1. What is ISO 37001?

ISO 37001 is an international standard developed by the International Organization for Standardization (ISO) for anti-bribery management systems. It provides a systematic framework for organizations of all types and sizes to prevent, identify, and address internal and external bribery risks.

This standard is applicable to organizations across all industries and is not limited to the commercial sector. Its core objective is to reduce the likelihood of bribery by establishing policies, processes, control measures, and monitoring mechanisms, while ensuring compliance with relevant laws, regulations, and other compliance requirements.

2. Core Control Measures of ISO 37001

(1) Anti-bribery Policy and Commitment

Develop a clear anti-bribery policy, signed and publicly disclosed by top management; commit to zero tolerance for bribery, clarify compliance responsibilities and reward/punishment mechanisms, and ensure the policy is appropriate to the organization’s size, industry characteristics, and bribery risk level.

(2) Risk Assessment and Risk-based Control

Comprehensively identify internal and external bribery risk points, including commercial bribery, bribery of public officials, and third-party-related bribery; classify risks based on their likelihood and impact, and develop special control plans for high-risk areas such as procurement, bidding and tendering, and overseas business.

(3) Organizational Responsibilities and Authority

Clearly define the roles and responsibilities of the anti-bribery management representative and the anti-bribery team, and provide them with sufficient resources and independent investigation authority; establish an anti-bribery oversight mechanism to ensure that the responsibilities of various departments (especially procurement, sales, and finance) are clear and mutually checks and balances.

(4) Personnel Control Measures

Conduct background checks on key positions to exclude individuals with a history of bribery-related misconduct; provide anti-bribery training to all employees, covering laws and regulations, policy requirements, and case warnings; establish employee reporting channels and ensure the confidentiality of whistleblowers and protection from retaliation.

(5) Third-party Management Measures

Conduct anti-bribery due diligence on suppliers, distributors, partners, and other third parties; include anti-bribery clauses in contracts and specify the consequences of non-compliance; regularly monitor the compliance status of third parties and impose stricter controls on high-risk third parties.

(6) Financial and Resource Control Measures

Standardize processes for expense reimbursement, gifts and hospitality, donations and sponsorships, and set clear monetary limits and approval authorities; prohibit the establishment of “secret funds” or off-book accounts; strengthen financial audits and conduct special checks on abnormal transactions.

(7) Project and Business Activity Control Measures

Establish compliance review processes for high-risk business activities such as bidding and tendering, market expansion, and administrative approval; clarify the rules for receiving or offering gifts, hospitality, rebates, and commissions to ensure compliance with local laws, regulations, and industry standards.

(8) Reporting and Investigation Mechanisms

Establish convenient and confidential reporting channels (including online, offline, and third-party channels); develop investigation procedures for bribery incidents, clarifying investigation authority, evidence preservation, and handling timeframes; for confirmed bribery cases, take disciplinary actions and legal liability in accordance with relevant regulations.

(9) Monitoring, Audit, and Improvement

Conduct regular internal audits of the anti-bribery management system, at least once a year; top management shall chair management reviews to evaluate the effectiveness of the system; develop corrective and preventive actions for issues identified in audits or bribery incidents, and continuously optimize the control system.

(10) Compliance Culture Building

Carry out regular anti-bribery publicity and education, and integrate anti-bribery concepts into the organizational culture; recognize and reward individuals or departments with outstanding compliance performance to foster a culture of compliance across the entire organization.