ISO 37001 Anti-Bribery Certification in Australia
How ISO 37001 helps Australian organisations prevent, detect and respond to bribery and demonstrate integrity. The 2025 update, requirements and how to certify.
Bribery and corruption destroy trust, distort competition and can end careers and companies, and the legal consequences in Australia keep getting sharper. ISO 37001 is the international standard that helps organisations build a genuine defence: a system to prevent, detect and respond to bribery, and to demonstrate to regulators, partners and the public that integrity is managed, not just assumed. This guide explains what ISO 37001 is, what changed in the 2025 update, who needs it, what it requires, and how to get certified.
In short: ISO 37001:2025 is the international standard for an anti-bribery management system, or ABMS. It gives organisations a structured, proportionate way to manage bribery risk across their operations and third party relationships, and to show due diligence. The 2025 edition replaced the 2016 version, with organisations transitioning by February 2027.
What is ISO 37001?
ISO 37001 specifies the requirements for an anti-bribery management system. It is built on the recognition that the law alone does not stop bribery; organisations have to proactively manage the risk. The standard requires you to assess where bribery risk arises in your activities and relationships, then implement reasonable and proportionate policies, due diligence, financial and non-financial controls, training and reporting mechanisms to manage it. Importantly, it is risk-based and proportionate, so a small business and a multinational implement it at very different scales.
It covers bribery in all its forms, direct and indirect, by the organisation and on its behalf, in the public, private and not for profit sectors. It does not certify that no bribery will ever occur, which would be impossible, but that the organisation has implemented a recognised system to prevent, detect and respond to it.
What changed in the 2025 update
ISO published the second edition, ISO 37001:2025, in February 2025, replacing the 2016 version, with certified organisations required to transition by February 2027. The changes are refinements rather than a reinvention. The 2025 edition adopts the latest harmonised structure for easier integration with other standards, formally introduces the concept of anti-bribery culture as something leadership must actively build, clarifies the role and independence of the anti-bribery function, strengthens guidance on conflicts of interest and third party due diligence, and adds subclauses on climate change in line with other recent ISO revisions. Organisations already running a sound 2016 system will find the transition manageable.
Why ISO 37001 matters in Australia
The first driver is legal exposure. Australia has strengthened its stance on bribery and corruption, including foreign bribery, and there is a clear trend toward holding organisations, not just individuals, accountable. A certified anti-bribery management system is one of the strongest ways to demonstrate that an organisation took reasonable steps to prevent bribery, which can matter significantly if conduct is ever scrutinised.
The second driver is doing business with government and large organisations, particularly across borders and in higher risk sectors and regions, where partners increasingly expect anti-bribery assurance. The third is reputation and culture. Certification signals to staff, partners and the public that the organisation is serious about integrity, and the process itself builds the internal culture and controls that make ethical conduct the norm rather than the exception.
Who needs ISO 37001 in Australia?
- Organisations operating internationally or in sectors and regions with elevated bribery risk.
- Businesses bidding for government or large corporate contracts that expect anti-bribery assurance.
- Construction, resources, infrastructure and procurement-heavy industries, where bribery risk concentrates.
- Organisations with extensive third party, agent or intermediary relationships.
- Public sector bodies and not for profits demonstrating integrity to stakeholders and funders.
- Any organisation wanting to evidence due diligence against bribery exposure.
What ISO 37001 requires
Following the harmonised structure, the requirements sit in clauses 4 to 10, with anti-bribery specific controls throughout.
Bribery risk assessment
You assess where bribery risk arises across your activities, locations, sectors and relationships. This drives everything else, because controls must be proportionate to the actual risk.
Leadership and anti-bribery culture
Top management and the governing body must demonstrate commitment, set the anti-bribery policy, and, in the 2025 edition, actively foster an anti-bribery culture across the organisation. An independent anti-bribery function oversees the system.
Due diligence and controls
You conduct due diligence on transactions, projects, personnel and third parties in proportion to risk, and you implement financial and non-financial controls, including managing gifts, hospitality and conflicts of interest.
Training, reporting and investigation
You build awareness and train your people, provide mechanisms to raise concerns and report suspected bribery safely, and investigate and respond to concerns appropriately.
Monitoring and improvement
You monitor the system, audit it, conduct management review and improve, keeping controls aligned with changing risk.
How to get ISO 37001 certified in Australia
- Bribery risk assessment to understand your exposure.
- Gap analysis against the standard and your current controls.
- Build the system, including policy, due diligence, controls, training and reporting mechanisms, proportionate to your risk.
- Implement and embed, generating real records of due diligence, training and monitoring.
- Internal audit and management review, both mandatory.
- Stage 1 and Stage 2 audits by an accredited certification body.
- Surveillance and recertification across the three year cycle.
Common mistakes to avoid
- Disproportionate controls, either token for the risk or so heavy they paralyse the business. The standard demands proportionality.
- Weak third party due diligence, a frequent source of real bribery exposure and an area the 2025 edition strengthens.
- Policy without culture, when the 2025 edition makes anti-bribery culture an explicit leadership responsibility.
- No safe reporting mechanism, which leaves the organisation blind to problems.
- Building to the 2016 edition when new certifications should target the 2025 version.
How ISO Accreditation can help
We help Australian organisations build ISO 37001 anti-bribery management systems that are genuinely proportionate to their risk, built to the current 2025 edition, and credible to regulators and partners. From bribery risk assessment and due diligence to controls, training and certification, we keep the system practical and defensible. Book a free consultation to discuss your exposure and the right approach.
Book a free consultation → isoaccreditation.com.au/contact-us
Call 1800 577 060 · info@isoaccreditation.com.au
Frequently asked questions
What is the current version of ISO 37001?
ISO 37001:2025, published in February 2025, is the current edition. It replaced ISO 37001:2016, with certified organisations required to transition by February 2027.
Does ISO 37001 guarantee no bribery will occur?
No, and it does not claim to. It certifies that the organisation has implemented a recognised system to prevent, detect and respond to bribery, which can demonstrate due diligence if conduct is ever scrutinised.
Is ISO 37001 only for large or international companies?
No. It is risk-based and proportionate, so smaller organisations implement it at a scale that fits their bribery risk. Any organisation with meaningful exposure can benefit.
What changed in the 2025 edition?
Mainly refinements: the harmonised structure, an explicit focus on anti-bribery culture, clearer guidance on conflicts of interest and third party due diligence, a clarified anti-bribery function, and new climate change subclauses.
How long is ISO 37001 certification valid?
Three years, subject to passing annual surveillance audits, followed by a recertification audit.