CA-17 · Compliance · antisoborno

ISO 37001

The international anti-bribery management standard. Formally certifies your criminal compliance programme before any external audit and accredits you with clients, public authorities and international partners.

StandardISO 37001:2025 (2nd edition; transition until Feb 2027)
Duration5-8 months depending on size
ScopeSMEs and mid-market with public-sector exposure

ISO 37001:2016 is the standard published by the International Organization for Standardization for anti-bribery management systems. Unlike UNE 19601, which is strictly Spanish in scope and oriented towards corporate criminal liability exemption, ISO 37001 carries international recognition, is certifiable by an accredited third party (AENOR, Bureau Veritas, SGS, TÜV…) and is designed for organisations operating across multiple countries or needing to demonstrate their programme to foreign clients or contracting authorities. In Spain both standards coexist; many companies implement them in parallel to cover both the internal criminal compliance front and international recognition.

The standard requires the organisation to adopt a risk-based approach: systematically assessing where and with whom bribery exposure exists (commercial partners, intermediaries, agents, M&A transactions, public-sector contracts), establishing controls proportionate to that exposure and maintaining auditable records that demonstrate their operation. The standard incorporates specific requirements on third-party due diligence, conflict-of-interest management, gifts and hospitality, donations and sponsorships, and anti-fraud financial controls. The anti-bribery function must have documented authority and independence, which in practice obliges many SMEs to redefine their internal governance structure.

Summum Calidad guides the organisation from the initial gap assessment through to certification audit by the accredited body. We do not certify: the certificate is issued by an ENAC-accredited third party. Our work is to build the system, document it rigorously, train the team and prepare the organisation to pass the first-party audit. Since 2007 we have been implementing management systems in Castilian and Canary Island SMEs; we know first-hand the points that certification auditors typically examine most closely and how to anticipate them.

The ISO 37001 process.

The process · four stages
01

Diagnosis and risk analysis

We map the organisation's context: sectors of operation, geographies, types of third-party relationship (public contracts, intermediaries, commercial agents, M&A). We identify inherent and residual bribery risks, weight them by probability and impact, and prioritise controls. The output is the Bribery Risk Assessment (BRA), the core document of ISO 37001.

02

System design and documentation

We draft the anti-bribery policy, the third-party due diligence manual, procedures for managing gifts and hospitality, anti-fraud financial controls and the incident investigation protocol. Every document is adapted to the company's real operational context — no generic templates, with actual workflows and named responsible parties. We define the anti-bribery function with the authority and independence the standard requires.

03

Training, whistleblowing channel and implementation

We deliver role-differentiated training: senior management (tone from the top), middle management (operational application) and exposed personnel (sales, procurement, administration). We configure or audit the whistleblowing channel in compliance with the applicable legislation on whistleblower protection and with the confidentiality and non-retaliation requirements of ISO 37001. We support the live roll-out of the system through at least one full operating cycle.

04

Pre-audit and certification

We conduct an internal mock audit applying the criteria the certification body will use, identify non-conformities and close corrective actions before the formal audit. We coordinate selection of an ENAC-accredited certification body (AENOR, Bureau Veritas, SGS, Lloyd's Register or others), prepare the documentary file and support the organisation throughout the audit days. Once the certificate has been issued, we plan the triennial maintenance of the system.

What is included

What ISO 37001 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Bribery Risk Assessment

    Complete exposure map by geography, sector, type of commercial partner and contract value. The foundation of the anti-bribery policy and third-party due diligence.

  • Anti-bribery policy and code of ethics

    High-level document approved by management, with concrete commitments on gifts, hospitality, donations, sponsorships and facilitation payments. Adapted to the company's size and sector.

  • Due diligence procedure

    Questionnaire and review protocol for commercial partners, intermediaries, agents and counterparties in M&A transactions, with control levels proportionate to the detected risk.

  • Anti-bribery financial controls

    Review and design of controls on unusual payments, entertainment expenses, third-party commissions and cash transactions. Coordinated with the finance team and accounting requirements.

  • Whistleblowing channel

    Configuration or review of the internal channel: confidentiality guarantees, acknowledgement and resolution timescales, whistleblower protection and coordination with data processing (GDPR).

  • Role-differentiated training plan and internal audit

    Training by profile (management, middle managers, exposed personnel), attendance and comprehension records, and internal mock audit before external certification.

Frequently asked questions about ISO 37001.

Does ISO 37001 replace UNE 19601 in Spain?

No. They are complementary standards with different purposes. UNE 19601 is the Spanish criminal compliance standard, designed to demonstrate to Spanish courts that the company had an effective crime-prevention programme (exemption or mitigation of corporate criminal liability under Article 31 bis of the Spanish Criminal Code). ISO 37001 focuses exclusively on bribery and has international scope. Many organisations implement both within an integrated system: UNE 19601 covers domestic criminal compliance while ISO 37001 provides international recognition and certification by an accredited third party. The Summum team coordinates both implementations to avoid duplicated documentation.

Which body certifies ISO 37001 in Spain?

Certification is issued by a certification body accredited by ENAC (the Spanish National Accreditation Body), not by Summum. The most common ones in Spain are AENOR, Bureau Veritas, SGS, Lloyd's Register and TÜV Rheinland. Summum Calidad prepares the organisation to pass the audit, but the certificate is signed and backed by the independent third-party body. ENAC accreditation is what gives the certificate official validity in Spain and in the countries that are signatories to the EA/IAF multilateral recognition agreements.

How long does it take to implement ISO 37001 in an SME?

Between 5 and 8 months in an SME of 20-100 employees, depending on the starting point (whether a compliance programme already exists) and the complexity of the third-party map. The process includes diagnosis, system design, training, a live operating cycle and an internal audit before certification. If the company already has UNE 19601 implemented, timescales are shorter because the base documentation and compliance culture already exist.

Is ISO 37001 mandatory for public procurement in Spain?

There is currently no direct legal obligation in Spain to certify ISO 37001 in order to bid for public contracts. However, Law 9/2017 on Public Sector Contracts requires tenderers to declare they have not been convicted of bribery offences (Article 71), and many high-value tenders already include the certification as a criterion of technical solvency or award. In the private sector, listed companies and multinationals are increasingly requiring it of first-tier suppliers as part of their supply-chain due diligence.

What about ISO 37001:2025? Do we need to migrate?

ISO published the second edition, ISO 37001:2025, on 28 February 2025. The main changes reinforce alignment with the High Level Structure (HLS) harmonised with ISO 9001, 14001, 45001…, expand requirements on digital due diligence, add clauses on compliance culture and conflict of interest, and update references to the international anti-corruption legal framework. The IAF has set 28 February 2027 as the transition deadline; after that date certificates issued under the 2016 edition will no longer be valid. Summum includes migration support within the system maintenance service.