What is the primary objective of **ISO 37001**?

**ISO 37001 specifies requirements for establishing, implementing, maintaining, reviewing, and improving an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery.** It enables organizations to demonstrate reasonable, proportionate measures addressing bribery risks, complying with anti-bribery laws and voluntary commitments, without guaranteeing bribery will never occur. Applicable to all sectors and sizes, it follows the PDCA cycle across Clauses 4–10, emphasizing leadership, risk assessment, due diligence, controls, evaluation, and continual improvement.

Who is legally or professionally required to comply with **ISO 37001**?

**ISO 37001 is voluntary and applicable to any organization—public, private, or not-for-profit—regardless of size, type, or location.** No legal mandates exist, but it is professionally required for high-risk entities like multinationals in extractives, construction, or public procurement facing FCPA, UK Bribery Act, or tender requirements. Certification signals due diligence to regulators, investors, and partners, especially where **95% of bribery cases involve third parties**.

Does **ISO 37001** require an external audit or third-party certification?

**ISO 37001 certification is optional but involves accredited third-party audits in two stages: Stage 1 (documentation review) and Stage 2 (effectiveness verification).** Successful certification yields a 3-year certificate with annual surveillance audits (every 12–24 months). Internal audits are mandatory per Clause 9.2, but external certification amplifies evidentiary value, potentially reducing liability in investigations.

How often should an assessment for **ISO 37001** be performed?

**Bribery risk assessments under ISO 37001 Clause 4.5 and 6.1 must be performed periodically and whenever significant changes occur, such as new markets or M&A.** Mature programs conduct onboarding due diligence (99% of firms), contract renewals, and independent periodic reviews (56% of firms). Internal audits occur at planned intervals (typically annually), feeding management reviews.

What are the consequences of non-compliance with **ISO 37001**?

**Non-conformity with ISO 37001 can result in certification denial, suspension, or withdrawal, plus major/minor non-conformities requiring Corrective Action Plans (CAPs) within 10–90 days.** Operationally, it exposes organizations to unmitigated bribery risks, enforcement fines (e.g., FCPA extraterritorial penalties), reputational damage, and lost contracts. Certification provides no absolute immunity but evidentiary mitigation.

An **ISO 37001** be mapped to other international frameworks?

**Yes, ISO 37001 aligns with the ISO Harmonized Structure (HS), enabling seamless integration with standards like ISO 9001, ISO 14001, and ISO/IEC 27001.** Its PDCA architecture (Clauses 4–10) supports combined management systems, reducing duplication in audits, reviews, and documentation. It complements FCPA/UK Bribery Act expectations without replacing legal obligations.

What is the first step to begin implementing **ISO 37001**?

**The first step is determining organizational context and scope per Clause 4, including bribery risk assessment (Clause 4.5).** Conduct a gap analysis against Clauses 4–10, secure leadership commitment (Clause 5), and define ABMS boundaries based on internal/external issues and interested parties. This risk-based foundation informs policy, planning, and controls.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 (Multi-Level Protection Scheme) is to establish a graded cybersecurity protection system ensuring security controls match the potential harm from system compromise to national security, social order, and public interests.** It classifies information systems into five levels (1-5) based on impact severity, mandating commensurate technical, management, physical, and personnel controls per GB/T 22239-2019 and related standards. This framework operationalizes Article 21 of China's Cybersecurity Law, applying to all network operators.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**MLPS 2.0 (Multi-Level Protection Scheme) legally requires compliance from all network operators in mainland China, including domestic enterprises, foreign-invested entities, and operators of cloud, IoT, big data, or industrial systems.** Virtually any entity managing networks or information systems must classify and protect them, with Levels 2+ needing PSB filing. Critical sectors like finance, energy, and telecom often classify at Level 3+.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) mandates external security reviews by licensed Chinese firms for Level 2+ systems, targeting a minimum score of 75/100 per GB/T 28448-2019.** Operators submit results and documentation to local PSBs for approval and certification. Level 1 requires only self-assessment; higher levels demand periodic re-evaluations.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 (Multi-Level Protection Scheme) must occur biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5.** Re-evaluations are also required after major system changes. Self-inspections apply to all levels, with external reviews mandatory for Level 2+.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 (Multi-Level Protection Scheme) results in administrative fines up to 100,000 yuan, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement links certification to business license renewals; severe cases involve blacklisting or criminal liability, as seen in financial sector fines exceeding RMB 200 million.

An **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) control domains—physical, network, data, governance—map to ISO 27001 Annex A and NIST CSF categories.** Organizations leverage existing ISMS Statements of Applicability for gap analysis, though MLPS adds prescriptive grading, PSB oversight, and data localization absent in voluntary frameworks.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step for implementing MLPS 2.0 (Multi-Level Protection Scheme) is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact to national security and public interests.** Inventory assets, evaluate harm severity per GB/T 22239-2019, document rationale, and prepare for Level 2+ expert review and PSB filing within 30 days.

ISO 37001 vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's regulation for graded cybersecurity protection of networks

Quick Verdict

ISO 37001 offers voluntary global anti-bribery certification for risk mitigation and trust, while MLPS 2.0 mandates China's graded cybersecurity for all networks, enforced by PSBs. Companies adopt ISO for ethics leadership; MLPS to avoid fines and operate legally.

Anti-Bribery/Compliance

ISO 37001

ISO 37001 Anti-Bribery Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based anti-bribery management system framework
Third-party due diligence and monitoring requirements
Leadership commitment with dedicated compliance function
PDCA cycle for continual improvement and audits
Financial and non-financial controls proportionality

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory PSB registration and audits for Level 2+
Technical controls for cloud, IoT, big data
Governance and personnel security requirements
Law enforcement oversight and periodic re-evaluations

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 37001 Details

What It Is

ISO 37001:2025 Anti-Bribery Management Systems is an international certifiable standard providing requirements for establishing, implementing, and improving an ABMS. It focuses on preventing, detecting, and responding to bribery risks across organizations, using a risk-based, proportionate approach aligned with the ISO Harmonized Structure and PDCA cycle.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement.
Core elements: anti-bribery policy, risk assessments, due diligence, financial/non-financial controls, training, reporting, audits.
Built on proportionality to bribery risks; optional third-party certification with surveillance audits.

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) via evidentiary due diligence.
Enhances reputation, stakeholder trust, ESG alignment; reduces compliance costs up to 15%.
Provides competitive edge in tenders, third-party management; drives cultural integrity.

Implementation Overview

Phased: gap analysis, risk assessment, control design, training rollout, audits.
Scalable for all sizes/sectors; 6-12 months typical; certification via accredited bodies.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme) is China's mandatory regulatory framework for graded cybersecurity of information systems, mandated by the 2016 Cybersecurity Law (Article 21). It classifies networks into five levels based on compromise impact to national security, social order, and public interests, applying impact-based risk assessment across technical, governance, and physical domains.

Key Components

Core pillars: physical security, network protection, data security, access control, monitoring, governance.
Standards like GB/T 22239-2019, GB/T 25070-2019 define controls; extended for cloud, IoT, big data.
Built on common baselines plus level-specific requirements; compliance via PSB filing, third-party audits (75/100 score minimum for Level 2+).

Why Organizations Use It

Legal obligation for China network operators; avoids fines, suspensions.
Enhances resilience, aligns with data laws; builds regulator trust.
Competitive edge in critical sectors like finance, energy.

Implementation Overview

Phased: classify, gap analysis, remediate, audit, ongoing re-evaluation.
Applies to all sizes in China; Level 2+ needs licensed audits, PSB approval. (178 words)

Key Differences

Aspect	ISO 37001	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Anti-bribery management systems only	All network cybersecurity graded protection
Industry	All sectors globally, any organization	All network operators in China specifically
Nature	Voluntary international certification standard	Mandatory national regulatory scheme enforced by PSBs
Testing	Third-party certification audits, PDCA cycle	Expert reviews, PSB approvals, periodic re-evaluations
Penalties	No legal penalties, loss of certification	Fines, operational suspensions, enforcement actions