Compliance has an image problem: the team that blocks things. ISO 37301 reframes it as a management system that makes doing the right thing the path of least resistance — and, unlike its predecessor ISO 19600, it's a requirements standard you can actually be certified against.
Start with your obligations
The foundation of a compliance management system (CMS) is knowing what you must comply with. ISO 37301 divides compliance obligations into requirements (laws, regulations, permits, contracts you must meet) and commitments (codes, standards, principles you've chosen to adopt). You can't manage compliance you haven't mapped.
Then assess compliance risk
Not all obligations carry equal risk. ISO 37301 asks you to assess where non-compliance is most likely and most damaging, and to prioritise accordingly — the same risk-based thinking that runs through modern management standards.
The shift ISO 37301 demands: from compliance as after-the-fact enforcement to compliance built into how decisions are made.
Independence and leadership
Two features give a CMS teeth. Leadership must visibly own compliance and set the tone. And the compliance function needs appropriate independence and authority — it can't be quietly overruled by the people it's meant to check. A compliance officer who reports only to the person creating the risk isn't independent.
Culture is the real deliverable
ISO 37301 explicitly targets compliance culture — the shared values and behaviours that determine what people do when no one's watching. Policies and controls matter, but a healthy culture is what makes them stick. Monitoring, addressing non-compliance fairly, and protecting those who raise concerns all feed it.
Why certify
- Demonstrates due diligence to regulators and partners.
- Reduces the cost and frequency of compliance failures.
- Integrates cleanly with anti-bribery (ISO 37001) and whistleblowing (ISO 37002) systems.
Build a compliance system that holds
My ISO 37301 course covers obligations mapping, compliance risk, the independent compliance function, and building the culture that makes it all work.
View the ISO 37301 course →
Questions
Is ISO 37301 certifiable?
Yes — it replaced ISO 19600 (which was guidance only) with a requirements standard you can be certified against.
How does it relate to ISO 37001?
ISO 37001 is anti-bribery specifically; ISO 37301 is the broader compliance management system. They're designed to work together.