ISO 37001 Anti-Bribery Certification

Prevent bribery. Prove due diligence. Win with compliant growth.

Sectors: Public, O&G, Construction, Life Sciences, Telecom, Logistics
Geographies: 40+ countries
Experience: 10+ years
Success: 98% certification pass rate

Auditor-Ready in Weeks

Evidence pack, third-party due diligence trail, and KPI dashboard prepared for Stage 1 and Stage 2 audits.

Adequate Procedures, Third-Party Risk, Investigations, Speak-up

Who It's For

Designed for organizations facing enforcement exposure, tender eligibility demands, and third-party risk at scale.

Legal & Compliance

General Counsel, CCO, Ethics & Compliance leads owning policy, investigations, and assurance.

Procurement

Heads of Procurement overseeing third-party onboarding, risk tiers, and ongoing monitoring.

Country / BU Heads

Operational leaders with distributor and government touchpoints who must evidence control.

Common Triggers

Market entry, distributor model launch, public tenders, PE exit readiness, or recent investigation.

Certification Scope

Entity, region, or process scope with clear boundaries and interfaces to adjacent functions.

Expected Proof

Risk-rated third parties, completed EDD files pre-onboarding, policy attestations, training, hotline, and CAPA.

What ISO 37001 Covers

Executive explainer. Focused anti-bribery controls with clear interfaces to broader integrity risks.

Scope

Anti-bribery policy, risk assessment, third-party due diligence, gifts & hospitality, charitable contributions, facilitation payments, conflicts of interest, financial and non-financial controls, training, investigations, speak-up, monitoring, and continual improvement.

Boundaries

Bribery vs wider integrity risks; interfaces with fraud and competition law; and extraterritorial exposure across your third-party network.

Business Case & Outcomes

Reduce Enforcement Risk

Lower penalties and investigation disruption through documented adequate procedures.

Win Tenders

Meet tender eligibility and customer due-diligence requirements with a certifiable ABMS.

Improve 3P Posture

Risk-based onboarding and monitoring reduce exposure from agents, distributors, and brokers.

KPIs

% third parties risk-rated; % high-risk EDD pre-onboarding; policy completion rate; training pass rate; hotline usage trend; investigation cycle time; CAPA closure time.

Regulatory Drivers

Non-advisory mapping. ISO 37001 is not legal compliance by itself. It evidences adequate procedures.

Key Statutes

FCPA (US), UK Bribery Act, Sapin II (FR), Brazilian Clean Company Act, Italian Legislative Decree 231.

Linked Standards

ISO 37301 (Compliance MS), ISO 37002 (Whistleblowing). Interfaces to ISO 27001, 9001, 22301.

Assurance Note

Certification supports defense arguments but does not grant immunity under any law.

Implementation Roadmap

Phase 0 - Readiness Scan (2–3 weeks)

Policy set inventory; clause-by-clause gap; data-flow mapping; high-risk third-party landscape.

Phase 1 - Design (3–6 weeks)

Risk model; due-diligence tiers; controls library; RACI; KPIs; training plan.

Phase 2 - Build (4–8 weeks)

Policies/SOPs; registers; 3P workflows; hotline & investigations; internal audit set-up.

Phase 3 - Operate & Prove (2–4 weeks)

Evidence pack; management review; corrective actions; CB coordination.

Typical Readiness

10–18 weeks SME; 16–24 weeks multi-country. Certification cycle: 3-year certificate with annual surveillance.

Deliverables Checklist

ABMS Policy & Code

Approved policy and aligned Code of Conduct with bribery prohibitions.

Risk Assessment

Bribery risk report, heatmap, refresh cadence.

Third-Party Risk Methodology

Tiers, triggers, red flags, and screening sources.

Due-Diligence Files

Questionnaires, OSINT checks, escalations, approvals.

Registers

Gifts, hospitality, donations, sponsorships with thresholds.

Facilitation Payments

Prohibition and exception handling with approvals and logs.

Conflicts of Interest

COI declarations, recusals, periodic refresh.

Financial Controls Mapping

Segregation, approvals, cash-equivalents, sponsorships.

Speak-up Channels

Hotline, anti-retaliation, triage, metrics.

Investigations SOP

Chain of custody, logs, sanctions matrix, closure criteria.

Training Matrix

Role-based content, completions, competency verification.

KPI Dashboard

Trend analysis and management inputs.

Management Review

Minutes and decisions, actions tracked.

CB Application Pack

Scope, sites, headcount, processes, risk overview.

Decision Help

Need anti-bribery certification?

Choose ISO 37001.

Need broader compliance MS?

Choose ISO 37301. Integrates with 37001.

Need investigations governance?

Use ISO 37002 guidance. Often combined with 37001/37301.

Topic          | ISO 37001                                      | ISO 37301                         | ISO 37002
Purpose        | Anti-bribery MS                                | Compliance MS                     | Whistleblowing guidance
Certifiable    | Yes                                            | Yes                               | No
Primary users  | CCO/GC                                         | CCO/ERM                           | HR/Legal/Audit
Key artifacts  | ABMS policy, 3P DD, gifts, COI, investigations | Compliance risk, obligations mgmt | Speak-up process, protection
Works with     | 9001/27001/22301                               | 37001/27001                       | 37001/37301

Industry Mapping

Public Sector & SOEs

Top risks: procurement integrity, grants. Controls: segregation, tender governance. KPIs: % competitive tenders, exception approvals.

Oil & Gas / Mining

Top risks: agents, JVs, customs. Controls: 3P EDD, agent monitoring. KPIs: % high-risk EDD, payment exception rate.

Construction / Real Estate

Top risks: permits, inspections. Controls: COI, gifts registers. KPIs: COI completion rate, gift threshold breaches.

Life Sciences

Top risks: HCP interactions, sponsorships. Controls: approvals, transparency. KPIs: HCP payment variance, disclosure timeliness.

Telecom / Utilities

Top risks: licensing, ROW, distributors. Controls: distributor DD, rebate controls. KPIs: distributor EDD timeliness.

Logistics / Ports

Top risks: customs brokers, security fees. Controls: receipts, incident logs. KPIs: incident closure time.

Integrated Services

Turnkey Implementation

Design to certification with change and evidence management.

Third-Party Program Build-out

DD platform selection and onboarding workflows.

Policy Modernization

Registers automation and policy attestation.

Training

Role-based, high-risk roles, country packs.

Internal Audit

Mock certification and CAPA acceleration.

Investigations Playbook

Case handling training and documentation.

Technology Enablement

GRC Stack Options

Due-diligence tools, case management, gifts registers, policy attestation, LMS, data connectors.

Tool-Agnostic

We integrate with your stack and data sources.

Dashboards

KPI and risk dashboards for management review.

ISO 37001 Training

1 Day

Foundation

Principles and requirements for all staff.

2 Days

Internal Auditor

ISO 19011-based ABMS auditing.

3 Days

Implementer

Design and deploy ABMS effectively.

5 Days

Lead Auditor (Partner)

CQI/IRCA through partners.

Bundle: Implementer + Internal Auditor • Save 15–25% with combined booking.

Frequently Asked Questions

Does ISO 37001 cover facilitation payments?

ISO 37001 expects prohibition with narrow exception handling where legally unavoidable. All cases must be recorded and escalated.

How deep must third-party due diligence go?

Risk-based. High-risk third parties require enhanced checks before onboarding, documented approvals, and periodic refresh.

Can we certify only a region or subsidiary?

Yes. Define scope boundaries and interfaces. Subsidiary-only certification is common.

How does ISO 37001 align with FCPA/UKBA “adequate procedures”?

It evidences systematic controls across risk assessment, due diligence, training, and monitoring. It does not guarantee compliance but supports defense arguments.

What do auditors test most?

3P DD trail quality, gifts/COI registers, training and attestations, investigation handling, and CAPA closure evidence.

We already have a Code and training — enough?

Not sufficient. ISO 37001 requires an integrated management system with risk-based controls and monitoring.

Multi-site sampling and corporate functions?

CBs use risk-based sampling. Expect audits of central compliance plus representative sites by risk and complexity.

How long after major nonconformities?

Recertification depends on correction and effectiveness verification, typically within 90 days for majors.

Assurance & Audit

CB Engagement

Accredited certification body coordination. Stage 1 readiness then Stage 2 certification.

Surveillance

Annual surveillance audits over a three-year cycle.

Common Nonconformities

Incomplete 3P DD trail, weak COI controls, unmanaged gifts registers, missing CAPA evidence. We fix these early.

Risk & Control Library (Excerpt)

Government Touchpoints

Objective: Prevent improper payments. Control: approval workflow, logs, receipts. Owner: Country Manager. Evidence: registers, approvals.

Agents & Intermediaries

Objective: Vet and monitor. Control: EDD, contracts, KPI monitoring. Owner: Procurement. Evidence: EDD files, reviews.

Tenders & Sponsorships

Objective: Fair process. Control: conflict checks, thresholds, transparency. Owner: Legal/Compliance.

Governance & Accountability

RACI

Board, C-suite, CCO, Legal, IA, Procurement, HR, Country Managers with independent oversight line.

Reporting

Quarterly management review with KPI thresholds and decision log.

Assurance

Internal audit cadence aligned to risk. Evidence repository under change control.

Measurement & Monitoring

KPI Set

Training pass rate, policy attestations, EDD completion, hotline volume and closure time, CAPA timeliness.

Data Sources

HRIS, procurement, case management, learning, finance, vendor tools.

Management Review

Inputs: KPIs, risks, incidents, audit results. Outputs: actions, resources, improvements.

Case Studies & Proof

Telecom (Multi-country)

98% high-risk EDD pre-contract within 90 days; tender wins increased by 12%.

Construction

<30-day CAPA closure and 100% policy attestations inside 60 days.

Life Sciences

Investigation cycle time cut by 35%; audit NCs closed at first follow-up.

Downloadables

Anti-Bribery Starter Kit

Policy outline, risk model, 3P DD checklist, gifts/hospitality CSV, investigation form.

Management Review Pack

Templates for inputs/outputs and decision tracking.

Webinar Replay

“Proving Adequate Procedures: What Auditors Test.”

No government or ISO logos. Informational only, not legal advice.