ISO 37001 is the international standard for anti-bribery management systems (ABMS). It provides a structured framework to help organisations prevent, detect, and respond to bribery risks across their operations and supply chains.
ISO 37001 certification demonstrates that an organisation has proportionate controls in place to reduce bribery risk and promote ethical business practices.
What is ISO 37001?
ISO 37001 is an international standard published by the International Organization for Standardization. It specifies requirements and guidance for establishing, implementing, maintaining, and improving an anti-bribery management system.
The standard is risk-based and scalable, meaning controls are designed to be proportionate to the organisation’s size, activities, and exposure to bribery risk. It applies to both public and private sector organisations.
What does ISO 37001 cover?
ISO 37001 focuses on preventing bribery in all forms (direct and indirect). Key areas include:
- Anti-bribery policy and ethical commitments
- Leadership responsibility and tone from the top
- Bribery risk assessment and due diligence
- Financial and non-financial controls
- Gifts, hospitality, donations, and sponsorship controls
- Third-party and business associate management
- Reporting, investigation, and corrective action
- Monitoring, review, and continual improvement
The standard does not guarantee that bribery will never occur, but it requires organisations to take reasonable and demonstrable steps to prevent it.
Who is ISO 37001 for?
ISO 37001 is suitable for organisations of all sizes and sectors, particularly those that:
- Operate internationally or in high-risk markets
- Use agents, intermediaries, or third parties
- Bid for public or regulated contracts
- Are subject to anti-corruption laws and regulations
- Want to demonstrate ethical governance to stakeholders
It is commonly adopted by construction, engineering, energy, financial services, professional services, and public sector organisations.
ISO 37001 requirements explained
To achieve ISO 37001 certification, an organisation must demonstrate:
Leadership and governance
- A documented anti-bribery policy
- Appointment of anti-bribery compliance responsibility
- Clear roles, responsibilities, and authority
Bribery risk assessment and due diligence
- Identification and assessment of bribery risks
- Due diligence on business associates and partners
- Risk-based controls tailored to exposure
Financial and operational controls
- Controls over payments, procurement, and contracts
- Approval and monitoring of gifts and hospitality
- Segregation of duties and record keeping
Reporting and investigation
- Confidential reporting channels
- Investigation and response procedures
- Protection for whistleblowers
Performance evaluation and improvement
- Monitoring and internal audits
- Management review
- Corrective actions and continual improvement
Auditors focus on evidence that controls are operating in practice, not just written policies.
How to get ISO 37001 certified
The certification process typically includes:
- Defining the scope of the anti-bribery management system
- Conducting a bribery risk assessment
- Developing policies, procedures, and controls
- Implementing due diligence and training programmes
- Establishing reporting and investigation mechanisms
- Carrying out internal audits and management review
- Passing a Stage 1 and Stage 2 certification audit
ISO 37001 is often implemented alongside wider compliance or governance frameworks.
How long does ISO 37001 certification take?
Indicative timeframes are:
- Small organisations: 6–12 weeks
- Medium organisations: 2–4 months
- Large or high-risk organisations: 3–6 months+
Timelines depend on organisational complexity, geographic footprint, and existing compliance maturity.
How much does ISO 37001 certification cost?
Indicative total costs (initial certification):
- Small organisations:
£3,000–£8,000 | $4,000–$10,000 | €3,500–€9,000 - Medium organisations:
£8,000–£20,000 | $10,000–$26,000 | €9,000–€22,000 - Large or complex organisations:
£20,000–£40,000+ | $26,000–$50,000+ | €22,000–€45,000+
Costs vary depending on bribery risk exposure, audit duration, and preparation approach.
Benefits of ISO 37001 certification
Organisations commonly achieve:
- Reduced risk of bribery and corruption
- Clearer ethical standards and accountability
- Stronger third-party and procurement controls
- Improved confidence from customers and partners
- Support for regulatory and contractual compliance
- Demonstrable commitment to ethical business conduct
ISO 37001 can be particularly valuable where reputation and trust are critical.
Common ISO 37001 mistakes to avoid
- Treating ISO 37001 as a tick-box exercise
- Inadequate bribery risk assessment
- Weak controls over third parties
- Poor staff awareness and training
- Failing to monitor and review controls
Auditors expect anti-bribery measures to be proportionate, practical, and actively enforced.
ISO 37001 certification FAQs
No. ISO 37001 is voluntary, but it is often used to demonstrate compliance with anti-bribery and anti-corruption expectations.
No. ISO 37001 supports compliance but does not replace applicable laws or regulations.
Certification is typically valid for three years, with regular surveillance audits.
Yes. ISO 37001 integrates well with ISO 9001, ISO 37301, and ISO 27001 within an integrated management system.
Next steps
If you are considering ISO 37001 certification:
- Assess bribery risk across your activities and markets
- Define a clear and proportionate ABMS scope
- Decide whether to prepare internally or use external support
- Plan realistic timescales and costs
ISOcertified.net provides detailed guidance on ISO 37001 certification, including risk assessment, audit preparation, costs, and ongoing anti-bribery governance.