ISO 37301 is the international standard for compliance management systems. As it becomes increasingly difficult and at the same time more important for organisations to implement legal requirements, contractual obligations, and internal policies in order to remain compliant, ISO 37301 is gaining significance even for SMEs.
In a nutshell
- ISO 37301 outlines how organisations can systematically implement legal requirements, contractual obligations, and internal policies.
- It defines the requirements for establishing a compliance management system. Certification is possible.
- Organisational culture, top management, and the Compliance Officer play a key role in ISO 37301.
- Thanks to its structure, which aligns with other ISO standards, ISO 37301 is well-suited for managing all compliance requirements or for use within an integrated management system.
What is ISO 37301?
Compliance, the adherence to legal regulations, regulatory requirements, and internal company policies, is essential for organisations to ensure legal certainty, avoid financial penalties, and protect their reputation.
A compliance management system helps organisations minimise risks such as corruption, fraud, or data protection violations, and ensures that business processes align with applicable laws and internal rules. This not only helps avoid sanctions but also strengthens trust among customers, business partners, and investors.
Since 13 April 2021, the ISO 37301 standard has provided a structured framework for companies and other organisations to comply with legal requirements, contractual agreements, internal policies, and ethical standards.
ISO 37301 promotes the implementation of procedures to prevent breaches of rules, placing particular emphasis on risk management, clearly defined responsibilities, and employee training. The aim of the standard is to establish a culture of integrity and transparency within the organisation.
To achieve this, ISO 37301 outlines how to establish and continuously improve a compliance management system. This is intended to help sustainably reduce financial, legal, and reputational risks.
Tip: Learn more about the scope, implementation, and benefits of a compliance management system.
ISO 37301 vs. ISO 19600
Differences and similarities between the standards
ISO 37301 replaces the earlier compliance standard ISO 19600. While ISO 19600 only provided guidelines, ISO 37301 allows organisations to obtain official certification of their compliance similar to the certification of an information security management system (ISMS) in accordance with DIN EN ISO/IEC 27001:2024. A key advantage of ISO 37301 certification is that the standard is internationally recognised and comparable.
Another notable difference between the two compliance standards lies in how the content is formulated. Whereas ISO 19600 only offered recommendations, ISO 37301 is much more binding, setting out specific requirements for organisations. At the same time, it remains flexible, allowing the requirements to be implemented in a way that suits the organisation’s structure and culture.
In terms of content, the requirements of ISO 37301 differ only slightly from those of its predecessor. One major change concerns the roles and responsibilities of the individuals and departments responsible for monitoring and ensuring compliance with legal, regulatory, and internal requirements (the compliance function), particularly in areas such as HR processes, whistleblowing systems, and the investigation of compliance incidents.
Organisations that have already implemented the ISO 19600 guidelines only need to make minor adjustments to transition to ISO 37301. One exception is the area of whistleblowing.
New protection for whistleblowers
One of the key innovations compared to the previous standard is the emphasis on protecting whistleblowers. ISO 37301 places great importance on whistleblowing systems as an essential part of an effective compliance management system. The standard outlines best practices for establishing and operating such systems to foster a culture of trust and transparency within the organisation. Key requirements include:
- Confidentiality and protection of whistleblowers: The identity of whistleblowers must be safeguarded, for example through the use of anonymous reporting channels.
- Accessibility for all relevant parties: The whistleblowing system should be easily accessible to employees, business partners, and other relevant stakeholders.
- Thorough and timely investigation: Every report must be investigated independently, fairly, and efficiently.
- Protection against retaliation: The standard calls for measures to ensure that whistleblowers do not face negative consequences for making a report.
- Complete documentation and follow-up: All reports and actions taken must be clearly and comprehensively documented.
These extensive whistleblowing requirements in ISO 37301 are designed to help organisations detect compliance violations at an early stage and take targeted countermeasures to minimise further damage.
Tip: Learn everything you need to know about whistleblowing in organisations, the German Whistleblower Protection Act (HinSchG), and how a whistleblowing ombudsperson can help ensure compliance with the regulations.
The importance of compliance culture in ISO 37301
ISO 37301 highlights the crucial role of fostering a compliance culture through a strong “tone from the top” from senior management down to every individual employee.
To implement and maintain an effective compliance management system, a lived compliance culture is essential. According to ISO 37301, such a culture encompasses the values, beliefs, and behaviours that exist throughout the organisation, and that together with the corporate structure create a behavioural standard that promotes compliance within the company.
Compliance culture is therefore fundamental to shaping employee behaviour, values, and attitudes towards the adherence to laws, contracts, policies, and voluntary codes.
In this context, the leadership role of top management is vital. Only when those at the top send clear signals about the importance of compliance will this mindset be reflected and taken seriously throughout the entire organisation.
The role of top management in ISO 37301
The attitude of top management towards compliance culture is considered crucial to the effectiveness of a company’s compliance management system. According to ISO 37301, management is required to demonstrate leadership and commitment to compliance across all areas of the organisation.
One of the responsibilities outlined in the standard is the development and establishment of a strategy that defines compliance-related objectives and values. These objectives and values must be clearly communicated to employees. It is equally important that leadership visibly supports the compliance management system (CMS) to foster trust and acceptance among the workforce.
Another key responsibility is the provision of adequate resources whether financial, through new hires, or via the acquisition of technical equipment or specialised software. In addition, top management must ensure that the effectiveness of the CMS is regularly monitored and evaluated to guarantee its functionality and to address any potential issues at an early stage.
Compliance is particularly significant for top management, as breaches of compliance obligations can lead not only to severe reputational damage but also to legal liability for the executives themselves. In some cases, the consequences can even pose an existential threat.
The role of compliance officer (CO) in ISO 37301
While top management holds overall responsibility for the compliance management system, the Compliance Officer also plays a central role. Acting as an extension of management, the Compliance Officer coordinates the implementation, maintenance, and monitoring of the compliance management system within the organisation. It is particularly important that the Compliance Officer can carry out these duties objectively and free from any conflicts of interest.
Key responsibilities include collaborating with other departments, providing advice, reporting to top management, and identifying potential risks arising from non-compliance with laws and regulations. The Compliance Officer is also responsible for training employees to ensure they are aware of relevant legal requirements and develop a strong compliance mindset.
In larger corporate groups, the appointment of a Group Compliance Officer can be especially important. Due to their size, international operations, and complex structures, such organisations face unique compliance challenges. A Group Compliance Officer assumes a higher-level role, ensuring consistent implementation of group-wide compliance standards. They coordinate the compliance strategy across all subsidiaries and business units to maintain a coherent and effective compliance management system. This involves not only adherence to national and international laws but also consideration of group-specific policies and values.
Many large organisations also operate with a decentralised compliance structure, in which regional or department-specific Compliance Officers work alongside the Group Compliance Officer and in close cooperation with group management.
Tip: For most organisations, appointing an external Compliance Officer is advisable to prevent conflicts of interest.
Why is ISO 37301 important for organisations?
ISO 37301 offers numerous benefits by defining the requirements for an effective compliance management system. Additionally, the standard follows the same structure as other management system standards (e.g. ISO 9001, ISO 14001), allowing the compliance management system to be integrated into existing systems (integrated management system). This enhances efficiency and avoids duplication of effort, as shared processes and structures can be used where they cover overlapping activities. It also allows risks from various areas to be addressed and managed holistically.
Another benefit of an integrated management system is cost savings: Combined audits can reduce external audit expenses and lower administrative effort by using shared resources.
Moreover, a compliance management system enables the early identification and management of compliance risks. This reduces liability risks for the organisation and ensures security and continuity in business operations especially in light of European supply chain requirements.
