ISO 37301 vs 37001: How will the new general compliance standard work with other ISO compliance standards?

Since 2014, ISO has been making a concerted effort towards standardising the area of governance, assembling the ISO/TC 309 committee with the goal of achieving “an understanding of what good governance of organisations should look like.” Until the start of this year though, only ISO 37001 and ISO 19600 had been published. ISO 37301’s recent publication has caused many compliance professionals to re-think the value of ISO 37001, because “compliance management system” does not provide a clear definition of the standard's scope. As experts in the area, we have taken it upon ourselves to answer the two most common questions we have been hearing from clients: What is the purpose of these two standards? What is the effect of this new general compliance standard on current and future ISO compliance standards?

What is the purpose of each standard?

While traditional anti-bribery programmes are often perceived as being merely a set of procedures that could hamper an organisation’s ability to optimally conduct business, ISO 37001 was designed to accentuate the benefits of compliance. The simplest explanation of its purpose is: to use the high-level structure of ISO management systems to ingrain anti-bribery into organisations’ daily operations. This transforms anti-bribery procedures from being an obstacle to an advantage for  overall success. The standard also allows organisations to demonstrate the strength of their anti-bribery efforts by certifying their ABMS against a global framework. It is important to emphasise that ISO 37001 requirements focus exclusively on anti-bribery, thus making it an attractive proposition for organisations whose primary risk is that of bribery prevention.

ISO 37301 shares many similarities with ISO 37001 including its goal of accentuating the benefits of compliance, its high-level structure, and its ability to demonstrate general compliance strength. However, the nature of general compliance means that instead of it requiring an extremely prescriptive system for an area such as anti-bribery, ISO 37301 should be considered as more of a coordination tool which requires that all your other compliance programmes or systems function harmoniously. Therefore, certification against this standard will demonstrate that you have a compliance management system in line with general compliance best practices and ultimately one which will reduce your overall compliance risk. However, what it will not do is demonstrate that your programmes like anti-bribery or AML have been built to any specific prescriptive requirements which reduce your organisational risk in their respective areas (i.e. bribery or money laundering for our examples).

Roadmap of the ISO Technical Committee ISO/TC 309 for governance of organisations
Roadmap of the ISO Technical Committee ISO/TC 309 for governance of organisations

Technical Areas where 37001 differs

You might still find yourself asking, if both standards follow ISO’s high-level structure, then where do their requirements actually differ?

As mentioned, ISO 37001’s focus on anti-bribery requires that the system be built around prescriptive requirements and include the implementation of operational controls. Chapter 8 of ISO 37001 highlights the main contrast between the two standards, with text on non-financial controls, due diligence, or a gift and invitations policy. This increased focus on controls is only natural as each area of compliance has a different set of “best practices”, which the drafting committee considers when building the requirements for each standard.

Another point of differentiation can be found in the “context of the organisation” chapter. Though it is a cornerstone of all ISO management system standards, the risk analysis that is required by ISO 37001 must focus on bribery risks rather than general compliance risks. This emphasis on each distinct compliance area is essential for identifying areas of your business where offenses are likely to occur. Your compliance team can then reduce the risk of them occurring by building its system with stronger controls in these areas.

Unifying the two standards

ISO 37301’s role as a compliance coordination tool, means that implementing it with an ABMS that is built according to ISO 37001 is not only possible, but also advisable for organisations whose primary area of risk is anti-bribery. This is also great news for organisations who have already implemented an ABMS according to the requirements of ISO 37001, as it will be easily incorporated into their new compliance management system.

The standards share elements of their high-level structure, including: management review, internal audit programme, common boards where anti-bribery and compliance topics are addressed, whistleblowing and common investigation process, and a process of continual improvement. This reduces the time and effort that will be required of your compliance team for both the drafting and maintenance of the system, because there will be limited repetitive work. It also puts organisations who have already implemented an ABMS according to ISO 37001 at an advantage, because they have already completed these sections.

The standards also share several of the same procedures, including: role of the top management and the board, management review, fixing of objectives, internal audit, continuous improvement. The familiarity of the compliance team with the requirements of each section will reduce the time it spends on establishing the system. These procedural similarities are also extremely important for “non-compliance specialised” employees, as their consistency makes expectations a lot easier to understand.

A framework for new ISO compliance standards

A key benefit of ISO 37301 is its flexibility, which is highlighted by the both the varied systems that it can produce and the infinite number of compliance programmes or systems that it can incorporate. This second point is highly important when you consider that ISO is also planning to launch several more compliance standards, which your organisation might want to integrate into your compliance management system in the future. The current planned standard agenda only includes ISO 37002 whistleblowing management systems, but discussions are underway for an anti-fraud controls, governance maturity model, and indicators for governance, accountability, and decision-making. All of these planned guidelines and requirements will use ISO’s high-level structure too, making their integration into ISO 37301’s compliance management system just as seamless as that of an ISO 37001 AMBS.

An expedited certification process

If you would like to take advantage of the expedited certification process, there are two things to be aware of. Firstly, that your ABMS or any future ISO compliance management systems are integrated into your compliance management system. The second is that you select a certification body, like ETHIC Intelligence, who has the capability to conduct integrated audits. We ensure that the auditors conducting your certification will have the correct compliance specialisation to audit any of your management systems, while the integration of these systems will eliminate the need to re-audit the different parts of the high-level structure.

Whether you choose to implement these standards individually or prefer to implement them simultaneously, ETHIC Intelligence has a broad range of services, content, and tools which can help you to achieve your goals. Read our past blog posts, watch the recordings of our webinars, try some of the tools on our website, or contact our friendly team for more information. If you are interested in ISO 37301 specifically, we are also hosting remote training courses on this new standard for both lead implementers and auditors – an unmatched preparation for attendees.