Skip to content

ISO 37301: your next step in compliance?

Investment in compliance management continues to grow exponentially. In Macquarie Group’s latest financial results, compliance spend amounted to 17% of net profit and is only expected to grow in years to come. In April 2021, ISO released the certifiable standard ISO 37301 on compliance management systems. With compliance on the move, should your next move be to get ISO 37301 certified?

In this blog we cover:

  • What does the ISO 37301 compliance management standard cover?
  • What are the benefits to being certified?
  • What are the elements of a strong compliance system?
  • What are recommended best practices to conform to the standard?
  • Where do you start?
  • What resources do you need?
  • Does the standard provide value if you don’t need to be certified?

Listen to this episode of the GRC Professional Podcast:
Showing Evidence In ISO 37301

What does the ISO 37301 compliance management standard cover?

ISO 37301 includes requirements and guidance on compliance management systems and practices, designed to enable the organisation to meet its obligations. It was released in April 2021 and replaces ISO 19600.

While the content is very similar, the most important change is that ISO 37301 is a Type A or management standard, which means you can be certified against the standard. ISO 37301 replaces the word ‘may’ with ‘shall’ for the elements that must be in place to be certified.

Like all of ISO’s management standards, it includes what is required to conform while also being adaptable and applicable to organisations of any size.

What are the benefits to being certified?

The compliance management standard sets a high bar. Being certified against the standard builds confidence and trust with your stakeholders, internal and external, and demonstrates that you have a strong compliance system in place.

Instances of noncompliance and regulatory action are becoming increasingly common across multiple jurisdictions, with the financial news regularly featuring stories of heavy fines and other sanctions for breaches.

Certification goes beyond simply telling your business partners that you’ve got things in hand: the independent process gives them assurance the compliance management system is operating effectively. Certification gives you a competitive advantage through improved credibility and enhanced reputation.

Internal stakeholders including management and top governing bodies gain increased confidence that compliance outcomes are being well managed. Increased confidence allows you to push boundaries in pursuit of your commercial objectives. At Protecht we refer to this as the ‘licence to go faster’. We can do more with the confidence that compliance risks are being well managed.

What are the elements of a strong compliance system?

The key elements that demonstrate a strong compliance system include:

  • Visible leadership and commitment
  • Adequately resourced compliance function to achieve compliance objectives
  • Processes in place to monitor the changing obligation landscape
  • Embedded compliance culture across the organisation
  • Documented information that is accessible and relatable to different audiences
  • Measurable objectives supported by timely indicators

All of these are interwoven into the overall compliance management system and support each other; strong leadership will commit resources; effective resources allow comprehensive monitoring and business partnerships; strong partnerships and processes help embed culture; consistently documented information allows for measurement; and reporting against objectives provides leadership with evidence on how the compliance management system is operating. Strengthening any element also strengthens the whole.

Where do you start?

The first step is to identify whether there are, and who has authority to commit, adequate resources to bridge the gap to certification.

The second step is to conduct a gap analysis of the ISO 37301 standard against your current practice.

Leadership and commitment of the top governing body isn’t just best practice; it’s a requirement to conform to the standard. This may be the biggest challenge for compliance teams that are in the early part of their journey; that achieving compliance is an outcome of everyone’s efforts, not just the compliance team.

Your gap analysis should include an assessment of the tools that you are using to manage compliance:

  • How do we identify changing obligations?
  • How do we identify internal changes and their effect on obligations?
  • Are our compliance assessments integrated with our enterprise risk framework?
  • How do we communicate with other teams?
  • How do we track changes in assessments? Can we monitor them over time?

Once you’ve conducted your gap analysis, you can develop a plan to address those gaps.

What resources do you need?

The standard requires you to have sufficient resources to establish, implement, maintain and improve your compliance management system, which includes technical resources. If you are limited to using spreadsheets, word processors and emails, you will find it difficult to maintain a compliance management system of any reasonable size.

Compliance management software can help provide a comprehensive compliance management capability designed to support your journey to conforming to the ISO 37301 standard, including:

  • Complete libraries of regulatory obligations expressed in plain language
  • Alerts when regulatory change affects your organisation
  • The ability for your compliance teams to assess obligations and assign responsibilities
  • Integration with control assessments
  • Automated and timely compliance attestations and workflows
  • Dashboards that provide an integrated view of the management of your obligations by aggregating a range of information over those obligations such as related control effectiveness, incidents and audit findings

Importantly these tools help you demonstrate that you have the documented information required by the standard, including version control and how information has changed over time.

Does the standard provide value if you don’t need to be certified?

In short, yes. It sets the standard for an effective compliance program, which is designed to deliver outcomes aligned with your compliance objectives. Many of the benefits outlined above can still be realised by demonstrating conformance to the standard.

Completing a gap analysis against the standard provides benchmark and a maturity pathway for your compliance program, even if you aren’t planning to be certified any time soon.


If you are interested in finding out more about ISO 37301 and how it could help your business, please listen to the latest GRC Professional Podcast featuring Protecht's Research & Content Lead, Michael Howell.

Join us later this month for our Managing Compliance Obligations Under ISO 37301 webinar. In this live session, we will demonstrate how Protecht.ERM and LexisNexis can help you implement a best practice compliance management system. Register for the webinar now.

If you would like to know more about how Protecht can help your business achieve sustainable compliance and risk operations, request a demo of our Protecht.ERM system now.

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.