verified_user
Standardful
Homechevron_rightStandardschevron_rightISO 37001:2025
ActiveInternational Standardupdate Standard Updated: February 2025fact_check Fact checked: Jun 28, 2026

ISO 37001:2025

Anti-bribery management systems — Requirements with guidance for use

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO 37001:2025 is the current international standard for anti-bribery management systems (ABMS). The 2025 edition replaces ISO 37001:2016 and specifies requirements for establishing, implementing, maintaining, and continually improving measures to prevent, detect, and respond to bribery. The standard applies to any organization regardless of size, sector, or location — including public, private, and not-for-profit entities.

The standard requires organizations to conduct bribery risk assessments, implement proportionate anti-bribery policies and controls, establish due diligence procedures for business associates and transactions, and create independent compliance oversight with reporting and whistleblowing mechanisms. ISO 37001 certification demonstrates reasonable anti-bribery procedures and may support defense under laws such as the US FCPA and UK Bribery Act. A revised edition (ISO 37001:2025) was published in February 2025 with a transition deadline of February 2027.

shield

Anti-Bribery Controls

Provides a framework for implementing policies, procedures, and controls to prevent, detect, and respond to bribery within an organization and its business associates.

assessment

Bribery Risk Assessment

Requires systematic identification and assessment of bribery risks based on factors including country, sector, transaction type, and business associate relationships.

account_balance

Regulatory Alignment

Supports compliance with anti-bribery laws such as the US FCPA, UK Bribery Act, and similar legislation worldwide. Certification may serve as evidence of reasonable procedures.

list_alt ABMS Core Elements

  • Anti-bribery policy and objectives
  • Bribery risk assessment methodology
  • Due diligence on business associates and transactions
  • Financial and non-financial controls
  • Anti-bribery compliance function independence
  • Reporting and whistleblowing mechanisms
  • Investigation and remediation procedures
  • Training, awareness, and communication

Who Needs to Comply?

groups

Any organization — public, private, or not-for-profit — seeking to establish or strengthen anti-bribery controls. Particularly valuable for organizations operating in high-risk sectors or countries, government contractors, and entities subject to the FCPA, UK Bribery Act, or similar laws.

Key Requirements

1

Anti-Bribery Policy

Top management must establish an anti-bribery policy that prohibits bribery, requires compliance with applicable laws, and is communicated to all personnel and business associates.

2

Bribery Risk Assessment

Conduct regular assessments to identify, analyze, and evaluate bribery risks. Consider country, sector, transaction, and business relationship risk factors. Prioritize and treat identified risks.

3

Due Diligence

Apply risk-based due diligence to business associates, personnel, and specific transactions. The extent of due diligence should be proportionate to the assessed bribery risk.

4

Financial & Non-Financial Controls

Implement controls to manage bribery risk including approval authorities, segregation of duties, gift and hospitality policies, and adequate record-keeping of all transactions.

5

Anti-Bribery Compliance Function

Appoint an independent anti-bribery function with authority, resources, and direct access to governing body. Responsible for overseeing the ABMS design, implementation, and effectiveness.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, ownership and regulatory context

Define the anti-bribery management system scope across business units, controlled entities, joint ventures, agents, suppliers, and high-risk transactions. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk-based planning

Assess current practices against ISO 37001 expectations and risk context. Review anti-bribery policy, leadership commitment, compliance function independence, bribery risk assessment, due diligence, financial and non-financial controls, gifts and hospitality, reporting, investigations, and corrective action, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.

3
Phase 3schedule Duration: 8-20 weeks

Implement controls, documentation and evidence

Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around bribery risk assessments, due-diligence files, training records, approval logs, gifts and hospitality registers, investigation records, corrective actions, and management reviews.

4
Phase 4schedule Duration: Ongoing

Review, audit and maintain compliance

Complete internal reviews, readiness checks, and corrective actions before the certification audit. Keep the program current after product, supplier, legal, customer, incident, or operational changes.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and improvement

Penalties & Enforcement

warning

ISO 37001 is voluntary with no direct penalties for non-certification. However, underlying anti-bribery laws carry severe penalties: FCPA fines up to $2 million per violation for entities and 5 years imprisonment for individuals; UK Bribery Act penalties include unlimited fines and up to 10 years imprisonment.

Frequently Asked Questions

Who needs ISO 37001?

expand_more

ISO 37001 is relevant for organizations whose activities fall within business units, controlled entities, joint ventures, agents, suppliers, and high-risk transactions. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.

What is the core purpose of ISO 37001?

expand_more

The core purpose is to create a repeatable program for anti-bribery policy, leadership commitment, compliance function independence, bribery risk assessment, due diligence, financial and non-financial controls, gifts and hospitality, reporting, investigations, and corrective action. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.

What should be done first?

expand_more

Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.

How long does implementation take?

expand_more

A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.

What evidence is most useful?

expand_more

Useful evidence includes bribery risk assessments, due-diligence files, training records, approval logs, gifts and hospitality registers, investigation records, corrective actions, and management reviews. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.

How should suppliers be handled?

expand_more

Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.

How often should the program be reviewed?

expand_more

Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.

Can this be integrated with other compliance programs?

expand_more

Yes. ISO 37001 can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.

Official Documentation

View All

Implementation Timeline

group_work
2013
ISO/PC 278 project committee established to develop anti-bribery standard
flag
Oct 2016
ISO 37001:2016 first edition published
public
2017-2019
Rapid global adoption — certifications issued in 40+ countries
new_releases
Feb 2025
ISO 37001:2025 second edition published with enhanced culture and conflict-of-interest requirements
event_busy
Feb 2027
Deadline for transition from 2016 to 2025 edition

Related Categories