Status: Active | International Standard | Last Updated: Oct 2016

ISO 37001:2016

Anti-bribery management systems — Requirements with guidance for use

Publishing Organization: International Organization for Standardization (ISO)

Standard Introduction

ISO 37001:2016 is the international standard for anti-bribery management systems (ABMS). Published in October 2016, it specifies requirements for establishing, implementing, maintaining, and continually improving measures to prevent, detect, and respond to bribery. The standard applies to any organization regardless of size, sector, or location — including public, private, and not-for-profit entities.

The standard requires organizations to conduct bribery risk assessments, implement proportionate anti-bribery policies and controls, establish due diligence procedures for business associates and transactions, and create independent compliance oversight with reporting and whistleblowing mechanisms. ISO 37001 certification demonstrates reasonable anti-bribery procedures and may support defense under laws such as the US FCPA and UK Bribery Act. A revised edition (ISO 37001:2025) was published in February 2025 with a transition deadline of February 2027.

Anti-Bribery Controls

Provides a framework for implementing policies, procedures, and controls to prevent, detect, and respond to bribery within an organization and its business associates.

Bribery Risk Assessment

Requires systematic identification and assessment of bribery risks based on factors including country, sector, transaction type, and business associate relationships.

Regulatory Alignment

Supports compliance with anti-bribery laws such as the US FCPA, UK Bribery Act, and similar legislation worldwide. Certification may serve as evidence of reasonable procedures.

ABMS Core Elements

  • Anti-bribery policy and objectives
  • Bribery risk assessment methodology
  • Due diligence on business associates and transactions
  • Financial and non-financial controls
  • Anti-bribery compliance function independence
  • Reporting and whistleblowing mechanisms
  • Investigation and remediation procedures
  • Training, awareness, and communication

Who Needs to Comply?

Any organization — public, private, or not-for-profit — seeking to establish or strengthen anti-bribery controls. Particularly valuable for organizations operating in high-risk sectors or countries, government contractors, and entities subject to the FCPA, UK Bribery Act, or similar laws.

Key Requirements

1. Anti-Bribery Policy

Top management must establish an anti-bribery policy that prohibits bribery, requires compliance with applicable laws, and is communicated to all personnel and business associates.

2. Bribery Risk Assessment

Conduct regular assessments to identify, analyze, and evaluate bribery risks. Consider country, sector, transaction, and business relationship risk factors. Prioritize and treat identified risks.

3. Due Diligence

Apply risk-based due diligence to business associates, personnel, and specific transactions. The extent of due diligence should be proportionate to the assessed bribery risk.

4. Financial & Non-Financial Controls

Implement controls to manage bribery risk including approval authorities, segregation of duties, gift and hospitality policies, and adequate record-keeping of all transactions.

5. Anti-Bribery Compliance Function

Appoint an independent anti-bribery function with authority, resources, and direct access to the governing body. This function is responsible for overseeing the ABMS design, implementation, and effectiveness.

Penalties & Enforcement

ISO 37001 is voluntary with no direct penalties for non-certification. However, underlying anti-bribery laws carry severe penalties: FCPA fines up to $2 million per violation for entities and 5 years imprisonment for individuals; UK Bribery Act penalties include unlimited fines and up to 10 years imprisonment.

Implementation Timeline

  • 2013: ISO/PC 278 project committee established to develop anti-bribery standard
  • Oct 2016: ISO 37001:2016 first edition published
  • 2017-2019: Rapid global adoption — certifications issued in 40+ countries
  • Feb 2025: ISO 37001:2025 second edition published with enhanced culture and conflict-of-interest requirements
  • Feb 2027: Deadline for transition from 2016 to 2025 edition