the audit, you will receive a certificate for your company within a set time frame, stating that you are meeting the requirements of ISO 37301. In the 2 years following certification, the company will undergo an audit each year that we call a “maintenance audit,” with the purpose of verifying that the management system continues to be active and improving. These audits are simpler than the first audit. In the 3rd year, you return to the initial cycle, i.e., maintaining an ISO certificate requires constant commitment.
How long does it take to implement ISO 37301?
The time needed to implement ISO 37301 varies from company to company and is a combination of 3 factors:
- Available resources: How many employees and how much time are being allocated to focus on the implementation of the standard? The fewer resources your organization has available, the longer it will take to meet the requirements of the standard.
- Robustness of the Compliance Program: As mentioned earlier, the Compliance Program is within the Management System, so if the organization already has an active robust Compliance Program, it already has at least 40% of ISO 37301 implemented and will only need to make some adaptations.
- Size of the Organization: Companies with a large number of employees or multiple organizational units will have more work for implementation, both due to the involvement of a large number of people and the consideration of the risks involved.
To give you an idea, on average, organizations take 8 months for implementation, but this is not a rule. As mentioned, there are a series of factors involved, but in the end, the effort is always worth it!
How to choose an ISO 37301 certifier?
The certification of ISO 37301 is conducted by the certifier, not the consultancy. When researching certifiers in the market, it is essential to understand what it means when we say they need to be accredited.
Not just any company can assess whether your company is meeting the ISO 37301 standard. An accredited ISO certifier is one that has received formal authorization to assess the compliance of other companies’ management systems, like QMS, for example.
There is a hierarchy for this authorization:
- IAF is the entity that determines which bodies can be accreditors. You can check the updated list of accreditors on the IAF website.
- Accreditors determine which certifiers can operate.
- Accredited certifiers certify companies.
In the case of QMS, the accreditor is IAS, and you can verify that we are authorized to act as a certifier on their website.
Becoming accredited is not a simple process. The certifier undergoes annual audits and must meet a series of mandatory performance items, all to ensure your certificate has credibility. Therefore, always check whether the certifier you want to hire is accredited. Protect the value of your work.
How much does ISO 37301 certification cost?
The price of ISO certification varies according to a series of factors:
- Complexity of the certification scope: At the beginning of the ISO 37301 implementation process, you will encounter the concept of certification scope, which is nothing more than a precise description of the activities and locations you want to focus your certification on. As soon as you request a quote for ISO certification, you will be asked about the scope, as it determines the difficulty of the audit and the specific knowledge of the auditors involved.
- Number of employees to be audited in the process: This number is not set by you but follows from your scope, and the certifier’s commercial department will discuss it with you to establish it as precisely as possible. The employees to be audited are those involved in the processes described in your scope, and their number determines the time needed for interviews.
- Number of units to be audited: It may happen that the activities of your scope are not centralized in a single physical location, so the auditor’s travel during the audit process will need to be considered. If your company does not have a physical location, being entirely remote, this issue of travel is not applicable.
As you can see, the audit calculation aims to deliver the maximum credibility in the shortest possible time, so it is not possible to quote a single fixed price for the market, but to give you some idea, the investment starts at a minimum of 4,000 dollars.
Who can implement ISO 37301?
It is recommended that the person leading the implementation of this standard have intermediate knowledge in Compliance, precisely because of the series of legal issues involved in the process. If you have an employee with these characteristics and who is methodical (essential for someone working with management systems), you can request their training in the standard.
Additionally, you can hire a consultancy to assist in the implementation process of the standard. That way you have someone internal learning in practice and keeping the management system functioning, and an external person whose broad experience provides reassurance and another point of view on improvements.
Is implementing ISO 37301 very difficult?
The implementation of ISO 37301 is never easy, but the level of difficulty depends on the resources the company already has.
- If the company already has another ISO standard implemented, adapting to ISO 37301 will be easier, as the normative structure is similar in many aspects, and you will have half the journey completed. But if it is your first standard, you will start from the beginning.
- Companies that already have a robust compliance program will also have a shorter implementation path, as they will only need to complement what already exists with the additional points required by ISO 37301.
- If your organization has opted to hire a consultancy, you will have a bit more ease of implementation, as you will have the expertise of a professional who has worked with several other companies and can provide more insights to solve your implementation problems.
- Small and medium-sized companies will have fewer points of attention in implementation, as they have a smaller number of employees and units to consider at the time of applying actions.
But if you did not fit into any of the points mentioned above, don’t worry: it really won’t be easy, but start as soon as possible and everything will work out.
Another tip: if your company wants another standard besides ISO 37301, implement both at the same time to obtain an integrated management system, which is better than having to review the entire management system in the future.