Compliance management systems -- Requirements with guidance for use

Systèmes de management de la conformité -- Exigences et recommandations pour la mise en oeuvre

Sistemi za upravljanje skladnosti - Zahteve z napotki za uporabo

General Information

Status
Published
Current Stage
5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date
01-Jan-2021
Completion Date
01-Jan-2021

Buy Standard

Draft
ISO/FDIS 37301 - Compliance management systems -- Requirements with guidance for use
English language
40 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/DIS 37301:Version 24-apr-2020 - Compliance management systems -- Requirements with guidance for use
English language
40 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/DIS 37301:2021 - BARVE na PDF-str 9,40
English language
47 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day
Draft
ISO/DIS 37301 - Systemes de management de la conformité -- Exigences et recommandations pour la mise en oeuvre
French language
48 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 37301
ISO/TC 309
Compliance management systems —
Secretariat: BSI
Requirements with guidance for use
Voting begins on:
2021­01­01
Systèmes de management de la conformité — Exigences et
recommandations pour la mise en oeuvre
Voting terminates on:
2021­02­26
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/FDIS 37301:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. ISO 2021
---------------------- Page: 1 ----------------------
ISO/FDIS 37301:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH­1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/FDIS 37301:2021(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Context of the organization ....................................................................................................................................................................... 5

4.1 Understanding the organization and its context ....................................................................................................... 5

4.2 Understanding the needs and expectations of interested parties .............................................................. 5

4.3 Determining the scope of the compliance management system ................................................................. 5

4.4 Compliance management system ........................................................................................................................................... 6

4.5 Compliance obligations ................................................................................................................................................................... 6

4.6 Compliance risk assessment ....................................................................................................................................................... 6

5 Leadership .................................................................................................................................................................................................................. 6

5.1 Leadership and commitment ..................................................................................................................................................... 6

5.1.1 Governing body and top management .......................................................................................................... 6

5.1.2 Compliance culture ........................................................................................................................................................ 7

5.1.3 Compliance governance ............................................................................................................................................. 7

5.2 Compliance policy ................................................................................................................................................................................ 8

5.3 Roles, responsibilities and authorities ............................................................................................................................... 8

5.3.1 Governing body and top management .......................................................................................................... 8

5.3.2 Compliance function ..................................................................................................................................................... 9

5.3.3 Management .....................................................................................................................................................................10

5.3.4 Personnel .............................................................................................................................................................................10

6 Planning ......................................................................................................................................................................................................................10

6.1 Actions to address risks and opportunities ................................................................................................................10

6.2 Compliance objectives and planning to achieve them .......................................................................................11

6.3 Planning of changes .........................................................................................................................................................................11

7 Support ........................................................................................................................................................................................................................11

7.1 Resources ..................................................................................................................................................................................................11

7.2 Competence ............................................................................................................................................................................................12

7.2.1 General...................................................................................................................................................................................12

7.2.2 Employment process .................................................................................................................................................12

7.2.3 Training .................................................................................................................................................................................12

7.3 Awareness ................................................................................................................................................................................................13

7.4 Communication ...................................................................................................................................................................................13

7.5 Documented information ............................................................................................................................................................14

7.5.1 General...................................................................................................................................................................................14

7.5.2 Creating and updating documented information .............................................................................14

7.5.3 Control of documented information ............................................................................................................14

8 Operation ..................................................................................................................................................................................................................15

8.1 Operational planning and control .......................................................................................................................................15

8.2 Establishing controls and procedures .............................................................................................................................15

8.3 Raising concerns .................................................................................................................................................................................15

8.4 Investigation processes ................................................................................................................................................................15

9 Performance evaluation ............................................................................................................................................................................16

9.1 Monitoring, measurement, analysis and evaluation ............................................................................................16

9.1.1 General...................................................................................................................................................................................16

9.1.2 Sources of feedback on compliance performance ............................................................................16

9.1.3 Development of indicators ...................................................................................................................................16

9.1.4 Compliance reporting ...............................................................................................................................................16

9.1.5 Record­keeping ..............................................................................................................................................................17

© ISO 2021 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/FDIS 37301:2021(E)

9.2 Internal audit .........................................................................................................................................................................................17

9.2.1 General...................................................................................................................................................................................17

9.2.2 Internal audit programme ....................................................................................................................................17

9.3 Management review ........................................................................................................................................................................17

9.3.1 General...................................................................................................................................................................................17

9.3.2 Management review inputs .................................................................................................................................18

9.3.3 Management review results ................................................................................................................................18

10 Improvement .........................................................................................................................................................................................................18

10.1 Continual improvement ...............................................................................................................................................................18

10.2 Nonconformity and corrective action ..............................................................................................................................19

Annex A (informative) Guidance for the use of this document ..............................................................................................20

Bibliography .............................................................................................................................................................................................................................40

iv © ISO 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 37301:2021(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO 2021 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/FDIS 37301:2021(E)
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of

compliance, considering the needs and expectations of interested parties. Compliance is therefore not

only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations.

Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour

and attitude of people working for it. While maintaining its independence, it is preferable that

compliance management is integrated with the organization’s other management processes and its

operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to

demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes

and organizational standards, as well as standards of good governance, generally accepted best

practices, ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and

generally accepted good governance, ethical and community standards. Embedding compliance in the

behaviour of the people working for an organization depends above all on leadership at all levels and

clear values of an organization, as well as an acknowledgement and implementation of measures to

promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of

noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance

through its compliance management system when determining the appropriate penalty to be imposed

for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this

document as a benchmark.

Organizations are increasingly convinced that, by applying binding values and appropriate compliance

management, they can safeguard their integrity and avoid or minimize noncompliance with the

organization’s compliance obligations. Integrity and effective compliance are therefore key elements

of good and diligent management. Compliance also contributes to the socially responsible behaviour of

organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture

of compliance, considering that an effective and sound management of compliance­related risks should

be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the

organization such as:
— improving business opportunities and sustainability;
— protecting and enhancing an organization’s reputation and credibility;
— taking into account expectations of interested parties;

— demonstrating an organization’s commitment to managing its compliance risks effectively and

efficiently;

— increasing the confidence of third parties in the organization’s capacity to achieve sustained success;

— minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

This document specifies requirements as well as provides guidance on compliance management

systems and recommended practices. Both the requirements and the guidance in this document are

intended to be adaptable, and implementation can differ depending on the size and level of maturity

of an organization’s compliance management system and on the context, nature and complexity of the

organization’s activities and objectives.
vi © ISO 2021 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/FDIS 37301:2021(E)

This document is suitable to enhance the compliance-related requirements in other management

systems and to assist an organization in improving the overall management of all its compliance

obligations.

Figure 1 provides an overview on common elements of a compliance management system.

Figure 1 — Elements of a compliance management system
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
© ISO 2021 – All rights reserved vii
---------------------- Page: 7 ----------------------
ISO/FDIS 37301:2021(E)
— “should” indicates a recommendation;
— “may” indicates permission:
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated

requirements.
Annex A provides guidance for the use of this document.
viii © ISO 2021 – All rights reserved
---------------------- Page: 8 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 37301:2021(E)
Compliance management systems — Requirements with
guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing,

implementing, evaluating, maintaining and improving an effective compliance management system

within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the

activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document that refer to a governing body apply to top management in

cases where an organization does not have a governing body as a separate function.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
organization

person or group of people that has its own functions with responsibilities, authorities and relationships

to achieve its objectives (3.6)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,

enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated

or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the

larger entity that is within the scope of the compliance management system.
3.2
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision

or activity
3.3
top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the

organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top

management refers to those who direct and control that part of the organization.
© ISO 2021 – All rights reserved 1
---------------------- Page: 9 ----------------------
ISO/FDIS 37301:2021(E)

Note 3 to entry: For the purposes of this document, the term “top management” refers to the highest level of

executive management.
3.4
management system

set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and

objectives (3.6) as well as processes (3.8) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,

planning and operation.
3.5
policy

intentions and direction of an organization (3.1), as formally expressed by its top management (3.3)

Note 1 to entry: A policy can also be formally expressed by an organization’s governing body (3.2).

3.6
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).

They can be, for example, organization-wide, or specific to a project, product, service or process (3.8)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational

criterion, as a compliance (3.7) objective, or by the use of other words with similar meaning (e.g. aim, goal, or

target).

Note 4 to entry: In the context of compliance management systems (3.4), compliance objectives are set by the

organization (3.1), consistent with the compliance policy (3.5), to achieve specific results.

3.7
risk
effect of uncertainty on objectives

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or

knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and

“consequences” (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including

changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.8
process

set of interrelated or interacting activities that uses or transforms inputs to deliver a result

Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the

reference.
3.9
competence
ability to apply knowledge and skills to achieve intended results
2 © ISO 2021 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/FDIS 37301:2021(E)
3.10
documented information

information required to be controlled and maintained by an organization (3.1) and the medium on

which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.11
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or

organizations (3.1).
3.12
continual improvement
recurring activity to enhance performance (3.11)
3.13
effectiveness
extent to which planned activities are realized and planned results are achieved
3.14
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and

interested parties (3.2) that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).

3.15
conformity
fulfilment of a requirement (3.14)
3.16
nonconformity
non-fulfilment of a requirement (3.14)
Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.27).
3.17
corrective action

action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence

3.18
audit

systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to

determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party

(3.30)), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.

© ISO 2021 – All rights reserved 3
---------------------- Page: 11 ----------------------
ISO/FDIS 37301:2021(E)
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being

audited or freedom from bias and conflict of interest.
3.19
measurement
process (3.8) to determine a value
3.20
monitoring
determining the status of a system, a process (3.8) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.21
governing body

person or group of persons that has the ultimate responsibility and authority for an organization’s (3.1)

activities, governance and policies (3.5) and to which top management (3.3) reports and by which top

management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from

top management.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,

a supervisory board or trustees.
3.22
personnel

individuals in a relationship recognized as a work relationship in national law or practice, or in any

contractual relationship that depends on its activity from the organization (3.1)

3.23
compliance function

person or group of persons with responsibility and authority for the operation of the compliance (3.26)

management system (3.4)

Note 1 to entry: Preferably one individual will be assigned to the oversight of compliance management system.

3.24
compliance risk

likelihood of occurrence and the consequences of noncompliance (3.27) with the organization’s (3.1)

compliance obligations (3.25)
3.25
compliance obligations

requirements (3.14) that an organization (3.1) mandatorily has to comply with as well as those that an

organization voluntarily chooses to comply with
3.26
compliance
meeting all the organization’s (3.1) compliance obligations (3.25)
3.27
noncompliance
non-fulfilment of compliance obligations (3.25)
3.28
compliance culture
values, ethics, beliefs and conduct
...

DRAFT INTERNATIONAL STANDARD
ISO/DIS 37301
ISO/TC 309 Secretariat: BSI
Voting begins on: Voting terminates on:
2020-03-13 2020-06-05
Compliance management systems — Requirements with
guidance for use
ICS: 03.100.01; 03.100.02; 03.100.70
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/DIS 37301:2020(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO 2020
---------------------- Page: 1 ----------------------
ISO/DIS 37301:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/DIS 37301:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Context of the organization ....................................................................................................................................................................... 5

4.1 Understanding the organization and its context ....................................................................................................... 5

4.2 Understanding the needs and expectations of interested parties .............................................................. 5

4.3 Determining the scope of the compliance management system ................................................................. 6

4.4 Compliance management system ........................................................................................................................................... 6

5 Leadership .................................................................................................................................................................................................................. 6

5.1 Leadership and commitment ..................................................................................................................................................... 6

5.1.1 Governing body and top management .......................................................................................................... 6

5.1.2 Compliance culture ........................................................................................................................................................ 7

5.1.3 Compliance governance ............................................................................................................................................. 7

5.2 Policy ............................................................................................................................................................................................................... 7

5.3 Roles, responsibilities and authorities ............................................................................................................................... 8

5.3.1 Governing body and top management .......................................................................................................... 8

5.3.2 Compliance function ..................................................................................................................................................... 8

5.3.3 Management ........................................................................................................................................................................ 9

5.3.4 Personnel .............................................................................................................................................................................10

6 Planning ......................................................................................................................................................................................................................10

6.1 Actions to address risks and opportunities ................................................................................................................10

6.2 Compliance objectives and planning to achieve them .......................................................................................10

6.3 Compliance obligations ................................................................................................................................................................11

6.4 Compliance risk assessment ....................................................................................................................................................11

7 Support ........................................................................................................................................................................................................................11

7.1 Resources ..................................................................................................................................................................................................11

7.2 Competence ............................................................................................................................................................................................12

7.2.1 General...................................................................................................................................................................................12

7.2.2 Employment process .................................................................................................................................................12

7.2.3 Training .................................................................................................................................................................................12

7.3 Awareness ................................................................................................................................................................................................13

7.4 Communication ...................................................................................................................................................................................13

7.5 Documented information ............................................................................................................................................................14

7.5.1 General...................................................................................................................................................................................14

7.5.2 Creating and updating ..............................................................................................................................................14

7.5.3 Control of documented information ............................................................................................................14

8 Operation ..................................................................................................................................................................................................................15

8.1 Operational planning and control .......................................................................................................................................15

8.2 Establishing controls and procedures .............................................................................................................................15

8.3 Raising concerns .................................................................................................................................................................................15

8.4 Investigation processes ................................................................................................................................................................15

9 Performance evaluation ............................................................................................................................................................................16

9.1 Monitoring, measurement, analysis and evaluation ............................................................................................16

9.1.1 General...................................................................................................................................................................................16

9.1.2 Sources of feedback on compliance performance ............................................................................16

9.1.3 Development of indicators ...................................................................................................................................16

9.1.4 Compliance reporting ...............................................................................................................................................16

9.1.5 Record-keeping ..............................................................................................................................................................17

9.2 Internal audit .........................................................................................................................................................................................17

© ISO 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/DIS 37301:2020(E)

9.3 Management review ........................................................................................................................................................................17

10 Improvement .........................................................................................................................................................................................................18

10.1 Nonconformity, noncompliance and corrective action .....................................................................................18

10.2 Continual improvement ...............................................................................................................................................................19

Annex A (informative) Guidance for the use of this document ..............................................................................................20

Bibliography .............................................................................................................................................................................................................................40

iv © ISO 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/DIS 37301:2020(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 309 Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
This document cancels and replaces ISO 19600:2014-10.
In this International Standard, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates permission:
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated

requirements.
© ISO 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/DIS 37301:2020(E)
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of

integrity and compliance, considering the needs and expectations of interested parties. Integrity and

compliance are therefore not only the basis, but also an opportunity, for a successful and sustainable

organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations.

Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour

and attitude of people working for it. While maintaining its independence, it is preferable if compliance

management is integrated with the organization’s other management processes and its operational

requirements and procedures.

An effective, organization-wide compliance management system enables an organization to

demonstrate its commitment to comply with relevant laws, including legislative requirements, industry

codes and organizational standards, as well as standards of good corporate governance, best practices,

ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and

generally accepted corporate governance, ethical and community standards. Embedding compliance

in the behaviour of the people working for an organization depends above all on leadership at all levels

and clear values of an organization, as well as an acknowledgement and implementation of measures

to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of

noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance

through its compliance management system when determining the appropriate penalty to be imposed

for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this

document as a benchmark.

Organizations are increasingly convinced that by applying binding values and appropriate compliance

management, they can safeguard their integrity and avoid or minimize noncompliance with the

organization’s compliance obligations. Integrity and effective compliance are therefore key elements

of good and diligent management. Compliance also contributes to the socially responsible behaviour of

organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture

of compliance, considering that an effective and sound management of compliance-related risks should

be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the

organization.

This document specifies requirements as well as provides guidance on compliance management systems

and recommended practices. Both the requirements and the guidance in this document are intended to

be adaptable, and the implementation of this can differ depending on the size and level of maturity of

an organization’s compliance management system and on the context, nature and complexity of the

organization’s activities and objectives.

This document is suitable to enhance the compliance-related requirements in other management

systems and to assist an organization in improving the overall management of all its compliance

obligations.
vi © ISO 2020 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/DIS 37301:2020(E)
Figure 1 —
© ISO 2020 – All rights reserved vii
---------------------- Page: 7 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/DIS 37301:2020(E)
Compliance management systems — Requirements with
guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing,

implementing, evaluating, maintaining and improving an effective compliance management system

within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the

activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document which refer to a governing body apply to top management

in cases where an organization does not have a governing body as a separate function.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
organization

person or group of people that has its own functions with responsibilities, authorities and relationships

to achieve its objectives (3.8)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,

enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated

or not, public or private.
3.2
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision

or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and

interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information.

© ISO 2020 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/DIS 37301:2020(E)
3.4
management system

set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and

objectives (3.8) and processes (3.12) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning

and operation.

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and

identified functions of the organization, specific and identified sections of the organization, or one or more

functions across a group of organizations.
3.5
top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the

organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top

management refers to those who direct and control that part of the organization.

Note 3 to entry: For the purposes of this document, the term "top management" refers to the highest level of

executive management.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy

intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)

and/or its governing body (3.22)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and

environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and

process (3.12).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an

operational criterion, as a compliance objective, or by the use of other words with similar meaning (e.g. aim, goal,

or target).

Note 4 to entry: In the context of compliance management systems, compliance objectives are set by the

organization, consistent with the compliance policy, to achieve specific results.

3.9
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or

knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and

“consequences” (as defined in ISO Guide 73), or a combination of these.
2 © ISO 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/DIS 37301:2020(E)

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including

changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information

information required to be controlled and maintained by an organization (3.1) and the medium on

which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.12);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.12
process

set of interrelated or interacting activities which transforms inputs into outputs

3.13
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.12), products (including services),

systems or organizations (3.1)
3.14
outsource (verb)

make an arrangement where an external organization (3.1) performs part of an organization’s function

or process (3.11)

Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the

outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.16
measurement
process (3.12) to determine a value
3.17
audit

systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it

objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),

and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
© ISO 2020 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/DIS 37301:2020(E)

Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being

audited or freedom from bias and conflict of interest.
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.28).
3.20
corrective action

action to eliminate the cause(s) of a nonconformity (3.19) or a noncompliance (3.28) and to prevent

recurrence
3.21
continual improvement
recurring activity to enhance performance (3.13)
3.22
governing body

person or group of persons that has the ultimate responsibility and authority for an organization's

(3.1) activities, governance and policies and to which top management (3.5) reports and by which top

management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from

top management.

Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board,

supervisory board, or trustees.
3.23
personnel

individuals in a relationship recognized as work relationship in national law or practice, or in any

contractual relationship which depends on its activity from the organization (3.1)

3.24
compliance function

person or group of persons with responsibility and authority for the operation of the compliance (3.27)

management system (3.4)

Note 1 to entry: Preferably one individual will be assigned to the oversight of compliance management system.

3.25
compliance risk

likelihood of occurrence and the consequences of noncompliance (3.17) with the organization’s

compliance obligations (3.26)
3.26
compliance obligation

requirements (3.3) that an organization (3.1) mandatorily has to comply with as well as those that an

organization (3.1) voluntarily chooses to comply with
3.27
compliance
the outcome of meeting all the organization’s compliance obligations (3.26)
4 © ISO 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/DIS 37301:2020(E)
3.28
noncompliance
non-fulfilment of a compliance obligation (3.26)
3.29
compliance culture

values, ethics and beliefs that exist throughout an organization (3.1) and interact with the organization’s

structures and control systems to produce behavioural norms that are conducive to compliance (3.27)

outcomes
3.30
conduct

an organisation’s behaviours and practices that impact outcomes for customers, employees, suppliers,

markets and communities
3.32
third party
person or body that is independent of the organization (3.1)

Note 1 to entry: All business associates are third parties, but not all third parties are business associates

3.33
procedure
specified way to carry out an activity or process (3.12)
[SOURCE: ISO 9000:2015, 3.4.5]
4 Context of the organization
4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that

affect its ability to achieve the intended outcome(s) of its compliance management system.

For this purpose, the organization shall consider a broad range of issues, including:

— the legal and regulatory context;
— social, cultural, and environmental contexts;
— technology;
— the economic situation;
— internal structures, policies, procedures, processes and resources;

— business model, including strategy, nature, size and scale complexity and sustainability of the

organization’s activities and oper
...

SLOVENSKI STANDARD
oSIST ISO/DIS 37301:2021
01-januar-2021
Sistemi za upravljanje skladnosti - Zahteve z napotki za uporabo
Compliance management systems - Requirements with guidance for use
Systèmes de management de la conformité - Exigences et recommandations pour la
mise en oeuvre
Ta slovenski standard je istoveten z: ISO/DIS 37301
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
03.100.70 Sistemi vodenja Management systems
oSIST ISO/DIS 37301:2021 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST ISO/DIS 37301:2021
---------------------- Page: 2 ----------------------
oSIST ISO/DIS 37301:2021
DRAFT INTERNATIONAL STANDARD
ISO/DIS 37301
ISO/TC 309 Secretariat: BSI
Voting begins on: Voting terminates on:
2020-03-13 2020-06-05
Compliance management systems — Requirements with
guidance for use
ICS: 03.100.01; 03.100.02; 03.100.70
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/DIS 37301:2020(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO 2020
---------------------- Page: 3 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved
---------------------- Page: 4 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Context of the organization ....................................................................................................................................................................... 5

4.1 Understanding the organization and its context ....................................................................................................... 5

4.2 Understanding the needs and expectations of interested parties .............................................................. 5

4.3 Determining the scope of the compliance management system ................................................................. 6

4.4 Compliance management system ........................................................................................................................................... 6

5 Leadership .................................................................................................................................................................................................................. 6

5.1 Leadership and commitment ..................................................................................................................................................... 6

5.1.1 Governing body and top management .......................................................................................................... 6

5.1.2 Compliance culture ........................................................................................................................................................ 7

5.1.3 Compliance governance ............................................................................................................................................. 7

5.2 Policy ............................................................................................................................................................................................................... 7

5.3 Roles, responsibilities and authorities ............................................................................................................................... 8

5.3.1 Governing body and top management .......................................................................................................... 8

5.3.2 Compliance function ..................................................................................................................................................... 8

5.3.3 Management ........................................................................................................................................................................ 9

5.3.4 Personnel .............................................................................................................................................................................10

6 Planning ......................................................................................................................................................................................................................10

6.1 Actions to address risks and opportunities ................................................................................................................10

6.2 Compliance objectives and planning to achieve them .......................................................................................10

6.3 Compliance obligations ................................................................................................................................................................11

6.4 Compliance risk assessment ....................................................................................................................................................11

7 Support ........................................................................................................................................................................................................................11

7.1 Resources ..................................................................................................................................................................................................11

7.2 Competence ............................................................................................................................................................................................12

7.2.1 General...................................................................................................................................................................................12

7.2.2 Employment process .................................................................................................................................................12

7.2.3 Training .................................................................................................................................................................................12

7.3 Awareness ................................................................................................................................................................................................13

7.4 Communication ...................................................................................................................................................................................13

7.5 Documented information ............................................................................................................................................................14

7.5.1 General...................................................................................................................................................................................14

7.5.2 Creating and updating ..............................................................................................................................................14

7.5.3 Control of documented information ............................................................................................................14

8 Operation ..................................................................................................................................................................................................................15

8.1 Operational planning and control .......................................................................................................................................15

8.2 Establishing controls and procedures .............................................................................................................................15

8.3 Raising concerns .................................................................................................................................................................................15

8.4 Investigation processes ................................................................................................................................................................15

9 Performance evaluation ............................................................................................................................................................................16

9.1 Monitoring, measurement, analysis and evaluation ............................................................................................16

9.1.1 General...................................................................................................................................................................................16

9.1.2 Sources of feedback on compliance performance ............................................................................16

9.1.3 Development of indicators ...................................................................................................................................16

9.1.4 Compliance reporting ...............................................................................................................................................16

9.1.5 Record-keeping ..............................................................................................................................................................17

9.2 Internal audit .........................................................................................................................................................................................17

© ISO 2020 – All rights reserved iii
---------------------- Page: 5 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)

9.3 Management review ........................................................................................................................................................................17

10 Improvement .........................................................................................................................................................................................................18

10.1 Nonconformity, noncompliance and corrective action .....................................................................................18

10.2 Continual improvement ...............................................................................................................................................................19

Annex A (informative) Guidance for the use of this document ..............................................................................................20

Bibliography .............................................................................................................................................................................................................................40

iv © ISO 2020 – All rights reserved
---------------------- Page: 6 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 309 Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
This document cancels and replaces ISO 19600:2014-10.
In this International Standard, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates permission:
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated

requirements.
© ISO 2020 – All rights reserved v
---------------------- Page: 7 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
Introduction

Organizations that aim to be successful in the long term need to establish and maintain a culture of

integrity and compliance, considering the needs and expectations of interested parties. Integrity and

compliance are therefore not only the basis, but also an opportunity, for a successful and sustainable

organization.

Compliance is an ongoing process and the outcome of an organization meeting its obligations.

Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour

and attitude of people working for it. While maintaining its independence, it is preferable if compliance

management is integrated with the organization’s other management processes and its operational

requirements and procedures.

An effective, organization-wide compliance management system enables an organization to

demonstrate its commitment to comply with relevant laws, including legislative requirements, industry

codes and organizational standards, as well as standards of good corporate governance, best practices,

ethics and community expectations.

An organization’s approach to compliance is shaped by the leadership applying core values and

generally accepted corporate governance, ethical and community standards. Embedding compliance

in the behaviour of the people working for an organization depends above all on leadership at all levels

and clear values of an organization, as well as an acknowledgement and implementation of measures

to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of

noncompliance.

In a number of jurisdictions, courts have considered an organization’s commitment to compliance

through its compliance management system when determining the appropriate penalty to be imposed

for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this

document as a benchmark.

Organizations are increasingly convinced that by applying binding values and appropriate compliance

management, they can safeguard their integrity and avoid or minimize noncompliance with the

organization’s compliance obligations. Integrity and effective compliance are therefore key elements

of good and diligent management. Compliance also contributes to the socially responsible behaviour of

organizations.

One of the objectives of this document is to assist organizations to develop and spread a positive culture

of compliance, considering that an effective and sound management of compliance-related risks should

be regarded as an opportunity to pursue and take, due to the several benefits that it provides to the

organization.

This document specifies requirements as well as provides guidance on compliance management systems

and recommended practices. Both the requirements and the guidance in this document are intended to

be adaptable, and the implementation of this can differ depending on the size and level of maturity of

an organization’s compliance management system and on the context, nature and complexity of the

organization’s activities and objectives.

This document is suitable to enhance the compliance-related requirements in other management

systems and to assist an organization in improving the overall management of all its compliance

obligations.
vi © ISO 2020 – All rights reserved
---------------------- Page: 8 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
Figure 1 —
© ISO 2020 – All rights reserved vii
---------------------- Page: 9 ----------------------
oSIST ISO/DIS 37301:2021
---------------------- Page: 10 ----------------------
oSIST ISO/DIS 37301:2021
DRAFT INTERNATIONAL STANDARD ISO/DIS 37301:2020(E)
Compliance management systems — Requirements with
guidance for use
1 Scope

This document specifies requirements and provides guidelines for establishing, developing,

implementing, evaluating, maintaining and improving an effective compliance management system

within an organization.

This document is applicable to all types of organizations regardless of the type, size and nature of the

activity, as well as whether the organization is from the public, private or non-profit sector.

All requirements specified in this document which refer to a governing body apply to top management

in cases where an organization does not have a governing body as a separate function.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
organization

person or group of people that has its own functions with responsibilities, authorities and relationships

to achieve its objectives (3.8)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,

enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated

or not, public or private.
3.2
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision

or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and

interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information.

© ISO 2020 – All rights reserved 1
---------------------- Page: 11 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
3.4
management system

set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and

objectives (3.8) and processes (3.12) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning

and operation.

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and

identified functions of the organization, specific and identified sections of the organization, or one or more

functions across a group of organizations.
3.5
top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the

organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top

management refers to those who direct and control that part of the organization.

Note 3 to entry: For the purposes of this document, the term "top management" refers to the highest level of

executive management.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy

intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)

and/or its governing body (3.22)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and

environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and

process (3.12).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an

operational criterion, as a compliance objective, or by the use of other words with similar meaning (e.g. aim, goal,

or target).

Note 4 to entry: In the context of compliance management systems, compliance objectives are set by the

organization, consistent with the compliance policy, to achieve specific results.

3.9
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or

knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and

“consequences” (as defined in ISO Guide 73), or a combination of these.
2 © ISO 2020 – All rights reserved
---------------------- Page: 12 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including

changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information

information required to be controlled and maintained by an organization (3.1) and the medium on

which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.12);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.12
process

set of interrelated or interacting activities which transforms inputs into outputs

3.13
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to managing activities, processes (3.12), products (including services),

systems or organizations (3.1)
3.14
outsource (verb)

make an arrangement where an external organization (3.1) performs part of an organization’s function

or process (3.11)

Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the

outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.

3.16
measurement
process (3.12) to determine a value
3.17
audit

systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it

objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),

and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
© ISO 2020 – All rights reserved 3
---------------------- Page: 13 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)

Note 4 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being

audited or freedom from bias and conflict of interest.
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.28).
3.20
corrective action

action to eliminate the cause(s) of a nonconformity (3.19) or a noncompliance (3.28) and to prevent

recurrence
3.21
continual improvement
recurring activity to enhance performance (3.13)
3.22
governing body

person or group of persons that has the ultimate responsibility and authority for an organization's

(3.1) activities, governance and policies and to which top management (3.5) reports and by which top

management is held accountable

Note 1 to entry: Not all organizations, particularly small organizations, will have a governing body separate from

top management.

Note 2 to entry: A governing body can include, but is not limited to, board of directors, committees of the board,

supervisory board, or trustees.
3.23
personnel

individuals in a relationship recognized as work relationship in national law or practice, or in any

contractual relationship which depends on its activity from the organization (3.1)

3.24
compliance function

person or group of persons with responsibility and authority for the operation of the compliance (3.27)

management system (3.4)

Note 1 to entry: Preferably one individual will be assigned to the oversight of compliance management system.

3.25
compliance risk

likelihood of occurrence and the consequences of noncompliance (3.17) with the organization’s

compliance obligations (3.26)
3.26
compliance obligation

requirements (3.3) that an organization (3.1) mandatorily has to comply with as well as those that an

organization (3.1) voluntarily chooses to comply with
3.27
compliance
the outcome of meeting all the organization’s compliance obligations (3.26)
4 © ISO 2020 – All rights reserved
---------------------- Page: 14 ----------------------
oSIST ISO/DIS 37301:2021
ISO/DIS 37301:2020(E)
3.28
noncompliance
non-fulfilment of a compliance obligation (3.26)
3.29
compliance culture

values, ethics and beliefs that exist throughout an organization (3.1) and interact with the organization’s

structures and control systems to produce behavioural norms that are c
...

PROJET DE NORME INTERNATIONALE
ISO/DIS 37301
ISO/TC 309 Secrétariat: BSI
Début de vote: Vote clos le:
2020-03-13 2020-06-05
Systèmes de management de la conformité — Exigences et
recommandations pour la mise en oeuvre
Compliance management systems — Requirements with guidance for use
ICS: 03.100.01; 03.100.02; 03.100.70
CE DOCUMENT EST UN PROJET DIFFUSÉ POUR
OBSERVATIONS ET APPROBATION. IL EST DONC
SUSCEPTIBLE DE MODIFICATION ET NE PEUT
ÊTRE CITÉ COMME NORME INTERNATIONALE
AVANT SA PUBLICATION EN TANT QUE TELLE.
OUTRE LE FAIT D’ÊTRE EXAMINÉS POUR
ÉTABLIR S’ILS SONT ACCEPTABLES À DES
FINS INDUSTRIELLES, TECHNOLOGIQUES ET
COMMERCIALES, AINSI QUE DU POINT DE VUE

Le présent document est distribué tel qu’il est parvenu du secrétariat du comité.

DES UTILISATEURS, LES PROJETS DE NORMES
INTERNATIONALES DOIVENT PARFOIS ÊTRE
CONSIDÉRÉS DU POINT DE VUE DE LEUR
POSSIBILITÉ DE DEVENIR DES NORMES
POUVANT SERVIR DE RÉFÉRENCE DANS LA
RÉGLEMENTATION NATIONALE.
Numéro de référence
LES DESTINATAIRES DU PRÉSENT PROJET
ISO/DIS 37301:2020(F)
SONT INVITÉS À PRÉSENTER, AVEC LEURS
OBSERVATIONS, NOTIFICATION DES DROITS
DE PROPRIÉTÉ DONT ILS AURAIENT
ÉVENTUELLEMENT CONNAISSANCE ET À
FOURNIR UNE DOCUMENTATION EXPLICATIVE. ISO 2020
---------------------- Page: 1 ----------------------
ISO/DIS 37301:2020(F)
ISO/DIS 37301:2020(F)
Sommaire ƒ‰‡

Avant-propos .............................................................................................................................................................. v

Introduction .............................................................................................................................................................. vi

1 Domaine d’application .............................................................................................................................. 1

2 Références normatives .............................................................................................................................. 1

3 Termes et définitions ................................................................................................................................. 1

4 Contexte de l’organisme ............................................................................................................................ 6

4.1 Connaissance de l’organisme et contexte ............................................................................................ 6

4.2 Compréhension des besoins et des attentes des parties intéressées ......................................... 6

4.3 Détermination du périmètre d’application du système de management de la conformité . 7

4.4 Système de management de la conformité.......................................................................................... 7

5 Leadership..................................................................................................................................................... 7

5.1 Leadership et engagement ....................................................................................................................... 7

5.1.1 Organe de gouvernance et direction ..................................................................................................... 7

5.1.2 Culture de la conformité ........................................................................................................................... 8

5.1.3 Gouvernance relative à la conformité .................................................................................................. 8

5.2 Politique ......................................................................................................................................................... 9

5.3 Rôles, responsabilités et autorités ........................................................................................................ 9

5.3.1 Organe de gouvernance et direction ..................................................................................................... 9

5.3.2 Fonction en charge de la conformité .................................................................................................. 10

5.3.3 Encadrement ............................................................................................................................................. 11

5.3.4 Personnel .................................................................................................................................................... 12

6 Planification ............................................................................................................................................... 12

6.1 Actions à mettre en œuvre face aux risques et opportunités ..................................................... 12

6.2 Objectifs de conformité et planification des actions pour les atteindre ................................. 13

6.3 Obligations de conformité ..................................................................................................................... 13

6.4 Évaluation des risques liés à la conformité ...................................................................................... 13

7 Support ........................................................................................................................................................ 14

7.1 Ressources ................................................................................................................................................. 14

7.2 Compétences.............................................................................................................................................. 14

7.2.1 Généralités ................................................................................................................................................. 14

7.2.2 Processus relatif à l’emploi ................................................................................................................... 14

7.2.3 Formation ................................................................................................................................................... 15

7.3 Sensibilisation ........................................................................................................................................... 15

7.4 Communication ......................................................................................................................................... 15

7.5 Informations documentées ................................................................................................................... 16

7.5.1 Généralités ................................................................................................................................................. 16

7.5.2 Création et mise à jour des informations documentées............................................................... 17

7.5.3 Maîtrise des informations documentées .......................................................................................... 17

DOCUMENT PROTÉGÉ PAR COPYRIGHT

8 Réalisation des activités opérationnelles ......................................................................................... 17

© ISO 2020

8.1 Planification et maîtrise opérationnelles ......................................................................................... 17

Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en oeuvre, aucune partie de cette

8.2 Établissement des contrôles et des procédures ............................................................................. 18

publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,

8.3 Signalement des inquiétudes ............................................................................................................... 18

y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut

être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.

8.4 Processus d’enquête ................................................................................................................................ 18

ISO copyright office

9 Évaluation des performances ............................................................................................................... 19

Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva

9.1 Surveillance, mesure, analyse et évaluation .................................................................................... 19

Tél.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Website: www.iso.org
̹ ʹͲʹͲ–‘—•†”‘‹–•”±•‡”˜±• ‹‹‹
Publié en Suisse
ii © ISO 2020 – Tous droits réservés
---------------------- Page: 2 ----------------------
ISO/DIS 37301:2020(F)
Sommaire Page

Avant-propos .............................................................................................................................................................. v

Introduction .............................................................................................................................................................. vi

1 Domaine d’application .............................................................................................................................. 1

2 Références normatives .............................................................................................................................. 1

3 Termes et définitions ................................................................................................................................. 1

4 Contexte de l’organisme ............................................................................................................................ 6

4.1 Connaissance de l’organisme et contexte ............................................................................................ 6

4.2 Compréhension des besoins et des attentes des parties intéressées ......................................... 6

4.3 Détermination du périmètre d’application du système de management de la conformité . 7

4.4 Système de management de la conformité.......................................................................................... 7

5 Leadership..................................................................................................................................................... 7

5.1 Leadership et engagement ....................................................................................................................... 7

5.1.1 Organe de gouvernance et direction ..................................................................................................... 7

5.1.2 Culture de la conformité ........................................................................................................................... 8

5.1.3 Gouvernance relative à la conformité .................................................................................................. 8

5.2 Politique ......................................................................................................................................................... 9

5.3 Rôles, responsabilités et autorités ........................................................................................................ 9

5.3.1 Organe de gouvernance et direction ..................................................................................................... 9

5.3.2 Fonction en charge de la conformité .................................................................................................. 10

5.3.3 Encadrement ............................................................................................................................................. 11

5.3.4 Personnel .................................................................................................................................................... 12

6 Planification ............................................................................................................................................... 12

6.1 Actions à mettre en œuvre face aux risques et opportunités ..................................................... 12

6.2 Objectifs de conformité et planification des actions pour les atteindre ................................. 13

6.3 Obligations de conformité ..................................................................................................................... 13

6.4 Évaluation des risques liés à la conformité ...................................................................................... 13

7 Support ........................................................................................................................................................ 14

7.1 Ressources ................................................................................................................................................. 14

7.2 Compétences.............................................................................................................................................. 14

7.2.1 Généralités ................................................................................................................................................. 14

7.2.2 Processus relatif à l’emploi ................................................................................................................... 14

7.2.3 Formation ................................................................................................................................................... 15

7.3 Sensibilisation ........................................................................................................................................... 15

7.4 Communication ......................................................................................................................................... 15

7.5 Informations documentées ................................................................................................................... 16

7.5.1 Généralités ................................................................................................................................................. 16

7.5.2 Création et mise à jour des informations documentées............................................................... 17

7.5.3 Maîtrise des informations documentées .......................................................................................... 17

8 Réalisation des activités opérationnelles ......................................................................................... 17

8.1 Planification et maîtrise opérationnelles ......................................................................................... 17

8.2 Établissement des contrôles et des procédures ............................................................................. 18

8.3 Signalement des inquiétudes ............................................................................................................... 18

8.4 Processus d’enquête ................................................................................................................................ 18

9 Évaluation des performances ............................................................................................................... 19

9.1 Surveillance, mesure, analyse et évaluation .................................................................................... 19

© ISO 2020 – Tous droits réservés
iii
---------------------- Page: 3 ----------------------
ISO/DIS 37301:2020(F)

9.1.1 Généralités ................................................................................................................................................. 19

9.1.2 Sources de retour d’informations sur les performances de conformité ................................. 19

9.1.3 Mise en place des indicateurs ............................................................................................................... 19

9.1.4 Communication d’informations sur la conformité ........................................................................ 19

9.1.5 Conservation des enregistrements ..................................................................................................... 20

9.2 Audit interne ............................................................................................................................................. 20

9.3 Revue de direction ................................................................................................................................... 21

10 Amélioration .............................................................................................................................................. 22

10.1 Non-conformité aux exigences, état de non-conformité et actions correctives .................... 22

10.2 Amélioration continue ............................................................................................................................ 22

(informative) Recommandations relatives à l’utilisation du présent document ............. 23

Bibliographie ........................................................................................................................................................... 47

© ISO 2020 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/DIS 37301:2020(F)
Avant-propos

L’ISO (Organisation internationale de normalisation) est une fédération mondiale d’organismes

nationaux de normalisation (comités membres de l’ISO). L’élaboration des Normes internationales est en

général confiée aux comités techniques de l’ISO. Chaque comité membre intéressé par une étude a le droit

de faire partie du comité technique créé à cet effet. Les organisations internationales, gouvernementales

et non gouvernementales, en liaison avec l’ISO participent également aux travaux. L’ISO collabore

étroitement avec la Commission électrotechnique internationale (IEC) en ce qui concerne la

normalisation électrotechnique.

Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont

décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier de prendre note des différents

critères d’approbation requis pour les différents types de documents ISO. Le présent document a été

rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2

(voir www.iso.org/directives).

L’attention est attirée sur le fait que certains des éléments du présent document peuvent faire l’objet de

droits de propriété intellectuelle ou de droits analogues. L’ISO ne saurait être tenue pour responsable de

ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant les

références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de l’élaboration

du document sont indiqués dans l’Introduction et/ou dans la liste des déclarations de brevets reçues par

l’ISO (voir www.iso.org/brevets).

Les appellations commerciales éventuellement mentionnées dans le présent document sont données

pour information, par souci de commodité, à l’intention des utilisateurs et ne sauraient constituer un

engagement.

Pour une explication de la nature volontaire des normes, la signification des termes et expressions

spécifiques de l’ISO liés à l’évaluation de la conformité, ou pour toute information au sujet de l’adhésion

de l’ISO aux principes de l’Organisation mondiale du commerce (OMC) concernant les obstacles

techniques au commerce (OTC), voir le lien suivant : www.iso.org/iso/fr/avant-propos.

Le présent document a été élaboré par le comité technique ISO/TC 309, Gouvernance des organisations.

Il convient que l’utilisateur adresse tout retour d’information ou toute question concernant le présent

document à l’organisme national de normalisation de son pays. Une liste exhaustive desdits organismes

se trouve à l’adresse www.iso.org/fr/members.html.
Le présent document annule et remplace l’ISO 19600:2014-10.

Dans la présente Norme internationale, les formes verbales suivantes sont utilisées :

⎯ « doit » indique une exigence ;
⎯ « il convient de/que » indique une recommandation ;
⎯ « peut/il est admis » (« may » en anglais) indique une autorisation ;

⎯ « peut/il est possible » (« can » en anglais) indique une possibilité ou une capacité.

Les informations sous forme de « NOTE » sont fournies pour clarifier l’exigence associée ou en faciliter la

compréhension.
© ISO 2020 – Tous droits réservés
---------------------- Page: 5 ----------------------
ISO/DIS 37301:2020(F)
Introduction

Les organismes qui aspirent à garantir leur réussite sur le long terme doivent établir et entretenir une

culture d’intégrité et de conformité, en prenant en compte les besoins et attentes des parties intéressées.

L’intégrité et la conformité ne constituent donc pas seulement un prérequis, mais également une

opportunité pour un organisme qui souhaite se développer de façon durable.

La conformité est un processus continu et le résultat d’un organisme qui respecte ses obligations. La

pérennité de la conformité est assurée par son intégration à la culture de l’organisme ainsi que dans le

comportement et la conduite des personnes qui travaillent en son sein. Tout en gardant son

indépendance, il est préférable que le management de la conformité soit intégré aux autres processus de

management de l’organisme ainsi qu’à ses exigences et procédures opérationnelles.

Un système de management de la conformité efficace, à l’échelle d’un organisme dans son ensemble,

permet à ce dernier de démontrer son engagement vis-à-vis du respect de la législation en vigueur,

y compris les exigences légales, les codes industriels et les normes organisationnelles, ainsi que les

standards de bonne gouvernance d’entreprise, les meilleures pratiques, l’éthique et les attentes des

parties intéressées.

L’approche de la conformité d’un organisme est orientée par une direction qui applique ses valeurs

fondamentales et les normes communément admises de gouvernance d’entreprise, d’éthique et

communautaires. Intégrer la conformité dans le comportement des personnes qui travaillent pour un

organisme dépend avant tout d’une direction et d’une exemplarité à tous les niveaux et de valeurs claires

pour cet organisme, ainsi que de la reconnaissance et de la mise en œuvre de mesures pour promouvoir

une attitude de conformité. Si cela n’est pas le cas à tous les niveaux d’un organisme, un risque de

non-conformité existe.

Dans plusieurs juridictions, pour déterminer la sanction appropriée à imposer en cas de non-respect des

lois en vigueur, les tribunaux ont pris en compte l’engagement de l’organisme pour la conformité soutenu

par son système de management de la conformité. Par conséquent, les régulateurs et les instances

judiciaires peuvent également tirer parti du présent document comme référence.

Les organismes sont de plus en plus convaincus du fait que l’application de valeurs engageantes et un

management approprié de la conformité leur permettront de préserver leur intégrité et d’éviter ou de

réduire les risques de non-respect des obligations de conformité de l’organisme. L’intégrité et l’effectivité

de la conformité sont donc des éléments clés pour un management avisé. La conformité contribue

également au comportement socialement responsable des organismes.

L’un des objectifs du présent document est d’assister les organismes dans l’élaboration et la diffusion

d’une culture positive de la conformité, en considérant qu’il convient qu’un management efficace et sain

des risques liés à la conformité soit perçu comme étant une opportunité à saisir en raison des divers

bienfaits qu’il procure à l’organisme.

Le présent document spécifie des exigences et fournit des recommandations relatives aux systèmes de

management de la conformité et aux pratiques recommandées. Les exigences et les recommandations

fournies dans le présent document se veulent flexibles et leur mise en œuvre peut être différente selon

la taille et le niveau de maturité du système de management de la conformité d’un organisme et selon le

contexte, la nature et la complexité des activités de l’organisme et de ses objectifs.

Le présent document est à même d’améliorer les exigences liées à la conformité dans d’autres systèmes

de management et d’aider un organisme à améliorer le management dans son ensemble de toutes ses

obligations de conformité.
© ISO 2020 – Tous droits réservés
---------------------- Page: 6 ----------------------
ISO/DIS 37301:2020(F)
Figure 1
© ISO 2020 – Tous droits réservés
vii
---------------------- Page: 7 ----------------------
PROJET DE NORME INTERNATIONALE ISO/DIS 37301:2020(F)
Systèmes de management de la conformité — Exigences et
recommandations pour la mise en œuvre
1 Domaine d’application

Le présent document spécifie des exigences et fournit un cadre directeur pour l’établissement, le

développement, la mise en œuvre, l’évaluation, la tenue à jour et l’amélioration d’un système de

management de la conformité efficace au sein d’un organisme.

Le présent document s’applique à tous les types d’organismes, indépendamment du type, de la taille et de

la nature de ses activités, qu’il appartienne au secteur public, privé ou à but non lucratif.

L’ensemble des exigences spécifiées dans le présent document qui font référence à un organe de

gouvernance s’appliquent à la direction lorsque l’organe de gouvernance d’un organisme n’est pas distinct

de la direction.
2 Références normatives
Le présent document ne contient aucune référence normative.
3 Termes et définitions

Pour les besoins du présent document, les termes et définitions suivants s’appliquent.

L’ISO et l’IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en

normalisation, consultables aux adresses suivantes :

⎯ ISO Online browsing platform : disponible à l’adresse https://www.iso.org/obp ;

⎯ IEC Electropedia : disponible à l’adresse http://www.electropedia.org/.
3.1
organisme

personne ou groupe de personnes ayant un rôle avec les responsabilités, l’autorité et les relations lui

permettant d’atteindre ses objectifs (3.8)

Note 1 à l’article : Le concept d’organisme englobe sans s’y limiter, les travailleurs indépendants, les compagnies, les

sociétés, les firmes, les entreprises, les administrations, les partenariats, les organisations caritatives ou les

institutions, ou bien une partie ou une combinaison des entités précédentes, à responsabilité limitée ou ayant un

autre statut, de droit public ou privé.
3.2
partie intéressée (terme préféré)
partie prenante (terme admis)

personne ou organisme (3.1) qui peut soit influer sur une décision ou une activité, soit être influencé(e) ou

s’estimer influencé(e) par une décision ou une activité
© ISO 2020 – Tous droits réservés
---------------------- Page: 8 ----------------------
ISO/DIS 37301:2020(F)
3.3
exigence
besoin ou attente qui sont formulés, généralement implicites ou obligatoires

Note 1 à l’article : « Généralement implicite » signifie qu’il est habituel ou de pratique commune pour l’organisme et

les parties intéressées que le besoin ou l’attente à prendre en considération soit implicite.

Note 2 à l’article : Une exigence spécifiée est une exigence formulée, par exemple une information documentée.

3.4
système de management

ensemble d’éléments corrélés ou en interaction d’un organisme (3.1), utilisés pour établir des

politiques (3.7) et des objectifs (3.8), et des processus (3.12) de façon à atteindre lesdits objectifs

Note 1 à l’article : Un système de management peut traiter d’un seul ou de plusieurs domaines.

Note 2 à l’article : Les éléments du système comprennent la structure, les rôles et responsabilités, la planification et

le fonctionnement de l’organisme.

Note 3 à l’article : Le périmètre d’un système de management peut comprendre l’ensemble de l’organisme, des

fonctions ou des sections spécifiques et identifiées de l’organisme, ou une ou plusieurs fonctions dans un groupe

d’organismes.
3.5
direction

personne ou groupe de personnes qui oriente et dirige un organisme (3.1) au plus haut niveau

Note 1 à l’article : La direction a le pouvoir de déléguer son autorité et de fournir des ressources au sein de

l’organisme.

Note 2 à l’article : Si le périmètre du système de management (3.4) ne couvre qu’une partie de l’organisme, alors la

direction s’adresse à ceux qui gouvernent et contrôlent cette partie de l’organisme.

Note 3 à l’article : Pour les besoins du présent document, le terme « direction » fait référence au plus haut niveau de

direction exécutive.
3.6
efficacité

niveau de réalisation des activités planifiées et d’obtention des résultats escomptés

3.7
politique

intentions et orientations d’un organisme (3.1), telles qu’elles sont officiellement formulées par sa

direction (3.5) et/ou son organe de gouvernance (3.22)
3.8
objectif
résultat à atteindre

Note 1 à l’article : Un objectif peut être stratégique, tactique ou opérationnel.

Note 2 à l’article : Les objectifs peuvent se rapporter à différents domaines (tels que finance, santé, sécurité, et

environnement) et peuvent s’appliquer à divers niveaux [au niveau stratégique, à un niveau concernant l’organisme

dans son ensemble ou afférant à un projet, un produit ou un processus (3.12), par exemple].

© ISO 2020 – Tous droits réservés
---------------------- Page: 9 ----------------------
ISO/DIS 37301:2020(F)
Note 3 à l’article : Un objectif peut être expr
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.