- 2021-05-28
1. Can you briefly describe the history and importance of ISO 37001?
ISO 37001 History
ISO 37001 originated as the result of a meeting held in London in June 2013 and had its scope and title approved by the ISO Technical Management Board, in September 2013. ISO/PC 278 Anti-Bribery Management Systems was then subsequently created.
The first official meeting occurred in March 2014 in Madrid, where two important decisions were made:
- to use the British Standard BS 10500 as a basis, which deals with an Anti-Bribery Management System; and
- to adopt the same structure as the ISO Management System Standards, for example ISO 9001, in order to ensure compatibility among the various ISO Management System standards, facilitating its implementation.
To complete the standard, four more meetings were held in Miami, Paris, Kuala Lumpur and Mexico, the last one having occurred from May 31 to June 2, 2016. Sixty-five experts from thirty-three countries, including the Brazilian Delegation, have participated in this meeting.
Officially, on October 15th, 2016 ISO 37001 was published in Genève.
Importance of ISO 37001
As is widely known, bribery is one of the world’s most destructive and challenging issues. With over US$ 1.5 trillion paid in bribes every year according to the World Bank estimate, the consequences are catastrophic – reducing quality of life, increasing poverty, and eroding public trust. It is a major obstacle to democracy and the rule of law. As such, ISO 37001 is considered to be a huge benefit for civil society.
Impact of bribery on Society
The impacts that bribery has on society are vile; among them, bribery:
- allows organized crime, terrorism and other threats to human security,
- hampers development,
- drives away investments,
- leads to loss of confidence in government and institutions, and
- causes serious social, moral, economic, and political problems.
Impact of bribery on Individuals
For individuals, bribery:
- denies access to basic services,
- erodes the quality of life,
- denies opportunities for employment, and
- ruins careers and reputations.
Countries affected by bribery suffer the consequences of rising costs for hospitals, roads, and other basic services.
Impact of Bribery on Business
Businesses are impacted by bribery in various aspects including:
- distortion of markets and competition,
- increases in the cost of doing business,
- loss of business reputation, and
- wrong incentives.
Bribery scandals have caused reputational damage to the companies involved.
World Bribery Cases
Bribery is a world phenomenon that goes from A, Argentina, up to Z, Zambia.
A report by the OECD found that more than 50% of foreign bribery cases between 1999 and 2014, occurred in just four sectors: construction, extraction, transportation, and IT/communication. We can add here the defense sector too.
A German conglomerate was embroiled in the largest bribery case seen in history some years ago. Bribery payments between 2001 and 2007, the majority of which were made via external consultants (let us say business associates), totaled a staggering US $1.4bn.
Unfortunately, bribery is many organizations’ business model. Among the biggest examples involving this German organization was a US $40m bribe paid to the president of Argentina to obtain a one-billion-dollar contract for producing national identity cards.
Other payouts included US $16m of bribe to build rail lines in Venezuela and US $14m for medical equipment in China.
In 2009, a Texas-based engineering and construction company pleaded guilty to paying government officials in Nigeria to win engineering, procurement and construction contracts – worth more than US $6bn – for a liquefied natural gas plant.
Furthermore, one of the world’s biggest defense companies had bribed foreign officials with payments worth hundreds of millions of US dollars to obtain defense contracts in Saudi Arabia. In Bangladesh, officials received US $5m in bribes to obtain a mobile phone contract.
For years, Latin America’s construction giant built some of the region’s most crucial infrastructure projects. In 2016, the Brazil-based group signed what has been described as the world’s largest leniency deal with US and Swiss authorities, in which it confessed to corruption and paid $2.6bn in fines.
And this is just the tip of the iceberg. Every week we have a new bribery case.
2. What is the difference between bribery and corruption?
The figure below explains very well the difference between bribery and corruption:
Figure 1. The difference between bribery and corruption
It is also important to know the generic definition of bribery in the ISO 37001 standard:
Bribery: offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.
3. Does ISO 37001 address all types of bribery?
ISO 37001 can help the organization to implement reasonable and proportionate controls designed to prevent, detect, and respond to bribery.
It specifies the implementation by the organization of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organization faces.
4. Which are the most important clauses of this standard?
All of the requirements of ISO 37001 are important, since we have to follow the PDCA Cycle. So, from 4.1 Understanding the organization and its context up to 10.2 Continual improvement, the organization shall meet all of its requirements.
Nevertheless, the following requirements are certainly crucial to the success of ISO 37001 when they are very well implemented:
- 5.1 Governing Body as well as Top management leadership and commitment,
- 6.1 Actions to address risks and opportunities,
- 7.3 Awareness and training,
- 8.2 Due diligence,
- 8.5 Implementation of anti-bribery controls by controlled organizations and by business associates,
- 8.9 Raising concerns,
- 8.10 Investigating and dealing with bribery.
5. Is ISO 37001 related to other ISO standards?
The ISO 37001 standard conforms to ISO’s requirements for management system standards. These requirements include a high-level structure, identical core text, and common terms with core definitions, designed to benefit users implementing multiple ISO management system standards.
ISO 37001 can be used in conjunction with other management system standards, such as the newest ISO 37301, ISO 9001 and other ISO management system standards.
6. Which industries can benefit the most from this standard and how?
The requirements of the ISO 37001 standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of their type, size, nature of activity, or whether they belong to the public, private or not-for-profit sector.
7. How does ISO 37001 help an organization comply with other anti-bribery laws?
The ISO 37001 standard sets out requirements and provides guidance for a management system designed to help an organization to:
- prevent, detect and respond to bribery,
- comply with anti-bribery laws and voluntary commitments applicable to its activities, and
- be in conformity with the organization’s policies and procedures.
8. How does the certification audit against ISO 37001 help companies?
ISO 37001 certification provided by an Accredited Certification Body is surely a demonstration to enforcement agencies, investors, shareholders, suppliers, collaborators and society that the organization is fully committed to adopting effective controls to combat bribery in all its forms.
9. Does conformity with ISO 37001 guarantee that no bribery will happen?
Conformity with ISO 37001 cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery.
So the organization has to identify the potential bribery risk areas, which are then confirmed through the bribery risk assessment. This assessment identifies the bribery risks the organization will focus on in order to treat those risks, implement the controls (preventive, detective and corrective), and allocate the anti-bribery compliance personnel, resources and activities.
10. What are some tips and advice to get ready for a certification audit against ISO 37001?
Please be very careful when designing your Anti-bribery Management System (ABMS), and take into account the message from one of the management gurus (Dr. Joseph Juran), who recommends that organizations implement a management system part by part. In other words, the ABMS shall be implemented process by process and not in the entire organization at once.
So, choose 3 or 4 areas/processes, define your high and very high bribery risks (such as business associates and other interested parties), and then implement ISO 37001.
Also, please take into account that, unlike other ISO MSS, ISO 37001 relies heavily on humanware. Based on this scenario and on the requirements of ISO 37001, the five personnel behaviors – Integrity, Honesty, Ethics, Transparency, and Respect – are expected from everyone in the organization and shall be described in the organization’s Code of Conduct, from the top down to the bottom up, including the business associates and other interested parties, in order to be in compliance with laws and regulations, as well as the organization’s anti-bribery policies and procedures.
This is the way for a successful implementation of an ABMS.
1. What is the purpose of ISO/IEC 27701 and why is it so important?
The purpose of the ISO/IEC 27701 requirements is to incorporate the protection of Privacy Information into a client’s Management System. Within the past few years, many countries and states have implemented legislation and guidelines to protect the privacy of personal information.
The ISO/IEC 27701 standard provides guidance for organizations on how to review, evaluate and maintain PII principals’ privacy information, and on the technical/security controls needed to protect the management, processing, storage and deletion of this data. Additionally, ISO/IEC 27701 helps organizations demonstrate, through third-party audits, that they have taken the steps to incorporate the various controls in accordance with regulatory requirements.
Furthermore, for organizations that are already certified to the ISO/IEC 27001 standard, ISO/IEC 27701 serves as a continual improvement of ISO/IEC 27001, since it extends and enhances their management system with the protection of Privacy Information.
Governments are also requiring evidence from their supply chain to demonstrate that CUI – Controlled Unclassified Information – is protected by their vendors.
2. Which are the most important clauses of this standard?
The following clauses are very important to the standard:
- “Information Security” shall be extended to the protection of privacy as potentially affected by the processing of PII (Clause 5.1).
- The organization should ensure that people under PII control are made aware of the definition of PII and how to recognize information that is PII (Clause 6.5.2.2).
- The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals (Clause 5.2.2).
- The organization shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability, within the scope of the PIMS.
- The organization shall apply privacy risk assessment process to identify risks related to the processing of PII, within the scope of the PIMS (Clause 5.4.1.2).
- The organization shall ensure throughout the risk assessment processes that the relationship between information security and PII protection is appropriately managed (Clause 5.4.1.2).
3. Which industries can benefit the most from this standard and how?
Almost all industries would benefit from this standard if they employ people and work with software vendors where information is stored, processed or used in a transaction. Even if a vendor only makes widgets, there would still be some employee, client or vendor information.
A process to identify Personally Identifiable Information (PII) should be performed. Invoices created, or any other business process transacted on the web, will show that in some way or another the exchange or handling of PII or CUI occurs. Thus, all organizations should seek certification against ISO/IEC 27701, for instance service companies or any other company that handles and processes PII, CUI or data.
4. What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is considered to be any information that can be used to recognize a specific person. A rogue party that gains access to PII without the person’s knowledge can use this information to take advantage of that person’s credentials, without the person’s permission or knowledge, in a compromising way.
5. What is the difference between PII Processor and PII Controller?
A PII Processor is an entity (company) that processes or uses the PII for a legitimate purpose and with the person’s consent for the purpose given. It may use this information for the purpose of processing a transaction on behalf of the PII Principal, e.g., credit card processing, or processing and sharing PII data with other parties for the purpose of payroll and benefits, etc.
A PII Controller receives the PII data by permission and for a specific purpose. The PII Controller protects the PII data but does not change it or use it in any unlawful way.
6. What is the relation between ISO/IEC 27701 and ISO/IEC 27001?
The relationship between ISO/IEC 27001 and ISO/IEC 27701 is that they apply the same basic principle and process of protection for both Information Security and Privacy. The additional Annex A controls of ISO/IEC 27701 enable companies to build on the foundation of the ISO/IEC 27001 standard by implementing the additional controls, specifically those for handling the protection of privacy of information.
7. Is it necessary for an organization to be certified with ISO/IEC 27001 before seeking ISO/IEC 27701 certification?
Yes, considering that ISO/IEC 27701 is an extension to ISO/IEC 27001, organizations seeking certification against ISO/IEC 27701 need to be first certified against ISO/IEC 27001.
8. Will the ISO/IEC 27701 certificate prove that you are in compliance with GDPR?
The certification indicates that the organization meets the requirements of the ISO/IEC 27701 standard; in addition, the organization can implement appropriate controls as required by regulatory and legal requirements, e.g. GDPR, CCPA, the NY SHIELD Act, and other state requirements for the protection of data. ISO/IEC 27701 has a very detailed and clear mapping to GDPR clauses; therefore, when the standard is implemented with GDPR as the primary focal point, it ensures that all the clauses of GDPR have been taken into consideration.
Thus, organizations can demonstrate alignment and governance with respect to the GDPR requirements, though they should not claim certification to GDPR.
9. How does the certification audit against ISO/IEC 27701 help organizations?
Certification against ISO/IEC 27701 helps organizations be cognizant of how and where PII is being used by them, and of their responsibility to protect this data and not be sued for a security breach or misuse of information. Organizations can ensure that any legal, contractual and regulatory requirements have been evaluated and are managed as required. The certification process will enable organizations to review and address any gaps and mitigate risks through careful review and data impact analysis (DIA).
11. What would be your advice towards the organizations that are thinking of getting certified?
As more states and countries adopt privacy laws, it has become a critical requirement for many, if not all, businesses to implement and manage the security and protection of PII. Organizations may face loss of business and reputation, or be penalized by clients, partners or vendors, if they suffer a security breach without appropriate security controls in place. The protection of information is also protection from threats and vulnerabilities that cause harm to the company.
About the Author
Ariosto Farias Jr has been an ISO Management Systems Senior Advisor, Instructor and Auditor for the past 25 years, helping more than 30 organizations to establish, implement, maintain, review and improve their Management Systems based on ISO Standards, including ISO 37001. Since 2016 he has been acting as a Brazilian Expert on ISO/TC 309, which is the Committee responsible for ISO 37001 and ISO 37301, and has participated in all ISO 37301 meetings. Ariosto Farias Jr is approved as an MSECB Auditor for ISO/IEC 27001 and ISO 37001.