ISO 37001 Consultancy — Anti-Bribery Management Systems · Crescent Quality Certifications

Product & Regulatory

ISO 37001 integrity, built into process.

An anti-bribery management system that moves compliance from a policy PDF into documented due diligence, monitored controls, and evidence the board can defend in a regulator's office.

What it is

The international standard for anti-bribery management systems.

ISO 37001 specifies requirements and provides guidance for establishing, implementing, maintaining, and improving an anti-bribery management system. It is applicable to organisations of any size and any sector and addresses bribery by the organisation, by its personnel, and by third parties acting on its behalf — whether the bribery is of or by public officials or between private parties.

The standard does not prevent bribery on its own. It requires an organisation to apply reasonable and proportionate measures to prevent, detect, and address bribery, and to demonstrate that those measures have been applied in good faith. Certification is independent confirmation that the measures exist, that they have been tested, and that leadership is engaged in the outcome.

Who needs it

Organisations exposed to corruption risk through sector, geography, or intermediaries.

Infrastructure and EPC contractors, defence suppliers, pharmaceutical companies, extractive industries, public-sector suppliers, financial services firms, and any organisation operating through sales intermediaries in higher-risk jurisdictions. In India, ISO 37001 is increasingly pursued by PSUs, large listed groups, and private-sector businesses responding to stakeholder activism, FCPA and UK Bribery Act exposure, or internal incident response.

Benefits

What a well-built ABMS earns you.

01

Reasonable-measures defence.

FCPA, UK Bribery Act, and India's Prevention of Corruption Act all provide defences or mitigations where an organisation can demonstrate it had adequate procedures. ISO 37001 is the most widely recognised evidence of that.

02

Third-party risk discipline.

Intermediaries — agents, distributors, consultants — are the predominant source of corruption risk. Clause 8 forces documented due diligence and monitoring.

03

Tender eligibility.

Public sector and multilateral tenders increasingly require either ISO 37001 or equivalent anti-bribery commitments, including from listed suppliers.

04

Board and senior management visibility.

The standard requires explicit governing-body oversight — a helpful corrective to compliance functions that lack senior air cover.

05

Incident response readiness.

Investigation procedures, whistleblowing channels, and escalation protocols are set up in advance rather than in the middle of a crisis.

06

Cultural signal.

The internal effect of a credibly implemented anti-bribery system is often larger than the external effect. Personnel know that the policy has teeth.

Requirements, in outline

What the standard actually asks of you.

Clause 4 requires understanding the organisation, its context, interested parties, and a formal bribery risk assessment. Clause 5 addresses leadership — an anti-bribery policy, defined roles, explicit accountability of the governing body and top management, and appointment of an anti-bribery compliance function with direct access to top management and independence from operational line management.

Clause 6 covers planning, including anti-bribery objectives. Clause 7 addresses resources, due diligence, employment conditions and controls on personnel, training and awareness, communication, and documented information. Clause 8 is the operational core — due diligence on business associates, financial and non-financial controls, controls on gifts, hospitality, donations and similar benefits, raising concerns (whistleblowing), investigation of bribery concerns, and responses to confirmed bribery. Clause 9 covers performance evaluation including internal audit, management review, and governing-body review. Clause 10 covers non-conformity and continual improvement. The requirement for proportionality runs through every clause.

Our approach

Five stages, from discovery to certificate.

01

Risk assessment

Geography-by-geography, activity-by-activity bribery risk assessment — the foundation that proportionality rests on. Without this, every subsequent control decision is harder to defend.

02

Policy, roles & compliance function

Anti-bribery policy, terms of reference for the compliance function, board and top-management accountability structures, and reporting lines compatible with independence.

03

Due diligence & third-party controls

Tiered due diligence for business associates proportionate to risk, contractual anti-bribery clauses, and ongoing monitoring. This is where auditors look hardest.

04

Financial controls, training, whistleblowing

Payment controls, approval matrices, hospitality and gift registers, training tailored by role, and a whistleblowing channel that personnel actually trust.

05

Certification audit

Stage 1 and Stage 2 attendance, with particular support on evidence of due diligence, investigation records, and management review depth.

Timeline & investment

Honest ranges, not placeholder pricing.

An organisation with reasonable compliance infrastructure in place typically reaches Stage 2 in twelve to eighteen weeks. Organisations starting without a bribery risk assessment, or operating through a large population of third-party intermediaries, typically run to five to six months.

Fees depend on organisational scope, number of third parties in due-diligence scope, and the geography of operations. Certification body fees are separate. Where legal privilege and investigation protocols matter, we coordinate with external counsel from the start.

Frequently asked

Questions we answer on most ISO 37001 calls.

Not automatically. Certification is evidence that the organisation had a reasonable anti-bribery management system in place, which supports an "adequate procedures" defence under regimes like the UK Bribery Act — but courts and regulators examine the substance, not just the certificate.

The function must have sufficient authority, resources, and independence from management to carry out its role. In smaller organisations the function can be part of a broader compliance role, provided the governance and reporting lines support independence in practice.

The code of conduct is typically broader than anti-bribery; ISO 37001 addresses the subset of controls focused on bribery specifically. The two should be aligned, with the ABMS referenced from the code of conduct rather than replacing it.

The standard does not mandate a prohibition on facilitation payments but requires the organisation to explicitly state its position and control any exceptions. Most implementations prohibit them; the discipline is in how exceptions are documented and escalated.

The standard addresses controlled organisations within your scope, and requires due diligence on — not control of — business associates including non-controlled JVs. Minority-stake JVs are treated as third parties, with proportionate due diligence and contractual protections.

Get a readiness assessment for ISO 37001.

Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.