ISO 37301 is the international standard for compliance management systems (CMS). It provides a structured framework to help organisations identify, manage, and demonstrate compliance with applicable laws, regulations, codes, and internal policies.
ISO 37301 certification shows that an organisation has effective, proportionate systems in place to meet compliance obligations and to respond appropriately when issues arise.
What is ISO 37301?
ISO 37301 is an international standard published by the International Organization for Standardization. It sets out requirements and guidance for establishing, implementing, maintaining, and continually improving a compliance management system.
The standard replaced ISO 19600 (which was a guidance-only standard) and is certifiable, allowing organisations to demonstrate compliance maturity through independent audit.
What does ISO 37301 cover?
ISO 37301 focuses on building a robust, organisation-wide approach to compliance. Key areas include:
- Compliance policy and objectives
- Leadership, accountability, and independence
- Identification and assessment of compliance obligations
- Risk-based compliance controls
- Training, awareness, and communication
- Reporting, investigation, and corrective action
- Monitoring, measurement, and continual improvement
The emphasis is on systematic compliance, not ad-hoc controls or isolated policies.
Who is ISO 37301 for?
ISO 37301 is suitable for organisations of all sizes and sectors, particularly those that:
- Operate in regulated or high-risk environments
- Manage complex legal or regulatory obligations
- Work across multiple jurisdictions
- Rely on third parties, agents, or suppliers
- Want to demonstrate strong governance and accountability
It is commonly adopted by financial services, energy, healthcare, construction, technology, public sector, and multinational organisations.
ISO 37301 requirements explained
To achieve ISO 37301 certification, an organisation must demonstrate:
Leadership and governance
- A documented compliance policy
- Clear roles, responsibilities, and authority
- Independence of the compliance function where appropriate
Compliance obligations and risk assessment
- Identification of applicable laws, regulations, and commitments
- Assessment of compliance risks
- Risk-based planning of controls and activities
Operational compliance controls
- Procedures to ensure compliance is embedded in operations
- Controls over high-risk activities
- Integration with procurement, HR, finance, and operations
Reporting and response
- Mechanisms for reporting concerns and breaches
- Investigation and corrective action processes
- Protection against retaliation for reporting
Performance evaluation and improvement
- Monitoring and measurement of compliance performance
- Internal audits
- Management review and continual improvement
Auditors focus on evidence that compliance controls operate in practice, not just on documented intent.
How to get ISO 37301 certified
The certification process typically includes:
- Defining the scope of the compliance management system
- Identifying compliance obligations and risks
- Developing compliance policies, procedures, and controls
- Implementing training and communication programmes
- Establishing reporting and investigation processes
- Carrying out internal audits and management review
- Passing a Stage 1 and Stage 2 certification audit
ISO 37301 is often implemented alongside broader governance, risk, and ethics frameworks.
How long does ISO 37301 certification take?
Indicative timeframes are:
- Small organisations: 6–12 weeks
- Medium organisations: 2–4 months
- Large or complex organisations: 3–6 months+
Timelines depend on regulatory complexity, geographic footprint, and existing compliance maturity.
How much does ISO 37301 certification cost?
Indicative total costs (initial certification):
- Small organisations: £3,000–£8,000 | $4,000–$10,000 | €3,500–€9,000
- Medium organisations: £8,000–£20,000 | $10,000–$26,000 | €9,000–€22,000
- Large or complex organisations: £20,000–£40,000+ | $26,000–$50,000+ | €22,000–€45,000+
Costs vary depending on scope, regulatory exposure, audit duration, and preparation approach.
Benefits of ISO 37301 certification
Organisations commonly achieve:
- Stronger compliance governance and accountability
- Reduced risk of regulatory breaches and penalties
- Improved transparency and reporting
- Better integration of compliance into daily operations
- Increased confidence from regulators, partners, and stakeholders
- Demonstrable commitment to ethical and lawful conduct
ISO 37301 supports consistent, auditable compliance rather than reactive enforcement.
Common ISO 37301 mistakes to avoid
- Treating compliance as a legal-only function
- Failing to identify all applicable obligations
- Weak reporting and investigation processes
- Insufficient staff awareness and training
- Lack of monitoring and continual improvement
Auditors expect compliance systems to be practical, proportionate, and embedded across the organisation.
ISO 37301 certification FAQs
No. ISO 37301 is voluntary, but it is often used to demonstrate robust compliance governance.
No. ISO 37301 supports compliance management but does not replace legal or regulatory requirements.
Certification is typically valid for three years, with regular surveillance audits.
Yes. ISO 37301 integrates well with ISO 37001, ISO 9001, ISO 27001, and ISO 22301.
Next steps
If you are considering ISO 37301 certification:
- Identify your compliance obligations and risks
- Define a clear CMS scope
- Decide whether to prepare internally or use external support
- Plan realistic timescales and budgets
ISOcertified.net provides detailed guidance on ISO 37301 certification, including compliance risk assessment, audit preparation, costs, and ongoing governance best practice.