ISO 37001:2025
Anti-bribery management systems — Requirements with guidance for use
Standard Introduction
ISO 37001:2025 is the current international standard for anti-bribery management systems (ABMS). The 2025 edition replaces ISO 37001:2016 and specifies requirements for establishing, implementing, maintaining, and continually improving measures to prevent, detect, and respond to bribery. The standard applies to any organization regardless of size, sector, or location — including public, private, and not-for-profit entities.
The standard requires organizations to conduct bribery risk assessments, implement proportionate anti-bribery policies and controls, establish due diligence procedures for business associates and transactions, and create independent compliance oversight with reporting and whistleblowing mechanisms. ISO 37001 certification demonstrates reasonable anti-bribery procedures and may support defense under laws such as the US FCPA and UK Bribery Act. A revised edition (ISO 37001:2025) was published in February 2025 with a transition deadline of February 2027.
Anti-Bribery Controls
Provides a framework for implementing policies, procedures, and controls to prevent, detect, and respond to bribery within an organization and its business associates.
Bribery Risk Assessment
Requires systematic identification and assessment of bribery risks based on factors including country, sector, transaction type, and business associate relationships.
Regulatory Alignment
Supports compliance with anti-bribery laws such as the US FCPA, UK Bribery Act, and similar legislation worldwide. Certification may serve as evidence of reasonable procedures.
list_alt ABMS Core Elements
- Anti-bribery policy and objectives
- Bribery risk assessment methodology
- Due diligence on business associates and transactions
- Financial and non-financial controls
- Anti-bribery compliance function independence
- Reporting and whistleblowing mechanisms
- Investigation and remediation procedures
- Training, awareness, and communication
Who Needs to Comply?
Any organization — public, private, or not-for-profit — seeking to establish or strengthen anti-bribery controls. Particularly valuable for organizations operating in high-risk sectors or countries, government contractors, and entities subject to the FCPA, UK Bribery Act, or similar laws.
Key Requirements
Anti-Bribery Policy
Top management must establish an anti-bribery policy that prohibits bribery, requires compliance with applicable laws, and is communicated to all personnel and business associates.
Bribery Risk Assessment
Conduct regular assessments to identify, analyze, and evaluate bribery risks. Consider country, sector, transaction, and business relationship risk factors. Prioritize and treat identified risks.
Due Diligence
Apply risk-based due diligence to business associates, personnel, and specific transactions. The extent of due diligence should be proportionate to the assessed bribery risk.
Financial & Non-Financial Controls
Implement controls to manage bribery risk including approval authorities, segregation of duties, gift and hospitality policies, and adequate record-keeping of all transactions.
Anti-Bribery Compliance Function
Appoint an independent anti-bribery function with authority, resources, and direct access to governing body. Responsible for overseeing the ABMS design, implementation, and effectiveness.
Implementation Roadmap
Prepare scope, ownership and regulatory context
Define the anti-bribery management system scope across business units, controlled entities, joint ventures, agents, suppliers, and high-risk transactions. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.
Gap analysis and risk-based planning
Assess current practices against ISO 37001 expectations and risk context. Review anti-bribery policy, leadership commitment, compliance function independence, bribery risk assessment, due diligence, financial and non-financial controls, gifts and hospitality, reporting, investigations, and corrective action, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.
Implement controls, documentation and evidence
Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around bribery risk assessments, due-diligence files, training records, approval logs, gifts and hospitality registers, investigation records, corrective actions, and management reviews.
Review, audit and maintain compliance
Complete internal reviews, readiness checks, and corrective actions before the certification audit. Keep the program current after product, supplier, legal, customer, incident, or operational changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and records
checklist Monitoring and improvement
Penalties & Enforcement
ISO 37001 is voluntary with no direct penalties for non-certification. However, underlying anti-bribery laws carry severe penalties: FCPA fines up to $2 million per violation for entities and 5 years imprisonment for individuals; UK Bribery Act penalties include unlimited fines and up to 10 years imprisonment.
Frequently Asked Questions
Who needs ISO 37001?
expand_more
ISO 37001 is relevant for organizations whose activities fall within business units, controlled entities, joint ventures, agents, suppliers, and high-risk transactions. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.
What is the core purpose of ISO 37001?
expand_more
The core purpose is to create a repeatable program for anti-bribery policy, leadership commitment, compliance function independence, bribery risk assessment, due diligence, financial and non-financial controls, gifts and hospitality, reporting, investigations, and corrective action. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.
How long does implementation take?
expand_more
A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.
What evidence is most useful?
expand_more
Useful evidence includes bribery risk assessments, due-diligence files, training records, approval logs, gifts and hospitality registers, investigation records, corrective actions, and management reviews. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.
How should suppliers be handled?
expand_more
Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.
How often should the program be reviewed?
expand_more
Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.
Can this be integrated with other compliance programs?
expand_more
Yes. ISO 37001 can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.
Official Documentation
ISO 37001:2025
External Link • iso.org • Standard Purchase Page
Online Browsing Platform
External Link • iso.org • Official Preview
ISO TC 309 Anti-Bribery Resources
External Link • committee.iso.org • Committee Resources