What is the primary objective of ISO 37001?

ISO 37001 specifies requirements for establishing, implementing, maintaining, reviewing, and improving an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery. It enables organizations to demonstrate reasonable, proportionate measures addressing bribery risks, including direct/indirect bribery by personnel and business associates, while complying with anti-bribery laws and voluntary commitments. Applicable to all organization types and sizes, it follows the PDCA cycle across Clauses 4–10 but does not guarantee bribery will never occur.

Who is legally or professionally required to comply with ISO 37001?

ISO 37001 is voluntary and applies to any public, private, or not-for-profit organization regardless of size, type, or sector. No legal mandates exist, but it is professionally essential for high-risk entities like multinationals in extractives, construction, or public procurement, where third-party exposure is high (95% of cases). Certification signals due diligence to regulators, investors, and partners under laws like FCPA or UK Bribery Act.

Does ISO 37001 require an external audit or third-party certification?

ISO 37001 certification is optional but involves accredited third-party audits in two stages: Stage 1 (documentation review) and Stage 2 (effectiveness verification). Successful certification yields a 3-year certificate with annual surveillance audits (every 12–24 months). Internal audits are mandatory per Clause 9.2, but external certification amplifies evidentiary value, potentially reducing liability in investigations.

How often should an assessment for ISO 37001 be performed?

Bribery risk assessments under ISO 37001 Clause 4.5 and 6.1 must be conducted periodically and whenever significant changes occur, such as new markets or M&A. Mature programs perform onboarding due diligence (99% of firms), contract renewals, and independent periodic reviews (56%). Internal audits occur at planned intervals (typically annually), feeding management reviews per Clause 9.3.

What are the consequences of non-compliance with ISO 37001?

Non-conformance with ISO 37001 leads to audit non-conformities, certification denial/suspension, and no legal immunity from bribery prosecution. It offers no absolute protection but may reduce liability as evidence of "reasonable steps." Operationally, it risks fines, debarment, reputational damage, and up to 15% higher compliance costs without structured controls.

Can ISO 37001 be mapped to other international frameworks?

Yes, ISO 37001 aligns with the Harmonized Structure (HS) for seamless integration with ISO management system standards like ISO 9001 or ISO 27001. Its PDCA architecture (Clauses 4–10) supports combined audits, shared documentation, and unified risk processes, reducing duplication while maintaining bribery-specific controls like due diligence (Clause 8.2).

What is the first step to begin implementing ISO 37001?

The first step is determining organizational context and scope per Clause 4, including bribery risk assessment (Clause 4.5). Conduct a gap analysis against Clauses 4–10, secure leadership commitment (Clause 5), and define ABMS boundaries based on internal/external issues and interested parties. This informs proportionate planning (Clause 6).

What is the primary objective of ISO 31000?

ISO 31000 provides principles, a framework, and process for organizations to manage risk systematically and create and protect value. It defines risk as the effect of uncertainty on objectives, applicable to any organization regardless of size, type, or sector. Clause 4 outlines eight principles (integrated, structured and comprehensive, customized, inclusive, dynamic, best available information, human and cultural factors, continual improvement). Clause 5 details the framework (leadership commitment, integration, design, implementation, evaluation, improvement). Clause 6 specifies the iterative process (communication/consultation, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting). The 2018 revision emphasizes leadership integration and iterative adaptation for better decision-making and resilience.

Who is legally or professionally required to comply with ISO 31000?

No organization is legally required to comply with ISO 31000, as it provides voluntary guidelines, not certifiable requirements. ISO explicitly states it is not intended for certification purposes. Professionally, it applies universally to any entity—public, private, large, small—facing uncertainty affecting objectives. Boards, executives, risk officers, and operational leaders in all sectors use it to embed risk management into governance and strategy for value creation and protection.

Does ISO 31000 require an external audit or third-party certification?

No, ISO 31000 does not require external audit or third-party certification. As guidelines rather than auditable requirements, alignment is demonstrated through internal governance, records, and evidence of principles, framework, and process application. Assurance comes via internal audits, management reviews, and performance metrics like KRIs.

How often should an assessment for ISO 31000 be performed?

ISO 31000 requires continual, iterative risk assessments through monitoring and review, not fixed intervals. The dynamic principle and Clause 6.5 mandate ongoing monitoring of controls and context changes, with periodic reviews triggered by events, new information, or performance data. Practical cadences include monthly operational checks, quarterly evaluations, and annual framework reviews.

What are the consequences of non-compliance with ISO 31000?

Non-compliance with ISO 31000 carries no direct legal penalties, as it is a voluntary guideline. Indirect consequences include poor decision-making, unmitigated losses, regulatory scrutiny in sectors expecting systematic risk practices, reputational damage, and operational failures from unmanaged uncertainty.

Can ISO 31000 be mapped to other international frameworks?

Yes, ISO 31000 serves as a foundational framework that maps to other international risk-related standards. Its principles, framework, and process provide a base for specialized applications, enabling consistent risk language across governance systems.

What is the first step to begin implementing ISO 31000?

The first step is securing leadership commitment and establishing the risk management framework per Clause 5. Top management must issue a policy, allocate resources, define roles, integrate into governance, and design context-specific criteria before scaling the Clause 6 process.

Standards Comparison

ISO 37001 vs ISO 31000

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

ISO 31000

Voluntary

2018

International standard for risk management guidelines

Quick Verdict

ISO 37001 certifies anti-bribery systems for legal mitigation and trust, while ISO 31000 guides broad risk management for better decisions. Companies adopt 37001 for compliance defense, 31000 for strategic resilience.

Anti-Bribery/Compliance

ISO 37001

ISO 37001 Anti-Bribery Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based anti-bribery management system framework
Mandatory third-party due diligence controls
Leadership commitment and culture requirements
PDCA cycle for continual improvement
Internationally certifiable with surveillance audits

Risk Management

ISO 31000

ISO 31000:2018 Risk management — Guidelines

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Eight core risk management principles
Framework integrating leadership and governance
Iterative six-step risk process
Non-certifiable flexible guidelines
Universal applicability to any organization

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001:2016 Anti-Bribery Management Systems is an international certifiable standard providing requirements for establishing, implementing, and improving an ABMS. It focuses on preventing, detecting, and responding to bribery risks across organizations, using a risk-based PDCA (Plan-Do-Check-Act) approach applicable to all sectors and sizes.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement.
Core areas: risk assessment, due diligence, financial/non-financial controls, training, reporting.
Built on ISO Harmonized Structure for integration with standards like ISO 9001.
Certifiable via third-party audits with annual surveillance.

Why Organizations Use It

Mitigates legal risks under FCPA/UK Bribery Act; evidences "reasonable steps".
Builds stakeholder trust, reduces compliance costs up to 15%.
Enhances reputation, enables market access via certification.

Implementation Overview

Phased: gap analysis, risk assessment, control design, training, audits.
Scalable for SMEs to multinationals; 6-12 months typical.
Optional certification involves Stage 1/2 audits.

ISO 31000 Details

What It Is

ISO 31000:2018, Risk management — Guidelines is an international standard providing flexible, principles-based guidance for enterprise-wide risk management. It defines risk as the effect of uncertainty on objectives and applies a systematic, iterative approach to any organization, emphasizing value creation and protection through better decision-making.

Key Components

Three pillars: Eight principles (e.g., integrated, customized, dynamic), a framework (leadership, integration, design, implementation, evaluation, improvement), and a six-step process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).
No fixed controls; focuses on adaptable practices.
Non-certifiable guidelines, not requirements.

Why Organizations Use It

Enhances governance, resilience, and strategic execution.
Drives opportunity realization and loss prevention.
Builds stakeholder trust without certification mandates.
Offers competitive edge in volatile environments.

Implementation Overview

Phased roadmap: leadership alignment, gap analysis, pilot, rollout, monitoring.
Tailored to any size/sector; involves policy, training, tools like GRC platforms.
Internal assurance via audits; universal applicability.

Key Differences

Aspect	ISO 37001	ISO 31000
Scope	Bribery prevention, detection, response	All risks affecting objectives
Industry	All sectors, high-risk emphasis	All sectors, any organization
Nature	Certifiable management system standard	Non-certifiable guidelines
Testing	Third-party certification audits	Internal monitoring, reviews
Penalties	Loss of certification, no legal	No penalties, voluntary

Scope

ISO 37001

Bribery prevention, detection, response

ISO 31000

All risks affecting objectives

Industry

ISO 37001

All sectors, high-risk emphasis

ISO 31000

All sectors, any organization

Nature

ISO 37001

Certifiable management system standard

ISO 31000

Non-certifiable guidelines

Testing

ISO 37001

Third-party certification audits

ISO 31000

Internal monitoring, reviews

Penalties

ISO 37001

Loss of certification, no legal

ISO 31000

No penalties, voluntary

Frequently Asked Questions

Common questions about ISO 37001 and ISO 31000

ISO 37001 FAQ

ISO 31000 FAQ

You Might also be Interested in These Articles...

Your Guide to Implementing PCI DSS in Your Organization

Step-by-step guide to implementing PCI DSS in your organization. Achieve compliance, protect cardholder data, and reduce risks. Start securing payments today!

NIST CSF 2.0 Implementation Tiers Roadmap: Step-by-Step Guide from Partial to Adaptive Cybersecurity Maturity

Master NIST CSF 2.0 Implementation Tiers with a step-by-step roadmap. Assess your tier, build gap analyses, and advance from Partial (Tier 1) to Adaptive (Tier

What is DORA and which Requirements does the Standard define?

Discover DORA requirements for info security, strict authority monitoring, and steps to achieve compliance. Build a resilient organization with our detailed gui

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 37001 and ISO 31000 compare against other standards

Other ISO 37001 Comparisons

Other ISO 31000 Comparisons

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement.

Core areas: risk assessment, due diligence, financial/non-financial controls, training, reporting.

Built on ISO Harmonized Structure for integration with standards like ISO 9001.

Certifiable via third-party audits with annual surveillance.

What It Is

Key Components

Three pillars: Eight principles (e.g., integrated, customized, dynamic), a framework (leadership, integration, design, implementation, evaluation, improvement), and a six-step process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).

No fixed controls; focuses on adaptable practices.

Non-certifiable guidelines, not requirements.

Aspect

ISO 37001

ISO 31000

Scope

Bribery prevention, detection, response

All risks affecting objectives

Industry

All sectors, high-risk emphasis

All sectors, any organization

Nature

Certifiable management system standard

Non-certifiable guidelines

Testing

Third-party certification audits

Internal monitoring, reviews

Penalties

Loss of certification, no legal

No penalties, voluntary