What is the primary objective of **ISO 37001**?

**ISO 37001 specifies requirements for establishing, implementing, maintaining, and improving an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery.** It enables organizations to demonstrate reasonable, proportionate measures aligned with anti-bribery laws and voluntary commitments, following the PDCA cycle across Clauses 4–10. The standard covers direct/indirect bribery by/for the organization, personnel, and business associates, but does not guarantee bribery will never occur.

Who is legally or professionally required to comply with **ISO 37001**?

**ISO 37001 applies voluntarily to any organization—public, private, or not-for-profit—regardless of size, type, or sector.** It is not legally mandatory but is professionally required for high-risk entities (e.g., multinationals in extractives, construction, or public procurement) facing FCPA/UK Bribery Act exposure or tender prerequisites. Certification signals due diligence to regulators, investors, and partners.

Does **ISO 37001** require an external audit or third-party certification?

**ISO 37001 certification requires external audits by accredited third-party bodies, typically in two stages: Stage 1 (documentation review) and Stage 2 (on-site effectiveness verification).** Certificates are valid for 3 years, with annual surveillance audits (12–24 months) and recertification. Internal audits (Clause 9.2) are mandatory, but external certification is optional yet amplifies evidentiary value.

How often should an assessment for **ISO 37001** be performed?

**Bribery risk assessments under ISO 37001 must be performed periodically and whenever significant changes occur, such as new markets, M&A, or regulatory shifts.** Internal audits occur at planned intervals (Clause 9.2), management reviews are regular (Clause 9.3), and surveillance audits happen annually. The 2025 revision emphasizes continual reassessment tied to context (Clause 4).

What are the consequences of non-compliance with **ISO 37001**?

**Non-compliance with ISO 37001 results in certification denial, suspension, or withdrawal, plus weakened legal defense in bribery probes.** It offers no absolute prosecution immunity but evidences "reasonable steps," potentially reducing liability (e.g., fines, penalties). Operationally, it risks lost tenders, reputational harm, and up to 15% higher compliance costs without structured controls.

Can **ISO 37001** be mapped to other international frameworks?

**Yes, ISO 37001 aligns with the Harmonized Structure (HS), enabling seamless integration with ISO management systems like quality or information security standards.** Its PDCA architecture (Clauses 4–10) maps to broader risk frameworks, supporting FCPA/UK Bribery Act due diligence without overlap. The 2025 revision enhances HS compatibility for unified governance.

What is the first step to begin implementing **ISO 37001**?

**The first step is determining organizational context, scope, and bribery risk assessment per Clause 4.** Leadership must then commit (Clause 5), establishing an anti-bribery policy and compliance function. Conduct a gap analysis against Clauses 4–10 to prioritize actions, ensuring proportionality to risks like third-party exposure.

What is the primary objective of **ISO/IEC 42001:2023**?

**The primary objective of ISO/IEC 42001:2023 is to establish requirements for an Artificial Intelligence Management System (AIMS) to responsibly govern AI risks and opportunities across the full AI lifecycle.** Published in December 2023 by ISO/IEC JTC 1/SC 42, it employs the Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) via Clauses 4-10, addressing AI-specific issues like bias, transparency, and model drift through Annex A controls (38 in 10 themes) and mandatory AI Impact Assessments (AIIAs) for high-risk systems.

Who is legally or professionally required to comply with **ISO/IEC 42001:2023**?

**ISO/IEC 42001:2023 applies universally to any organization developing, providing, using, or otherwise involved with AI-based products or services, regardless of size, type, or sector.** It covers roles such as AI developers, providers, producers, and users, with no legal mandates but professional imperatives for roles in high-risk AI ecosystems; exclusions are limited to non-applicable requirements justified in Clause 4.3 scope statements.

Does **ISO/IEC 42001:2023** require an external audit or third-party certification?

**ISO/IEC 42001:2023 does not require external audits or third-party certification, but certification via accredited bodies like BSI or Schellman validates AIMS conformance.** Organizations pursue voluntary certification through two-stage audits (documentation review and operational verification), with 3-year validity and annual surveillance, as demonstrated by early adopters like Microsoft (Copilot) and UiPath (platform-level).

How often should an assessment for **ISO/IEC 42001:2023** be performed?

**Assessments for ISO/IEC 42001:2023 must be performed regularly as part of Clause 9 performance evaluation, including internal audits, management reviews, and monitoring of AI-specific KPIs like model drift.** Clause 10 mandates continual improvement with annual AI Impact Assessments (AIIAs) for high-risk systems, post-deployment monitoring (e.g., F1-score delta ≤0.03), and reviews of interested parties' needs per Clause 4.2.

What are the consequences of non-compliance with **ISO/IEC 42001:2023**?

**Non-compliance with ISO/IEC 42001:2023 results in internal risks like unmitigated AI biases, model failures, and lost opportunities, but no direct legal penalties as it is voluntary.** Certification lapses lead to audit non-conformities (e.g., 32% from model-drift KPIs), reputational damage, procurement exclusions (e.g., Microsoft SSPA requirements), and regulatory misalignment with frameworks like the EU AI Act.

An **ISO/IEC 42001:2023** be mapped to other international frameworks?

**Yes, ISO/IEC 42001:2023 can be mapped to other international frameworks due to its Annex SL High-Level Structure (HLS) and PDCA alignment.** It integrates seamlessly with standards sharing HLS (e.g., 64% evidence overlap with ISO/IEC 27001), enabling "One-MMS" playbooks that reduce implementation from 12 to 4.5 months.

What is the first step to begin implementing **ISO/IEC 42001:2023**?

**The first step to implement ISO/IEC 42001:2023 is to determine the organizational context and define AIMS scope per Clause 4.** This involves identifying internal/external issues (Clause 4.1), interested parties' needs (Clause 4.2), and boundaries/roles (e.g., AI provider/user), followed by a gap analysis against Clauses 4-10 and Annex A controls.

ISO 37001 vs ISO/IEC 42001:2023

Standards Comparison

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

ISO/IEC 42001:2023

Voluntary

2023

International standard for AI management systems

Quick Verdict

ISO 37001 establishes anti-bribery management systems to prevent corruption globally, while ISO/IEC 42001:2023 governs AI responsibly across lifecycles. Companies adopt them for certification, risk mitigation, regulatory alignment, and stakeholder trust in high-risk operations.

Anti-Bribery/Compliance

ISO 37001

ISO 37001: Anti-Bribery Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based bribery assessment and proportionate controls
Mandatory third-party due diligence and monitoring
Leadership commitment and compliance function requirement
PDCA cycle for continual ABMS improvement
Internationally certifiable management system standard

AI Management

ISO/IEC 42001:2023

ISO/IEC 42001:2023 Artificial Intelligence Management System

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

PDCA-based framework for AI lifecycle governance
Mandatory AI Impact Assessments for high-risk systems
Annex A with 38 AI-specific controls
Seamless integration with ISO 27001 and 9001
Third-party AI supplier risk management

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001: Anti-Bribery Management Systems is an international certifiable standard for establishing, implementing, and improving an Anti-Bribery Management System (ABMS). It applies to all organization types and sizes, focusing on preventing, detecting, and responding to bribery risks through a risk-based PDCA (Plan-Do-Check-Act) approach, covering direct/indirect bribery by/for the organization and associates.

Key Components

Clauses 4-10: context, leadership, planning, support, operation, evaluation, improvement.
Core controls: policy, risk assessment, due diligence, financial/non-financial controls, training, reporting/investigations.
Built on ISO Harmonized Structure for integration with standards like ISO 9001.
Third-party certification with audits.

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) via evidentiary "reasonable steps".
Builds reputational trust, stakeholder confidence, ESG alignment.
Delivers 15% compliance cost reductions, operational efficiencies.
Enables market access, competitive tenders.

Implementation Overview

Phased: gap analysis, risk assessment, controls design, training, audits.
Scalable for SMEs to multinationals, all sectors/geographies.
Optional certification via accredited bodies; transition to 2025 version by 2027.

ISO/IEC 42001:2023 Details

What It Is

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). It provides requirements to establish, implement, maintain, and improve AIMS, managing AI risks and opportunities responsibly. Applicable to any organization using or providing AI, it uses Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) for integration with other ISO standards.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Annex A lists 38 AI-specific controls across 10 themes like data governance, transparency, and resiliency.
Built on PDCA and HLS; supports certification via third-party audits.

Why Organizations Use It

Mitigates AI risks (bias, ethics, drift) while enabling innovation.
Aligns with regulations like EU AI Act; enhances trust and compliance.
Delivers competitive edges via reputation, procurement advantages, and insurance savings.

Implementation Overview

Phased gap analysis, risk assessments, training, and audits.
Suited for all sizes/sectors; 6-12 months typical, faster with existing ISO systems like 27001.

Key Differences

Aspect	ISO 37001	ISO/IEC 42001:2023
Scope	Bribery prevention, detection, response	AI lifecycle governance, ethics, risks
Industry	All sectors, high-risk like extractives	All sectors, AI developers/users/providers
Nature	Voluntary certifiable management standard	Voluntary certifiable management standard
Testing	Annual audits, surveillance every 12-24 months	Two-stage audits, annual surveillance, AIIAs
Penalties	Certification loss, no direct legal penalties	Certification loss, no direct legal penalties

Scope

ISO 37001

Bribery prevention, detection, response

ISO/IEC 42001:2023

AI lifecycle governance, ethics, risks

Industry

ISO 37001

All sectors, high-risk like extractives

ISO/IEC 42001:2023

All sectors, AI developers/users/providers

Nature

ISO 37001

Voluntary certifiable management standard

ISO/IEC 42001:2023

Voluntary certifiable management standard

Testing

ISO 37001

Annual audits, surveillance every 12-24 months

ISO/IEC 42001:2023

Two-stage audits, annual surveillance, AIIAs

Penalties

ISO 37001

Certification loss, no direct legal penalties

ISO/IEC 42001:2023

Certification loss, no direct legal penalties

Frequently Asked Questions

Common questions about ISO 37001 and ISO/IEC 42001:2023

ISO 37001 FAQ

ISO/IEC 42001:2023 FAQ

You Might also be Interested in These Articles...

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

Avoid top 10 SOC 2 mistakes like scope creep & evidence gaps. See fail/pass visuals, client quotes, Vanta/Drata automation fixes for bootstrapped startups. Quic

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Demystify NIST CSF 2.0 jargon with plain English tables for Govern, Supply Chain & Core Functions. Actionable steps for risk oversight & vendor management. Empo

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

First 5 steps to SOC 2 compliance with Confidentiality for fintech SaaS. Infographic maps controls to risks like encryption & TPRM. Integrates GLBA/PCI DSS over

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

APRA CPS 234 vs 23 NYCRR 500

Unlock APRA CPS 234 vs 23 NYCRR 500: Compare Australia's cyber resilience std with NY's finance cybersecurity reg. Governance, risks, 3rd-party & incident insights. Secure compliance now!

ISO 37001 vs CIS Controls

Compare ISO 37001 vs CIS Controls: Anti-bribery systems meet cybersecurity safeguards. Mitigate risks, ensure compliance, build resilience. Discover key differences now!

HIPAA vs ISO 55001

Compare HIPAA vs ISO 55001: HIPAA protects health data privacy/security; ISO 55001 drives asset lifecycle value. Discover key differences, compliance strategies & synergies for resilient ops.

ISO 37001

ISO/IEC 42001:2023

Quick Verdict

ISO 37001

Key Features

ISO/IEC 42001:2023

Key Features

Detailed Analysis

ISO 37001 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO/IEC 42001:2023 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

ISO 37001 FAQ

What is the primary objective of ISO 37001?

Who is legally or professionally required to comply with ISO 37001?

Does ISO 37001 require an external audit or third-party certification?

How often should an assessment for ISO 37001 be performed?

What are the consequences of non-compliance with ISO 37001?

Can ISO 37001 be mapped to other international frameworks?

What is the first step to begin implementing ISO 37001?

ISO/IEC 42001:2023 FAQ

What is the primary objective of ISO/IEC 42001:2023?

Who is legally or professionally required to comply with ISO/IEC 42001:2023?

Does ISO/IEC 42001:2023 require an external audit or third-party certification?

How often should an assessment for ISO/IEC 42001:2023 be performed?

What are the consequences of non-compliance with ISO/IEC 42001:2023?

An ISO/IEC 42001:2023 be mapped to other international frameworks?

What is the first step to begin implementing ISO/IEC 42001:2023?

You Might also be Interested in These Articles...

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

APRA CPS 234 vs 23 NYCRR 500

ISO 37001 vs CIS Controls

HIPAA vs ISO 55001