ISO 37001

Anti-bribery management system

Your implementation guide
ISO 37001 helps create a culture of
integrity, transparency, openness and
compliance
Published in 2016 to response to the growing threat Suitable for businesses of all sizes, in all sectors
of bribery and corruption, ISO 37001 is the world’s including the private and public sector as well as not-
first international anti-bribery management system for-profit sectors, it’s designed to be really flexible so
standard. Not only can it help organizations comply you can make it relevant to the scale and complexity
with regulatory requirements it’s also an excellent of your organization and the bribery risks it faces.
framework to help put in place robust controls and At BSI we have the experience to help make sure that
processes to protect your organization from the you get the most from ISO 37001. In fact it was our
threat of bribery. It provides customers, shareholders experts who helped shape the standard BS 10500
and other stakeholders with the ability to better upon which it is based.
understand a company’s commitment to compliance,
and allows them to feel more secure about whether This guide shows you how to implement ISO 37001
the company is operating responsibly when it comes in your business and get the most out of it for the
to anti-bribery. long term. We also showcase our additional support
services which help you not only achieve certification
but can help you to continually improve and increase
resilience in your organization.

“…an effective anti-bribery policy and procedure is

simply good business practice.”
Yan Phoenix, Digital Advanced Control Ltd,
UK-based electronic component supplier

Contents (referring to BS 10500 certification)

• Benefits
• ISO 37001 clause by clause
• Top tips from our clients
• Your ISO 37001 journey
• BSI Training Academy
• BSI Entropy™ Software


2
How ISO 37001 works and what it
delivers for you and your company
ISO 37000 is an invaluable tool to help your organization demonstrate compliance and a commitment to
ethical behaviour. It also helps you to identify threats from bribery beyond your business. In a world where
supply chains are increasing in size and complexity bribery is a growing risk. ISO 37001 empowers an
organization to benchmark the anti-bribery programs of others in its value chain, in turn helping to improve
relationships, make them more transparent and establish a resilient supply chain.

To meet the standard you’ll need to have in place an anti-bribery policy, commit to continually improving
it and keep it up-to-date. This should be a component of your overall compliance policy. It is important
however to note that even when this standard is in place, it cannot provide complete control over human
activity as it does not guarantee that people in your organization will not:
• Be offered bribes by organizations and/or other people
• Accept and/or offer bribes
• Be subject to legal charges and prosecution based on their actions and local laws

Benefits of ISO 37001

20-50% 77% 40%
the estimated amount stock saw organizational believe that the top
values are enhanced by culture as one of risks to their anti-
establishing a reputation as the most effective bribery and corruption
an ethical organization.1 tools for preventing programs will come
domestic corruption3 from third party
violations.5
77%
are supportive of new
10%
initiatives to hold individual The increase in the
executives to account for cost of doing business
misconduct.2 due to corruption.4

Source: “Trust and Integrity: The Value of a Company’s Reputation”, Michael Volkov, May 2016. 2 Source: EY - Europe, Middle East, India and Africa fraud
1

survey, 2017. 3 Source: Deloitte AU/NZ Bribery and corruption survey 2017. 4 Source: The World Economic Forum 2014. 5 Source: Kroll Anti-bribery and
corruption benchmarking poll 2017.
3
How ISO 37001 works
ISO 37001 was published in 2016 in response to the growing risks from corruption and bribery. It is the first
international management system standard on anti-bribery and is based on the British Standard BS 10500.
It’s based on the high level structure (Annex
Organization and bery Management
i-bri
SL) which is a common framework for all its context (4) Ant (4)

ISO management systems. This helps keep Support

& Operation
consistency, align different management (7, 8)
system standards, offer matching sub-clauses Plan Do
against the top level structure and apply
common language across all standards. Planning Leadership Performance Intended
(6) (5) evaluation Outcomes
It makes it easier for organizations to (9)
incorporate their Anti-bribery Management
System (ABMS), into core business processes, Act Check
make efficiencies, and get increased
involvement form senior management. Improvement
Needs and (10)
Plan-Do-Check-Act (PDCA) is the operating expectations of relevant
interested parties (4)
principle of ISO 37001. It’s applied to all
processes and the QMS as a whole. This diagram shows how clauses 4 to 10 of ISO 37001
can be grouped in relation to PDCA

Some of the core concepts of ISO 37001 are:

Concept Comment

Context of the Consider the combination of internal and external factors and conditions that are relevant
organization to the objectives of the organization’s ABMS.
Bribery Offering, promising, giving, accepting or soliciting of an undue advantage of any value, in
violation of applicable law, as an inducement or reward for a person acting or refraining
from acting in relation to the performance of that person’s duties.
Interested parties A person or organization that can affect, be affected by, or perceive themselves to be
affected by a decision or activity. Examples include suppliers, customers or competitors.
You may refer to them as stakeholders.
Top management A person or group of people who directs and controls an organization at the highest level.

Governing body The group or body that has ultimate responsibility and authority for an organizations
activities, governance and policies and to which top management reports and by which
top management is held accountable. (Where this is the case it could be, for example, a
board of directors, trustees, etc.)
Business associate An external party with whom the organization has, or plans to establish some form of
business relationship..
Public official Not all examples will exist in all jurisdictions, but could include public office holders at
national, state/provincial or municipal level, including members of legislative bodies,
executive holders and the judiciary
Documented Information that must be controlled and maintained by an organization and the medium
information on which it is contained. It can be in any format.
Nonconformity and Non-fulfilment of a requirement, and the action to eliminate the cause of a non-
corrective action conformity.

4
Key requirements
of ISO 37001

Clause 1: Scope By using the process approach you’ll need to show how
you establish, implement, maintain, and continually
This clause details the scope of the standard. (Note – improve the QMS in relation to the standard. Finally
it is only applicable to bribery and does not address a regular bribery risk-assessment must also be
subjects such as fraud, cartels or money-laundering completed, documented and reviewed on a regular
for example). basis to assess the nature and level of risks.

Clause 2: Normative references Clause 5: Leadership

There are no normative references in this document.. This clause is all about the role of “top management”
which is the group of people who direct and control
Clause 3: Terms and definitions your organization at the highest level.
This clause references the terms and definitions that They need to ensure that the ABMS and its
need to be understood in relation to this standard. requirements are integrated into the organization’s
processes and the policy and objectives are aligned
Clause 4: Context of the organization with the strategic direction of the organization. They
This is a new clause that establishes the context also need to make sure that the anti-bribery policy
of the ABMS and how the business strategy is made available, communicated, maintained and
supports this. “Context of the organization’ is the understood by all parties.
clause that underpins the rest of the standard. It There’s also a focus on promoting an anti-bribery
gives an organization the opportunity to identify culture within the organization and that any reports
and understand the factors and parties in their of a violation that are made in good faith are without
environment that support the ABMS. retaliation, discrimination or disciplinary action. The top
The starting point is to identify all external and management needs to assign the implementation and
internal issues relevant to the ABMS. Then you need organization of the ABMS to an anti-bribery compliance
to establish all “interested parties”, their needs and function which must be adequately resourced. This
expectations and how they are relevant to your ABMS. function needs to have access to the governing body
You might refer to these as stakeholders. You will also of the organization (if one exists) should an issue or
need to decide on the scope of your QMS, particularly concern regarding the ABMS arise. If required some or
in relation to the relevant issues already considered in all of this function can be assigned to persons external
this clause. to the organization.

5
Clause 6: Planning Clause 7: Support
This clause focuses on how an organization plans This section of ISO 37001 is all about getting the right
actions to address both risks and opportunities. resources, the right people, and the right infrastructure
in place to maintain and improve the ABMS. This
Consideration of risks needs to be proportionate to
includes identifying the necessary competencies of the
the potential impact they may have and organizations
people delivering work that affect the organizations anti-
may decide to categorize risks into different levels
bribery performance. Documented information needs to
from low to high. If an activity is determined to be
be kept to provide evidence of this.
high risk and that the organization cannot manage it,
then it should not be undertaken. The next part of this clause covers the requirement
for due diligence on all personnel in positions which
Actions to address bribery risks and opportunities
are identified as having more than a low anti-bribery
must be monitored, managed and communicated
risk. This includes performing pre-employment checks
across the organization. Another key area of this
on people before they join the organization or before
clause is, if practicable, to establish measureable
they are transferred or promoted. It also requires
objectives for the AMBS. Finally there is a requirement
organizations to review performance bonuses and other
to keep documented information on the objectives of
incentives to prevent them from encouraging bribery.
the ABMS.
Organizations need to ensure that adequate anti-
bribery awareness and training is provided. As well as
employees of the business anti-bribery procedures must
also address anti-bribery training for business associates
who act on the organizations behalf.
This must all be contained in documented information
which must be kept up-to-date, made available when
required and, recognizing the need to information
security best-practice, adequately protected.

6
Clause 8: Operation Clause 9: Performance evaluation
This clause is all about the planning and control of ISO This is all about measuring and evaluating your ABMS
37001 and covers due diligence, financial controls and to ensure that it is effective and it helps you to maintain
non-financial controls. a robust ABMS. You will need to consider what should
be measured, the methods employed, and when data
Where there is more than a low bribery risk,
should be analysed and reported on.
organizations need to carry out checks in relation to
specific transactions, projects activities or business Internal audits will need to be carried out. These will
associates and decide whether to continue those need to be reasonable, proportionate and risk-based.
relationships.
Finally, top management reviews will need to be carried
Acknowledging the risks that supply chains can pose, out and “documented information” must be kept as
organizations also need to put in place anti-bribery evidence of these. If an organization has a governing
procedures for all organizations over which is has body, they will also need to undertake periodic reviews
control. This could include suppliers and may include of the ABMS as will those who perform the anti-bribery
controls over gifts and hospitality. These anti-bribery compliance function in the organization.
controls may be implemented as part of a contract
and considered part of the due diligence process when Clause 10: Improvement
working with third parties or business associates.
This clause requires organizations to determine and
The final element in this clause requires organizations identify opportunities for continual improvement of
to have in place procedures with allow persons to the ABMS.
raise concerns in relation to anti-bribery, including
anonymous reporting. The standard details actions that are required
that cover handing of nonconformities. Should a
nonconformity be identified, organizations need
to react promptly and take action. They need to
identify whether similar nonconformities exist or
could potentially occur and implement appropriate
corrective action. Documented information must be
kept so as to provide evidence of the nature of any
nonconformities, what actions were taken, and the
results of any corrective actions.
7
Top tips on making ISO 37001
effective for you

 Top management commitment

commitment is key to making
this a success.
Keep staff informed of what’s
going on, create a team or assign
a champion, as this will increase
motivation. This could include
a well communicated plan of
activities and timescales.
Think about how different
departments work together
to avoid silos. Make sure the
organization works as a team for
the benefit of customers and the
organization.
Review systems, policies,
procedures and processes
you have in place – you may
already do much of what’s in the
standard and make it work for
your business.
Speak to your customers and
suppliers. They may be able to
suggest improvements and give
feedback on your service.

Train your staff to carry out

internal audits. This can help with
their understanding, but it could
also provide valuable feedback
on potential problems or
opportunities for improvement.

And finally, when you gain

certification celebrate your ISO
achievement and use the BSI 37001
Anti-Bribery
Assurance Mark on your literature, Management
website and promotional material.

8
 Your ISO 37001 Journey
If you want to use and adopt ISO 37001 to protect and preserve the integrity of your organization, we
have the right resources and training courses to help you understand and implement the standard. But
our support doesn’t stop there. We can help make sure your system keeps on delivering for best for your
business.

You We
need to: help you:
• Buy the standard and read it; understand the • Buy the standard
and prepare
Understand

content, your requirements and how it will • Discover information on our website, including
improve your business case studies, whitepapers and webinars
• Contact us. We can propose a solution tailored to visit bsigroup.com
your organization’s needs. • Attend a BSI ISO 37001 Requirements training
course

• Ensure your organization understands the • Download the self-assessment checklist

ready you are

principles of ISO 37001 and the roles individuals • Attend a BSI Implementing ISO 37001 training
See how

will need to play, and review your activities and course

processes against the standard • Book a BSI gap assessment to see where you are
• BSI Entropy Software could help ISO 37001
implementation
Review and get

• Contact us to book your certification assessment • Attend a BSI ISO 37001 Internal or Lead Auditor
certified

• Ensure the right people are available for your training course
audit visit(s). This is a two-stage process. The • BSI Entropy Software could help your ISO 37001
length varies depending on the size of your implementation
organization
• Your BSI certification assessment

Continually improve and make excellence a habit

Your journey doesn’t stop with certification. We can help you to fine-tune your organization so it performs at its best.
• C
 elebrate and promote your success – download • Y our BSI Client Manager will visit you regularly
and use the BSI Assurance Mark to show you are to make sure you remain compliant and
certified. support your continual improvement.
• U
 se BSI Entropy Software to help you to manage • Consider integrating other management system
systems and drive performance standards to maximize business benefits.

9
BSI Training Academy
The BSI Training Academy is a world leader in helping clients develop the knowledge and skills they
need to embed excellence in their organizations. We offer a range of ISO 37001 training solutions that
can be tailored to your needs. Our training courses are developed by experts in their fields who have
been directly involved in the development of ISO 37001 so when you train with us you’ll benefit from
their expertise.
Using the latest research, our accelerated learning approach is proven to fast-track learning and im-
prove knowledge retention. Our experienced tutors can help you get to grips with the matters that con-
cern you and your organization directly, whether delivered in-house or as part of an open course where
other delegates can share their experience.

Courses that help you understand ISO 37001 include:

ISO 37001 Requirements ISO 37001 Internal Auditor
• One-day classroom-based training course • Two-day classroom-based training course
• L earn about the structure and key requirements • Learn how to initiate an audit, prepare and
of ISO 37001 conduct audit activities, compile and distribute
• E ssential for anyone involved in the planning, audit reports and complete follow-up activities
implementing, maintaining, supervising or auditing • Ideal for anyone involved in auditing, maintaining
of an ISO 37001 Anti-bribery Management System or supervising an ISO 37001 ABMS
(ABMS)

Understanding bribery and effective due

ISO 37001 Implementation diligence
• Two-day classroom based training course
• Two-day classroom based training course
• R
 ecognize the threat of bribery within the context
• D
 iscover the operational and technical challenges
of your organisation
faced in understanding bribery and effective due
• D
 iscover how to implement your ABMS using the diligence
aides included in the take-home reference toolkit
• Recommended for anyone involved working in
• R
 ecommended for anyone involved in the the public, private and voluntary sectors who
planning, implementing, maintaining, supervising wishes to learn more about risk assessment
or auditing of an ISO 37001 ABMS methodologies for bribery.

10
BSI Entropy™ Software
Accelerate implementation time and It can help you to:
deliver continual improvements • Accelerate implementation time by up to 50%
The decision to implement a new management • Manage your document control effectively
system standard is a huge opportunity to drive • P
 rovide company-wide visibility on
business improvement, but initiating, implementing implementation of the standard so you know
and maintaining this can also be a challenge. Ensuring exactly where you are at any one time
you get the most from your investment is a key driver
to your future success. • Y
 ou can easily and accurately input actions related
to audits, incidents/events, risk and performance
BSI Entropy™ Software provides a powerful solution • T hrough its customizable dashboards and
that can significantly reduce the cost and effort to reporting tools it gives you early insight into
implement an effective management system such as trends that help you make business decisions
ISO 37001. It can be configured to the requirements early on and drive improvement
of ISO 37001 and provide your organization with the
tools necessary to manage essential elements of ISO The savings are the costs you
37001 across your organization.
avoid because you could not see
The start of your ISO 37001 journey is an ideal time
to implement BSI Entropy Software and sustain the what was happening at
standard successfully. the facility level.

11
Why BSI?
ISO
37001
Anti-Bribery
Management

BSI has been at the forefront of ISO 37001 since the start. It’s based on BS 10500 which was
developed by BSI to help organizations implement robust anti-bribery practices. We continue to
lead the way as we currently hold the secretariat of the International Committee responsible for
the development of ISO 37001. That’s why we’re best placed to help you understand, implement and
benefit from the standard.
At BSI we create excellence by driving the success of our clients through standards. We help
organizations embed resilience, helping them to grow sustainably, adapt to change, and prosper for
the long term. We make excellence a habit.
For over a century our experts have been challenging mediocrity and complacency to help embed
excellence into the way people and products work. With 81,000 clients in 181 countries, BSI is an
organization whose standards inspire excellence across the globe.

Our products and services

We provide a unique combination of complementary products and services, managed through our three
business streams; Knowledge, Assurance and Compliance.

Knowledge Assurance Compliance

The core of our business centres Independent assessment of To experience real, long-term
on the knowledge that we the conformity of a process benefits, our clients need to

Copyright ©2017 The British Standards Institution. All rights reserved. BSI/UK/xxxx/SC/0516/EN/BLD
create and impart to our clients. or product to a particular ensure ongoing compliance to
In the standards arena we standard ensures that our clients a regulation, market need or
continue to build our reputation perform to a high level of standard so that it becomes an
as an expert body, bringing excellence. We train our clients embedded habit. We provide a
together experts from industry in world-class implementation range of services and
to shape standards at local, and auditing techniques to differentiated management
regional and international levels. ensure they maximize the tools to facilitate this process.
In fact, BSI originally created benefits of standards.
eight of the world’s top 10
management system standards.

Find out more

Visit: bsigroup.com/en-my