{"id":155,"date":"2026-05-01T10:46:32","date_gmt":"2026-05-01T10:46:32","guid":{"rendered":"https:\/\/aec.llc\/blog\/?p=155"},"modified":"2026-05-01T10:46:33","modified_gmt":"2026-05-01T10:46:33","slug":"iso-37001-control-calibration","status":"publish","type":"post","link":"https:\/\/aec.llc\/blog\/iso-37001-control-calibration\/","title":{"rendered":"ISO 37001 &#8220;Reasonable and Proportionate&#8221;: Why Uniform Controls Fail the Standard&#8217;s Own Test"},"content":{"rendered":"\n<p><strong>Quick Answer:<\/strong> ISO 37001:2025 requires every anti-bribery control to be calibrated to documented bribery risk \u2014 not applied uniformly. &#8220;Reasonable and proportionate&#8221; is a design instruction: risk assessment outputs must drive control intensity per function, geography, and third-party category. Uniform single-tier controls fail this test. (46 words)<\/p>\n\n\n\n<p><strong>Edit intensity:<\/strong> Light \u2014 Quick Answer block added (46 words). H2s converted to interrogative form per AEO preference. Primary keyword inserted in opening paragraph. Confirmed internal links placed. No structural, argumentative, or tonal changes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>ISO 37001 control calibration:<\/p>\n\n\n\n<p>Your anti-bribery management system applies the same due diligence process to every third party. Same questionnaire. Same screening depth. Same monitoring frequency. The controls exist, so the system looks compliant. But ISO 37001:2025 doesn&#8217;t ask whether controls exist \u2014 it asks whether they&#8217;re reasonable and proportionate to the bribery risk your organisation actually faces. 
Most aren&#8217;t.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Does &#8220;Reasonable and Proportionate&#8221; Mean Under ISO 37001:2025?<\/h2>\n\n\n\n<p>The phrase &#8220;reasonable and proportionate&#8221; runs through ISO 37001:2025 as the governing design principle for the entire anti-bribery management system. It isn&#8217;t a concession \u2014 it&#8217;s an instruction. Controls must be designed and scaled to match bribery risk exposure, with risk assessment outputs determining control intensity per function, geography, and third-party category.<\/p>\n\n\n\n<p>Three clauses anchor this calibration logic.<\/p>\n\n\n\n<p>Clause 4.5 \u2014 Bribery Risk Assessment \u2014 is the engine. The 2025 edition made this more prescriptive than its 2016 predecessor: documented assessment intervals, significant-change triggers that mandate reassessment, and tighter documentation requirements. The risk assessment is not a one-time implementation artefact you complete at certification and file away \u2014 it is the binding input that determines what controls apply, where, at what intensity, and under what conditions reassessment becomes mandatory. That last part is new.<\/p>\n\n\n\n<p>Clause 8.2 \u2014 Due Diligence \u2014 is where calibration becomes visible. Due diligence on business associates must be categorised by risk level, with explicit high-risk focus. The 2025 edition formalises ongoing monitoring and update frequency tied to risk exposure \u2014 not applied as a uniform annual cycle across all third parties.<\/p>\n\n\n\n<p>Then there is Clause 4.3 \u2014 Scope Definition. This is a 2025 addition. The ABMS scope must now reference <a href=\"https:\/\/aec.llc\/certifications\/governance-ethics-sector-additions\/iso-37001.html\">bribery risk assessment<\/a> results, a requirement that didn&#8217;t exist in ISO 37001:2016. It creates an auditable link between risk exposure and the system boundary itself. 
Scope can no longer be drawn along corporate legal entity lines without documented risk rationale.<\/p>\n\n\n\n<p>Clause reference reflects mapped standard requirement. Verify against current edition before audit use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Where Do Organisations Get This Wrong?<\/h2>\n\n\n\n<p>The pattern repeats across industries. Organisations complete a bribery risk assessment at implementation, file it, and build a single-tier control set: one due diligence questionnaire, one set of contractual anti-bribery terms, one monitoring cycle. A domestic office supplies vendor and a government-facing agent in a high-corruption jurisdiction receive identical treatment.<\/p>\n\n\n\n<p>The risk assessment exists. The controls exist. Nothing connects them.<\/p>\n\n\n\n<p>An auditor can verify that due diligence was performed on a high-risk agent \u2014 but cannot trace a path from the Clause 4.5 risk output to the Clause 8.2 control intensity applied. The question that matters isn&#8217;t &#8220;did you do due diligence?&#8221; It&#8217;s &#8220;why does your due diligence on this high-risk agent look identical to what you ran on a low-risk domestic supplier?&#8221;<\/p>\n\n\n\n<p>That gap is structural. Organisations read &#8220;reasonable and proportionate&#8221; as permission to apply the minimum that satisfies a documentation check, rather than as an instruction to scale controls to risk exposure at the level of individual business associates, transaction types, and geographies where the organisation actually operates. The result: an ABMS that survives a control-existence audit but fails the calibration test the standard is built on.<\/p>\n\n\n\n<p>UKAS characterised the ISO 37001:2025 changes as &#8220;limited in nature&#8221; \u2014 transition assessment for certification bodies estimated at 1.25 days, desktop-only. The calibration logic is not new. It was always there. 
The 2025 edition clarified and reinforced it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM-1024x683.png\" alt=\"ISO 37001 control calibration\" class=\"wp-image-157\" srcset=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM-1024x683.png 1024w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM-300x200.png 300w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM-768x512.png 768w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM-600x400.png 600w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_37-AM.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What Does Audit-Defensible Calibration Look Like?<\/h2>\n\n\n\n<p>Start with the third-party register. Each business associate needs a documented risk classification \u2014 and the classification rationale must reference Clause 4.5 risk assessment output. Not a generic &#8220;low\/medium\/high&#8221; label assigned without criteria. A documented decision with a documented basis.<\/p>\n\n\n\n<p>From there, different control responses per tier. High-risk third parties get deeper screening, more restrictive contractual terms, shorter monitoring intervals, and documented escalation triggers. Low-risk third parties receive a lighter but still documented process. The difference must be recorded and traceable to the risk tier.<\/p>\n\n\n\n<p>The scope document matters more under the 2025 edition than most organisations realise. Clause 4.3 now requires the ABMS boundary to reflect where bribery risk sits \u2014 not where the legal entity structure happens to end. 
If high-risk procurement functions or agent-managed government relationships exist outside the scope, an auditor will ask why.<\/p>\n\n\n\n<p>Version control. Clause 4.5 requires defined review intervals and significant-change triggers. New market entry, new transaction types, changes to the regulatory environment \u2014 each triggers a documented reassessment that feeds back into control calibration. A risk assessment dated three years ago tells an auditor everything they need to know about how seriously an organisation takes proportionality, and it isn&#8217;t a flattering signal.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Do You Fix the Calibration Gap?<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Rebuild the risk assessment as a decision-driving document.<\/strong> Conduct a documented bribery risk assessment with explicit outputs: risk tier per function, geography, transaction type, and third-party category. Set defined review intervals. Document the significant-change triggers that mandate reassessment. This output becomes the mandatory input for everything downstream.<\/li>\n\n\n\n<li><strong>Map risk tiers to documented control responses.<\/strong> For each tier, document which controls apply at what intensity and why. Update the ABMS scope to reference the risk assessment results. The documented rationale \u2014 &#8220;this control at this intensity because this risk level&#8221; \u2014 is the audit evidence that demonstrates calibration.<\/li>\n\n\n\n<li><strong>Tier the due diligence and monitoring programme.<\/strong> Replace the single-tier process with a risk-tiered model: different questionnaire scope, screening depth, contractual requirements, and monitoring frequency per tier. Document the tier assignment for each business associate. Set review frequencies linked to risk assessment output \u2014 not a blanket annual cycle. 
For organisations building this <a href=\"https:\/\/aec.llc\/consulting-pages\/gap-assessment.html\">gap analysis<\/a> from scratch, the risk assessment must be the starting point.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">The Missing Audit Protocol<\/h2>\n\n\n\n<p>No certification body or accreditation body has published a methodology for auditing whether an organisation&#8217;s control selection is proportionate to its documented risk exposure. UKAS CIS 14 (Edition 2, May 2024) addresses CB accreditation requirements for ABMS certification but contains no proportionality-of-control-selection audit methodology. IAF MD 30:2025 covers transition requirements only.<\/p>\n\n\n\n<p>The audit protocol hasn&#8217;t caught up with the standard&#8217;s own design logic. Organisations that build the calibration chain now \u2014 documented risk outputs driving documented control intensity \u2014 hold audit-defensible evidence that most peers lack. The transition deadline for ISO 37001:2025 is 28 February 2027 per the UKAS Technical Bulletin. 
Certified organisations that treated &#8220;reasonable and proportionate&#8221; as a low bar have less than a year to rebuild the linkage.<\/p>\n\n\n\n<p>The 2025 edition also tightened requirements around <a href=\"https:\/\/aec.llc\/blog\/iso-37001-2025-anti-bribery-function-independence\/\">anti-bribery function independence<\/a> \u2014 another area where documentation must now demonstrate structural separation rather than nominal designation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM-1024x683.png\" alt=\"Comparison graphic showing low-risk supplier and high-risk agent routed through the same control lane\" class=\"wp-image-156\" srcset=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM-1024x683.png 1024w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM-300x200.png 300w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM-768x512.png 768w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM-600x400.png 600w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/05\/ChatGPT-Image-May-1-2026-03_39_40-AM.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaway<\/h2>\n\n\n\n<p>&#8220;Reasonable and proportionate&#8221; is not a permission to do less. It is an instruction to calibrate. Every anti-bribery control in your ABMS must trace back to a documented risk output \u2014 and the intensity of that control must match the exposure it addresses. Build the chain from risk assessment to control selection, make it auditable, keep the risk assessment live. That is what ISO 37001:2025 requires. The standard always required it. 
The 2025 edition makes it harder to pretend otherwise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About AEC International<\/h2>\n\n\n\n<p>AEC International provides <a href=\"https:\/\/aec.llc\/certifications-family-pages\/certifications\/index.html\">ISO certification<\/a>, <a href=\"https:\/\/aec.llc\/training\/iso-37001-implementer\/index.html\">training<\/a>, and consultancy services at the intersection of governance, compliance, and anti-bribery management. We support organisations across industries in achieving and maintaining ISO certification \u2014 from gap analysis and implementation through audit preparation and continual improvement.<\/p>\n\n\n\n<p>Learn more: www.aec.llc<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quick Answer: ISO 37001:2025 requires every anti-bribery control to be calibrated to documented bribery risk \u2014 not applied uniformly. &#8220;Reasonable and proportionate&#8221; is a design instruction: risk assessment&hellip;<\/p>\n","protected":false},"author":1,"featured_media":158,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[41,26,16,13,25,12,18],"class_list":["post-155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audit-preparation","tag-accreditation","tag-certification-process","tag-gap-analysis","tag-internal-audit","tag-iso-37001","tag-risk-management","tag-supplier-management"],"reading_time":"6 min 
read","_links":{"self":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":1,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":159,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/155\/revisions\/159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/media\/158"}],"wp:attachment":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}