Fraud control management systems — Guidance for organizations managing the risk of fraud

This document provides guidance for organizations for the development, implementation and maintenance of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of fraud and effective response to fraud events that have occurred or can occur in the future.
The document provides guidance for managing the risk of fraud, including:
a) internal fraud against the organization;
b) external fraud against the organization;
c) internal fraud in collaboration with business associates or other third parties;
d) external fraud in collaboration with the organization’s personnel;
e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the organization.
This document is applicable to all organizations, regardless of type, size, nature of activity and whether in the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing, detecting or responding to what is generally termed "consumer fraud".


General Information

Status: Published
Public Enquiry End Date: 01-Apr-2024
Publication Date: 09-Jun-2025
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 02-Jun-2025
Due Date: 07-Aug-2025
Completion Date: 10-Jun-2025

Buy Documents

Standard: SIST ISO 37003:2025, English language (54 pages).
Standard: ISO 37003:2025 - Fraud control management systems — Guidance for organizations managing the risk of fraud, released 29.05.2025, English language (45 pages).
Standard: ISO 37003:2025 - Systèmes de management anti-fraude — Recommandations pour les organismes gérant le risque de fraude, release date 17-Jun-2026, French language (47 pages).

Overview

SIST ISO 37003:2025 - Fraud control management systems - Guidance for organizations managing the risk of fraud - provides practical guidance for developing, implementing and maintaining an effective fraud control management system (FCMS). It covers fraud prevention, early detection and effective response to fraud events, and addresses fraud committed:

  • internally and externally,
  • in collaboration with business associates or third parties,
  • by persons acting on behalf of the organization.

It is not intended for consumer fraud prevention. SIST ISO 37003:2025 applies to all organizations regardless of size, sector or legal form.

Key topics and technical requirements

The standard follows a management-system approach and addresses essential FCMS components:

  • Context of the organization - understanding internal/external factors and interested parties; defining FCMS scope and interfaces with other risk functions.
  • Fraud risk assessment - identifying, analyzing and prioritizing fraud risks (internal, external, third‑party and collusive fraud).
  • Leadership and governance - roles for governing bodies, top management commitment, fraud control policy and delegated decision‑making.
  • Fraud control function - establishment of an accountable function and integration with information security and internal audit.
  • Planning and objectives - setting measurable fraud control objectives and actions to address risks and opportunities.
  • Support and competence - allocating resources, competency requirements, employment processes, awareness and training for personnel and business associates.
  • Communication and documented information - promoting the FCMS, record keeping and confidentiality controls.
  • Operations - operational planning, fraud prevention measures (including integrity frameworks and conflict‑of‑interest management), detection, response and continual improvement.

Practical applications - who uses ISO 37003

ISO 37003 is a practical guide for:

  • Risk managers, compliance and fraud officers building or maturing an FCMS.
  • Internal audit, legal, HR and security teams aligning policies, investigation and response processes.
  • Boards and senior management seeking governance, oversight and assurance over fraud risk.
  • Consultants and service providers designing controls, training and fraud detection programs.
  • Organizations that need to integrate fraud control with existing management systems (e.g., information security or enterprise risk).

Benefits include clearer governance, improved early detection, reduced financial and reputational loss, and stronger third‑party controls.

Related standards

ISO 37003 complements established frameworks and management standards such as:

  • ISO 37001 (Anti‑bribery management systems),
  • ISO 31000 (Risk management),
  • ISO 27001 (Information security management).

Organizations commonly use ISO 37003 together with these standards to build an integrated approach to integrity, risk and security.



Frequently Asked Questions

SIST ISO 37003:2025 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Fraud control management systems — Guidance for organizations managing the risk of fraud". Its scope is the one given in the abstract at the top of this page.

SIST ISO 37003:2025 is classified under the following ICS (International Classification for Standards) categories: 03.100.01 - Company organization and management in general; 03.100.02 - Governance and ethics; 03.100.70 - Management systems. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST ISO 37003:2025 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


SLOVENIAN STANDARD
01-July-2025
Fraud control management systems — Guidance for organizations managing the risk of fraud
This Slovenian standard is identical to: ISO 37003:2025
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
03.100.70 Management systems
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

International Standard ISO 37003, First edition, 2025-05
Fraud control management systems — Guidance for organizations managing the risk of fraud
Systèmes de management du contrôle de la fraude — Lignes directrices destinées aux organisations gérant le risque de fraude
Reference number
All rights reserved.
ISO publications, in their entirety or in fragments, are owned by ISO. They are licensed, not sold, and are subject to the
terms and conditions set forth in the ISO End Customer License Agreement, the License Agreement of the relevant ISO
member body, or those of authorized third-party distributors.
Unless otherwise specified or required for its implementation, no part of this ISO publication may be reproduced,
distributed, modified, or used in any form or by any means, electronic or mechanical, including photocopying, scanning,
recording, or posting on any intranet, internet, or other digital platforms, without the prior written permission of ISO,
the relevant ISO member body or an authorized third-party distributor.
This publication shall not be disclosed to third parties, and its use is strictly limited to the license type and purpose
specified in the applicable license grant. Unauthorized reproduction, distribution, or use beyond the granted license is
prohibited and may result in legal action.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Licensing and use terms
As stated above, ISO documents, as well as any updates and/or corrections, and any intellectual property or
other rights pertaining thereto, are owned by ISO. ISO documents are licensed, not sold. This document does
not in any way operate to assign or transfer any intellectual property rights from ISO to the user. ISO
documents are protected by copyright law, database law, trademark law, unfair competition law, trade secrecy
law, and any other applicable law. Users acknowledge and agree to respect ISO’s intellectual property rights
in the ISO documents.
The use of ISO documents is subject to the terms and conditions of the applicable licence agreement.
ISO documents are provided under different licensing agreement types (“Licence Type”) allowing a non-
exclusive, non-transferable, limited, revocable right to use/access the ISO documents for one or more of the
purposes described below (“Purpose”), which may be internal or external in scope. The applicable Purpose(s)
must be agreed in the purchase order and/or in the applicable licence agreement.
a) Licence Type:
1) Single registered end-user licence (watermarked in the user’s name) for the specified Purpose. Under
this license, the user cannot share the ISO document with a third party, including on a network.
2) Network licence for the specified Purpose. The network licence can be assigned to either unnamed
concurrent end-users or named concurrent end-users within the same organization.
b) Purpose:
1) Internal Purpose. Internal use only within the user’s organization, including but not limited to own
implementation (“Internal Purpose”).
The scope of permitted internal use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable internal use rights (such as for internal
meetings, internal training programmes, preparation of certification services, for integration or
illustration in internal manuals, internal training materials, and internal guidance documents). Each
internal use must be explicitly specified in the purchase order and/or in the applicable licence
agreement, and specific fees and requirements apply to each permitted use.
2) External Purpose. External use, including but not limited to:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services;
— conformity assessment scheme development and implementation;
— training services;
— education;
— research;
— software development and other digital platform or software-enabled digital services;
— any other services or activities conducted by the user or the user’s organization to third parties,
whether for commercial or non-commercial purposes (“External Purpose”).
The scope of permitted external use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable external use rights (e.g. in publications,
products, or services marketed and sold by the user/the user’s organization). Each external use must
be explicitly specified in the purchase order and/or in the applicable licence agreement, and specific
fees and requirements apply to each permitted use.
Unless users have been granted use rights according to the above provisions, they are not granted the right to
share or sublicense ISO documents inside or outside their organization for either Purpose. If users wish to
obtain additional use rights for ISO documents or their content, users can contact ISO or the ISO member body
in their country to explore possible options.
If the user or the user’s organization is granted a licence for the External Purpose of providing any of the
following services to third parties:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services,
and if any of these five (5) services reference, rely upon, incorporate, or otherwise make use of any aspect,
requirement, provision, or any other information of any ISO document, the user or the user’s organization
agrees to verify that the third party receiving such services has obtained from the ISO member body in their
country, any other ISO member body, ISO or an authorized third-party distributor, a valid licence for its own
implementation of such ISO document or other use related to such services. This verification obligation must
be included in the applicable licence agreement obtained by the user or the user’s organization.
ISO documents must not be disclosed to third parties, and users must use them solely for the purpose specified
in the purchase order and/or applicable licensing agreement. Unauthorized disclosure or use of ISO
documents beyond the licensed purpose is prohibited and can result in legal action.
Use restrictions
Except as provided for in the applicable licence agreement and subject to a separate licence by ISO, the ISO
member body in the user’s country, any other ISO member body or an authorized third-party distributor, users
are not granted the right to:
— use ISO documents for any purpose other than the Purpose;
— grant use or access rights to ISO documents beyond the Licence Type;
— disclose ISO documents beyond the intended Purpose and/or Licence Type;
— sell, lend, lease, reproduce, distribute, import/export or otherwise commercially exploit ISO documents.
In the case of documents that are joint publications (such as ISO/IEC documents), this clause applies to
the respective joint copyright ownership;
— assign or otherwise transfer ownership of ISO documents, in whole or in part, to any third party.
Regardless of the Licence Type or Purpose for which users are granted access and use rights for ISO
documents, users are not permitted to access or use any ISO documents, in whole or in part, for any machine
learning and/or artificial intelligence and/or similar purposes, including but not limited to accessing or using
them
a) as training data for large language or similar models, or
b) for prompting or otherwise enabling artificial intelligence or similar tools to generate responses.
Such use is only permitted if expressly authorized through a specific licence agreement by the ISO member
body in the requester’s country, another ISO member body, or ISO. Requests for such authorization are
considered on a case-by-case basis to ensure compliance with intellectual property rights. Specifically, it is not
possible to claim the benefit of copyright exception of Article 4 of the Directive (EU) 2019/790 of the European
Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market, for
the purpose of text and data mining on ISO documents, as ISO hereby opts out of this exception.
If ISO, or the ISO member body in the user’s country, has reasonable doubt that users are not compliant with
these terms, it can request in writing to perform an audit, or have an audit performed by a third-party auditor,
during business hours at the user’s premises or via remote access.
Contents (Page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Context of the organization ... 8
4.1 Understanding the organization and its context ... 8
4.2 Understanding the needs and expectations of interested parties ... 8
4.3 Determining the scope of the fraud control management system (FCMS) ... 9
4.4 Fraud control management system (FCMS) ... 9
4.5 Fraud risk assessment ... 9
4.5.1 General ... 9
4.5.2 Collaboration with other risk management functions ... 10
5 Leadership ... 10
5.1 Leadership and commitment ... 10
5.1.1 Governing body ... 10
5.1.2 Top management ... 10
5.2 Fraud control policy ... 11
5.3 Roles, responsibilities and authorities ... 11
5.3.1 General ... 11
5.3.2 Delegated decision-making to managers and organizational functions ... 11
5.3.3 Fraud control function ... 11
5.3.4 Information security management system function ... 12
5.3.5 Internal audit function ... 12
6 Planning ... 13
6.1 Actions to address risks and opportunities ... 13
6.1.1 General ... 13
6.2 Fraud control objectives and planning to achieve them ... 13
6.3 Planning of changes ... 14
7 Support ... 14
7.1 Resources ... 14
7.1.1 General ... 14
7.1.2 Information security management system function ... 14
7.2 Competence ... 14
7.2.1 General ... 14
7.2.2 Employment process ... 15
7.3 Awareness ... 15
7.3.1 Awareness of personnel ... 15
7.3.2 Training for personnel ... 16
7.3.3 Training for business associates ... 16
7.3.4 Awareness and training programmes ... 16
7.4 Communication ... 17
7.4.1 General ... 17
7.4.2 Promoting the FCMS ... 17
7.5 Documented information ... 17
7.5.1 General ... 17
7.5.2 Creating and updating documented information ... 18
7.5.3 Control of documented information ... 18
7.5.4 Record keeping and confidentiality of information ... 18
8 Operation ... 19
8.1 Operational planning and control ... 19
8.2 Preventing fraud ... 20
8.2.1 General ... 20
8.2.2 Developing and promoting an effective integrity framework ... 20
8.2.3 Managing conflicts of interest ... 21
8.2.4 Internal controls and the internal control environment ... 21
8.2.5 Pressure testing the internal control system ... 22
8.2.6 Managing performance-based targets ... 22
8.2.7 Personnel screening ... 23
8.2.8 Screening and management of business associates ... 23
8.2.9 Preventing technology-enabled fraud ... 24
8.2.10 Physical security and asset management ... 25
8.3 Detecting fraud ... 25
8.3.1 General ... 25
8.3.2 Post-transactional review ... 25
8.3.3 Analysis of management accounting reports ... 25
8.3.4 Identification of early warning indicators ... 26
8.3.5 Data analytics ... 26
8.3.6 Fraud reporting ... 27
8.3.7 Artificial intelligence systems ... 27
8.3.8 Complaint management ... 28
8.3.9 Exit interviews ... 28
8.4 Responding to fraud events ... 28
8.4.1 General ... 28
8.4.2 Immediate actions in response to discovery of fraud ... 28
8.4.3 Digital evidence first response ... 29
8.4.4 Investigation of a detected fraud event ... 29
8.4.5 Consideration of grievances ... 29
8.4.6 Disciplinary procedures ... 29
8.4.7 Separation of investigation and decision-making processes ... 29
8.4.8 Crisis management following discovery of a fraud event ... 29
8.4.9 Internal reporting and escalation ... 30
8.4.10 Fraud event register ... 30
8.4.11 Analysis and reporting of fraud events ... 30
8.4.12 External reporting ... 31
8.4.13 Recovery of stolen funds or property ... 31
8.4.14 Responding to fraud events involving business associates ... 32
8.4.15 Insuring against fraud events ... 32
8.4.16 Assessing internal controls, systems and processes post-detection of a fraud event ... 32
8.4.17 Impact of fraud on other interested parties ... 33
8.4.18 Disruption of fraud ... 33
9 Performance evaluation ... 34
9.1 Monitoring, measurement, analysis and evaluation ... 34
9.2 Internal audit ... 34
9.2.1 General ... 34
9.2.2 Internal audit programme ... 35
9.3 External audit ... 35
9.4 Management review ... 36
9.4.1 General ... 36
9.4.2 Management review inputs ... 36
9.4.3 Management review results ... 36
10 Improvement ... 36
10.1 Continual improvement ... 36
10.2 Nonconformity and corrective action ... 36
Annex A (informative) Examples of fraud risks impacting global entities ... 38
Annex B (informative) Models for fraud prevention — Guidance ... 41
Bibliography ... 45

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
http://www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at http://www.iso.org/members.html.

Introduction
Fraud is a risk for all organizations in the private, public or not-for-profit sectors. Fraud events can
significantly impact the financial position of the target organization and often have flow-on financial
consequences for global and local economies. Fraud can lead to serious legal and financial consequences as
well as enduring psychological and emotional harm for the individuals involved. For a summary of the types
of fraud commonly encountered by organizations, see Annex A.
The pervasiveness and increasing sophistication of information technology, the rapid uptake of electronic
payment systems by the general population and economic globalization have led to an increased incidence
of external fraudulent attack on organizations across all sectors.
Managing and controlling the risk of fraud should be considered by the leadership of all organizations.
NOTE For more information on fraud as it relates to governance, see ISO 37000:2021, 6.9.
This document includes guidance on:
a) creating and maintaining processes for fraud risk identification, assessment and monitoring;
b) mitigating internal and external fraud, including fraud against, and by, the organization;
c) detecting fraud against or by the organization based on its assessed fraud risk exposures;
d) effective response to fraud events in order to ensure that:
— damage to the organization's image can be minimized;
— its reputation can be restored and improved;
— funds lost due to fraud can be recovered;
e) ensuring continual improvement.
Following this guidance cannot provide assurance that fraud has not occurred or will not occur in the future
as it is not possible to eliminate the risk of fraud. However, it will help organizations to effectively manage
fraud risk and to respond appropriately to fraud events and avoid or reduce the compliance liability risk of
the organization.
Effective fraud control requires the organization to commit to prevention, detection and response initiatives
underpinned by leadership, planning and resourcing as summarised in Figure 1.

Figure 1 — Principles, structure and objectives of this document

International Standard ISO 37003:2025(en)
Fraud control management systems — Guidance for
organizations managing the risk of fraud
1 Scope
This document provides guidance for organizations for the development, implementation and maintenance
of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of
fraud and effective response to fraud events that have occurred or can occur in the future.
The document provides guidance for managing the risk of fraud, including:
a) internal fraud against the organization;
b) external fraud against the organization;
c) internal fraud in collaboration with business associates or other third parties;
d) external fraud in collaboration with the organization’s personnel;
e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the
organization.
This document is applicable to all organizations, regardless of type, size, nature of activity and whether in
the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing,
detecting or responding to what is generally termed "consumer fraud".
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
fraud
intentional dishonest act causing actual or potential gain or loss that creates social or economic harm
Note 1 to entry: Fraud also includes the deliberate falsification, concealment, destruction or use of falsified
documentation used or intended for use for a normal business purpose or the improper use of information or position
for personal financial benefit.
Note 2 to entry: Fraudulent conduct need not necessarily represent a breach of law.
Note 3 to entry: Fraud can involve fraudulent conduct by internal and/or external parties targeting the organization
(3.3) or fraudulent conduct by the organization itself targeting external parties.
Note 4 to entry: Fraud can include loss of moneys or other property by persons internal and external to the organization
and where deception is used at the time, immediately before or immediately following the activity.

Note 5 to entry: Fraud can be external or internal or both. External fraud is where no perpetrator is employed by
or has a close association with the target organization. Internal fraud is where at least one perpetrator is employed
by or has a close association with the target organization and has detailed internal knowledge of the organization’s
operations, systems and procedures.
3.2
fraud event
instance of fraud (3.1) against or by an organization (3.3)
3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives (3.14)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not,
public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger
entity that is within the scope of the fraud controlmanagement system (3.11).
3.4
target organization
organization (3.3) that is the object of a fraud event (3.2).
3.5
interested party
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or
activity
3.6
top management
person or group of people who directs and controls an organization (3.3) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.10) covers only part of an organization, then top management
refers to those who direct and control that part of the organization.
Note 3 to entry: Organizations can be organized depending on which legal framework they are obliged to operate under
and also according to their size, sector, etc. Some organizations have both a governing body (3.7) and top management
(3.6), while some organizations do not have responsibilities divided into several bodies. These variations, both in
respect of organization and responsibilities, can be considered when applying the requirements in Clause 5.
3.7
governing body
person or group of people who have ultimate accountability for the whole organization (3.3)
Note 1 to entry: A governing body can be explicitly established in a number of formats including, but not limited to, a
board of directors, supervisory board, sole director, joint and several directors, or trustees.
Note 2 to entry: ISO management system standards make reference to the term “top management” to describe a role
that, depending on the standard and organizational context, reports to, and is held accountable by, the governing body.
Note 3 to entry: Not all organizations, particularly small and medium organizations, will have a governing body
separate from top management. In such cases, top management exercises the role of the governing body.
[SOURCE: ISO 37000:2021, 3.3.4, modified — The Notes to entry were reordered: Note 2 to entry is now Note
1 to entry; Note 3 to entry is now Note 2 to entry; and Note 3 to entry was added.]

3.8
personnel
organization’s (3.3) directors, officers, employees, temporary staff or workers, and volunteers
Note 1 to entry: Different types of personnel pose different types and degrees of fraud risk (3.15) and can be treated
differently by the organization's fraud risk assessment and fraud risk management procedures.
[SOURCE: ISO 37001:2025, 3.24, modified — Note 1 has been amended and Note 2 to entry has been deleted]
3.9
business associate
external party with whom the organization (3.3) has, or plans to establish, some form of business relationship
Note 1 to entry: Business associate includes but is not limited to clients, customers, joint ventures, joint venture
partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors,
advisors, agents, distributors, representatives, intermediaries and investors. This definition is deliberately broad and
should be interpreted in line with the fraud risk (3.15) profile of the organization to apply to business associates which
can reasonably expose the organization to fraud risks.
Note 2 to entry: Different types of business associate pose different types and degrees of fraud risk, and an organization
will have differing degrees of ability to influence different types of business associate.
Note 3 to entry: Reference to “business” in this document can be interpreted broadly to mean those activities that are
relevant to the purposes of the organization’s existence.
[SOURCE: ISO 37001:2025, 3.26, modified]
3.10
management system
set of interrelated or interacting elements of an organization (3.3) to establish policies (3.12) and objectives
(3.14) as well as processes (3.18) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.11
fraud control management system (FCMS)
part of the overall management system (3.10) for controlling the risks of fraud (3.1) against or by an
organization (3.3)
3.12
policy
intentions and direction of an organization (3.3) as formally expressed by its top management (3.6)
3.13
conflict of interest
situation in which an interested party has personal interest or organizational interest, directly or indirectly,
that can compromise, or interfere with, the ability to act impartially in carrying out their duties in the best
interest of the organization (3.3)
Note 1 to entry: There can be different types of personal interests: business, financial, family, professional, religious
or political.
Note 2 to entry: Organizational interest relates to the interests of an organization or part of an organization (e.g. team
or department) rather than an individual.
1)
[SOURCE: ISO 37009:20— , 3.1.10]
1) Under preparation. Stage at the time of publication: ISO/DIS 37009:2024.

3.14
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or spec
...


International Standard
ISO 37003
First edition 2025-05
Fraud control management systems — Guidance for organizations managing the risk of fraud
Systèmes de management du contrôle de la fraude — Lignes directrices destinées aux organisations gérant le risque de fraude
Reference number
All rights reserved.
ISO publications, in their entirety or in fragments, are owned by ISO. They are licensed, not sold, and are subject to the
terms and conditions set forth in the ISO End Customer License Agreement, the License Agreement of the relevant ISO
member body, or those of authorized third-party distributors.
Unless otherwise specified or required for its implementation, no part of this ISO publication may be reproduced,
distributed, modified, or used in any form or by any means, electronic or mechanical, including photocopying, scanning,
recording, or posting on any intranet, internet, or other digital platforms, without the prior written permission of ISO,
the relevant ISO member body or an authorized third-party distributor.
This publication shall not be disclosed to third parties, and its use is strictly limited to the license type and purpose
specified in the applicable license grant. Unauthorized reproduction, distribution, or use beyond the granted license is
prohibited and may result in legal action.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Licensing and use terms
As stated above, ISO documents, as well as any updates and/or corrections, and any intellectual property or
other rights pertaining thereto, are owned by ISO. ISO documents are licensed, not sold. This document does
not in any way operate to assign or transfer any intellectual property rights from ISO to the user. ISO
documents are protected by copyright law, database law, trademark law, unfair competition law, trade secrecy
law, and any other applicable law. Users acknowledge and agree to respect ISO’s intellectual property rights
in the ISO documents.
The use of ISO documents is subject to the terms and conditions of the applicable licence agreement.
ISO documents are provided under different licensing agreement types (“Licence Type”) allowing a non-exclusive, non-transferable, limited, revocable right to use/access the ISO documents for one or more of the
purposes described below (“Purpose”), which may be internal or external in scope. The applicable Purpose(s)
must be agreed in the purchase order and/or in the applicable licence agreement.
a) Licence Type:
1) Single registered end-user licence (watermarked in the user’s name) for the specified Purpose. Under
this licence, the user cannot share the ISO document with a third party, including on a network.
2) Network licence for the specified Purpose. The network licence can be assigned to either unnamed
concurrent end-users or named concurrent end-users within the same organization.
b) Purpose:
1) Internal Purpose. Internal use only within the user’s organization, including but not limited to own
implementation (“Internal Purpose”).
The scope of permitted internal use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable internal use rights (such as for internal
meetings, internal training programmes, preparation of certification services, for integration or
illustration in internal manuals, internal training materials, and internal guidance documents). Each
internal use must be explicitly specified in the purchase order and/or in the applicable licence
agreement, and specific fees and requirements apply to each permitted use.
2) External Purpose. External use, including but not limited to:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services;
— conformity assessment scheme development and implementation;
— training services;
— education;
— research;
— software development and other digital platform or software-enabled digital services;
— any other services or activities conducted by the user or the user’s organization to third parties,
whether for commercial or non-commercial purposes (“External Purpose”).
The scope of permitted external use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable external use rights (e.g. in publications,
products, or services marketed and sold by the user/the user’s organization). Each external use must
be explicitly specified in the purchase order and/or in the applicable licence agreement, and specific
fees and requirements apply to each permitted use.
Unless users have been granted use rights according to the above provisions, they are not granted the right to
share or sublicense ISO documents inside or outside their organization for either Purpose. If users wish to
obtain additional use rights for ISO documents or their content, users can contact ISO or the ISO member body
in their country to explore possible options.
If the user or the user’s organization is granted a licence for the External Purpose of providing any of the
following services to third parties:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services,
and if any of these five (5) services reference, rely upon, incorporate, or otherwise make use of any aspect,
requirement, provision, or any other information of any ISO document, the user or the user’s organization
agrees to verify that the third party receiving such services has obtained from the ISO member body in their
country, any other ISO member body, ISO or an authorized third-party distributor, a valid licence for its own
implementation of such ISO document or other use related to such services. This verification obligation must
be included in the applicable licence agreement obtained by the user or the user’s organization.
ISO documents must not be disclosed to third parties, and users must use them solely for the purpose specified
in the purchase order and/or applicable licensing agreement. Unauthorized disclosure or use of ISO
documents beyond the licensed purpose is prohibited and can result in legal action.
Use restrictions
Except as provided for in the applicable licence agreement and subject to a separate licence by ISO, the ISO
member body in the user’s country, any other ISO member body or an authorized third-party distributor, users
are not granted the right to:
— use ISO documents for any purpose other than the Purpose;
— grant use or access rights to ISO documents beyond the Licence Type;
— disclose ISO documents beyond the intended Purpose and/or Licence Type;
— sell, lend, lease, reproduce, distribute, import/export or otherwise commercially exploit ISO documents.
In the case of documents that are joint publications (such as ISO/IEC documents), this clause applies to
the respective joint copyright ownership;
— assign or otherwise transfer ownership of ISO documents, in whole or in part, to any third party.
Regardless of the Licence Type or Purpose for which users are granted access and use rights for ISO
documents, users are not permitted to access or use any ISO documents, in whole or in part, for any machine
learning and/or artificial intelligence and/or similar purposes, including but not limited to accessing or using
them
a) as training data for large language or similar models, or
b) for prompting or otherwise enabling artificial intelligence or similar tools to generate responses.
Such use is only permitted if expressly authorized through a specific licence agreement by the ISO member
body in the requester’s country, another ISO member body, or ISO. Requests for such authorization are
considered on a case-by-case basis to ensure compliance with intellectual property rights. Specifically, it is not
possible to claim the benefit of copyright exception of Article 4 of the Directive (EU) 2019/790 of the European
Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market, for
the purpose of text and data mining on ISO documents, as ISO hereby opts out of this exception.
If ISO, or the ISO member body in the user’s country, has reasonable doubt that users are not compliant with
these terms, it can request in writing to perform an audit, or have an audit performed by a third-party auditor,
during business hours at the user’s premises or via remote access.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the fraud control management system (FCMS)
4.4 Fraud control management system (FCMS)
4.5 Fraud risk assessment
4.5.1 General
4.5.2 Collaboration with other risk management functions
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
5.1.2 Top management
5.2 Fraud control policy
5.3 Roles, responsibilities and authorities
5.3.1 General
5.3.2 Delegated decision-making to managers and organizational functions
5.3.3 Fraud control function
5.3.4 Information security management system function
5.3.5 Internal audit function
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.2 Fraud control objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.1.1 General
7.1.2 Information security management system function
7.2 Competence
7.2.1 General
7.2.2 Employment process
7.3 Awareness
7.3.1 Awareness of personnel
7.3.2 Training for personnel
7.3.3 Training for business associates
7.3.4 Awareness and training programmes
7.4 Communication
7.4.1 General
7.4.2 Promoting the FCMS
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
7.5.4 Record keeping and confidentiality of information
8 Operation
8.1 Operational planning and control
8.2 Preventing fraud
8.2.1 General
8.2.2 Developing and promoting an effective integrity framework
8.2.3 Managing conflicts of interest
8.2.4 Internal controls and the internal control environment
8.2.5 Pressure testing the internal control system
8.2.6 Managing performance-based targets
8.2.7 Personnel screening
8.2.8 Screening and management of business associates
8.2.9 Preventing technology-enabled fraud
8.2.10 Physical security and asset management
8.3 Detecting fraud
8.3.1 General
8.3.2 Post-transactional review
8.3.3 Analysis of management accounting reports
8.3.4 Identification of early warning indicators
8.3.5 Data analytics
8.3.6 Fraud reporting
8.3.7 Artificial intelligence systems
8.3.8 Complaint management
8.3.9 Exit interviews
8.4 Responding to fraud events
8.4.1 General
8.4.2 Immediate actions in response to discovery of fraud
8.4.3 Digital evidence first response
8.4.4 Investigation of a detected fraud event
8.4.5 Consideration of grievances
8.4.6 Disciplinary procedures
8.4.7 Separation of investigation and decision-making processes
8.4.8 Crisis management following discovery of a fraud event
8.4.9 Internal reporting and escalation
8.4.10 Fraud event register
8.4.11 Analysis and reporting of fraud events
8.4.12 External reporting
8.4.13 Recovery of stolen funds or property
8.4.14 Responding to fraud events involving business associates
8.4.15 Insuring against fraud events
8.4.16 Assessing internal controls, systems and processes post-detection of a fraud event
8.4.17 Impact of fraud on other interested parties
8.4.18 Disruption of fraud
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 External audit
9.4 Management review
9.4.1 General
9.4.2 Management review inputs
9.4.3 Management review results
10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Annex A (informative) Examples of fraud risks impacting global entities
Annex B (informative) Models for fraud prevention — Guidance
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
http://www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at http://www.iso.org/members.html.

Introduction
Fraud is a risk for all organizations in the private, public or not-for-profit sectors. Fraud events can
significantly impact the financial position of the target organization and often have flow-on financial
consequences for global and local economies. Fraud can lead to serious legal and financial consequences as
well as enduring psychological and emotional harm for the individuals involved. For a summary of the types
of fraud commonly encountered by organizations, see Annex A.
The pervasiveness and increasing sophistication of information technology, the rapid uptake of electronic
payment systems by the general population and economic globalization have led to an increased incidence
of external fraudulent attack on organizations across all sectors.
Managing and controlling the risk of fraud should be considered by the leadership of all organizations.
NOTE For more information on fraud as it relates to governance, see ISO 37000:2021, 6.9.
This document includes guidance on:
a) creating and maintaining processes for fraud risk identification, assessment and monitoring;
b) mitigating internal and external fraud, including fraud against, and by, the organization;
c) detecting fraud against or by the organization based on its assessed fraud risk exposures;
d) effective response to fraud events in order to ensure that:
— damage to the organization's image can be minimized;
— its reputation can be restored and improved;
— funds lost due to fraud can be recovered;
e) ensuring continual improvement.
Following this guidance cannot provide assurance that fraud has not occurred or will not occur in the future
as it is not possible to eliminate the risk of fraud. However, it will help organizations to effectively manage
fraud risk and to respond appropriately to fraud events and avoid or reduce the compliance liability risk of
the organization.
Effective fraud control requires the organization to commit to prevention, detection and response initiatives
underpinned by leadership, planning and resourcing, as summarized in Figure 1.

Figure 1 — Principles, structure and objectives of this document

International Standard ISO 37003:2025(en)
Fraud control management systems — Guidance for
organizations managing the risk of fraud
1 Scope
This document provides guidance for organizations for the development, implementation and maintenance
of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of
fraud and effective response to fraud events that have occurred or can occur in the future.
The document provides guidance for managing the risk of fraud, including:
a) internal fraud against the organization;
b) external fraud against the organization;
c) internal fraud in collaboration with business associates or other third parties;
d) external fraud in collaboration with the organization’s personnel;
e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the
organization.
This document is applicable to all organizations, regardless of type, size, nature of activity and whether in
the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing,
detecting or responding to what is generally termed "consumer fraud".
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
fraud
intentional dishonest act causing actual or potential gain or loss that creates social or economic harm
Note 1 to entry: Fraud also includes the deliberate falsification, concealment, destruction or use of falsified
documentation used or intended for use for a normal business purpose or the improper use of information or position
for personal financial benefit.
Note 2 to entry: Fraudulent conduct need not necessarily represent a breach of law.
Note 3 to entry: Fraud can involve fraudulent conduct by internal and/or external parties targeting the organization
(3.3) or fraudulent conduct by the organization itself targeting external parties.
Note 4 to entry: Fraud can include loss of moneys or other property by persons internal and external to the organization
and where deception is used at the time, immediately before or immediately following the activity.

Note 5 to entry: Fraud can be external or internal or both. External fraud is where no perpetrator is employed by
or has a close association with the target organization. Internal fraud is where at least one perpetrator is employed
by or has a close association with the target organization and has detailed internal knowledge of the organization’s
operations, systems and procedures.
3.2
fraud event
instance of fraud (3.1) against or by an organization (3.3)
3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives (3.14)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not,
public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger
entity that is within the scope of the fraud control management system (3.11).
3.4
target organization
organization (3.3) that is the object of a fraud event (3.2)
3.5
interested party
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or
activity
3.6
top management
person or group of people who directs and controls an organization (3.3) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.10) covers only part of an organization, then top management
refers to those who direct and control that part of the organization.
Note 3 to entry: Organizations can be organized depending on which legal framework they are obliged to operate under
and also according to their size, sector, etc. Some organizations have both a governing body (3.7) and top management
(3.6), while some organizations do not have responsibilities divided into several bodies. These variations, both in
respect of organization and responsibilities, can be considered when applying the requirements in Clause 5.
3.7
governing body
person or group of people who have ultimate accountability for the whole organization (3.3)
Note 1 to entry: A governing body can be explicitly established in a number of formats including, but not limited to, a
board of directors, supervisory board, sole director, joint and several directors, or trustees.
Note 2 to entry: ISO management system standards make reference to the term “top management” to describe a role
that, depending on the standard and organizational context, reports to, and is held accountable by, the governing body.
Note 3 to entry: Not all organizations, particularly small and medium organizations, will have a governing body
separate from top management. In such cases, top management exercises the role of the governing body.
[SOURCE: ISO 37000:2021, 3.3.4, modified — The Notes to entry were reordered: Note 2 to entry is now Note
1 to entry; Note 3 to entry is now Note 2 to entry; and Note 3 to entry was added.]

3.8
personnel
organization’s (3.3) directors, officers, employees, temporary staff or workers, and volunteers
Note 1 to entry: Different types of personnel pose different types and degrees of fraud risk (3.15) and can be treated
differently by the organization's fraud risk assessment and fraud risk management procedures.
[SOURCE: ISO 37001:2025, 3.24, modified — Note 1 has been amended and Note 2 to entry has been deleted]
3.9
business associate
external party with whom the organization (3.3) has, or plans to establish, some form of business relationship
Note 1 to entry: Business associate includes but is not limited to clients, customers, joint ventures, joint venture
partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors,
advisors, agents, distributors, representatives, intermediaries and investors. This definition is deliberately broad and
should be interpreted in line with the fraud risk (3.15) profile of the organization to apply to business associates which
can reasonably expose the organization to fraud risks.
Note 2 to entry: Different types of business associate pose different types and degrees of fraud risk, and an organization
will have differing degrees of ability to influence different types of business associate.
Note 3 to entry: Reference to “business” in this document can be interpreted broadly to mean those activities that are
relevant to the purposes of the organization’s existence.
[SOURCE: ISO 37001:2025, 3.26, modified]
3.10
management system
set of interrelated or interacting elements of an organization (3.3) to establish policies (3.12) and objectives
(3.14) as well as processes (3.18) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.11
fraud control management system (FCMS)
part of the overall management system (3.10) for controlling the risks of fraud (3.1) against or by an
organization (3.3)
3.12
policy
intentions and direction of an organization (3.3) as formally expressed by its top management (3.6)
3.13
conflict of interest
situation in which an interested party has personal interest or organizational interest, directly or indirectly,
that can compromise, or interfere with, the ability to act impartially in carrying out their duties in the best
interest of the organization (3.3)
Note 1 to entry: There can be different types of personal interests: business, financial, family, professional, religious
or political.
Note 2 to entry: Organizational interest relates to the interests of an organization or part of an organization (e.g. team
or department) rather than an individual.
[SOURCE: ISO 37009:20—1), 3.1.10]
1) Under preparation. Stage at the time of publication: ISO/DIS 37009:2024.

3.14
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or specific to a project, product or process (3.18).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational
criterion, as a fraud control objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of fraud control management systems (3.11), fraud control objectives are set by the
organization (3.3), consistent with the fraud control policy (3.12), to achieve specific results.
3.15
risk
effect of uncertainty on objectives (3.14)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes
in circumstances) and the associated likelihood of occurrence.
3.16
level of risk
magnitude of a risk (3.15) or combination of risks, expressed in terms of the combination of consequences
...


International Standard
ISO 37003
First edition
2025-05
Fraud control management systems — Guidance for organizations managing the risk of fraud
(French title: Systèmes de management anti-fraude — Recommandations pour les organismes gérant le risque de fraude)
Reference number
COPYRIGHT PROTECTED DOCUMENT

All rights reserved.
ISO publications, in whole or in part, are the property of ISO. They are licensed, not sold, and are subject to the conditions set out in the ISO Licence Agreement for end users or the licence agreement of the relevant ISO member body, or to the conditions of authorized third-party distributors.
Unless otherwise specified, or required in the context of its implementation, no part of this ISO publication may be reproduced, distributed, modified or otherwise used in any form or by any means, electronic or mechanical, including photocopying, scanning, recording or posting on any intranet, the internet or other digital platforms, without prior written permission from ISO, the relevant ISO member body or an authorized third-party distributor.
This publication shall not be disclosed to third parties, and its use is strictly limited to the licence type and the purposes specified in the applicable licence agreement. Unauthorized reproduction, distribution or use for purposes other than those for which a licence has been granted is prohibited and may result in legal proceedings.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Licence and terms of use
As stated above, ISO documents, together with any updates and/or corrections, and any intellectual property or other rights relating to them, are the property of ISO. ISO documents are licensed, not sold. Nothing in this document assigns or transfers any intellectual property right of ISO to the user. ISO documents are protected by copyright law, database legislation, trademark law, unfair competition law, trade secret legislation and any other applicable legal provisions. Users acknowledge and agree to respect ISO's intellectual property rights in ISO documents.
Use of ISO documents is subject to the conditions of the applicable licence agreement.
ISO documents are provided under different types of licence agreement ("Licence Type") granting a non-exclusive, non-transferable, limited and revocable right to use or access ISO documents for the purposes described below ("Purpose"), the scope of which may be internal or external. The intended purpose(s) shall be set out in the purchase order and/or the applicable licence agreement.
a) Licence Type:
1) Single registered end-user licence (document watermarked with the user's name) for the specified purposes. Under this licence, the user is not permitted to share the ISO document concerned with anyone, including over a network.
2) Network licence for the specified purposes. A network licence may be granted either to unnamed concurrent end users or to named concurrent end users within a single organization.
b) Purpose:
1) Internal Purpose. Internal use only within the user's organization, including but not limited to its own implementation ("Internal Purpose").
The permitted internal uses are specified at the time of purchase or under a subsequent agreement with ISO, the ISO member body in the user's country, any other ISO member body or an authorized third-party distributor, including any applicable internal-use right (for example internal meetings, in-house training programmes, preparation of certification services, illustration of or incorporation into internal manuals, in-house training materials and internal guidance documents). Each internal use shall be explicitly specified in the purchase order and/or the applicable licence agreement, and specific fees and requirements apply to each permitted use.
2) External Purpose. External use, including but not limited to:
— testing services;
— inspection services;
— certification services;
— audit services;
— consultancy services;
— the development and implementation of conformity assessment programmes;
— training services;
— education;
— research;
— the development of software and other digital platforms or software-based digital services;
— any other activity or service offered by the user or the user's organization to a third party, for commercial or non-commercial purposes ("External Purpose").
The permitted external uses are specified at the time of purchase or under a subsequent agreement with ISO, the ISO member body in the user's country, any other ISO member body or an authorized third-party distributor, including any applicable external-use right (for example in publications, products or services marketed and sold by the user or the user's organization). Each external use shall be explicitly specified in the purchase order and/or the applicable licence agreement, and specific fees and requirements apply to each permitted use.
Except where users have obtained rights of use under the provisions above, they are not permitted to share ISO documents or to grant sub-licences within or outside their organization, whatever the purpose. Users wishing to obtain additional rights of use for ISO documents or their content are invited to contact ISO or the ISO member in their country to explore the available options.
Where the user or the user's organization is granted a licence for the external purpose of providing any of the following services to a third party:
— testing services;
— inspection services;
— certification services;
— audit services;
— consultancy services;
and where any of the five (5) services listed above refers to, relies on, incorporates or in any way uses a clause, requirement, provision or other information contained in an ISO document, the user or the user's organization undertakes to verify that the third party receiving those services has itself obtained, from the ISO member body in its country, any other ISO member body, ISO or an authorized third-party distributor, a valid licence for the implementation of the ISO document concerned or for any other use related to the services listed above. This verification obligation is set out in the applicable licence agreement obtained by the user or the user's organization.
ISO documents shall not be disclosed to third parties, and users shall use them only for the purposes specified in the purchase order and/or the applicable licence agreement. Unauthorized disclosure or use of ISO documents for purposes other than those for which a licence has been granted is prohibited and may result in legal proceedings.
Restrictions on use
Unless otherwise provided in the applicable licence agreement, and subject to the grant of a separate licence by ISO, the ISO member body in the user's country, any other ISO member body or an authorized third-party distributor, users are not permitted to:
— use ISO documents for any purpose other than the intended Purpose;
— grant rights to use or access ISO documents outside the scope of the relevant Licence Type;
— disclose ISO documents outside the scope of the intended Purpose and/or Licence Type;
— sell, lend, rent, reproduce, distribute, import/export or otherwise commercially exploit ISO documents in any way. In the case of jointly published documents (for example ISO/IEC documents), this clause applies to the joint ownership of the respective copyrights;
— assign or otherwise transfer ownership of ISO documents, in whole or in part, to a third party.
Regardless of the licence type or the purpose for which users are granted rights of access to and use of ISO documents, users are not permitted to access or use ISO documents, in whole or in part, for machine learning and/or artificial intelligence and/or similar purposes, including but not limited to
a) as training data for large language models or similar models, or
b) for prompts or to enable an artificial intelligence or similar tools to generate responses.
Such use is permitted only under a specific licence agreement concluded with the ISO member body in the applicant's country, another ISO member body or ISO. Requests for such authorization are examined case by case in order to ensure respect for intellectual property rights. In particular, the copyright exception referred to in Article 4 of Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market cannot be invoked for the purposes of text and data mining of ISO documents, ISO hereby opting out of that exception.
Where ISO or the ISO member body in the user's country has reasonable doubt as to the user's compliance with these conditions, ISO or the relevant ISO member body may require in writing that an audit be carried out, or have an audit carried out by a third-party auditor, during business hours, at the user's premises or via remote access.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the fraud control management system (FCMS)
4.4 Fraud control management system (FCMS)
4.5 Fraud risk assessment
4.5.1 General
4.5.2 Collaboration with other risk management functions
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
5.1.2 Top management
5.2 Fraud control policy
5.3 Roles, responsibilities and authorities within the organization
5.3.1 General
5.3.2 Delegation of decision-making authority to managers and functions of the organization
5.3.3 Fraud control function
5.3.4 Information security management system function
5.3.5 Internal audit function
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.2 Fraud control objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.1.1 General
7.1.2 Information security management system function
7.2 Competence
7.2.1 General
7.2.2 Employment processes
7.3 Awareness
7.3.1 Personnel awareness
7.3.2 Personnel training
7.3.3 Business associate training
7.3.4 Awareness and training programmes
7.4 Communication
7.4.1 General
7.4.2 Promotion of the FCMS
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
7.5.4 Record keeping and confidentiality of information
8 Operation
8.1 Operational planning and control
8.2 Fraud prevention
8.2.1 General
8.2.2 Developing and promoting an effective integrity framework
8.2.3 Management of conflicts of interest
8.2.4 Internal controls and internal control environment
8.2.5 Stress testing of the internal control system
8.2.6 Management of performance targets
8.2.7 Personnel screening
8.2.8 Selection and management of business associates
8.2.9 Prevention of technology-enabled fraud
8.2.10 Physical security and asset management
8.3 Fraud detection
8.3.1 General
8.3.2 Post-transactional review
8.3.3 Analysis of management accounting reports
8.3.4 Identification of early warning indicators
8.3.5 Data analysis
8.3.6 Fraud reporting
8.3.7 Artificial intelligence systems
8.3.8 Complaints management
8.3.9 Exit interviews
8.4 Fraud response
8.4.1 General
8.4.2 Immediate actions on discovery of a fraud
8.4.3 Initial response to digital evidence
8.4.4 Investigation of a detected fraud event
8.4.5 Consideration of grievances
8.4.6 Disciplinary measures
8.4.7 Separation of investigation and decision-making processes
8.4.8 Crisis management following the discovery of a fraud event
8.4.9 Internal reporting and escalation
8.4.10 Fraud event register
8.4.11 Analysis and reporting of fraud events
8.4.12 External reporting
8.4.13 Recovery of stolen funds or assets
8.4.14 Response to fraud events involving business associates
8.4.15 Insurance against fraud events
8.4.16 Evaluation of internal controls, systems and processes after detection of a fraud event
8.4.17 Impact of fraud on other interested parties
8.4.18 Disruption caused by fraud
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 External audit
9.4 Management review
9.4.1 General
9.4.2 Management review inputs
9.4.3 Management review results
10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Annex A (informative) Examples of fraud risks affecting global entities
Annex B (informative) Fraud prevention models — Guidance
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of one or more patents. ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice that one or more patents may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at http://www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/avant-propos.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at http://www.iso.org/members.html.
Introduction
Fraud is a risk for all organizations, whether in the private, public or not-for-profit sectors. Fraud events can have a significant impact on the financial position of the target organization and often have indirect financial consequences for local and global economies. Fraud can lead to serious legal and financial consequences, as well as lasting psychological and emotional harm to the persons affected. For an overview of the types of fraud commonly encountered by organizations, see Annex A.
The growing prevalence and sophistication of information technology, the rapid adoption of electronic payment systems by the population as a whole and the globalization of the economy have led to an increase in external fraud attacks against organizations in all sectors.
Leaders (governing body, top management, relevant roles) of all organizations should consider the management and control of fraud risk.
NOTE For more information on fraud in relation to governance, see ISO 37000:2021, 6.9.
This document provides guidance on:
a) establishing and maintaining processes to identify, assess and monitor fraud risk;
b) mitigating internal and external fraud, including fraud against or by the organization;
c) detecting fraud against or by the organization, based on its presumed fraud risk exposures;
d) responding effectively to fraud events so as to ensure that:
— damage to the organization's image can be minimized;
— its reputation can be restored and strengthened;
— funds lost to fraud can be recovered;
e) engaging in continual improvement.
Applying this guidance cannot provide assurance that no fraud has occurred or will occur in the future, because it is not possible to eliminate fraud risk. However, it helps organizations to manage fraud risk effectively, to respond appropriately to fraud events and to avoid or reduce the risk of compliance liability.
Effective fraud control requires the organization to commit to prevention, detection and response measures, founded on leadership, planning and resource allocation, as summarized in Figure 1.
Figure 1 — Principles, structure and objectives of this document
International Standard ISO 37003:2025(fr)
Fraud control management systems — Guidance for organizations managing the risk of fraud
1 Scope
This document provides guidance for organizations for the development, implementation and maintenance of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of fraud and effective response to fraud events that have occurred or can occur in the future.
It also provides guidance for managing the risk of fraud, including:
a) internal fraud against the organization;
b) external fraud against the organization;
c) internal fraud in collaboration with business associates or other third parties;
d) external fraud in collaboration with the organization's personnel;
e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the organization.
This document is applicable to all organizations, regardless of type, size, nature of activity and whether in the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing, detecting or responding to what is generally termed "consumer fraud".
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
fraud
intentional dishonest act resulting in an actual or potential gain or loss, causing social or economic harm
Note 1 to entry: Fraud also includes the deliberate falsification, concealment, destruction or use of falsified documents used or intended for use for business purposes, or the misuse of information or of a position for personal gain.
Note 2 to entry: Fraudulent conduct does not necessarily constitute a breach of the law.
Note 3 to entry: Fraud can involve fraudulent conduct by internal and/or external parties targeting the organization (3.3) or fraudulent conduct by the organization itself targeting external parties.
Note 4 to entry: Fraud can result in the loss of money or other property for persons internal or external to the organization, where deception is used at the time of, immediately before or immediately after the activity.
Note 5 to entry: Fraud can be external, internal or both. External fraud is fraud whose perpetrator is not employed by, and has no close connection with, the target organization. Internal fraud is fraud in which at least one perpetrator is employed by, or has a close connection with, the target organization and has an in-depth knowledge of its operations, systems and procedures.
3.2
fraud event
act of fraud (3.1) committed against or by an organization (3.3)
3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.14)
Note 1 to entry: The concept of organization includes, but is not limited to, sole traders, companies, corporations, firms, enterprises, authorities, partnerships, charities or institutions, or part or combination thereof, whether incorporated or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term "organization" refers only to the part of the larger entity that is within the scope of the fraud control management system (3.11).
3.4
target organization
organization (3.3) that is the subject of a fraud event (3.2)
3.5
interested party
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.6
top management
person or group of people who directs and controls an organization (3.3) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.10) covers only part of an organization, then "top management" refers to those who direct and control that part of the organization.
Note 3 to entry: Organizations can be structured according to the legal framework within which they are required to operate, as well as by their size, sector, etc. Some organizations have both a governing body (3.7) and top management (3.6), while others do not separate responsibilities between several bodies. These variations, both in organization and in responsibilities, can be taken into account when applying the requirements of Clause 5.
3.7
governing body
person or group of people who have ultimate accountability for the whole organization (3.3)
Note 1 to entry: A governing body can be explicitly established in various forms, including but not limited to a board of directors, a supervisory board, a sole director, co-directors or trustees.
Note 2 to entry: ISO management system standards refer to the term "top management" to describe a role which, depending on the standard and the context of the organization, reports to, and is held accountable by, the governing body.
Note 3 to entry: Not all organizations, in particular small and medium-sized organizations, have a governing body separate from top management. In such cases, top management fulfils the role of the governing body.
[SOURCE: ISO 37000:2021, 3.3.4, modified — The notes to entry have been reorganized: Note 2 to entry is now Note 1 to entry; Note 3 to entry is now Note 2 to entry; and Note 3 to entry has been added.]
3.8
personnel
directors, officers, employees, temporary or contract staff and volunteers of the organization (3.3)
Note 1 to entry: Different types of personnel present different types and degrees of fraud risk (3.15) and can be treated differently in the organization's fraud risk assessment and fraud risk management arrangements.
[SOURCE: ISO 37001:2025, 3.24, modified — Note 1 to entry has been modified and Note 2 to entry has been deleted]
3.9
business associate
external party with whom the organization (3.3) has, or plans to establish, some form of business relationship
Note 1 to entry: Business associate includes but is not limited to clients, joint ventures, joint venture partners, consortium partners, service provid
...