ISO 37301 — Compliance Management Systems (CMS)

Outcomes

• Reduced regulatory and legal exposure
• Documented due diligence and defensibility
• Clear accountability, training, and culture
• Reliable reporting, investigations, and remediation
• Tangible assurance for boards, regulators, and customers

"Which standard?"

• Enterprise-wide compliance framework → ISO 37301
• Specific anti-bribery certification → ISO 37001
• Confidential reporting & case handling → ISO 37002 (guidance)
• Enterprise risk framework → ISO 31000 (guidance)

Clauses map

• Context & Scope (4): stakeholders, obligations inventory, scope boundaries
• Leadership (5): governing body commitment, independence, policy, roles, escalation, resources
• Planning (6): risk assessment, objectives, controls, due diligence criteria
• Support (7): competence, awareness, confidential reporting, documented information, tooling
• Operation (8): controls for processes, third-parties, gifts, conflicts, donations, antitrust, privacy alignment, change management
• Performance (9): monitoring, KPIs, internal audit, MR, investigations, CAPA, discipline
• Improvement (10): nonconformity, root-cause, continual improvement

Control framework highlights

• Legal & regulatory register with ownership and review cadence
• Risk assessment per obligation/process/third-party
• Risk-based third-party due diligence (onboarding & renewal)
• Policy suite: code of conduct + ABAC, antitrust, privacy alignment, sanctions/export, HR, gifts
• Role-based training & comms with tracked completion
• Speak-up mechanism and case workflow (align ISO 37002)
• Investigations: triage, evidence, chain-of-custody, outcomes
• Monitoring & testing: design vs operating effectiveness
• KPIs & KRIs; records & evidence pack

Evidence pack checklist

• Compliance policy & code of conduct
• Governance charter; org chart; independence memo
• Obligations inventory & change-log
• Risk method & latest assessment
• Third-party DD procedures and screenings
• Policy register with version control
• Training plan, matrices, completions, attestations
• Speak-up procedure; case register
• Monitoring plan; testing results; corrective actions
• Internal audits; MR minutes; KPI dashboard

KPIs / dashboards

• % obligations mapped to owners
• % controls with tests completed
• Training completion by role/region
• High-risk third-parties cleared on time
• Speak-up rate per 1000 FTE
• Case closure time; substantiation rate
• Recurrence post-CAPA
• Audit findings closed on time

Tooling options

Legal register monitoring, case management, third-party risk screening, LMS, policy management, and control testing.

Certification cycle

• Three-year certificate with annual surveillance
• Stage 1: document readiness and scope
• Stage 2: effectiveness sampled on processes/sites
• Multi-site: risk-based sampling by the CB
• Integration: audit with 37001/9001/27001 to reduce effort

Risks & pitfalls

• Paper CMS with weak operating effectiveness
• No owner for the obligations register
• DD limited to onboarding without renewals
• Investigations lack chain-of-custody and trending
• KPIs focus on activity not outcomes

Foundation

1 day — concepts, clauses, evidence.

Internal Auditor

2 days — planning, testing, reporting.

Implementer/Practitioner

3 days — design and deployment labs.

Lead Auditor*

5 days — CQI/IRCA via partners.

Finance

Conduct risk, sanctions, AML interface, product governance.

Energy & Utilities

Permits, concessions, third-party contractors, gifts/hospitality.

Construction & EPC

Subcontractor vetting, bid-rigging prevention, site compliance.

Oil & Gas

Intermediaries due diligence, local content, sanctions.

Public sector & SOEs

Procurement compliance, conflicts, transparency.

Healthcare & Pharma

Promotional compliance, HCP ToV, data protection.