Will ISO 37001 become a box-checking formality?

My prior post for the FCPA Blog suggested that changes are needed to the ISO 37001 anti-bribery management system before countries, agencies, and companies move forward with large-scale adoption.

One of my suggestions in particular — that ISO replace certification with a process for obtaining reviews of compliance programs — attracted thoughtful opposing comments and some criticism.

I’d like to respond.

If well-known and respected ISO 37001 advocates such as Jean-Pierre Méan and Kristy Grant-Hart were doing all the reviews for certification, I might share their optimism about the value of ISO 37001 as currently proposed. But they are not, and I do not. 

Take a look at the Transparency International map of world corruption. Essentially any one of those countries could do what Jean-Pierre described in his comment to my earlier post, and empower an entity that will then authorize reviewing houses that grant the full “certification.” This does not fill me with confidence. 

Then consider that companies can freely shop for the entity that does their certification. This also does not fill me with confidence.

We should also be asking whether a simple, pass-fail system of “certification” makes sense or is a good idea. I have serious concerns about this. What will this do to the third-party due diligence process? Busy companies looking for third party partners are not likely to delve into the details behind a company’s certification. This can easily become a box-checking exercise, where a third party need only have some basis for claiming “certification” to get a pass.

This system also sets up what is likely a losing fight against human nature. Once you give someone a pass under a pass/fail system, you are inviting them to celebrate the success and move on. After all, once you have passed why do more? Sure the technical language used by ISO says certified companies have to keep improving, but is it really likely that the same auditors who first gave the passing grade, and who are selected and paid by the company, are going to stand on principle and demand significant innovation when they have already found the compliance program to be passing?

There may also be confusion about how much of any large company has actually been certified. There will also be questions about how deep the review actually was. How deep was the testing? Were reviews based on any form of statistical sampling? Did the reviewers really have free license to examine anything in the business? And what about the cost of a truly deep review? My understanding of the reviews would lead me to recommend to any company looking for a third party partner that claims to be certified, to request the full certification examination file, and not to settle for a simple certification certificate or a small summary of the review. But will companies do this? I doubt it.

As for the number of committees and countries in the drafting process, I have been a student of organizational conduct too long to find much comfort in this. I do not know how many of the meetings any one of the participants actually attended, or what compromises were made to get buy-in, or whether the enforcement people who have most familiarity with the evils of bribery were included (although I have been told they were not). 

But whatever the process might have been, all that matters is the product. And I find this troublesome. In my draft report I note some definite strong points, but also go into detail about the drafting weaknesses. It is informative to look at ISO 19600 and the predecessor British Standard; there were changes introduced to ISO 37001 that just made no sense. Yet I assume ISO 19600 and the British Standard also had expert input.

There is also the anomalous disconnect between the ISO 37001 Standard, where the drafting is particularly troublesome, and the Annex, which contains some excellent detail. Yet the Annex is stripped of any power by being limited as “illustrative” only. This is so, even though the Annex at key points speaks in compelling terms. I see far more signs of expertise in the Annex than I do in the Standard, but only the Standard matters.

Whatever the history, we are now dealing with ISO 37001 and need to decide whether it should be adopted by companies or made a part of public policy and play an important role in the crucial fight against bribery. All that matters to me is whether it helps in that fight, or should be improved for that purpose, or should be replaced with something more effective. We all have an interest in that debate.


Joe Murphy is a Certified Compliance and Ethics Professional and author of 501 Ideas for Your Compliance and Ethics Program: Lessons from 30 Years of Practice (SCCE; 2008) and A Compliance & Ethics Program on a Dollar a Day. He has worked in the compliance field for over 40 years. He can be contacted here.

  1. Thanks for this Joe; it is a debate worth keeping alive. There are some flaws in the standard for sure, but none more fundamental to me than trying to impose a standard on something so connected to culture. Ethical or anti-bribery and corruption standards without a culture of ethics are as empty as safety standards without a culture of safety. Buyer beware.

  2. Dear Joe, there is another aspect to consider: the competencies of auditors. Bribery risks vary from country to country, and in the most corrupt countries you traditionally have to pay bribes to do business. We have undertaken four major audits for the scope of ISO 37001 ABMS since our accreditation and found two major companies failed to demonstrate actual implementation. A "check in the box" process is not a workable approach, as issuing a certificate is a liability for accredited certification bodies, and a strict surveillance audit can ensure that the organization is keeping its commitment, while certification can be suspended. I find this Standard the best tool for third-party risk management; however, again the question is the competencies of the audit team. Certification Bodies can't undertake a traditional audit approach and must include subject specialists with practical experience of adequate due diligence processes and operations, conflict of interest and investigative research methodologies, and background investigations on major principals involved in the certifying organization. I believe there will be certain improvements in the upcoming revision of this standard.

  3. I understand your concern about ISO 37001. I think that, although it has shortcomings, it is a good starting point. Since its inception, many of the ISO standards for management systems have been improving considerably as revisions have been made by ISO with the input of numerous certification entities that have in turn assessed the contributions made by local experts.

    I think it is an important advance to start from a standard that, in the same way as other known standards, is part of a certification scheme that has generally been considered solid. This is attested by the fact that many certification bodies that have not done their homework have been punished by the national accreditation bodies for the loss of their accreditation, with the consequent loss of prestige and market. Likewise, the different national accreditation entities interact with each other, establishing a high level of solidity to the scheme. I believe we should trust that the certification and accreditation scheme can also work for anti-corruption management systems, as they have been working for years for quality, environmental, occupational safety and health or food safety management systems, among others. Best regards.

  4. We've had the opportunity to investigate bribery and collusion for many years (over 40). In our experience all the companies involved in bribery and collusion schemes had good accounting systems and audited financial statements. Should we conclude that the generally accepted accounting standards (GAAS) are inefficient or that the accountants are sloppy? I don't believe so. We all agree that whatever the standard or the level of excellence desired, if the implementation work is sloppy or the certification audit is superficial, the quality of the management system in place will be affected. The purpose of ISO 37001, in addition to instituting adequate measures to prevent bribery, is to develop and maintain an organizational culture of integrity supported by management and shared by employees. The ISO 37001 standard for the anti-bribery management system is no different than other management systems proposed by ISO. Yes, there are flaws, and auditors of these standards must have the necessary professional experience and expertise to conduct professional audits. It would be a mistake to ignore the potential of ISO 37001 in preventing, detecting and managing bribery incidents. Can the standard be improved? The answer is YES. Till then, should the standard be ignored? The answer is NO! We can improve the implementation and auditing processes by offering superior training programs and diligent follow-ups by accreditation bodies. After more than 50 years in public and private security I still have faith in the capacity of corporate managers to develop and maintain an ethical and conformity culture in their organization.

  5. I have written extensively about these points in my draft report, but will just note a few of the concerns here:

    1. Yes/no certification is not the only alternative. SOC illustrates an important alternative approach – a report without “pass/fail”.
    2. 37001 deals with crime and fraud. So while these may occur occasionally in other areas ISO addresses, they are at the heart of bribery. This makes a huge difference.
    3. 37001 is not risk free. What happens when a certified company commits massive bribery? This could discredit the whole area of compliance management systems.
    4. ISO may be institutionally locked into methods that are suboptimal when it comes to addressing bribery.
    5. There may be effective ways to ensure audit competency, but ISO’s need for a decentralized way to accommodate so many countries may make these impossible.

    There is no one who has more faith in compliance & ethics programs and what they can achieve than I do. I have also written about the strengths in ISO 37001. But I am worried that we are locked into an ISO structure that simply does not permit alternative methods and real innovation. However, this is still a learning process for me, and I appreciate all comments. Cheers, Joe

  6. Dear Joe, your article identifies a real risk of ISO 37001 certifications. I would like to stress that the most important feature of any ISO Management System – including ISO 37001 – is that it demonstrates that an organisation has implemented a system which has reached a level of maturity that allows for continuing improvement year after year. The specificity – and difficulty – of ISO 37001 is that it requires a bribery risk mapping (section 4.5) in order to address properly risks that are “more than low”. Any failure in the bribery risk assessment leads to an inadequate compliance programme. Certification bodies need therefore to rely on auditors that have solid expertise in anti-corruption compliance programs in order to assess the rigour of the bribery risk assessment with a view to verifying that corresponding mitigation actions are in place. This is why the ISO/TEC 309 decided to add a complement to the ISO 17021 which governs certification bodies under accreditation, i.e. the section 9 (ISO 17021.9), to describe the compulsory anti-corruption expertise that auditors involved in ISO 37001 certification should demonstrate. It is the expertise of the certification body auditors in bribery prevention that ensures that ISO 37001 is not a box-checking exercise.

  7. Hi, Philippe – I agree that expertise in conducting the reviews is essential, and thus I would not rely on a third party’s being certified unless I first had a chance to examine the whole report and notes of whoever conducted the audit. I am concerned that ISO’s essentially federated structure and absence of central control makes it highly unlikely that the various entities authorized worldwide to conduct reviews will come anywhere near the standard that would be applied by an entity like ETHIC Intelligence. It is nice that ISO 17021 exists, but like company codes of conduct it is not self-executing. However, even if reviewers have the expertise and fully embrace ISO 17021, I believe any “pass/fail” system sends the wrong message.

  8. ISO 37001 does not need to be improved before large-scale adoption occurs because that is already happening. Italy, Switzerland, France, Germany, UK, Greece, Israel, United Arab Emirates, Indonesia, Korea, Bangladesh, Canada, Mexico, Peru and Brazil now have accredited certification bodies. Many (of these and other) countries now have accredited certifications with Italy, Peru, Brazil and Indonesia achieving significant numbers. Peru has jailed a number of ex presidents for corruption and other offences and has 10 accredited certifications. Brazil’s recent judicial action against corruption is well documented. Indonesia is similarly taking measures against corruption. The ISO 37001 certifications in these countries are just one part of the fight against corruption.

    A country cannot simply empower a questionable Accreditation Body (AB) as you suggest. An AB must belong to the International Accreditation Forum (IAF) and a regional accreditation group, such as the Inter American Accreditation Cooperation (IAAC) or Pacific Accreditation Cooperation (PAC). The AB must subject itself to assessment by its regional accreditation group before its accreditations are accepted as equivalent to those of other ABs and can ultimately become a participant to the IAF Multilateral Recognition Agreement (MLA). Only then will its accreditations be universally accepted. The USA has three ABs that accredit Conformity Assessment Bodies for management system certification: ANAB, IAS and UAF. ANAB and IAS are participants of the IAF MLA. The UAF is a new AB that has not been accepted as a participant of the IAF MLA, so it cannot (yet) award universally recognised accreditations.

    The suggestion that a CAB would never revoke a certification is wrong. CABs can and do suspend certifications against management system standards such as ISO 9001, ISO 14001 and ISO/IEC 27001 if an annual surveillance audit reveals serious failures. That is part of the requirements of accreditation. Similarly, an AB can suspend accreditations. For example, the ANAB website provides a list of current withdrawals of accreditation.