ISO 37001 or ISO 37301: What to Certify First (and Why)

If you’re a Compliance Manager, you’ve likely faced this exact situation: leadership wants a certification “quickly”, commercial teams want something that signals trust to customers, and auditors want evidence that your compliance programme is more than a PDF policy.

The most common question is: (Anti-Bribery) ISO 37001 or ISO 37301 (Compliance Management System) — which one should you certify first?

There isn’t a one-size-fits-all answer, but there is a practical decision logic that helps you avoid duplication, shorten delivery time, and build a programme that actually works in the real world. This guide gives you a clear decision framework, practical steps, roles, timelines, common pitfalls, one mini real-world scenario, and a copy-paste “downloadable” template to kick-start your plan.

1) What each standard does in plain English

ISO 37301 — Compliance Management System (CMS)

Treat ISO 37301 as your compliance operating system. It structures how you identify obligations, assess compliance risks, design controls, manage evidence, monitor performance, run internal audits, and improve continuously — while strengthening culture and governance.

Best fit when

• You must manage multiple compliance obligations and stakeholders.

• You want a repeatable system rather than ad-hoc initiatives.

• You need traceability: obligation → risk → control → evidence → review.

ISO 37001 — Anti-Bribery Management System (ABMS)

ISO 37001 is more focused: it targets preventing, detecting and responding to bribery risk. It pushes rigour in areas that typically fail in practice: third-party due diligence, gifts and hospitality, donations/sponsorship, financial and non-financial controls, reporting/investigations, and corrective actions.

Best fit when

• Your business relies heavily on intermediaries, agents, consultants or distributors.

• You work with public procurement, licensing, high-risk markets or commission-based sales.

• You have “red flags”, incidents, or direct external pressure to show anti-bribery maturity.

Key takeaway:

• ISO 37301 builds the governance backbone for compliance.

• ISO 37001 strengthens one high-impact risk domain: bribery.

2) The 7 questions that decide 80% of the outcome

Score each question honestly. Your answer will usually become obvious.

1. Is bribery risk material to the organisation (third parties, tenders, commissions, high-risk markets)?

2. Do you need a cross-functional compliance system (multiple legal/contractual obligations)?

3. Is there explicit external pressure for ISO 37001 (customer, tender, parent group)?

4. Do you have enough maturity (policies, records, audit, evidence) to survive certification now?

5. Are reporting and investigation processes (incl. whistleblowing) operational and trusted?

6. Will leadership provide visible sponsorship (tone from the top) and resources?

7. Do you have a structured way to manage obligations, controls and evidence (not scattered files)?

Practical rule of thumb

• If 1+3 are strong → ISO 37001 first (direct risk/pressure).

• If 2+4+7 are weak → ISO 37301 first (build the base).

• If both are strong and chaos exists → implement 37301 core and build 37001 in parallel, certify in phases.

3) Three realistic strategies (and when to use them)

Strategy A — Certify ISO 37301 first (the foundation approach)

Choose this if

• Your compliance scope is wide and fragmented.

• You need one governance system that covers multiple obligations.

• You want ISO 37001 to be faster later with minimal rework.

Pros

• Less duplication: document control, audits, management review, corrective actions, KPIs and evidence all become reusable.

• More consistency: compliance becomes a system, not a campaign.

Risk

• If the market demands ISO 37001 immediately, leadership may feel it’s “too slow”. Mitigate with a phased plan and visible anti-bribery deliverables early.

Strategy B — Certify ISO 37001 first (the high-risk / urgent approach)

Choose this if

• Bribery is your top organisational risk.

• You need to signal trust quickly to customers, tenders or investors.

Pros

• Fast risk reduction where it matters most.

• Strong commercial signal.

Risk

• Creates an anti-bribery “island” disconnected from broader compliance. Mitigate by planning your ISO 37301 integration from day one.

Strategy C — Integrated implementation, phased certification (fast + efficient)

Choose this if

• You want speed without waste.

• You can build a core system while developing the anti-bribery module.

How it works

1. Build the ISO 37301 core: obligations, risk assessment, controls, evidence, audit cycle.

2. Implement the ISO 37001 module: third-party due diligence, gifts/hospitality, controls, investigations.

3. Certify whichever is most urgent first, then complete the second with minimal additional effort.

Ask for the checklist (in comments of this article)

4) Roles & accountability: what auditors will actually test

Certification projects fail less because of missing documents and more because of weak governance. Keep it simple:

• Top management / Board: approves policy, sets risk appetite, assigns resources, reviews performance.

• Compliance function: designs and maintains the system, coordinates risks/controls/evidence, runs monitoring and reporting.

• Process owners (Procurement, Sales, HR, Finance, Legal, Operations): execute controls and keep records.

• Internal audit / assurance (where applicable): evaluates effectiveness and independence.

• Reporting & investigations: triage, investigate, protect confidentiality, document outcomes, drive corrective actions.

Critical note: whistleblowing and investigations are “truth points”. If they are weak, your programme becomes fragile — and your reputational risk increases.

5) A realistic timeline (no magic promises)

For a focused SME / mid-market organisation:

Phase 0 (2 weeks) — Scope + gap assessment

• Define scope boundaries (entities, countries, processes, third parties).

• Quick gap assessment and plan.

Phase 1 (4–6 weeks) — Build ISO 37301 core

• Obligations register + compliance risk assessment.

• Policies, objectives, evidence model.

• Document control, corrective actions, monitoring structure.

Phase 2 (4–6 weeks) — Implement ISO 37001 module

• Bribery risk assessment + treatment plan.

• Risk-based third-party due diligence and contracting.

• Gifts/hospitality rules, donations/sponsorship, conflict of interest.

• Financial & non-financial controls, segregation of duties, investigation process.

Phase 3 (3–4 weeks) — Operate, audit, management review

• Run controls and collect real evidence.

• Internal audit + fixes.

• Management review + readiness.

Certification (2–6 weeks)

• Stage 1 + Stage 2 audits.

Honest shortcut: if you currently lack a compliance system, ISO 37301 first usually reduces total time because most management-system mechanics are reusable for ISO 37001.

6) The pitfalls that derail most teams

1. “Policy theatre”: perfect documents, poor practice.

2. Evidence gaps: controls leave no trace.

3. Weak third-party due diligence (a top ISO 37001 failure point).

4. Low-trust reporting channels (people won’t speak up).

5. Ad-hoc investigations (no criteria, timelines, documentation).

6. Generic training (not tailored to high-risk roles).

7. Vanity metrics (training clicks vs control effectiveness).

8. No leadership sponsorship (culture doesn’t move).

9. Tool sprawl (risks in Excel, evidence in email, actions in chat).

10. Ignoring GDPR: whistleblowing and investigations require disciplined privacy design.

7) Mini real-world scenario: how a phased approach wins

Company: “TechManufacture”, 180 employees, sells to large groups and participates in tenders. Uses distributors and commercial consultants.

Problem:
Policies exist but are scattered. Training is annual and generic. Reporting is underused. Procurement and sales have inconsistent third-party controls.

Recommended decision (phased):

• Weeks 1–2: scope + gap assessment.

• Weeks 3–8: implement the ISO 37301 core (obligations, risks, control ownership, evidence model, internal audit cycle).

• Weeks 6–12 (parallel): implement the ISO 37001 module for critical processes (third parties, gifts/hospitality, financial controls, investigations).

• Certify ISO 37001 first (customer pressure), then certify ISO 37301 2–4 months later once the wider system is fully operational.

Why technology reduces effort

• A reporting channel focused on confidentiality and traceability increases trust and improves triage/closure.

• A platform to manage obligations, controls, evidence and audits reduces fragmentation and speeds up external audits.

• Specialist support accelerates design and readiness without reinventing the wheel.

Ask for the checklist (in comments of this article)

8) So… what should you certify first?

Use this operational rule today:

• Bribery is the #1 risk and external pressure is immediate? → ISO 37001 first, with a planned ISO 37301 integration.

• You need a scalable compliance system across multiple obligations? → ISO 37301 first, then ISO 37001 faster.

• You need speed without waste? → Integrated implementation + phased certification.

The goal is not “a certificate”. The goal is a system that:

• reduces real risk,

• builds stakeholder trust,

• and makes evidence requests and audits dramatically easier.

9) Next Steps:

• iCompliance.eu – Implementation Services
• iPrivacy.eu – GDPR / DPO Services
• iComply.pt – multi-standard compliance platform
• Ask for the checklist (in comments of this article)

Be part of the conversation that is shaping the future of work! Book a meeting!

See other articles that may be of interest to you.

We hope you enjoyed this article.

Thank you!

Constantino Ferreira

iBlow.eu

 Liked? Subscribe to receive future articles