Compliance management systems -- Requirements with guidance for use

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization. This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector. All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.

Compliance management systems -- Requirements with guidance for use (title of the French-language edition: Systèmes de management de la conformité -- Exigences et recommandations pour la mise en oeuvre)

Compliance management systems -- Requirements with guidance for use (title of the Slovenian-language edition: Sistemi za upravljanje skladnosti - Zahteve z napotki za uporabo)

General Information

Status: Published
Publication Date: 12-Apr-2021
Current Stage: 5060 - Close of voting. Proof returned by Secretariat
Start Date: 27-Feb-2021
Completion Date: 26-Feb-2021

Buy Standard

Standard: ISO 37301:2021 (SIST edition; colour on PDF page 9), English, 48 pages
Standard: ISO 37301:2021 - Compliance management systems -- Requirements with guidance for use, English, 40 pages
Standard: ISO 37301:2021 - Systèmes de management de la conformité -- Exigences et recommandations pour la mise en oeuvre (Compliance management systems -- Requirements with guidance for use), French, 44 pages
Standard: ISO 37301:2021 - Compliance management systems -- Requirements with guidance for use, Spanish, 44 pages
Draft: ISO/FDIS 37301, version 26-Dec-2020 - Compliance management systems -- Requirements with guidance for use, English, 40 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST ISO 37301:2021
1 June 2021
Compliance management systems - Requirements with guidance for use
(Slovenian title: Sistemi za upravljanje skladnosti - Zahteve z napotki za uporabo; French title: Systèmes de management de la conformité - Exigences et recommandations pour la mise en oeuvre)
This Slovenian standard is identical to: ISO 37301:2021
ICS:
03.100.01 Company organization and management in general
03.100.70 Management systems
SIST ISO 37301:2021 en

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

INTERNATIONAL STANDARD ISO 37301
First edition
2021-04
Compliance management systems — Requirements with guidance for use
Reference number
ISO 37301:2021(E)
© ISO 2021

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Context of the organization ... 5
4.1 Understanding the organization and its context ... 5
4.2 Understanding the needs and expectations of interested parties ... 5
4.3 Determining the scope of the compliance management system ... 5
4.4 Compliance management system ... 6
4.5 Compliance obligations ... 6
4.6 Compliance risk assessment ... 6
5 Leadership ... 6
5.1 Leadership and commitment ... 6
5.1.1 Governing body and top management ... 6
5.1.2 Compliance culture ... 7
5.1.3 Compliance governance ... 7
5.2 Compliance policy ... 8
5.3 Roles, responsibilities and authorities ... 8
5.3.1 Governing body and top management ... 8
5.3.2 Compliance function ... 9
5.3.3 Management ... 10
5.3.4 Personnel ... 10
6 Planning ... 10
6.1 Actions to address risks and opportunities ... 10
6.2 Compliance objectives and planning to achieve them ... 11
6.3 Planning of changes ... 11
7 Support ... 12
7.1 Resources ... 12
7.2 Competence ... 12
7.2.1 General ... 12
7.2.2 Employment process ... 12
7.2.3 Training ... 12
7.3 Awareness ... 13
7.4 Communication ... 13
7.5 Documented information ... 14
7.5.1 General ... 14
7.5.2 Creating and updating documented information ... 14
7.5.3 Control of documented information ... 14
8 Operation ... 15
8.1 Operational planning and control ... 15
8.2 Establishing controls and procedures ... 15
8.3 Raising concerns ... 15
8.4 Investigation processes ... 15
9 Performance evaluation ... 16
9.1 Monitoring, measurement, analysis and evaluation ... 16
9.1.1 General ... 16
9.1.2 Sources of feedback on compliance performance ... 16
9.1.3 Development of indicators ... 16
9.1.4 Compliance reporting ... 16
9.1.5 Record-keeping ... 17
9.2 Internal audit ... 17
9.2.1 General ... 17
9.2.2 Internal audit programme ... 17
9.3 Management review ... 17
9.3.1 General ... 17
9.3.2 Management review inputs ... 18
9.3.3 Management review results ... 18
10 Improvement ... 18
10.1 Continual improvement ... 18
10.2 Nonconformity and corrective action ... 19
Annex A (informative) Guidance for the use of this document ... 20
Bibliography ... 40

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

This first edition of ISO 37301 cancels and replaces ISO 19600:2014, which has been technically revised.

The main changes compared to ISO 19600:2014 are as follows:
— this document now contains requirements with additional guidance for use based on those requirements;
— this document follows ISO’s requirements for a harmonized structure for management system standards.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of compliance, considering the needs and expectations of interested parties. Compliance is therefore not only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations. Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable that compliance management is integrated with the organization’s other management processes and its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and generally accepted good governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this document as a benchmark.

Organizations are increasingly convinced that, by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the organization’s compliance obligations. Integrity and effective compliance are therefore key elements of good and diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture of compliance, considering that an effective and sound management of compliance-related risks should be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the organization such as:
— improving business opportunities and sustainability;
— protecting and enhancing an organization’s reputation and credibility;
— taking into account expectations of interested parties;
— demonstrating an organization’s commitment to managing its compliance risks effectively and efficiently;
— increasing the confidence of third parties in the organization’s capacity to achieve sustained success;
— minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

This document specifies requirements as well as provides guidance on compliance management systems and recommended practices. Both the requirements and the guidance in this document are intended to be adaptable, and implementation can differ depending on the size and level of maturity of an organization’s compliance management system and on the context, nature and complexity of the organization’s activities and objectives.

This document is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.

Figure 1 provides an overview on common elements of a compliance management system.

Figure 1 — Elements of a compliance management system

In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates permission;
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirements.

Annex A provides guidance for the use of this document.

INTERNATIONAL STANDARD ISO 37301:2021(E)

Compliance management systems — Requirements with guidance for use

1 Scope

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the compliance management system.

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.
Note 3 to entry: For the purposes of this document, the term “top management” refers to the highest level of executive management.

3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6) as well as processes (3.8) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

3.5
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)
Note 1 to entry: A policy can also be formally expressed by an organization’s governing body (3.21).

3.6
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide, or specific to a project, product, service or process (3.8).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational criterion, as a compliance (3.26) objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of compliance management systems (3.4), compliance objectives are set by the organization (3.1), consistent with the compliance policy (3.5), to achieve specific results.

3.7
risk
effect of uncertainty on objectives (3.6)
Note 1 to entry: An effect is a deviation from the expected – positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.8
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the reference.

3.9
competence
ability to apply knowledge and skills to achieve intended results

3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

3.11
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or organizations (3.1).

3.12
continual improvement
recurring activity to enhance performance (3.11)

3.13
effectiveness
extent to which planned activities are realized and planned results are achieved

3.14
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).

3.15
conformity
fulfilment of a requirement (3.14)

3.16
nonconformity
non-fulfilment of a requirement (3.14)
Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.27).

3.17
corrective action
action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

3.18
audit
systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party (3.30)), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

3.19
measurement
process (3.8) to determine a value

3.20
monitoring
determining the status of a system, a process (3.8) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.21
governing body
person or group of persons that has the ultimate responsibility and authority for an organization’s (3.1) activities, governance and policies (3.5) and to which top management (3.3) reports and by which top management is held accountable
Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

3.22
personnel
individuals in a relationship recognized as a work relationship in national law or practice, or in any contractual relationship that depends on its activity from the organization (3.1)

3.23
compliance function
person or group of persons with responsi
...

INTERNATIONAL STANDARD ISO 37301
First edition
2021-04
Compliance management systems — Requirements with guidance for use
Systèmes de management de la conformité — Exigences et recommandations pour la mise en oeuvre
Reference number
ISO 37301:2021(E)
ISO 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 5
  4.1 Understanding the organization and its context ..... 5
  4.2 Understanding the needs and expectations of interested parties ..... 5
  4.3 Determining the scope of the compliance management system ..... 5
  4.4 Compliance management system ..... 6
  4.5 Compliance obligations ..... 6
  4.6 Compliance risk assessment ..... 6
5 Leadership ..... 6
  5.1 Leadership and commitment ..... 6
    5.1.1 Governing body and top management ..... 6
    5.1.2 Compliance culture ..... 7
    5.1.3 Compliance governance ..... 7
  5.2 Compliance policy ..... 8
  5.3 Roles, responsibilities and authorities ..... 8
    5.3.1 Governing body and top management ..... 8
    5.3.2 Compliance function ..... 9
    5.3.3 Management ..... 10
    5.3.4 Personnel ..... 10
6 Planning ..... 10
  6.1 Actions to address risks and opportunities ..... 10
  6.2 Compliance objectives and planning to achieve them ..... 11
  6.3 Planning of changes ..... 11
7 Support ..... 12
  7.1 Resources ..... 12
  7.2 Competence ..... 12
    7.2.1 General ..... 12
    7.2.2 Employment process ..... 12
    7.2.3 Training ..... 12
  7.3 Awareness ..... 13
  7.4 Communication ..... 13
  7.5 Documented information ..... 14
    7.5.1 General ..... 14
    7.5.2 Creating and updating documented information ..... 14
    7.5.3 Control of documented information ..... 14
8 Operation ..... 15
  8.1 Operational planning and control ..... 15
  8.2 Establishing controls and procedures ..... 15
  8.3 Raising concerns ..... 15
  8.4 Investigation processes ..... 15
9 Performance evaluation ..... 16
  9.1 Monitoring, measurement, analysis and evaluation ..... 16
    9.1.1 General ..... 16
    9.1.2 Sources of feedback on compliance performance ..... 16
    9.1.3 Development of indicators ..... 16
    9.1.4 Compliance reporting ..... 16
    9.1.5 Record-keeping ..... 17
  9.2 Internal audit ..... 17
    9.2.1 General ..... 17
    9.2.2 Internal audit programme ..... 17
  9.3 Management review ..... 17
    9.3.1 General ..... 17
    9.3.2 Management review inputs ..... 18
    9.3.3 Management review results ..... 18
10 Improvement ..... 18
  10.1 Continual improvement ..... 18
  10.2 Nonconformity and corrective action ..... 19
Annex A (informative) Guidance for the use of this document ..... 20
Bibliography ..... 40
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

This first edition of ISO 37301 cancels and replaces ISO 19600:2014, which has been technically revised.

The main changes compared to ISO 19600:2014 are as follows:

— this document now contains requirements with additional guidance for use based on those requirements;
— this document follows ISO’s requirements for a harmonized structure for management system standards.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of compliance, considering the needs and expectations of interested parties. Compliance is therefore not only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations. Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable that compliance management is integrated with the organization’s other management processes and its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and generally accepted good governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this document as a benchmark.

Organizations are increasingly convinced that, by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the organization’s compliance obligations. Integrity and effective compliance are therefore key elements of good and diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture of compliance, considering that an effective and sound management of compliance-related risks should be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the organization such as:
— improving business opportunities and sustainability;
— protecting and enhancing an organization’s reputation and credibility;
— taking into account expectations of interested parties;
— demonstrating an organization’s commitment to managing its compliance risks effectively and efficiently;
— increasing the confidence of third parties in the organization’s capacity to achieve sustained success;
— minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

This document specifies requirements as well as provides guidance on compliance management systems and recommended practices. Both the requirements and the guidance in this document are intended to be adaptable, and implementation can differ depending on the size and level of maturity of an organization’s compliance management system and on the context, nature and complexity of the organization’s activities and objectives.
This document is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.

Figure 1 provides an overview of the common elements of a compliance management system.

Figure 1 — Elements of a compliance management system

In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates permission;
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirements.

Annex A provides guidance for the use of this document.
INTERNATIONAL STANDARD ISO 37301:2021(E)

Compliance management systems — Requirements with guidance for use

1 Scope

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the compliance management system.

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.
Note 3 to entry: For the purposes of this document, the term “top management” refers to the highest level of executive management.

3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6) as well as processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

3.5
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)

Note 1 to entry: A policy can also be formally expressed by an organization’s governing body (3.21).

3.6
objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide, or specific to a project, product, service or process (3.8).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational criterion, as a compliance (3.26) objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of compliance management systems (3.4), compliance objectives are set by the organization (3.1), consistent with the compliance policy (3.5), to achieve specific results.

3.7
risk
effect of uncertainty on objectives (3.6)

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.8
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result

Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the reference.

3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

3.11
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or organizations (3.1).

3.12
continual improvement
recurring activity to enhance performance (3.11)

3.13
effectiveness
extent to which planned activities are realized and planned results are achieved

3.14
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).

3.15
conformity
fulfilment of a requirement (3.14)

3.16
nonconformity
non-fulfilment of a requirement (3.14)

Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.27).

3.17
corrective action
action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

3.18
audit
systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party (3.30)), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

3.19
measurement
process (3.8) to determine a value

3.20
monitoring
determining the status of a system, a process (3.8) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.21
governing body
person or group of persons that has the ultimate responsibility and authority for an organization’s (3.1) activities, governance and policies (3.5) and to which top management (3.3) reports and by which top management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

3.22
personnel
individuals in a relationship recognized as a work relationship in national law or practice, or in any contractual relationship that depends on its activity from the organization (3.1)

3.23
compliance function
person or group of persons with responsibility and authority for the operation of the compliance (3.26) management system (3.4)

Note 1 to entry: Preferably one individual will be assigned to the oversight of the compliance management system.

3.24
compliance risk
likelihood of occurrence and the consequences of noncompliance (3.27) with the organization’s (3.1) compliance obligations (3.25)

3.25
compliance obligations
requirements (3.14) that an organization (3.1) mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with

3.26
compliance
meeting all the organization’s (3.1) compliance obligations (3.25)

3.27
noncompliance
non-fulfilment of compliance obligations (3.25)

3.28
compliance culture
values, ethics, beliefs and conduct (3.29) that exist throughout an organization (3.1) and interact with the organization’s structures and control systems to produce behavioural norms that are conducive to compliance (3.26)
...

NORME ISO
INTERNATIONALE 37301
Première édition
2021-04
Systèmes de management de
la conformité — Exigences et
recommandations pour la mise en
oeuvre
Compliance management systems — Requirements with guidance for
use
Sistemas de gestión del compliance — Requisitos con orientación
para su uso
Numéro de référence
ISO 37301:2021(F)
ISO 2021
---------------------- Page: 1 ----------------------
ISO 37301:2021(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2021

Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette

publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,

y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut

être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.

ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO 2021 – Tous droits réservés
---------------------- Page: 2 ----------------------
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the compliance management system
4.4 Compliance management system
4.5 Compliance obligations
4.6 Compliance risk assessment
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body and top management
5.1.2 Compliance culture
5.1.3 Governance of the compliance function
5.2 Compliance policy
5.3 Roles, responsibilities and authorities
5.3.1 Governing body and top management
5.3.2 Compliance function
5.3.3 Management
5.3.4 Personnel
6 Planning
6.1 Actions to address risks and opportunities
6.2 Compliance objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.2 Competence
7.2.1 General
7.2.2 Employment process
7.2.3 Training
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Establishing controls
8.3 Raising concerns
8.4 Investigation processes
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Sources of feedback on compliance performance
9.1.3 Development of indicators
9.1.4 Compliance reporting
9.1.5 Record keeping
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Annex A (informative) Guidance on the use of this document
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any intellectual property rights or similar rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/brevets).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/avant-propos.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

This first edition of ISO 37301 cancels and replaces ISO 19600:2014, which has been technically revised.

The main changes compared to ISO 19600:2014 are as follows:
— this document now contains requirements and additional guidance for implementation based on those requirements;
— this document follows the ISO requirements for a harmonized structure of management system standards.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/fr/members.html.
Introduction

Organizations that aspire to ensure their long-term success need to establish and maintain a culture of compliance, taking into account the needs and expectations of interested parties. Compliance is therefore not only a prerequisite but also an opportunity for an organization that wishes to develop sustainably.

Compliance is an ongoing process and the outcome of an organization meeting its obligations. The best way to make compliance sustainable is to embed it in the culture of the organization and in the organization’s expectations regarding the behaviour and conduct of its personnel. While keeping its independence, it is preferable that compliance management be integrated with the organization’s other processes and with its operational requirements and procedures.

An organization-wide compliance management system enables the organization to demonstrate its commitment to complying with applicable law, including regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and the expectations of interested parties.

An organization’s approach to compliance is shaped by leadership that applies its core values and the generally accepted principles of good governance, ethics and community. Embedding compliance in the behaviour of the people working for an organization depends above all on a mission, on leadership by example at all levels and on clear values for the organization, as well as on the recognition and implementation of measures to promote a compliant attitude. Where this is not the case at all levels of an organization, a risk of noncompliance exists.

In several jurisdictions, courts have taken into account an organization’s commitment to compliance, as supported by its compliance management system, when determining the appropriate penalty to be imposed for violations of applicable laws. Consequently, regulatory authorities and judicial bodies can also make use of this document as a reference.

Organizations are increasingly convinced that by applying binding values and appropriate compliance management they can safeguard their integrity and avoid or minimize breaches of the organization’s compliance obligations. The integrity and effectiveness of compliance are therefore key elements of the sound and diligent management of the organization. Compliance also contributes to the socially responsible behaviour of organizations.

One of the aims of this document is to assist organizations in developing and disseminating a positive culture of compliance, considering that sound and effective management of compliance risks should be seen as an opportunity to be seized because of the various benefits it brings to the organization, such as:
— improving business opportunities and economic/social/environmental sustainability;
— protecting and enhancing an organization’s reputation and credibility;
— taking account of the expectations of interested parties;
— demonstrating an organization’s commitment to managing its compliance risks effectively;
— increasing the confidence of third parties in the organization’s capacity to achieve long-term objectives;
— minimizing the violation or threat of violation of laws and the associated costs and reputational damage that follow.

This document specifies requirements for compliance management systems and provides guidance and recommended practices. The requirements and guidance in this document are intended to be flexible, and their implementation can differ according to the size and maturity level of the organization’s compliance management system and the context, nature and complexity of the organization’s activities and objectives.

This document can improve the compliance requirements in other management systems and help an organization to improve the overall management of all its compliance obligations.

Figure 1 gives an overview of the most common elements of a compliance management system.

Figure 1 — Elements of a compliance management system

In this document, the following verbal forms are used:
— “doit” (“shall”) indicates a requirement;
— “il convient de/que” (“should”) indicates a recommendation;
— “peut/il est admis” (“may” in English) indicates a permission;
— “peut/il est possible” (“can” in English) indicates a possibility or a capability.

Information marked “NOTE” is provided to clarify the associated requirement or to make it easier to understand.

Annex A gives guidance on the use of this document.
INTERNATIONAL STANDARD ISO 37301:2021(F)
Compliance management systems — Requirements with guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.
2 Normative references
There are no normative references in this document.
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the compliance management system.

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: For the purposes of this document, the term “top management” refers to the highest level of executive management.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6), as well as processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.
3.5
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)

Note 1 to entry: A policy can also be formally expressed by the governing body (3.21) of an organization.
3.6
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, sales and marketing, purchasing, health, safety and environment). They can apply, for example, to the organization as a whole or to a project, product, service or process (3.8).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a need, an operational criterion, as a compliance objective (3.26), or by the use of other words with similar meaning (e.g. aim, goal or target).

Note 4 to entry: In the context of compliance management systems (3.4), compliance objectives are set by the organization (3.1), consistent with its compliance policy (3.5), to achieve specific results.
3.7
risk
effect of uncertainty on objectives (3.6)

Note 1 to entry: An effect is a deviation from the expected, positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and potential consequences (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the likelihood (as defined in ISO Guide 73) of its occurrence.
3.8
process
set of interrelated or interacting activities that transforms inputs into an output

Note 1 to entry: The output of a process is called “result”, “product” or “service”, depending on the context of reference.
3.9
competence
ability to apply knowledge and skills to achieve intended results

3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.11
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.8), products, services, systems or organizations (3.1).
3.12
continual improvement
recurring activity to enhance performance (3.11)
3.13
effectiveness
extent to which planned activities are realized and planned results are achieved

3.14
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).
3.15
conformity
fulfilment of a requirement (3.14)
3.16
nonconformity
non-fulfilment of a requirement (3.14)

Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.27).

3.17
corrective action
action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

3.18
audit
systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1
INTERNATIONAL STANDARD ISO 37301
First edition
Official translation
2021-04
Compliance management systems — Requirements with guidance for use
Published by the ISO Central Secretariat in Geneva, Switzerland, as an official Spanish translation endorsed by the Spanish Translation Task Force (STTF), which has certified its conformity with the English and French versions.
Reference number
ISO 37301:2021 (official translation)
© ISO 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Spanish version published in 2021
Official translation
© ISO 2021 – All rights reserved
ISO 37301:2021 (traducción oficial)
Contents

Foreword ..... v
Foreword to the Spanish version ..... vi
Introduction ..... vii
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 5
4.1 Understanding the organization and its context ..... 5
4.2 Understanding the needs and expectations of interested parties ..... 6
4.3 Determining the scope of the compliance management system ..... 6
4.4 Compliance management system ..... 6
4.5 Compliance obligations ..... 6
4.6 Compliance risk assessment ..... 6
5 Leadership ..... 7
5.1 Leadership and commitment ..... 7
5.1.1 Governing body and top management ..... 7
5.1.2 Compliance culture ..... 8
5.1.3 Compliance governance ..... 8
5.2 Compliance policy ..... 8
5.3 Roles, responsibilities and authorities ..... 9
5.3.1 Governing body and top management ..... 9
5.3.2 Compliance function ..... 9
5.3.3 Management ..... 10
5.3.4 Personnel ..... 11
6 Planning ..... 11
6.1 Actions to address risks and opportunities ..... 11
6.2 Compliance objectives and planning to achieve them ..... 11
6.3 Planning of changes ..... 12
7 Support ..... 12
7.1 Resources ..... 12
7.2 Competence ..... 12
7.2.1 General ..... 12
7.2.2 Employment process ..... 13
7.2.3 Training ..... 13
7.3 Awareness ..... 13
7.4 Communication ..... 14
7.5 Documented information ..... 14
7.5.1 General ..... 14
7.5.2 Creating and updating documented information ..... 15
7.5.3 Control of documented information ..... 15
8 Operation ..... 15
8.1 Operational planning and control ..... 15
8.2 Establishing controls and procedures ..... 16
8.3 Raising concerns ..... 16
8.4 Investigation processes ..... 16
9 Performance evaluation ..... 17
9.1 Monitoring, measurement, analysis and evaluation ..... 17
9.1.1 General ..... 17
9.1.2 Sources of feedback on compliance performance ..... 17
9.1.3 Development of indicators ..... 17
9.1.4 Compliance reporting ..... 17
9.1.5 Record keeping ..... 18
9.2 Internal audit ..... 18
9.2.1 General ..... 18
9.2.2 Internal audit programme ..... 18
9.3 Management review ..... 18
9.3.1 General ..... 18
9.3.2 Inputs for the review of the system ..... 18
9.3.3 Management review outputs ..... 19
10 Improvement ..... 19
10.1 Continual improvement ..... 19
10.2 Nonconformities and corrective actions ..... 19
Annex A (informative) Guidance on the use of this document ..... 21
Bibliography ..... 43

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of this document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

This first edition of ISO 37301 cancels and replaces ISO 19600:2014, which has been technically revised.

The main changes compared with ISO 19600:2014 are as follows:

— this document now contains requirements and additional guidance based on them;

— this document follows the ISO requirements for a harmonized structure for management system standards.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Foreword to the Spanish version

This document has been translated by the Spanish Translation Task Force (STTF) of Technical Committee ISO/TC 309, Governance of organizations, in which representatives of the national standards bodies and of the business sector of the following countries participate:

Argentina, Bolivia, Chile, Colombia, Costa Rica, Ecuador, El Salvador, Spain, Guatemala, Panama, Peru, Uruguay.

This translation is part of the result of the work that the ISO/TC 309/STTF group has been carrying out since its creation in 2021 to unify Spanish-language terminology in the field of compliance.
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of compliance, considering the needs and expectations of interested parties. Compliance is therefore not only the basis for, but also an opportunity for, a successful and sustainable organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations. Compliance is made sustainable by embedding it in the culture of an organization and in the behaviour and attitude of the people working for it. While maintaining its independence, it is preferable that compliance management is integrated with the organization's other management processes and with its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as with standards of good governance, generally accepted best practices, ethics and community expectations.

An organization's approach to compliance is shaped by its leaders applying core values and generally accepted standards of good governance, ethics and community expectations. Embedding compliance in the behaviour of the people working for an organization depends above all on its leaders, at all levels, on the existence of clear values in the organization, and on the acceptance and implementation of measures that promote compliant conduct. If this is not the case at all levels of the organization, there is a risk of noncompliance.

In various jurisdictions, courts have taken into account an organization's commitment to compliance, as shown through its compliance management system, when determining the sanction to impose for contravening relevant laws. Regulatory and judicial bodies can therefore also benefit from having this document as a point of reference.

Organizations are increasingly convinced that, by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the organization's compliance obligations. Integrity and effective compliance are therefore key elements of good and diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

One of the aims of this document is to help organizations develop and disseminate a positive compliance culture, bearing in mind that effective and sound management of compliance-related risks should be regarded as an opportunity to pursue and exploit, given the various benefits it provides to the organization, for example:

— improving business opportunities and sustainability;
— protecting and enhancing the reputation and credibility of an organization;
— taking into account the expectations of interested parties;
— demonstrating the organization's commitment to managing its compliance risks effectively and efficiently;
— increasing the confidence of third parties in the organization's capacity to achieve sustained success;
— minimizing the risk of a contravention occurring, with its attendant costs and reputational damage.
This document specifies requirements and, in addition, provides guidance on compliance management systems and recommended practices. Both the requirements and the guidance provided in this document are intended to be adaptable, and their application can differ depending on the size and maturity level of an organization's compliance management system and on the context, nature and complexity of the organization's activities and objectives.

This document is suitable for enhancing compliance-related requirements in other management systems and for helping the organization improve the overall management of all its compliance obligations.

Figure 1 provides an overview of the common elements of a compliance management system.

Figure 1 — Elements of a compliance management system
The following verbal forms are used in this document:
— "shall" indicates a requirement;
— "should" indicates a recommendation;
— "may" indicates a permission, a possibility or a capability.

Information marked as "NOTE" is provided as guidance for understanding or clarifying the associated requirement.

Annex A provides guidance on the use of this document.
INTERNATIONAL STANDARD ISO 37301:2021 (official translation)
Compliance management systems — Requirements with guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as to organizations in the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.
2 Normative references
There are no normative references in this document.
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term "organization" refers only to the part of the larger entity that is within the scope of the management system.

3.2
interested party
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: For the purposes of this document, the term "top management" refers to the highest level of executive management.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5), objectives (3.6) and processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization's structure, roles and responsibilities, planning and operation.

3.5
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)

Note 1 to entry: The policy can also be formally expressed by the governing body (3.21) of an organization (3.1).

3.6
objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide or specific to a project, product, service or process (3.8).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, a compliance objective (3.26), or by the use of other words with similar meaning (e.g. aim or goal).

Note 4 to entry: In the context of compliance management systems (3.4), the organization (3.1) sets compliance objectives, consistent with the compliance policy (3.5), to achieve specific results.

3.7
risk
effect of uncertainty on objectives (3.6)

Note 1 to entry: An effect is a deviation from the expected, positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73) and "consequences" (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73) of occurrence.

3.8
process
set of interrelated or interacting activities that use or transform inputs to deliver a result

Note 1 to entry: Whether the result of a process is called an output, product or service depends on the context of reference.
3.9
competence
ability to apply knowledge and skills to achieve intended results

3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

3.11
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to management activities, processes (3.8), products, services, systems or organizations (3.1).

3.12
continual improvement
recurring activity to enhance performance (3.11)

3.13
effectiveness
extent to which
...

FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 37301
ISO/TC 309
Secretariat: BSI
Voting begins on: 2021-01-01
Voting terminates on: 2021-02-26

Compliance management systems — Requirements with guidance for use

Systèmes de management de la conformité — Exigences et recommandations pour la mise en oeuvre

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

Reference number ISO/FDIS 37301:2021(E)
© ISO 2021
ISO/FDIS 37301:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH­1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
Contents

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Context of the organization ....................................................................................................................................................................... 5

4.1 Understanding the organization and its context ....................................................................................................... 5

4.2 Understanding the needs and expectations of interested parties .............................................................. 5

4.3 Determining the scope of the compliance management system ................................................................. 5

4.4 Compliance management system ........................................................................................................................................... 6

4.5 Compliance obligations .... 6
4.6 Compliance risk assessment .... 6
5 Leadership .... 6
5.1 Leadership and commitment .... 6
5.1.1 Governing body and top management .... 6
5.1.2 Compliance culture .... 7
5.1.3 Compliance governance .... 7
5.2 Compliance policy .... 8
5.3 Roles, responsibilities and authorities .... 8
5.3.1 Governing body and top management .... 8
5.3.2 Compliance function .... 9
5.3.3 Management .... 10
5.3.4 Personnel .... 10
6 Planning .... 10
6.1 Actions to address risks and opportunities .... 10
6.2 Compliance objectives and planning to achieve them .... 11
6.3 Planning of changes .... 11
7 Support .... 11
7.1 Resources .... 11
7.2 Competence .... 12
7.2.1 General .... 12
7.2.2 Employment process .... 12
7.2.3 Training .... 12
7.3 Awareness .... 13
7.4 Communication .... 13
7.5 Documented information .... 14
7.5.1 General .... 14
7.5.2 Creating and updating documented information .... 14
7.5.3 Control of documented information .... 14
8 Operation .... 15
8.1 Operational planning and control .... 15
8.2 Establishing controls and procedures .... 15
8.3 Raising concerns .... 15
8.4 Investigation processes .... 15
9 Performance evaluation .... 16
9.1 Monitoring, measurement, analysis and evaluation .... 16
9.1.1 General .... 16
9.1.2 Sources of feedback on compliance performance .... 16
9.1.3 Development of indicators .... 16
9.1.4 Compliance reporting .... 16
9.1.5 Record-keeping .... 17

© ISO 2021 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/FDIS 37301:2021(E)

9.2 Internal audit .... 17
9.2.1 General .... 17
9.2.2 Internal audit programme .... 17
9.3 Management review .... 17
9.3.1 General .... 17
9.3.2 Management review inputs .... 18
9.3.3 Management review results .... 18
10 Improvement .... 18
10.1 Continual improvement .... 18
10.2 Nonconformity and corrective action .... 19
Annex A (informative) Guidance for the use of this document .... 20
Bibliography .... 40

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of compliance, considering the needs and expectations of interested parties. Compliance is therefore not only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations. Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable that compliance management is integrated with the organization’s other management processes and its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and generally accepted good governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this document as a benchmark.

Organizations are increasingly convinced that, by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the organization’s compliance obligations. Integrity and effective compliance are therefore key elements of good and diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture of compliance, considering that an effective and sound management of compliance-related risks should be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the organization such as:
— improving business opportunities and sustainability;
— protecting and enhancing an organization’s reputation and credibility;
— taking into account expectations of interested parties;
— demonstrating an organization’s commitment to managing its compliance risks effectively and efficiently;
— increasing the confidence of third parties in the organization’s capacity to achieve sustained success;
— minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

This document specifies requirements as well as provides guidance on compliance management systems and recommended practices. Both the requirements and the guidance in this document are intended to be adaptable, and implementation can differ depending on the size and level of maturity of an organization’s compliance management system and on the context, nature and complexity of the organization’s activities and objectives.

This document is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.

Figure 1 provides an overview on common elements of a compliance management system.

Figure 1 — Elements of a compliance management system
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates permission;
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirements.

Annex A provides guidance for the use of this document.
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 37301:2021(E)
Compliance management systems — Requirements with
guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the compliance management system.

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: For the purposes of this document, the term “top management” refers to the highest level of executive management.

3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives (3.6) as well as processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

3.5
policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)

Note 1 to entry: A policy can also be formally expressed by an organization’s governing body (3.2).

3.6
objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment). They can be, for example, organization-wide, or specific to a project, product, service or process (3.8).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational criterion, as a compliance (3.7) objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of compliance management systems (3.4), compliance objectives are set by the organization (3.1), consistent with the compliance policy (3.5), to achieve specific results.

3.7
risk
effect of uncertainty on objectives

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.8
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result

Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the reference.

3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

3.11
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or organizations (3.1).

3.12
continual improvement
recurring activity to enhance performance (3.11)

3.13
effectiveness
extent to which planned activities are realized and planned results are achieved

3.14
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and interested parties (3.2) that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).

3.15
conformity
fulfilment of a requirement (3.14)

3.16
nonconformity
non-fulfilment of a requirement (3.14)

Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.27).

3.17
corrective action
action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

3.18
audit
systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party (3.30)), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

3.19
measurement
process (3.8) to determine a value

3.20
monitoring
determining the status of a system, a process (3.8) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.21
governing body
person or group of persons that has the ultimate responsibility and authority for an organization’s (3.1) activities, governance and policies (3.5) and to which top management (3.3) reports and by which top management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from top management.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

3.22
personnel
individuals in a relationship recognized as a work relationship in national law or practice, or in any contractual relationship that depends on its activity from the organization (3.1)

3.23
compliance function
person or group of persons with responsibility and authority for the operation of the compliance (3.26) management system (3.4)

Note 1 to entry: Preferably one individual will be assigned to the oversight of the compliance management system.

3.24
compliance risk
likelihood of occurrence and the consequences of noncompliance (3.27) with the organization’s (3.1) compliance obligations (3.25)

3.25
compliance obligations
requirements (3.14) that an organization (3.1) mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with

3.26
compliance
meeting all the organization’s (3.1) compliance obligations (3.25)

3.27
noncompliance
non-fulfilment of compliance obligations (3.25)

3.28
compliance culture
values, ethics, beliefs and conduct
...