What is the primary objective of ISO 37001?

ISO 37001 establishes requirements for an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery. It follows the PDCA cycle across Clauses 4–10, enabling organizations to implement proportionate controls, comply with anti-bribery laws, and demonstrate reasonable measures through risk assessments, due diligence, training, financial controls, monitoring, audits, and continual improvement, without guaranteeing bribery will never occur.

Who is legally or professionally required to comply with ISO 37001?

ISO 37001 is voluntary and applicable to all organizations regardless of size, type, or sector. Public, private, and not-for-profit entities in high-risk areas like extractives, construction, or public procurement adopt it for evidentiary value in enforcement under laws like FCPA or UK Bribery Act, third-party risk management (95% of cases involve third parties), and market access; no legal mandates exist, but certification signals due diligence to regulators, partners, and investors.

Does ISO 37001 require an external audit or third-party certification?

ISO 37001 certification is optional but involves accredited third-party audits. It features Stage 1 (documentation review) and Stage 2 (on-site effectiveness testing), yielding a 3-year certificate with annual surveillance audits (every 12 months); internal audits are mandatory under Clause 9.2, while external certification amplifies evidentiary value, potentially reducing liability in investigations.

How often should an assessment for ISO 37001 be performed?

Bribery risk assessments under ISO 37001 must be conducted periodically and when significant changes occur. Clause 4.5 requires ongoing reviews integrated into PDCA; best practice includes annual reassessments, onboarding (99% of firms), contract renewals, and 56% perform independent periodic checks, triggered by mergers, new markets, or incidents to ensure proportionate controls.

What are the consequences of non-compliance with ISO 37001?

Non-conformity with ISO 37001 leads to audit findings, certification suspension, or withdrawal. Major nonconformities require corrective actions within 90–180 days; operational risks include fines, debarment, reputational damage, and liability under anti-bribery laws, as certification provides mitigation evidence but no absolute immunity; up to 15% compliance cost increases without mature ABMS.

An ISO 37001 be mapped to other international frameworks?

Yes, ISO 37001 aligns with the Harmonized Structure (HS) for integration with other ISO management systems. Its Clauses 4–10 enable seamless mapping to standards sharing PDCA logic, reducing duplication in audits, reviews, and documentation; the standard's structure enhances HS compatibility for unified governance without scope overlap.

What is the first step to begin implementing ISO 37001?

The first step is determining organizational context and scope per Clause 4. Identify internal/external issues, interested parties, and bribery risks to define ABMS boundaries; conduct a gap analysis against Clauses 4–10, secure leadership commitment (Clause 5), and develop an anti-bribery policy to initiate the PDCA cycle.

What is the primary objective of ISO 19600?

ISO 19600 provides guidelines for establishing, developing, implementing, evaluating, maintaining, and improving a Compliance Management System (CMS). Published in 2014 as a Type B guidance standard, it follows a risk-based approach structured around ten clauses mirroring Annex SL (context, leadership, planning, support, operation, performance evaluation, improvement). Core principles include good governance, proportionality, transparency, and sustainability, enabling organizations of all sizes to integrate compliance obligations into operations without mandatory requirements.

Who is legally or professionally required to comply with ISO 19600?

No organization is legally required to comply with ISO 19600, as it is a voluntary Type B guidance standard, not a certifiable or mandatory framework. It applies universally to all organization sizes, sectors, and geographies facing statutory, regulatory, contractual, or internal policy obligations, including financial services, manufacturing, healthcare, technology, public sector, SMEs, and startups. Stakeholders such as CCOs, boards, and risk committees use it for benchmarking CMS effectiveness to regulators, customers, and partners.

Does ISO 19600 require an external audit or third-party certification?

ISO 19600 does not require external audits or third-party certification, as it is a non-certifiable Type B guidance document containing recommendations, not mandatory requirements. Organizations conduct internal audits per Clause 9.2 (aligned with ISO 19011) and self-assessments, with management reviews (Clause 9.3) evaluating performance. Benchmarking against its clauses demonstrates CMS alignment without formal certification.

How often should an assessment for ISO 19600 be performed?

ISO 19600 assessments should be performed continuously through monitoring, with planned internal audits at defined intervals and reassessments triggered by changes in context, obligations, or incidents. Clause 9.1 requires ongoing monitoring, measurement, analysis, and evaluation of CMS effectiveness, including Key Compliance Indicators (KCIs). Quarterly management reviews (Clause 9.3), risk reassessments (Clause 4.6), and PDCA cycles ensure dynamic evaluation, with horizon scanning for regulatory changes.

What are the consequences of non-compliance with ISO 19600?

There are no direct consequences for non-compliance with ISO 19600 itself, as it imposes no legal penalties or enforceable requirements. However, lacking a structured CMS increases exposure to regulatory fines, operational disruptions, reputational damage, and higher insurance costs from unaddressed compliance obligations. Adoption mitigates these by formalizing risk identification and controls, as evidenced by cases like fines for inadequate anti-bribery programs.

An ISO 19600 be mapped to other international frameworks?

Yes, ISO 19600 can be mapped to other international frameworks due to its Annex SL structure and risk-based principles aligned with ISO 31000. Its ten clauses enable integration with existing management systems, avoiding duplication through shared processes like risk registers and PDCA cycles. This supports scalability and benchmarking while transitioning to successors like ISO 37301.

What is the first step to begin implementing ISO 19600?

The first step to implement ISO 19600 is securing leadership commitment through top-management endorsement and establishing a Compliance Steering Committee (Phase 0). Clause 5 requires a signed commitment charter, defining CMS scope (Clause 4), appointing a CCO or equivalent, and cross-functional oversight. This aligns with good governance principles, enabling contextual analysis and gap assessment.

Standards Comparison

ISO 37001 vs ISO 19600

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

ISO 19600

Voluntary

2014

International guidelines for compliance management systems

Quick Verdict

ISO 37001 provides certifiable anti-bribery controls for high-risk organizations, while ISO 19600 offered broad compliance guidance. Companies adopt 37001 for assurance and tenders; 19600 (now withdrawn) built foundational CMS frameworks.

Anti-Bribery/Compliance

ISO 37001

ISO 37001:2016 Anti-bribery management systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based bribery risk assessment and controls
Mandatory third-party due diligence and monitoring
Leadership commitment and compliance function requirements
PDCA management system for continual improvement
Internationally certifiable anti-bribery standard

Compliance Management

ISO 19600

ISO 19600:2014 Compliance management systems — Guidelines

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Risk-based CMS framework with PDCA cycle
Principles of good governance and proportionality
Scalable for all organization sizes and sectors
Integration with existing management systems
Guidance on compliance obligations and controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001:2016 Anti-bribery management systems is an international certifiable standard specifying requirements for establishing, implementing, and improving an Anti-Bribery Management System (ABMS). It applies to all organization types and sizes, focusing on preventing, detecting, and responding to bribery risks through a risk-based, proportionate approach aligned with PDCA (Plan-Do-Check-Act) and Harmonized Structure (HS).

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Core controls: anti-bribery policy, risk assessments, due diligence, financial/non-financial controls, training, reporting, investigations.
Built on leadership accountability, third-party management, and evidence-based auditing.
Optional third-party certification with 3-year cycles and surveillance audits.

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) without guaranteeing immunity.
Builds stakeholder trust, enhances reputation, reduces compliance costs up to 15%.
Enables market access, ESG alignment, operational efficiencies.

Implementation Overview

Phased: gap analysis, risk assessment, control design, training, audits.
Scalable for SMEs to multinationals across sectors/geographies.
Involves documentation, internal audits, management reviews; certification optional but recommended.

ISO 19600 Details

What It Is

ISO 19600:2014, titled Compliance management systems — Guidelines, is a Type B guidance standard from the International Organization for Standardization. Its primary purpose is to provide recommendations for establishing, implementing, evaluating, maintaining, and improving a Compliance Management System (CMS). It adopts a risk-based approach, aligned with Annex SL structure and PDCA cycle, applicable to all organizations regardless of size or sector.

Key Components

10 clauses covering context, leadership, planning, support, operation, performance evaluation, and improvement.
Core principles: good governance, proportionality, transparency, sustainability.
Focus on compliance obligations, risk assessment, controls, training, monitoring.
Non-certifiable; benchmarking tool, predecessor to certifiable ISO 37301.

Why Organizations Use It

Mitigates legal, regulatory, reputational risks; reduces penalties and disruptions.
Enhances decision-making, efficiency (10-20% cost savings), market access.
Builds integrity culture, stakeholder trust; future-proofs for ISO 37301.

Implementation Overview

Phased roadmap: leadership commitment, gap analysis, design, rollout, continuous improvement.
Scalable for SMEs to multinationals; integrates with ISO 9001/14001.
No formal certification; internal audits and self-assessments.

Key Differences

Aspect	ISO 37001	ISO 19600
Scope	Specific: anti-bribery management only	Broad: all compliance obligations
Industry	All sectors, high-risk bribery areas	All sectors, universal applicability
Nature	Certifiable requirements standard	Non-certifiable guidance (withdrawn)
Testing	Certification audits, surveillance	Internal audits, self-assessment
Penalties	No direct penalties, certification loss	No penalties, no certification

Scope

ISO 37001

Specific: anti-bribery management only

ISO 19600

Broad: all compliance obligations

Industry

ISO 37001

All sectors, high-risk bribery areas

ISO 19600

All sectors, universal applicability

Nature

ISO 37001

Certifiable requirements standard

ISO 19600

Non-certifiable guidance (withdrawn)

Testing

ISO 37001

Certification audits, surveillance

ISO 19600

Internal audits, self-assessment

Penalties

ISO 37001

No direct penalties, certification loss

ISO 19600

No penalties, no certification

Frequently Asked Questions

Common questions about ISO 37001 and ISO 19600

ISO 37001 FAQ

ISO 19600 FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

Unpack NIST CSF 2.0's enhanced Core Functions: Govern, Identify, Protect, Detect, Respond, Recover. Get SME playbooks, governance shifts & strategies for cyber

The Service-Oriented SOC: Leveraging Maturity Assessments to Guarantee SLOs and Operational Predictability

Transform your SOC into a service provider using maturity assessments to standardize workflows, guarantee SLOs, and ensure predictability amid turnover and risi

Top 5 Reasons NIST SP 800-53 Rev 5 Overlays Unlock AI Risk Management for Private Sector Enterprises in 2025

Top 5 reasons NIST SP 800-53 Rev 5 AI overlays unlock risk management for private enterprises. Tailorable controls combat model poisoning & data leakage. CISO i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 37001 and ISO 19600 compare against other standards

Other ISO 37001 Comparisons

Other ISO 19600 Comparisons

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.

Core controls: anti-bribery policy, risk assessments, due diligence, financial/non-financial controls, training, reporting, investigations.

Built on leadership accountability, third-party management, and evidence-based auditing.

Optional third-party certification with 3-year cycles and surveillance audits.

What It Is

Key Components

10 clauses covering context, leadership, planning, support, operation, performance evaluation, and improvement.

Core principles: good governance, proportionality, transparency, sustainability.

Focus on compliance obligations, risk assessment, controls, training, monitoring.

Non-certifiable; benchmarking tool, predecessor to certifiable ISO 37301.

Aspect

ISO 37001

ISO 19600

Scope

Specific: anti-bribery management only

Broad: all compliance obligations

Industry

All sectors, high-risk bribery areas

All sectors, universal applicability

Nature

Certifiable requirements standard

Non-certifiable guidance (withdrawn)

Testing

Certification audits, surveillance

Internal audits, self-assessment

Penalties

No direct penalties, certification loss

No penalties, no certification