What is the primary objective of ISO 37001?

ISO 37001 specifies requirements for establishing, implementing, maintaining, and improving an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery. It enables organizations to demonstrate reasonable, proportionate measures aligned with anti-bribery laws and voluntary commitments, following the PDCA cycle across Clauses 4–10. The standard covers direct/indirect bribery by/for the organization, personnel, and business associates, but does not guarantee bribery will never occur.

Who is legally or professionally required to comply with ISO 37001?

ISO 37001 applies voluntarily to any organization—public, private, or not-for-profit—regardless of size, type, or sector. It is not legally mandatory but is professionally required for high-risk entities (e.g., multinationals in extractives, construction, or public procurement) facing FCPA/UK Bribery Act exposure or tender prerequisites. Certification signals due diligence to regulators, investors, and partners.

Does ISO 37001 require an external audit or third-party certification?

ISO 37001 certification requires external audits by accredited third-party bodies, typically in two stages: Stage 1 (documentation review) and Stage 2 (on-site effectiveness verification). Certificates are valid for 3 years, with annual surveillance audits (12–24 months) and recertification. Internal audits (Clause 9.2) are mandatory, but external certification is optional yet amplifies evidentiary value.

How often should an assessment for ISO 37001 be performed?

Bribery risk assessments under ISO 37001 must be performed periodically and whenever significant changes occur, such as new markets, M&A, or regulatory shifts. Internal audits occur at planned intervals (Clause 9.2), management reviews are regular (Clause 9.3), and surveillance audits happen annually. The standard emphasizes continual reassessment tied to context (Clause 4).

What are the consequences of non-compliance with ISO 37001?

Non-compliance with ISO 37001 results in certification denial, suspension, or withdrawal, plus weakened legal defense in bribery probes. It offers no absolute prosecution immunity but evidences "reasonable steps," potentially reducing liability (e.g., fines, penalties). Operationally, it risks lost tenders, reputational harm, and up to 15% higher compliance costs without structured controls.

Can ISO 37001 be mapped to other international frameworks?

Yes, ISO 37001 aligns with the Harmonized Structure (HS), enabling seamless integration with ISO management systems like quality or information security standards. Its PDCA architecture (Clauses 4–10) maps to broader risk frameworks, supporting FCPA/UK Bribery Act due diligence without overlap. The standard enhances HS compatibility for unified governance.

What is the first step to begin implementing ISO 37001?

The first step is determining organizational context, scope, and bribery risk assessment per Clause 4. Leadership must then commit (Clause 5), establishing an anti-bribery policy and compliance function. Conduct a gap analysis against Clauses 4–10 to prioritize actions, ensuring proportionality to risks like third-party exposure.

What is the primary objective of ISO/IEC 42001:2023?

The primary objective of ISO/IEC 42001:2023 is to establish requirements for an Artificial Intelligence Management System (AIMS) to responsibly govern AI risks and opportunities across the full AI lifecycle. Published in December 2023 by ISO/IEC JTC 1/SC 42, it employs the Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) via Clauses 4-10, addressing AI-specific issues like bias, transparency, and model drift through Annex A controls (39 in 9 themes) and mandatory AI Impact Assessments (AIIAs) for high-risk systems.

Who is legally or professionally required to comply with ISO/IEC 42001:2023?

ISO/IEC 42001:2023 applies universally to any organization developing, providing, using, or otherwise involved with AI-based products or services, regardless of size, type, or sector. It covers roles such as AI developers, providers, producers, and users, with no legal mandates but professional imperatives for roles in high-risk AI ecosystems; exclusions are limited to non-applicable requirements justified in Clause 4.3 scope statements.

Does ISO/IEC 42001:2023 require an external audit or third-party certification?

ISO/IEC 42001:2023 does not require external audits or third-party certification, but certification via accredited bodies like BSI or Schellman validates AIMS conformance. Organizations pursue voluntary certification through two-stage audits (documentation review and operational verification), with 3-year validity and annual surveillance, as demonstrated by early adopters like Microsoft (Copilot) and UiPath (platform-level).

How often should an assessment for ISO/IEC 42001:2023 be performed?

Assessments for ISO/IEC 42001:2023 must be performed regularly as part of Clause 9 performance evaluation, including internal audits, management reviews, and monitoring of AI-specific KPIs like model drift. Clause 10 mandates continual improvement with annual AI Impact Assessments (AIIAs) for high-risk systems, post-deployment monitoring (e.g., F1-score delta ≤0.03), and reviews of interested parties' needs per Clause 4.2.

What are the consequences of non-compliance with ISO/IEC 42001:2023?

Non-compliance with ISO/IEC 42001:2023 results in internal risks like unmitigated AI biases, model failures, and lost opportunities, but no direct legal penalties as it is voluntary. Certification lapses lead to audit non-conformities (e.g., 32% from model-drift KPIs), reputational damage, procurement exclusions (e.g., Microsoft SSPA requirements), and regulatory misalignment with frameworks like the EU AI Act.

An ISO/IEC 42001:2023 be mapped to other international frameworks?

Yes, ISO/IEC 42001:2023 can be mapped to other international frameworks due to its Annex SL High-Level Structure (HLS) and PDCA alignment. It integrates seamlessly with standards sharing HLS (e.g., 64% evidence overlap with ISO/IEC 27001), enabling "One-MMS" playbooks that reduce implementation from 12 to 4.5 months.

What is the first step to begin implementing ISO/IEC 42001:2023?

The first step to implement ISO/IEC 42001:2023 is to determine the organizational context and define AIMS scope per Clause 4. This involves identifying internal/external issues (Clause 4.1), interested parties' needs (Clause 4.2), and boundaries/roles (e.g., AI provider/user), followed by a gap analysis against Clauses 4-10 and Annex A controls.

Standards Comparison

ISO 37001 vs ISO/IEC 42001:2023

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

ISO/IEC 42001:2023

Voluntary

2023

International standard for AI management systems

Quick Verdict

ISO 37001 establishes anti-bribery management systems to prevent corruption globally, while ISO/IEC 42001:2023 governs AI responsibly across lifecycles. Companies adopt them for certification, risk mitigation, regulatory alignment, and stakeholder trust in high-risk operations.

Anti-Bribery/Compliance

ISO 37001

ISO 37001: Anti-Bribery Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based bribery assessment and proportionate controls
Mandatory third-party due diligence and monitoring
Leadership commitment and compliance function requirement
PDCA cycle for continual ABMS improvement
Internationally certifiable management system standard

AI Management

ISO/IEC 42001:2023

ISO/IEC 42001:2023 Artificial Intelligence Management System

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

PDCA-based framework for AI lifecycle governance
Mandatory AI Impact Assessments for high-risk systems
Annex A with 39 AI-specific controls
Seamless integration with ISO 27001 and 9001
Third-party AI supplier risk management

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001: Anti-Bribery Management Systems is an international certifiable standard for establishing, implementing, and improving an Anti-Bribery Management System (ABMS). It applies to all organization types and sizes, focusing on preventing, detecting, and responding to bribery risks through a risk-based PDCA (Plan-Do-Check-Act) approach, covering direct/indirect bribery by/for the organization and associates.

Key Components

Clauses 4-10: context, leadership, planning, support, operation, evaluation, improvement.
Core controls: policy, risk assessment, due diligence, financial/non-financial controls, training, reporting/investigations.
Built on ISO Harmonized Structure for integration with standards like ISO 9001.
Third-party certification with audits.

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) via evidentiary "reasonable steps".
Builds reputational trust, stakeholder confidence, ESG alignment.
Delivers 15% compliance cost reductions, operational efficiencies.
Enables market access, competitive tenders.

Implementation Overview

Phased: gap analysis, risk assessment, controls design, training, audits.
Scalable for SMEs to multinationals, all sectors/geographies.
Optional certification via accredited bodies; transition to updated versions within standard grace periods.

ISO/IEC 42001:2023 Details

What It Is

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). It provides requirements to establish, implement, maintain, and improve AIMS, managing AI risks and opportunities responsibly. Applicable to any organization using or providing AI, it uses Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) for integration with other ISO standards.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Annex A lists 39 AI-specific controls across 9 themes like data governance, transparency, and resiliency.
Built on PDCA and HLS; supports certification via third-party audits.

Why Organizations Use It

Mitigates AI risks (bias, ethics, drift) while enabling innovation.
Aligns with regulations like EU AI Act; enhances trust and compliance.
Delivers competitive edges via reputation, procurement advantages, and insurance savings.

Implementation Overview

Phased gap analysis, risk assessments, training, and audits.
Suited for all sizes/sectors; 6-12 months typical, faster with existing ISO systems like 27001.

Key Differences

Aspect	ISO 37001	ISO/IEC 42001:2023
Scope	Bribery prevention, detection, response	AI lifecycle governance, ethics, risks
Industry	All sectors, high-risk like extractives	All sectors, AI developers/users/providers
Nature	Voluntary certifiable management standard	Voluntary certifiable management standard
Testing	Annual audits, surveillance every 12-24 months	Two-stage audits, annual surveillance, AIIAs
Penalties	Certification loss, no direct legal penalties	Certification loss, no direct legal penalties

Scope

ISO 37001

Bribery prevention, detection, response

ISO/IEC 42001:2023

AI lifecycle governance, ethics, risks

Industry

ISO 37001

All sectors, high-risk like extractives

ISO/IEC 42001:2023

All sectors, AI developers/users/providers

Nature

ISO 37001

Voluntary certifiable management standard

ISO/IEC 42001:2023

Voluntary certifiable management standard

Testing

ISO 37001

Annual audits, surveillance every 12-24 months

ISO/IEC 42001:2023

Two-stage audits, annual surveillance, AIIAs

Penalties

ISO 37001

Certification loss, no direct legal penalties

ISO/IEC 42001:2023

Certification loss, no direct legal penalties

Frequently Asked Questions

Common questions about ISO 37001 and ISO/IEC 42001:2023

ISO 37001 FAQ

ISO/IEC 42001:2023 FAQ

You Might also be Interested in These Articles...

NIST SP 800-53 Rev 5.1 Private Sector Tailoring Blueprint: First 5 Steps to Overlay-Driven Compliance with Infographic

Step-by-step blueprint for private sector NIST SP 800-53 Rev 5.1 tailoring using overlays for AI & supply chain risks. Infographic + first 5 steps for ROI-drive

The NIS2 "FTE Trap": Why 5 Analysts for 24/7 Security is Actually 8 (and Why the Board Needs to Know)

Exposed: NIS2 FTE Trap math shows 5 analysts fail 24/7 coverage due to sickness, training, leave & 2026 churn. Line-by-line breakdown for compliance. Alert your

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decode AICPA Trust Services Criteria from auditor jargon to plain English with side-by-side tables, analogies & TL;DRs. CISOs & founders: implement SOC 2 contro

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 37001 and ISO/IEC 42001:2023 compare against other standards

Other ISO 37001 Comparisons

Other ISO/IEC 42001:2023 Comparisons

What It Is

Key Components

Clauses 4-10: context, leadership, planning, support, operation, evaluation, improvement.

Core controls: policy, risk assessment, due diligence, financial/non-financial controls, training, reporting/investigations.

Built on ISO Harmonized Structure for integration with standards like ISO 9001.

Third-party certification with audits.

What It Is

Aspect

ISO 37001

ISO/IEC 42001:2023

Scope

Bribery prevention, detection, response

AI lifecycle governance, ethics, risks

Industry

All sectors, high-risk like extractives

All sectors, AI developers/users/providers

Nature

Voluntary certifiable management standard

Testing

Annual audits, surveillance every 12-24 months

Two-stage audits, annual surveillance, AIIAs

Penalties

Certification loss, no direct legal penalties