What is the primary objective of **ISO 37001**?

**ISO 37001 establishes requirements for an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery.** It follows the PDCA cycle across Clauses 4–10, requiring proportionate controls like risk assessments, due diligence, financial controls, training, and reporting. Applicable to all organization sizes and sectors, it demonstrates compliance with anti-bribery laws without guaranteeing bribery will never occur. The 2025 revision adopts the Harmonized Structure, enhancing integration and emphasizing anti-bribery culture.

Who is legally or professionally required to comply with **ISO 37001**?

**ISO 37001 is voluntary with no universal legal mandates but is professionally required for high-risk organizations.** It applies to public, private, and not-for-profit entities facing bribery exposure via third parties (95% of cases), such as multinationals, extractives, defense, and public contractors. Certification signals due diligence to regulators (e.g., FCPA, UK Bribery Act), investors, and tender processes; 99% of firms perform onboarding due diligence per surveys.

Does **ISO 37001** require an external audit or third-party certification?

**ISO 37001 certification requires external audits by accredited bodies but is optional.** Stage 1 reviews documentation; Stage 2 verifies effectiveness on-site. Certificates last 3 years with annual surveillance audits (12–24 months). Certification amplifies evidentiary value, potentially reducing liability, though internal audits suffice for non-certified ABMS.

How often should an assessment for **ISO 37001** be performed?

**Bribery risk assessments under ISO 37001 must be performed periodically and when changes occur.** Clause 4.5 mandates ongoing reviews; surveys show 99% at onboarding, 56% periodic independent of contracts. Internal audits occur at planned intervals (risk-based), with management reviews at least annually.

What are the consequences of non-compliance with **ISO 37001**?

**Non-conformance to ISO 37001 risks certification denial, surveillance failures, or certificate withdrawal.** Operationally, weak ABMS exposes organizations to fines (e.g., up to 15% higher compliance costs without it), reputational damage, and liability; certification may mitigate penalties as evidence of "reasonable steps" but offers no absolute immunity.

Can **ISO 37001** be mapped to other international frameworks?

**Yes, ISO 37001 maps seamlessly to frameworks sharing the Harmonized Structure (HS).** Its Clauses 4–10 align with ISO 9001, ISO 14001, and ISO/IEC 27001 for integrated management systems, reducing duplication in audits and reviews. The 2025 HS adoption enhances compatibility.

What is the first step to begin implementing **ISO 37001**?

**The first step is determining organizational context and scope per Clause 4.** Identify internal/external issues, interested parties (e.g., regulators, third parties), and bribery risks; document scope boundaries. This risk-based foundation informs leadership commitment (Clause 5) and planning (Clause 6).

What is the primary objective of **EU AI Act**?

**The primary objective of the EU AI Act is to establish a risk-based regulatory framework that prohibits unacceptable-risk AI practices, imposes strict obligations on high-risk AI systems, mandates transparency for limited-risk systems, and leaves minimal-risk systems largely unregulated.** Regulation (EU) 2024/1689, entered into force on 1 August 2024, operationalizes safety, fundamental rights protection, and transparency through lifecycle controls like risk management (**Article 9**), data governance (**Article 10**), and conformity assessments (**Article 43**).

Who is legally or professionally required to comply with **EU AI Act**?

**Providers, deployers, importers, distributors, and authorized representatives of AI systems are legally required to comply if systems are placed on the EU market or outputs are used in the EU, regardless of location.** Providers develop or place high-risk systems on the market (**Article 3(3)**); deployers are professional users (**Article 3(4)**). High-risk applies to Annex I/II/III uses like biometrics, employment, and critical infrastructure (**Article 6**); GPAI providers face Chapter V duties (**Articles 51–56**).

Does **EU AI Act** require an external audit or third-party certification?

**High-risk AI systems require conformity assessment, which may involve third-party notified bodies for certain Annex III uses or when internal assessment is insufficient, leading to CE marking (**Article 48**) and EU database registration (**Article 49**).** Providers perform internal assessments (**Annex VI**) or engage notified bodies (**Annex VII**, **Articles 28–39**); GPAI systemic-risk models trigger AI Office evaluations (**Article 55**).

How often should an assessment for **EU AI Act** be performed?

**Risk classification and conformity assessments must be performed prior to placing high-risk systems on the market or into service, with continuous post-market monitoring (**Article 72**) and re-assessment upon substantial modifications (**Article 3(23)**).** Logs retained at least six months (**Article 19**); serious incidents reported without undue delay (**Article 73**).

What are the consequences of non-compliance with **EU AI Act**?

**Non-compliance with prohibited practices incurs fines up to 7% of worldwide annual turnover or €40 million; other violations up to 4% or €20 million, and lesser breaches up to 2% or €10 million (**Chapter XII**).** Remedies include market withdrawal, corrective actions, and personal liability; enforced by national authorities and AI Office (**Articles 70, 64**).

Can **EU AI Act** be mapped to other international frameworks?

**No, the EU AI Act must stand alone as a directly applicable EU regulation without formal mapping to other frameworks specified in its text.** Compliance leverages harmonized standards (**Article 40**) for presumption of conformity, but obligations like RMS (**Article 9**) and GPAI duties (**Article 53**) are self-contained.

What is the first step to begin implementing **EU AI Act**?

**The first step is to conduct an AI inventory and classify all systems by risk tier: screen for prohibited practices (**Article 5**), check high-risk status via Annexes I/III (**Article 6**), and document decisions.** Prioritize cessation of bans (effective February 2025) and GPAI obligations (August 2025).

ISO 37001 vs EU AI Act

Standards Comparison

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

EU AI Act

Mandatory

2024

EU regulation for risk-based AI safety and governance

Quick Verdict

ISO 37001 offers voluntary anti-bribery certification for global risk mitigation, while EU AI Act mandates risk-based AI governance for EU markets with heavy fines. Companies adopt ISO for trust and efficiency; AI Act for legal compliance and market access.

Anti-Bribery/Compliance

ISO 37001

ISO 37001:2025 Anti-Bribery Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Anti-Bribery Management System framework
Mandatory third-party due diligence and controls
Leadership commitment and compliance function
PDCA cycle with Harmonized Structure integration
Certifiable evidentiary value for liability mitigation

Artificial Intelligence

EU AI Act

Artificial Intelligence Act (Regulation (EU) 2024/1689)

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based four-tier AI classification framework
Prohibits unacceptable-risk AI practices outright
High-risk conformity assessments and CE marking
GPAI systemic risk evaluations and reporting
Tiered fines up to 7% global turnover

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001:2025 Anti-Bribery Management Systems is an international certifiable standard for establishing and maintaining an Anti-Bribery Management System (ABMS). It enables organizations to prevent, detect, and respond to bribery through a risk-based, proportionate approach, covering direct/indirect bribery by/for the organization, personnel, and business associates across all sectors.

Key Components

Clauses 4–10 aligned with Harmonized Structure (HS) and PDCA cycle
Core elements: leadership commitment, anti-bribery policy, risk assessment, due diligence, financial/non-financial controls, training, reporting, audits, continual improvement
Dedicated compliance function and third-party controls
Optional certification via accredited bodies with surveillance audits

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) as due-diligence evidence
Builds stakeholder trust, reputational assurance, ESG alignment
Achieves operational efficiencies (up to 15% compliance cost reduction)
Facilitates market access and competitive differentiation

Implementation Overview

Phased: context/risk assessment, control design, training, monitoring, certification
Scalable for SMEs/multinationals, all industries/geographies
Typically 6–12 months, emphasizing documentation, internal audits, management reviews

EU AI Act Details

What It Is

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is a comprehensive regulation establishing the first horizontal framework for AI governance across the EU. It adopts a risk-based approach, prohibiting unacceptable-risk practices, imposing strict rules on high-risk systems, transparency for limited-risk, and minimal oversight for others. Scope covers providers, deployers, and value-chain actors for AI systems used in the EU.

Key Components

**Four risk tiersProhibited (Art. 5), high-risk (Annexes I/III, Arts. 9-15), limited-risk transparency (Art. 50), minimal-risk.
Core requirements: risk management, data governance, documentation, human oversight, cybersecurity.
GPAI models (Ch. V) with systemic risk duties.
Conformity assessments, CE marking, EU database registration; tiered fines up to 7% global turnover.

Why Organizations Use It

Mandatory for EU market access; mitigates legal risks, fines, bans. Enhances trust, safety; enables compliant innovation in high-impact sectors like employment, biometrics.

Implementation Overview

Phased rollout (6-36 months); inventory/classify AI, build RMS/QMS, conformity processes. Cross-functional for all sizes; audits/notified bodies for high-risk. (178 words)

Key Differences

Aspect	ISO 37001	EU AI Act
Scope	Anti-bribery management systems only	Risk-based AI systems lifecycle governance
Industry	All sectors worldwide, any size	All sectors, EU market focus
Nature	Voluntary certifiable management standard	Mandatory EU regulation with fines
Testing	Annual certification audits, internal reviews	Conformity assessments, post-market monitoring
Penalties	Loss of certification, no legal fines	Up to 7% global turnover fines

Scope

ISO 37001

Anti-bribery management systems only

EU AI Act

Risk-based AI systems lifecycle governance

Industry

ISO 37001

All sectors worldwide, any size

EU AI Act

All sectors, EU market focus

Nature

ISO 37001

Voluntary certifiable management standard

EU AI Act

Mandatory EU regulation with fines

Testing

ISO 37001

Annual certification audits, internal reviews

EU AI Act

Conformity assessments, post-market monitoring

Penalties

ISO 37001

Loss of certification, no legal fines

EU AI Act

Up to 7% global turnover fines

Frequently Asked Questions

Common questions about ISO 37001 and EU AI Act

ISO 37001 FAQ

EU AI Act FAQ

You Might also be Interested in These Articles...

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

Uncover the black box AI risk in security ops. Learn why human-in-the-loop auditing is crucial for 2026. Upskill analysts to ensure data privacy and robust secu

Using CIS Controls v8.1 as a ‘Compliance On-Ramp’: Map One Security Program to NIST CSF, ISO 27001, PCI DSS, and NIS2

Use CIS Controls v8.1 as your compliance on-ramp. Map one security program to NIST CSF, ISO 27001, PCI DSS, and NIS2 without duplicating work via practical mapp

Why applying the NIST CSF Standard is a Life-Saver!

Discover why NIST CSF 2.0 is a life-saver for organizations. This flexible framework's 6 functions—Govern, Identify, Protect, Detect, Respond, Recover—boost res

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

TOGAF vs EN 1090

Discover TOGAF vs EN 1090: Enterprise architecture framework meets steel/aluminium structural standards. Compare ADM phases, execution classes, FPC certification for IT & construction pros. Dive in!

SOX vs ISO 17025

Discover SOX vs ISO 17025: SOX enforces ICFR & financial accountability for public firms; ISO 17025 ensures lab testing competence & impartiality. Compare key differences & master compliance now!

REACH vs FedRAMP

Compare REACH vs FedRAMP: EU chemicals regs vs US cloud security. Key diffs in reqs, enforcement & strategies for global ops. Boost compliance now!

ISO 37001

EU AI Act

Quick Verdict

ISO 37001

Key Features

EU AI Act

Key Features

Detailed Analysis

ISO 37001 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EU AI Act Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

ISO 37001 FAQ

What is the primary objective of ISO 37001?

Who is legally or professionally required to comply with ISO 37001?

Does ISO 37001 require an external audit or third-party certification?

How often should an assessment for ISO 37001 be performed?

What are the consequences of non-compliance with ISO 37001?

Can ISO 37001 be mapped to other international frameworks?

What is the first step to begin implementing ISO 37001?

EU AI Act FAQ

What is the primary objective of EU AI Act?

Who is legally or professionally required to comply with EU AI Act?

Does EU AI Act require an external audit or third-party certification?

How often should an assessment for EU AI Act be performed?

What are the consequences of non-compliance with EU AI Act?

Can EU AI Act be mapped to other international frameworks?

What is the first step to begin implementing EU AI Act?

You Might also be Interested in These Articles...

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

Using CIS Controls v8.1 as a ‘Compliance On-Ramp’: Map One Security Program to NIST CSF, ISO 27001, PCI DSS, and NIS2

Why applying the NIST CSF Standard is a Life-Saver!

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

TOGAF vs EN 1090

SOX vs ISO 17025

REACH vs FedRAMP