- 2021-05-20
Introduction
This article highlights the benefits that integrating the new ISO 37301 standard with the ISO 37001 standard offers organizations.
The decision to adopt both the new ISO 37301 and the ISO 37001 standards should take into account the context of the organization, the results of the compliance and bribery risk assessments, the requirements of the interested parties that are relevant to the ISO management systems, the regulatory authorities, and the identification of the organization’s compliance obligations.
It is common for an organization to improve the way it operates to achieve conformity with the requirements specified in ISO 37001, as well as to be in compliance with ISO 37301, and then make the necessary improvements, so one can fulfill the requirements of the other.
However, the organization should be aware of the differences between the rationales for adopting ISO 37301 and ISO 37001:
- The adoption of ISO 37301 is to establish good governance, with elements such as integrity, culture, conformity, reputation, values and ethics, while also identifying and managing the organization’s compliance obligations in order to satisfy a wide spectrum of regulatory obligations;
- The adoption of ISO 37001 is often predominantly motivated by the wish or the need to demonstrate to interested parties that the organization has put in place adequate measures to prevent, detect, and respond to corruption, while aiming to avoid or reduce its corporate criminal liability as well as its negative media exposure if acts of bribery are or have been committed within its sphere of activity. This can be done preventively, but also after or in the course of a prosecution for bribery in order to demonstrate that further instances of bribery are unlikely to occur.
It is important to highlight that conformity with ISO 37001 cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery. Nevertheless, ISO 37001 can help the organization to implement reasonable and proportionate controls designed to prevent, detect and respond to bribery.
As is well known, bribery is one of the world’s most destructive and challenging issues. With over US$ 1.5 trillion paid in bribes every year according to World Bank estimates, the consequences are catastrophic – reducing quality of life, increasing poverty and eroding public trust. It is a major obstacle to democracy and the rule of law. As such, ISO 37001 is considered to be a huge benefit for Civil Society.
Despite their differences, Figure 1 shows the relationship between ISO 37301 and ISO 37001.
Figure 1: The relationship between ISO 37301 and ISO 37001.
Overlapping Requirements
ISO 37301 and ISO 37001 conform to ISO’s requirements for Management System Standards. Such requirements include:
- High-Level Structure,
- Identical Core Text, and
- Common Terms with Core Definitions.
Each of these requirements is designed to help organizations to implement both ISO management system standards.
Benefits of Integrating ISO 37001 and ISO 37301
The benefits of integrating ISO 37301 and ISO 37001 are presented below:
- Increases the organization’s credibility by demonstrating that it has effective and optimized ISO management systems to combat bribery and to meet its compliance obligations;
- Reduces the cost of implementation by having an integrated ISO management system;
- Reduces the time for implementation due to the integrated development of processes, common to both standards;
- Improves communication, reduces cost, and improves operational efficiency through elimination of unnecessary duplication;
- Improves the understanding between the compliance and anti-bribery community regarding the organization’s ISO management systems to combat bribery and to meet its compliance obligations.
The integrated implementation of both ISO Standards is for those organizations that intend to either:
- Implement ISO 37301 when ISO 37001 is already implemented; or
- Implement both ISO 37301 and ISO 37001 at the same time.
An organization already certified in ISO 37001 by an Accredited Certification Body can fulfill the requirements specified in ISO 37301 more easily, as both ISO Management Systems Standards are complementary in requirements and are based on Annex SL.
About the Authors
Ariosto Farias Jr has been an ISO Management Systems Senior Advisor, Instructor and Auditor for the past 25 years, helping more than 30 organizations to establish, implement, maintain, review and improve their Management Systems, based on ISO Standards, such as ISO/IEC 27001, ISO/IEC 27701, ISO 9001, ISO 37001, and now the new ISO 37301. He has been acting since 2016 as a Brazilian Expert on ISO/TC 309, which is the Committee responsible for ISO 37001 and ISO 37301, having participated in all of the ISO 37301 meetings. Furthermore, he is one of the ISO 37001 Handbook authors, together with other ISO/TC 309 experts/colleagues. Since 2000, he has been the expert and head of the Brazilian Delegation on the ISO SC 27 International Committee, responsible for the ISO/IEC 27000 Series of Standards. Ariosto is approved as an MSECB Auditor for ISO/IEC 27001 and ISO 37001.
Dr. Jean-Pierre Méan is a lawyer admitted in Switzerland and Canada. He has been General Counsel and Chief Compliance Officer of SGS, Chief Compliance Officer of the European Bank for Development and Reconstruction (EBRD) and President of the Swiss Chapter of Transparency International. He has been a member of the ISO Committee working on the Anti-Bribery Management Systems Standard (ISO 37001) and led the Working Group that issued the Technical Specification on Competence requirements for auditing and certification of anti-bribery management systems (ISO/IEC TS 17021-9). He is now the Convenor of the Working Group in charge of post-publication issues and of issuing a Handbook on ISO 37001 as well as preparing the revision of the standard due in 2021. Dr. Méan is conducting evaluations and audits of anti-bribery management systems and advising clients on setting up such systems. He has published extensively and is a frequent speaker on anti-corruption in international fora.
About MSECB
MSECB is accredited by IAS to offer audit and certification services against ISO 37001. If you are interested in certifying your organization against ISO 37001 and/or ISO 37301, start by getting a Free Quote.