In April 2021 the International Standards Organisation (ISO) published a new standard called Compliance management systems – Requirements with guidance for use: ISO 37301:2021. What are the key things to know about this new standard? 


While this is technically a ‘new’ ISO standard, in reality it's more of an evolution of the standard it replaces, ISO 19600:2014 Compliance management systems - Guidelines. What is new is that the 2021 Standard is now a certification standard, which means that organisations will be able to be assessed and certified against it, which was not the case with the earlier version. 

While the detailed requirements set out in the new standard might likely be a bit more than some New Zealand organisations are quite ready to embrace, ISO 37301 does give a useful and internationally recognised benchmark of best practice. 

Core themes

Two core themes running through the new standard for compliance management systems are: 

  1. The importance of building and maintaining a strong culture of compliance throughout an organisation.
  2. Leadership at all levels is key to building that effective compliance culture. 

Overview of the new standard for compliance management systems

ISO 37301 specifies requirements and guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system. The approach is based on the Plan-Do-Check-Act (PDCA) model which is also used in other management system standards, including ISO/IEC 27001 Information Security Management. 

Key requirements for setting up an effective and efficient compliance management system include: 

  1. Determining the context of the organisation and putting in place processes that identify compliance obligations and compliance risks.
  2. Ensuring top management and governing bodies uphold the values of the organisation and support all policies, processes and procedures that are essential to achieve compliance objectives.
  3. Having effective monitoring mechanisms for actual compliance, as well as ongoing assessment of the compliance management system on the basis of the implemented controls.
  4. Monitoring and investigating cases of non-compliance on a regular and consistent basis.
  5. Establishing an organisation-wide whistle-blower (protected disclosure) policy and process. The standard outlines what a best practice whistle-blowing process should include. 

To find out more, you can purchase a copy of ISO 37301:201 from Standards New Zealand.

BIG C Background Image