
ISO 37001 “Reasonable and Proportionate”: Why Uniform Controls Fail the Standard’s Own Test

By AEC International, May 1, 2026

Quick Answer: ISO 37001:2025 requires every anti-bribery control to be calibrated to documented bribery risk, not applied uniformly. “Reasonable and proportionate” is a design instruction: risk assessment outputs must drive control intensity per function, geography, and third-party category. Uniform single-tier controls fail this test.


Your anti-bribery management system applies the same due diligence process to every third party. Same questionnaire. Same screening depth. Same monitoring frequency. The controls exist, so the system looks compliant. But ISO 37001:2025 doesn’t ask whether controls exist; it asks whether they’re reasonable and proportionate to the bribery risk your organisation actually faces. Most aren’t.

What Does “Reasonable and Proportionate” Mean Under ISO 37001:2025?

The phrase “reasonable and proportionate” runs through ISO 37001:2025 as the governing design principle for the entire anti-bribery management system. It isn’t a concession; it’s an instruction. Controls must be designed and scaled to match bribery risk exposure, with risk assessment outputs determining control intensity per function, geography, and third-party category.

Three clauses anchor this calibration logic.

Clause 4.5, Bribery Risk Assessment, is the engine. The 2025 edition made this more prescriptive than its 2016 predecessor: documented assessment intervals, significant-change triggers that mandate reassessment, and tighter documentation requirements. The risk assessment is not a one-time implementation artefact you complete at certification and file away. It is the binding input that determines what controls apply, where, at what intensity, and under what conditions reassessment becomes mandatory. That last part is new.

Clause 8.2, Due Diligence, is where calibration becomes visible. Due diligence on business associates must be categorised by risk level, with explicit high-risk focus. The 2025 edition formalises ongoing monitoring and update frequency tied to risk exposure, rather than a uniform annual cycle applied across all third parties.

Then there is Clause 4.3, Scope Definition. This is a 2025 addition. The ABMS scope must now reference bribery risk assessment results, a requirement that didn’t exist in ISO 37001:2016. It creates an auditable link between risk exposure and the system boundary itself. Scope can no longer be drawn along corporate legal entity lines without documented risk rationale.

Clause reference reflects mapped standard requirement. Verify against current edition before audit use.

Where Do Organisations Get This Wrong?

The pattern repeats across industries. Organisations complete a bribery risk assessment at implementation, file it, and build a single-tier control set: one due diligence questionnaire, one set of contractual anti-bribery terms, one monitoring cycle. A domestic office supplies vendor and a government-facing agent in a high-corruption jurisdiction receive identical treatment.

The risk assessment exists. The controls exist. Nothing connects them.

An auditor can verify that due diligence was performed on a high-risk agent, but cannot trace a path from the Clause 4.5 risk output to the Clause 8.2 control intensity applied. The question that matters isn’t “did you do due diligence?” It’s “why does your due diligence on this high-risk agent look identical to what you ran on a low-risk domestic supplier?”

That gap is structural. Organisations read “reasonable and proportionate” as permission to apply the minimum that satisfies a documentation check, rather than as an instruction to scale controls to risk exposure at the level of individual business associates, transaction types, and geographies where the organisation actually operates. The result: an ABMS that survives a control-existence audit but fails the calibration test the standard is built on.

UKAS characterised the ISO 37001:2025 changes as “limited in nature”, with the transition assessment for certification bodies estimated at 1.25 days, desktop-only. The calibration logic is not new. It was always there. The 2025 edition clarified and reinforced it.


What Does Audit-Defensible Calibration Look Like?

Start with the third-party register. Each business associate needs a documented risk classification, and the classification rationale must reference Clause 4.5 risk assessment output. Not a generic “low/medium/high” label assigned without criteria. A documented decision with a documented basis.

From there, different control responses per tier. High-risk third parties get deeper screening, more restrictive contractual terms, shorter monitoring intervals, and documented escalation triggers. Low-risk third parties receive a lighter but still documented process. The difference must be recorded and traceable to the risk tier.

The scope document matters more under the 2025 edition than most organisations realise. Clause 4.3 now requires the ABMS boundary to reflect where bribery risk sits, not where the legal entity structure happens to end. If high-risk procurement functions or agent-managed government relationships exist outside the scope, an auditor will ask why.

Version control matters too. Clause 4.5 requires defined review intervals and significant-change triggers. New market entry, new transaction types, changes to the regulatory environment: each triggers a documented reassessment that feeds back into control calibration. A risk assessment dated three years ago tells an auditor everything they need to know about how seriously an organisation takes proportionality, and it isn’t a flattering signal.

How Do You Fix the Calibration Gap?

  1. Rebuild the risk assessment as a decision-driving document. Conduct a documented bribery risk assessment with explicit outputs: risk tier per function, geography, transaction type, and third-party category. Set defined review intervals. Document the significant-change triggers that mandate reassessment. This output becomes the mandatory input for everything downstream.
  2. Map risk tiers to documented control responses. For each tier, document which controls apply at what intensity and why. Update the ABMS scope to reference the risk assessment results. The documented rationale (“this control at this intensity because this risk level”) is the audit evidence that demonstrates calibration.
  3. Tier the due diligence and monitoring programme. Replace the single-tier process with a risk-tiered model: different questionnaire scope, screening depth, contractual requirements, and monitoring frequency per tier. Document the tier assignment for each business associate. Set review frequencies linked to risk assessment output β€” not a blanket annual cycle. For organisations building this gap analysis from scratch, the risk assessment must be the starting point.

The Missing Audit Protocol

No certification body or accreditation body has published a methodology for auditing whether an organisation’s control selection is proportionate to its documented risk exposure. UKAS CIS 14 (Edition 2, May 2024) addresses CB accreditation requirements for ABMS certification but contains no proportionality-of-control-selection audit methodology. IAF MD 30:2025 covers transition requirements only.

The audit protocol hasn’t caught up with the standard’s own design logic. Organisations that build the calibration chain now, with documented risk outputs driving documented control intensity, hold audit-defensible evidence that most peers lack. The transition deadline for ISO 37001:2025 is 28 February 2027 per the UKAS Technical Bulletin. Certified organisations that treated “reasonable and proportionate” as a low bar have less than a year to rebuild the linkage.

The 2025 edition also tightened requirements around anti-bribery function independence, another area where documentation must now demonstrate structural separation rather than nominal designation.

[Figure: comparison graphic showing a low-risk supplier and a high-risk agent routed through the same control lane]

Key Takeaway

“Reasonable and proportionate” is not a permission to do less. It is an instruction to calibrate. Every anti-bribery control in your ABMS must trace back to a documented risk output, and the intensity of that control must match the exposure it addresses. Build the chain from risk assessment to control selection, make it auditable, keep the risk assessment live. That is what ISO 37001:2025 requires. The standard always required it. The 2025 edition makes it harder to pretend otherwise.

About AEC International

AEC International provides ISO certification, training, and consultancy services at the intersection of governance, compliance, and anti-bribery management. We support organisations across industries in achieving and maintaining ISO certification, from gap analysis and implementation through audit preparation and continual improvement.

Learn more: www.aec.llc