The 2025 revision of ISO 37001 (Anti-bribery management systems) retains the core structure and requirements of the 2016 edition, ensuring continuity for certified organizations. It aligns with the new ISO Harmonized Structure (HS), replacing the High Level Structure, with minor terminology updates (e.g., “stakeholders” to “interested parties”) and clearer guidance. Most organizations will need minimal updates for recertification by February 2027, when the 2016 version is withdrawn.
Key changes include:
A clause-by-clause comparison highlights additions, modifications, restructurings, and clarifications, with minor wording changes throughout for HS consistency.
| Clause | 2016 Revision | 2025 Revision | Key Difference |
| 1 Scope | Applies to all organizations for preventing bribery; covers public/private sectors | Similar, but emphasizes domestic/international bribery and integration with broader compliance. | Clarification on applicability to SMEs and alignment with ESG/sustainability; minor wording updates. |
| 3 Terms and definitions | Defines key terms (e.g., bribery, compliance function). | Updated definitions (e.g., “facilitation payments,” “emerging bribery risks,” “governing body”); adds notes for SMEs. | Enhanced clarity; introduces terms like “anti-bribery culture” and “conflicts of interest”; “anti-bribery compliance function” renamed to “anti-bribery function.” |
| 4 Context of the organization | Covers internal/external context, stakeholders’ needs, scope, ABMS establishment, and bribery risk assessment. | Similar structure, but 4.2 uses “interested parties” instead of “stakeholders.” | Additions in 4.1 and 4.2: Explicit requirement to consider climate change (e.g., as an external issue or interested party concern, per ISO London Declaration 2021). Risk assessments now encourage integration with enterprise risk management. |
| 5 Leadership | 5.1–5.3: Leadership commitment (governing body/top management), policy, roles/responsibilities (including compliance function and delegated decisions). | Similar, but 5.3 titled “Roles, responsibilities and authorities” (removes “Organizational”). | Addition in 5.1.3: New subclause on “Anti-bribery culture,” requiring top management to promote ethical behavior, intolerance of bribery, and cultural integration at all levels. Modification in 5.3.1: Renamed from “Roles and responsibilities” to “General.” Modification in 5.3.2: “Anti-bribery compliance function” → “Anti-bribery function” with clarified independence, resources, and access to leadership. Stronger emphasis on leadership accountability and ethical oversight. |
| 6 Planning | 6.1–6.2: Actions for risks/opportunities; objectives and planning. | Similar, but page shifts due to prior changes. | Addition in 6.3: New clause on “Planning of changes” (e.g., for ABMS modifications), aligning with HS for structured change management. Objectives now include KPIs and continuous review of emerging threats. |
| 7 Support | 7.1–7.5: Resources, competence (general/employment), awareness/training, communication, documented information. | Similar structure. | Modification in 7.2.2 (Employment process): Adds awareness of conflicts of interest (e.g., screening for personal/financial biases). Restructuring in 7.3: Renamed from “Awareness and training” to “Awareness”; split into sub-clauses: 7.3.1 (personnel awareness), 7.3.2 (personnel training), 7.3.3 (training for business associates), 7.3.4 (programmes overview). Enhances third-party training requirements. Modification in 7.5.2: Adds “documented” to title for clarity. Greater focus on competence in digital tools and ethics. |
| 8 Operation | 8.1–8.10: Planning/control, due diligence, financial/non-financial controls, implementation by controlled entities/associates, commitments, gifts/hospitality, inadequacy management, raising concerns, investigating bribery. | Similar structure, with page shifts. | Enhancement in 8.2 (Due diligence): More rigorous for third parties (e.g., ongoing monitoring, high-risk areas like joint ventures/M&A, PEPs). Addition in 8.4 (Non-financial controls): Explicitly lists mergers/acquisitions as a risk area. Expanded guidance on conflicts of interest and whistleblower channels (8.9); promotes data analytics for detection. |
| 9 Performance evaluation | 9.1–9.4: Monitoring/analysis, internal audit, management review (top/governing body), review by compliance function. | Similar, but restructured sub-clauses. | Restructuring in 9.2 (Internal audit): Adds sub-clauses: 9.2.1 (General), 9.2.2 (programme), 9.2.3 (procedures/controls/systems), 9.2.4 (objectivity/impartiality). Requires more frequent/rigorous audits with KPIs. Restructuring in 9.3 (Management review): 9.3.1 (General), 9.3.2 (inputs), 9.3.3 (results). Combines top management/governing body reviews into a unified process; adds climate/ethics inputs. Modification in 9.4: “Review by anti-bribery compliance function” → “Review by anti-bribery function.” Emphasizes real-time monitoring and fraud detection tools. |
| 10 Improvement | 10.1–10.2: Nonconformity/corrective action; continual improvement. | Similar content, but order swapped. | Restructuring: Now 10.1 (Continual improvement first), 10.2 (Nonconformity/corrective action). Promotes proactive improvement via analytics and reporting. |
| Annex A (informative) Guidance | detailed implementation guidance. | updated examples (e.g., climate risks, digital tools). | Enhanced with modern scenarios (e.g., third-party monitoring, ethical culture); aligns with ISO 37002 for whistleblowing. |
| Bibliography | lists related standards. | updated to include newer standards (e.g., ISO 37301, ISO 37002). | Additions for harmonization (e.g., compliance and whistleblowing standards). |
These updates make the standard more proactive and integrated with contemporary challenges like sustainability and digital risks, while facilitating easier adoption alongside other ISO systems. For full transition, organizations should review their ABMS against the new edition, focusing on culture, climate, and conflicts.
