ISO 37301 

is perhaps the newest “brand” among the published standards defined by

the International Organization for Standardization (ISO). We seldom see the “ISO 37301
Certified” banners proudly displayed outside an organisation facilities or documents.
Nevertheless, today many large organizations insist that they are to be ISO
37301 certified. An entire industry has sprung up around the topic of ISO
standards, – including the “37000” family of standards that are focused on compliance. 
To newbies, the ISO 37301 certification might sound like an enigmatic and highly technical
undertaking, full of detailed specifications that dictate exactly how an organization should
safely conduct its business. Though, these standards have everything to do with creating a
corporate culture where compliance can flourish. A culture of compliance begins with a
clear understanding of the big picture: 
I. Clause 4 of ISO 37301 calls for companies to focus on the external and internal issues
must be determined to establish the compliance management system (CMS): Context,
interested parties’ needs, scope, good governance principles, compliance obligations,
risk assessment. Here, good governance is essential where direct access of the
compliance function to the governing body (Board), independence from line
management, appropriate authority, and adequate resources.

II. Clause 5 addresses is all about leadership and commitment; a policy needs to be
established and the roles and responsibilities at all levels must be established. For a CMS
to be effective the governing body and top management need to lead by example, by
adhering to and actively supporting compliance and the CMS.

III. Clauses 6 and 7, planning and support are considered the context of the organization
and establish the CMS objectives and determine and provide the resources needed.
These include training, awareness, behaviour, communication, and documentation. The
development of a compliance culture requires the active, visible, consistent, and
sustained commitment of the governing body and top management towards a common,
published standard of behaviour that is required throughout every area of the
organization.

IV. Clauses 8 and 9, operation and performance evaluation are about planning,
implementation and controlling of the processes, including outsourced processes,
needed to meet the compliance obligations. Determine monitoring and performance
measurement, audits, and reporting of the results to the governing body and top
management. The governing body, management and the compliance function should
ensure that they are effectively informed on the performance of the organization’s CMS

V. Clause 10 Improvement talks about the organization should react when noncompliance
occurs, evaluate the need for action to eliminate the root cause and make necessary
changes to the CMS. A reporting mechanism should be implemented and a process for
continual improvement. To have an effective CMS should include a mechanism for
 employees and/or others to report suspected or actual misconduct of the organization’s
compliance obligations on a confidential basis and without fear of retaliation.

Whether an organisation is already ISO 37301 certified, or just getting a compliance

management program off the ground, ABAC can help you in your own journey
of continuous improvement. ABAC help companies streamline and improve their
compliance management processes that virtually anyone can tailor to fit their own unique
needs.