verified_user
Standardful
Governance & Risk

ISO 37001 Explained: Building an Anti-Bribery Management System in 2026

ISO 37001 is the international standard for an anti-bribery management system (ABMS). Here's what the 2016 standard requires and how to actually get certified.

calendar_today Juneschedule 12 min readperson Standardful Team
ISO 37001 Explained: Building an Anti-Bribery Management System in 2026

Bribery is one of those risks that almost every company insists it doesn't have — right up until a sales agent in a foreign market does something nobody approved, and a regulator asks what your "adequate procedures" actually were. The hard part isn't agreeing that bribery is bad. It's proving, in advance and on paper, that you built a real system to stop it.

That's what ISO 37001 is for. It's the international standard for an anti-bribery management system — an ABMS — and it has become the reference point compliance officers reach for when they need a structured, auditable program rather than a one-page policy that lives in a forgotten folder.

I've watched a lot of teams treat anti-bribery as a checkbox. ISO 37001 is what happens when you treat it as a system instead. Here's what the standard requires, how it lines up with enforcement laws like the FCPA and the UK Bribery Act, and what it takes to get certified.

What ISO 37001:2025 Actually Is

ISO 37001 was published in October 2016 under the full title "Anti-bribery management systems — Requirements with guidance for use." It's a single standard that lays out the requirements for setting up, running, maintaining, and improving a program designed to prevent, detect, and respond to bribery.

A few things to be clear about up front. ISO 37001 addresses bribery — offering, promising, giving, accepting, or soliciting an undue advantage. It covers bribery by the organization, by its staff, and by its business associates acting on its behalf. It covers bribery in the public and private sectors, both direct and indirect. What it does not try to do is tackle fraud, antitrust, money laundering, or other financial crimes. It's deliberately narrow. The trade-off for that narrowness is depth: it goes deep on the one risk it covers.

It's also a certifiable standard. An accredited body can audit your ABMS and issue a certificate, the same way they would for an ISO 31000 risk management program or a quality management system. You can find the full standard reference and scope details on our ISO 37001:2025 standard page.

The Annex SL structure

If you've worked with any modern ISO management system standard, ISO 37001 will feel familiar — and that's by design. It follows Annex SL, the common high-level structure ISO uses across its management system standards. That means the same ten-clause skeleton you'd see in ISO 27001 or ISO 9001:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The practical payoff of Annex SL is integration. Because ISO 37001 shares this structure with the broader ISO 37301 compliance management system, you can bolt an ABMS onto an existing compliance program without reinventing your documentation, your audit cycle, or your management review process. If you already run a Plan-Do-Check-Act loop somewhere, ISO 37001 slots into it.

The Core Requirements

This is the part teams underestimate. A real ABMS is more than a policy PDF. Here's what ISO 37001 expects you to actually have in place.

Leadership and the anti-bribery policy

The standard puts leadership front and center. Top management has to demonstrate commitment — not in a vague "tone from the top" sense, but with documented responsibilities. You need a published anti-bribery policy that prohibits bribery, requires compliance with applicable anti-bribery laws, encourages people to raise concerns in good faith, and makes clear there will be no retaliation for doing so. The policy has to be communicated internally and, where appropriate, to business associates.

ISO 37001 also introduces the concept of the "governing body" — the board or equivalent — as distinct from top management. The governing body is expected to exercise oversight of the ABMS without being involved in the day-to-day. That separation matters, because it mirrors how real accountability is supposed to flow in a well-governed organization.

The anti-bribery compliance function

Someone has to own this. The standard requires an anti-bribery compliance function — a person or team with the responsibility and authority to oversee the design and implementation of the ABMS, provide advice and guidance, and report on performance. Critically, this function must have direct access to the governing body. If your compliance officer can't get a meeting with the board, the standard considers that a structural weakness.

Bribery risk assessment and due diligence

You can't manage a risk you haven't measured. ISO 37001 requires a bribery risk assessment that looks at your sectors, geographies, transactions, and relationships, then rates them. From there, you apply proportionate due diligence on specific transactions, projects, business associates, and personnel where the assessed risk is more than low.

Due diligence is where anti-bribery programs live or die, because most enforcement actions involve a third party — an agent, distributor, consultant, or joint-venture partner. The standard expects you to vet these business associates before you onboard them and to monitor them after.

Financial and non-financial controls

ISO 37001 distinguishes between two kinds of controls. Financial controls address how money moves — approvals, segregation of duties, payment verification, and oversight of accounts payable. Non-financial controls cover everything else procurement, operations, legal, and commercial — like requiring competitive tenders, verifying that goods and services were actually delivered, and approval steps for contracts. Both are required, because bribery rarely shows up only in the ledger.

Gifts, hospitality, donations, and similar benefits

Gifts and hospitality are the classic gray zone, so the standard calls them out specifically. You're expected to have controls that prevent gifts, hospitality, donations, and similar benefits from being used as a vehicle for bribery — thresholds, registers, approval workflows, the works. The point isn't to ban a customer lunch; it's to make sure a "lunch" isn't really a payoff.

Raising concerns, investigation, and response

Two more pillars round it out. First, the standard requires a mechanism for raising concerns — whistleblowing — that allows people to report suspected or actual bribery confidentially and without fear of reprisal. Second, you need defined procedures to investigate and respond to bribery that's reported or detected, including what happens to the people and relationships involved when something is substantiated.

How ISO 37001 Maps to Enforcement Laws

Here's where I have to be precise, because this is the question that gets oversold by certification consultants.

ISO 37001 is a management system standard. It is not a law, and certification is not a legal safe harbor. Getting certified does not grant immunity from prosecution under the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act 2010, or any other regime. If bribery happens, you can still be charged.

What certification can do is serve as evidence. Both major enforcement frameworks reward companies that maintain genuine compliance programs:

  • The UK Bribery Act includes a corporate offense of "failure to prevent bribery," but provides a defense if the organization had "adequate procedures" in place. ISO 37001 was explicitly designed with this kind of expectation in mind, and a certified ABMS is reasonable evidence that you took the obligation seriously.
  • The US FCPA doesn't have a formal "adequate procedures" defense, but the US Department of Justice and SEC weigh the existence and effectiveness of a compliance program when deciding whether to charge, and how heavily to penalize. DOJ's own guidance on evaluating corporate compliance programs asks the same questions ISO 37001 forces you to answer.

The honest framing: a certificate on the wall is a strong signal and useful evidence, but a regulator will look past the certificate to whether the program actually worked in practice. A paper ABMS that nobody followed won't save you. A living one might significantly reduce your exposure.

This is also where anti-bribery overlaps with adjacent obligations like sanctions and financial crime. If you operate internationally, your ABMS needs to coexist with US OFAC sanctions screening and your US Bank Secrecy Act / AML controls — different regimes, overlapping data, and the same underlying need to know who you're really doing business with.

DimensionISO 37001:2025ISO 37301:2021FCPA / UK Bribery Act
TypeCertifiable ABMS standardCertifiable compliance MS standardLaws / enforcement regimes
ScopeBribery onlyAll compliance obligationsBribery & corruption (FCPA also books-and-records)
CertificationYes, by accredited bodyYes, by accredited bodyNo certification — legal duty
Legal effectVoluntary; evidence of diligenceVoluntary; evidence of diligenceBinding; penalties for violations
StructureAnnex SL (10 clauses)Annex SL (10 clauses)Statute plus regulator guidance
Best used forDemonstrating "adequate procedures"Governing many obligations at onceDefining what you must comply with

The clean way to think about it: the laws tell you what you must achieve, ISO 37001 gives you a system to achieve it for bribery specifically, and ISO 37301 gives you the umbrella to run that system alongside every other compliance obligation.

An ISO 37001 Implementation Checklist

If you're starting from scratch, this is roughly the order that works. None of it is glamorous, but each step is something an auditor will eventually ask to see.

  • Secure top management and governing body sponsorship. Without documented commitment from the top, nothing downstream holds up.
  • Define the scope of your ABMS. Which entities, sites, and activities are covered. Be honest — gaps you exclude can come back to bite you.
  • Run a bribery risk assessment. Map sectors, geographies, transactions, and relationships. Rate them. Document the methodology.
  • Appoint an anti-bribery compliance function with authority, resources, and direct access to the governing body.
  • Write and publish the anti-bribery policy, then communicate it internally and to relevant business associates.
  • Build financial and non-financial controls proportionate to the assessed risks.
  • Establish due diligence procedures for business associates, transactions, projects, and personnel above low risk.
  • Set up gifts, hospitality, and donations controls — thresholds, registers, approvals.
  • Stand up a confidential raise-a-concern channel with anti-retaliation protection.
  • Define investigation and response procedures for suspected bribery.
  • Deliver training and awareness tailored to roles and risk exposure.
  • Run an internal audit of the ABMS and conduct a management review.
  • Engage an accredited certification body for the Stage 1 and Stage 2 audit.

Treat the bottom of that list as a milestone, not the finish line. Certification is the start of a continuous improvement cycle, not the end of the project.

The Certification Process and Who Needs It

The certification path mirrors other ISO management system standards. After you've built and run the ABMS for long enough to generate evidence — usually a few months of records, internal audit results, and at least one management review — you bring in an accredited certification body.

That body conducts a two-stage audit. Stage 1 is a documentation and readiness review: do you have the policies, the risk assessment, the procedures, the structure. Stage 2 is the deeper, on-site (or remote) audit that tests whether the system actually operates as documented. Pass both, and you receive a certificate, typically valid for three years with annual surveillance audits in between and a full recertification at the end of the cycle.

One useful note: ISO publishes 37001, but ISO itself does not certify anyone. Certification comes from independent bodies, ideally ones accredited by a recognized national accreditation authority. "Accredited" is doing real work in that sentence — an unaccredited certificate carries far less weight with regulators and buyers.

So who actually needs this? In my experience, the strongest cases are:

  • Companies in high-corruption-risk sectors — construction, extractives, defense, infrastructure, pharmaceuticals, and anywhere large public contracts are common.
  • Organizations operating in high-risk markets where facilitation payments and intermediaries are part of the landscape.
  • Government and state-owned-enterprise suppliers, since procurement rules in many jurisdictions now favor or require certified anti-bribery programs.
  • Multinationals with sprawling third-party networks — agents, distributors, resellers — where most bribery risk hides.
  • Businesses already exposed to the FCPA or UK Bribery Act that want defensible evidence of adequate procedures.

If you're a small, domestic, low-risk business, full certification may be more than you need — though the structure of the standard is still a useful template for a proportionate program.

The Bottom Line

ISO 37001 won't make bribery impossible, and it won't put a force field around your company in court. Anyone who tells you a certificate equals immunity is selling something. What it does give you is a disciplined, auditable, internationally recognized way to build the kind of program that prevents most problems and demonstrates good faith when problems happen anyway.

For a compliance officer, that's the real value. When the regulator or the major customer asks "show me your anti-bribery procedures," there's a meaningful difference between handing over a policy document and handing over a certified management system with risk assessments, due diligence records, controls, training logs, and an audit trail behind it. ISO 37001 is how you make sure you're holding the second one.

FAQ

What is ISO 37001? ISO 37001 is the international standard for an anti-bribery management system (ABMS), published in October 2016. It specifies requirements and guidance for establishing, implementing, maintaining, and improving a program designed to prevent, detect, and respond to bribery.

Is ISO 37001 certification mandatory? No. ISO 37001 certification is voluntary. However, some governments, state-owned enterprises, and large buyers require or strongly favor certified suppliers, and certification is increasingly used to demonstrate due diligence in high-corruption-risk markets.

Does ISO 37001 certification protect a company from FCPA or UK Bribery Act prosecution? No. Certification is not a legal safe harbor and does not grant immunity. It can serve as evidence that a company maintained an adequate compliance program, which prosecutors and regulators may weigh, but it does not prevent enforcement if bribery occurs.

What is the difference between ISO 37001 and ISO 37301? ISO 37001 is a focused anti-bribery management system addressing one specific risk. ISO 37301 is a broader compliance management system covering all of an organization's compliance obligations. They share the same Annex SL structure and are designed to work together.

How long does it take to get ISO 37001 certified? For most mid-sized organizations, implementation and certification take roughly six to eighteen months depending on existing controls, scope, and complexity. The timeline includes a gap assessment, building the management system, an internal audit, and a two-stage external certification audit.

Who needs ISO 37001? Organizations operating in high-corruption-risk sectors or markets, companies that bid for government contracts, multinationals with extensive third-party networks, and businesses subject to laws like the FCPA or UK Bribery Act benefit most from an ISO 37001 ABMS.

References

  1. ISO 37001 — Anti-bribery management systems — International Organization for Standardization
  2. ISO 37001 standard family page — International Organization for Standardization
  3. Bribery Act 2010 — Guidance ("adequate procedures") — UK Ministry of Justice
  4. A Resource Guide to the U.S. Foreign Corrupt Practices Act — U.S. Department of Justice & SEC
  5. Evaluation of Corporate Compliance Programs — U.S. Department of Justice

Related Topics

ISO 37001Anti-BriberyAnti-Bribery Management SystemComplianceCorporate GovernanceABMSFCPAUK Bribery Act