ISO 37301 is the first international standard for compliance management systems. It covers territory no previous standard has addressed at this level of specificity.
ISO 37301:2021 — Compliance Management Systems — was published in April 2021, replacing the earlier ISO 19600 guidance document with a certifiable standard. The upgrade from guidance to certifiable standard is significant: it means that ISO 37301 now carries the same third-party verification mechanism as ISO 37001 — an accredited certification body can audit an organisation's compliance management system against the standard's requirements and issue a certificate confirming conformity.
The standard addresses a question that compliance frameworks have always implied but rarely made explicit: what does a well-governed compliance programme look like as a management system? Not what should it prohibit, not which risks should it address, not which controls should it include — but how should it be built, governed, resourced, monitored, and improved so that it functions reliably across changing conditions, changing personnel, and changing risk environments.
The answer ISO 37301 provides is structured around the same High Level Structure used by ISO 37001 and other ISO management system standards. But the content within that structure is broader and, in some respects, more demanding than ISO 37001 — because it addresses the compliance management system as a whole, rather than a specific risk category within it. An organisation that meets ISO 37301 has demonstrated that its compliance infrastructure is systematic, governed, and capable of managing whatever compliance obligations the organisation carries.
Broader scope, stronger governance requirements, and a more demanding approach to compliance culture.
ISO 37301 requires the organisation to identify all of its compliance obligations — not just those relating to bribery, but the full range of legal, regulatory, contractual, and voluntarily assumed obligations that apply to its operations. This obligation identification exercise is the foundation of the compliance management system, and the standard requires it to be systematic, documented, and updated when the organisation's circumstances change. An organisation that cannot demonstrate a comprehensive and current picture of its compliance obligations has not met this foundational requirement.
The governance requirements of ISO 37301 are more specific and more demanding than those of ISO 37001 in one critical respect: the standard addresses the governing body — the board — separately from top management. It requires the governing body to oversee top management's implementation of the compliance management system, to satisfy itself that the system is effective, and to promote a compliance culture at the highest level of the organisation. This creates a direct line from the standard's requirements to board-level accountability that was implicit in ISO 37001 but is explicit in ISO 37301.
The standard's approach to compliance culture — Clause 5 — is more developed and more operational than in ISO 37001. It requires the organisation to assess its current compliance culture, to identify gaps between the culture it has and the culture it needs, and to take active steps to close those gaps. This is not a soft requirement. The auditor will look for evidence that the culture assessment has been conducted, that the findings have been documented, and that the actions taken in response are traceable to the assessment's conclusions.
The question that most clearly reveals whether an organisation is genuinely ready for ISO 37301 certification is this: can you demonstrate that your governing body — your board — exercises active oversight of the compliance management system, and that this oversight is documented? Not that the board has approved a compliance policy, and not that compliance appears on the board's agenda occasionally, but that the board can demonstrate informed, active, and evidenced engagement with the effectiveness of the compliance programme. This is where many organisations that are otherwise well-prepared for the standard discover a significant gap.
ISO 37301 requires the organisation to know whether its compliance programme is working.
Clause 9 — Performance Evaluation — is one of the areas where ISO 37301 goes furthest beyond what most compliance programmes have built. The standard requires the organisation to monitor, measure, analyse, and evaluate its compliance performance against defined indicators; to conduct internal audits of the compliance management system at planned intervals; and to conduct management reviews at planned intervals that use compliance performance data to make decisions about the system's ongoing adequacy and effectiveness.
The monitoring and measurement requirement is demanding because it requires the organisation to define what it is monitoring — which indicators, which processes, which outcomes — and to demonstrate that the monitoring is producing information that is used to evaluate compliance performance. A compliance programme that tracks completion rates and case counts but does not connect those metrics to the risks the programme is designed to address has not met the monitoring requirement. The indicators must be meaningful — connected to the compliance obligations and risks that the programme exists to manage.
The internal audit requirement is distinct from the compliance function's own monitoring activities. The standard requires that internal audits of the compliance management system be conducted by persons who are independent of the activities being audited — which typically means either a dedicated internal audit function or an external provider, depending on the size and structure of the organisation. The audits must be planned, must cover the full scope of the compliance management system over an appropriate cycle, and must produce documented findings that are reported to appropriate management.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. ISO standards are subject to periodic revision. Organisations seeking certification guidance should consult a qualified ISO management system specialist and their chosen certification body.