ISO 37001 requirements: anti-bribery management systems, version 2016
28/05/2023
Familiarize yourself with the structure of the standard, identify and understand the requirements of ISO 37001 version 2016, and then it is up to you to play!
The quiz "ISO 37001 Requirements version 2016" will help you understand the main requirements of the standard.
The quiz has 102 questions (requirements); don't panic. The standard contains 223 requirements, but these 102 are among the most important, so don't hesitate to learn in a fun way!
Don't expect to complete this quiz in less than an hour, or even two, unless of course you are a little genius!
News on the anti-bribery standard ISO 37001 version 2016
The 223 requirements (the "shall" statements) of clauses 4 to 10 of ISO 37001 break down as follows:
ISO 37001 requirements version 2016

| No | Clause | PDCA cycle | Requirement Nos. | Quantity |
|---|---|---|---|---|
| 4 | Context | Plan | 1 to 21 | 21 |
| 5 | Leadership | Plan, Do, Check, Act | 22 to 65 | 44 |
| 6 | Planning | Plan | 66 to 87 | 22 |
| 7 | Support | Do | 88 to 134 | 47 |
| 8 | Operation | Do | 135 to 169 | 35 |
| 9 | Performance | Check | 170 to 211 | 42 |
| 10 | Improvement | Act | 212 to 223 | 12 |
| Total | | | | 223 |
Requirements in ISO 37001 clauses and sub-clauses
Deming PDCA cycle
Note. Every requirement normally begins with "The organization shall ...". For simplicity, the requirements are presented here starting directly with the verb.
ISO 37001 - Requirements and comments version 2016

| No | Clause (sub-clause) | Requirement | PDCA cycle, links, comments |
|---|---|---|---|
| | 4 | Context | Plan |
| | 4.1 | The organization and its context | |
| 1 | 4.1 | Document the external and internal issues | Everything that influences the achievement of the objectives, cf. sub-clause 6.2. The issues relate to the nature of the management, the scope, the activities, the business model, the partners, the relations with public officials and the legal obligations |
| | 4.2 | Stakeholders | |
| 2 | 4.2 | Document the stakeholders | List of stakeholders who may influence, or be influenced by, the ABMS (anti-bribery management system) |
| 3 | 4.2 b | Document the requirements of the stakeholders | Mandatory and non-mandatory requirements, as well as voluntary commitments |
| | 4.3 | Scope | |
| 4 | 4.3 | Document the boundaries and applicability of the ABMS | In order to establish the scope of the ABMS |
| 5 | 4.3 a | Take into account the external and internal issues | Cf. sub-clause 4.1 |
| 6 | 4.3 b | Take into account the requirements of the stakeholders | Cf. sub-clause 4.2 |
| 7 | 4.3 c | Take into account the bribery risk assessment | Results of the risk assessment, cf. sub-clause 4.5 |
| 8 | 4.3 | Make the scope available | As documented information, cf. sub-clause 7.5 |
| | 4.4 | Anti-bribery management system | |
| 9 | 4.4 | Establish, document, implement, maintain and continually improve the ABMS | Including the processes used and their interactions |
| 10 | 4.4 | Include anti-bribery-specific measures in the ABMS | In order to identify and assess the risk of bribery, and to prevent, detect and respond to any act of bribery |
| 11 | 4.4 | Implement a reasonable and proportionate ABMS | The measures are based on recognized international good practice |
| 12 | 4.4 | Take into account the factors related to the scope of the ABMS | Such as the internal and external issues, the requirements of the stakeholders and the bribery risk assessment, cf. sub-clause 4.3 |
| | 4.5 | Bribery risk assessment | |
| 13 | 4.5.1 | Undertake regular bribery risk assessments | Cf. ISO 31000 Risk management |
| 14 | 4.5.1 a | Identify the bribery risks | Risks that can reasonably be anticipated, cf. the issues of sub-clause 4.1 |
| 15 | 4.5.1 b | Analyze and assess the bribery risks | And prioritize the identified risks |
| 16 | 4.5.1 c | Evaluate the adequacy and effectiveness of the controls in place | In order to mitigate the identified and assessed risks |
| 17 | 4.5.2 | Define criteria | In order to evaluate the level of bribery risk in the organization |
| 18 | 4.5.2 | Take into account the anti-bribery policy and objectives | Cf. sub-clauses 5.2 and 6.2 |
| 19 | 4.5.3 a | Review the bribery risk assessment on a regular basis | In order to take into account changes and newly available information |
| 20 | 4.5.3 b | Review the bribery risk assessment in the event of a significant change | Change in the structure or activities of the organization |
| 21 | 4.5.4 | Retain documented information on the assessments carried out | In order to improve the ABMS, cf. sub-clause 7.5.3 |
| | 5 | Leadership | Plan, Do, Check, Act |
| | 5.1 | Leadership and commitment | |
| | 5.1.1 | Governing body | Through requirements 22 to 26 the governing body (if any) demonstrates its leadership and commitment with respect to the ABMS |
| 22 | 5.1.1 a | Approve the anti-bribery policy | Cf. sub-clause 5.2 |
| 23 | 5.1.1 b | Ensure that the strategy and the anti-bribery policy are aligned | Cf. sub-clause 5.2 |
| 24 | 5.1.1 c | Review relevant information on the ABMS | Received from top management at planned intervals |
| 25 | 5.1.1 d | Require the allocation and assignment of the necessary resources | In order to achieve effective operation of the ABMS |
| 26 | 5.1.1 e | Exercise reasonable oversight over the implementation of the ABMS | Implementation by top management, and the effectiveness of the ABMS |
| 27 | 5.1.1 | Carry out these activities at top management level | When the organization does not have a governing body |
| | 5.1.2 | Top management | Through requirements 28 to 40 top management demonstrates its leadership and commitment with respect to the ABMS |
| 28 | 5.1.2 a | Ensure that the ABMS is established, implemented, maintained and reviewed | In order to adequately address the organization's bribery risks |
| 29 | 5.1.2 b | Ensure that the anti-bribery requirements are met | And integrated into the organization's processes |
| 30 | 5.1.2 c | Deploy the necessary resources | In order to ensure the effective operation of the ABMS |
| 31 | 5.1.2 d | Communicate on the anti-bribery policy | Internally and externally |
| 32 | 5.1.2 e | Communicate the importance of an effective ABMS | And of conforming to the ABMS requirements |
| 33 | 5.1.2 f | Ensure that the ABMS is designed appropriately | In order to achieve its objectives |
| 34 | 5.1.2 g | Support personnel | So that they contribute to the effectiveness of the ABMS |
| 35 | 5.1.2 h | Promote an anti-bribery culture | Appropriate to the specifics of the organization |
| 36 | 5.1.2 i | Promote continual improvement | Cf. sub-clause 10.2 |
| 37 | 5.1.2 j | Support other management roles | So that they demonstrate leadership in preventing and detecting bribery in their areas |
| 38 | 5.1.2 k | Encourage the use of the reporting procedures | For suspected and actual bribery |
| 39 | 5.1.2 l | Ensure that no personnel will suffer retaliation | For reporting in good faith a violation of the anti-bribery policy or for refusing to engage in bribery |
| 40 | 5.1.2 m | Report regularly on the content and operation of the ABMS | And on allegations of bribery, cf. sub-clause 7.2.2.1 d |
| | 5.2 | Anti-bribery policy | Requirements 41 to 49 are the contents of the anti-bribery policy, which is kept up to date |
| 41 | 5.2 a | Prohibit any form of bribery | |
| 42 | 5.2 b | Require compliance with the applicable anti-bribery laws | |
| 43 | 5.2 c | Ensure that the policy is appropriate to the purpose of the organization | |
| 44 | 5.2 d | Provide a framework for achieving the anti-bribery objectives | Cf. sub-clause 6.2 |
| 45 | 5.2 e | Commit to satisfying the anti-bribery requirements | |
| 46 | 5.2 f | Encourage raising concerns in good faith, without fear of reprisal | Cf. sub-clause 8.9 |
| 47 | 5.2 g | Commit to continual improvement of the ABMS | Cf. sub-clause 10.2 |
| 48 | 5.2 h | Explain the authority and independence of the anti-bribery compliance function | Cf. sub-clause 5.3.2 |
| 49 | 5.2 i | Explain the consequences of not complying with the anti-bribery policy | |
| 50 | 5.2 | Document the anti-bribery policy | Cf. sub-clause 7.5 |
| 51 | 5.2 | Communicate the anti-bribery policy appropriately within the organization | And to business associates |
| 52 | 5.2 | Make the anti-bribery policy available | To the relevant stakeholders, as appropriate |
| | 5.3 | Roles, responsibilities and authorities | |
| 53 | 5.3.1 | Assume overall responsibility for the implementation of, and compliance with, the ABMS | By top management, cf. sub-clause 5.1.2 |
| 54 | 5.3.1 | Ensure that the responsibilities and authorities for the relevant roles are assigned and communicated | At all levels of the organization |
| 55 | 5.3.1 | Require compliance with the ABMS in each department | Managers at every level are responsible for their own area |
| 56 | 5.3.1 | Understand, comply with and apply the ABMS requirements | Top management and all other personnel, at every level |
| 57 | 5.3.2 a | Assign to the anti-bribery compliance function (anti-bribery manager) the responsibility and authority to oversee the design and implementation of the ABMS | |
| 58 | 5.3.2 b | Assign to the anti-bribery compliance function the responsibility and authority to provide advice and guidance to personnel on the ABMS and on issues relating to bribery | |
| 59 | 5.3.2 c | Assign to the anti-bribery compliance function the responsibility and authority to ensure that the ABMS conforms to the requirements of ISO 37001 | |
| 60 | 5.3.2 d | Assign to the anti-bribery compliance function the responsibility and authority to report on the performance of the ABMS | To the governing body (if any) and top management |
| 61 | 5.3.2 | Provide the anti-bribery compliance function with adequate resources | The function has the competence, status, authority and independence it needs |
| 62 | 5.3.2 | Ensure that the anti-bribery compliance function has direct and prompt access to the governing body (if any) and to top management | In the event that any issue or concern needs to be raised |
| 63 | 5.3.2 | Ensure that the necessary responsibilities and authorities are assigned to persons external to the organization | When all or part of the anti-bribery compliance function is outsourced |
| 64 | 5.3.3 | Establish and maintain a decision-making process | Where top management delegates decision-making authority for decisions exposed to more than a low bribery risk; the decision-makers are appropriate and free from conflicts of interest |
| 65 | 5.3.3 | Ensure that this process is reviewed periodically | By top management, cf. sub-clause 5.3.1 |
| | 6 | Planning | Plan |
| | 6.1 | Actions to address risks and opportunities | Requirements 66 to 69 take into account the issues, the requirements and the identified risks and opportunities, cf. sub-clauses 4.1, 4.2, 4.5 and 10.2 |
| 66 | 6.1 a | Give reasonable assurance that the ABMS can achieve its objectives | |
| 67 | 6.1 b | Prevent or reduce undesired effects | Relevant to the anti-bribery policy and objectives |
| 68 | 6.1 c | Monitor the effectiveness of the ABMS | |
| 69 | 6.1 d | Achieve continual improvement | |
| 70 | 6.1 | Plan actions to address the bribery risks | And the improvement opportunities |
| 71 | 6.1 | Plan how to integrate and implement the actions | In the ABMS processes |
| 72 | 6.1 | Plan how to evaluate the effectiveness of the actions | Cf. sub-clauses 9.1 and 9.3 |
| | 6.2 | Anti-bribery objectives and planning to achieve them | |
| 73 | 6.2 | Establish anti-bribery objectives | At the relevant functions and levels of the organization |
| 74 | 6.2 a | Ensure that the objectives are consistent | With the anti-bribery policy |
| 75 | 6.2 b | Ensure that the objectives are measurable | If practicable |
| 76 | 6.2 c | Ensure that the objectives take into account the issues, requirements and bribery risks | Cf. sub-clauses 4.1, 4.2, 4.5 and 10.2 |
| 77 | 6.2 d | Ensure that the objectives are achievable | Within reasonable limits |
| 78 | 6.2 e | Ensure that the objectives are monitored | Cf. sub-clause 9.1 |
| 79 | 6.2 f | Ensure that the objectives are communicated | Cf. sub-clause 7.4 |
| 80 | 6.2 g | Ensure that the objectives are updated | At a reasonable frequency |
| 81 | 6.2 | Retain documented information on the objectives | Cf. sub-clause 7.5 |
| | 6.2 | Planning to achieve the objectives | Requirements 82 to 87 are determined when planning how to achieve the anti-bribery objectives |
| 82 | 6.2 | Determine what will be done | |
| 83 | 6.2 | Determine the resources required | |
| 84 | 6.2 | Determine who will be responsible | |
| 85 | 6.2 | Determine when it will be completed | |
| 86 | 6.2 | Determine how the results will be evaluated and reported | |
| 87 | 6.2 | Determine who will impose sanctions or penalties | |
| | 7 | Support | Do |
| | 7.1 | Resources | |
| 88 | 7.1 | Determine and provide the resources needed | Personnel, physical and financial resources needed to establish, implement, maintain and continually improve the ABMS |
| | 7.2 | Competence | |
| | 7.2.1 | General | |
| 89 | 7.2.1 a | Determine the necessary competence | Of the persons whose work affects anti-bribery performance |
| 90 | 7.2.1 b | Ensure that these persons are competent | On the basis of appropriate education, training or experience |
| 91 | 7.2.1 c | Take actions to acquire the necessary competence where applicable | And evaluate the effectiveness of the actions taken |
| 92 | 7.2.1 d | Retain documented information on competence | As evidence of competence, cf. sub-clause 7.5 |
| | 7.2.2 | Employment process | Requirements 93 to 100 are implemented through documented procedures, cf. sub-clause 7.5 |
| 93 | 7.2.2.1 a | Require personnel to comply with the anti-bribery policy and the ABMS | As a condition of employment |
| 94 | 7.2.2.1 b | Provide personnel with the anti-bribery policy and train them on it | Within a reasonable period after they start employment |
| 95 | 7.2.2.1 c | Take disciplinary action against personnel who violate the anti-bribery policy or the ABMS | |
| 96 | 7.2.2.1 d 1 | Ensure that personnel will not suffer retaliation for refusing to participate in an activity | An activity for which they have reasonably judged there to be a more than low risk of bribery |
| 97 | 7.2.2.1 d 2 | Ensure that personnel will not suffer retaliation for raising concerns or reporting in good faith | Attempted, suspected or actual bribery, or violations of the anti-bribery policy or the ABMS |
| 98 | 7.2.2.2 a | Conduct due diligence on persons before they are employed, transferred or promoted | For positions exposed to more than a low bribery risk, in order to ensure that they will comply with the anti-bribery policy and the ABMS |
| 99 | 7.2.2.2 b | Ensure that reasonable safeguards are in place so that bonuses, targets and other incentives do not encourage bribery | Reviewed periodically, for positions exposed to more than a low bribery risk |
| 100 | 7.2.2.2 c | Obtain, at reasonable intervals, a declaration confirming compliance with the anti-bribery policy | From personnel in positions exposed to more than a low bribery risk |
| | 7.3 | Awareness and training | |
| 101 | 7.3 | Provide personnel with adequate anti-bribery awareness and training | "Prevention is better than cure" |
| | 7.3 | Contents of the awareness and training | Requirements 102 to 110 take into account the bribery risk assessment, cf. sub-clause 4.5 |
| 102 | 7.3 a | Include in the training the anti-bribery policy, the procedures, the ABMS and the duty of personnel to comply | |
| 103 | 7.3 b | Include in the training the bribery risk and the damage it can cause to personnel and to the organization | |
| 104 | 7.3 c | Include in the training the circumstances in which bribery can occur in relation to the duties of personnel | And how to recognize them |
| 105 | 7.3 d | Include in the training how to recognize and respond to solicitations or offers of bribes | |
| 106 | 7.3 e | Include in the training how personnel can help prevent and avoid bribery and recognize key bribery risk indicators | |
| 107 | 7.3 f | Include in the training the contribution of personnel to the effectiveness of the ABMS | Including the benefits of improved anti-bribery performance and of reporting suspected bribery |
| 108 | 7.3 g | Include in the training the implications and potential consequences of not conforming to the ABMS requirements | |
| 109 | 7.3 h | Include in the training how and to whom personnel should report any concerns | Cf. sub-clause 8.9 |
| 110 | 7.3 i | Include in the training information on the training and resources available | |
| 111 | 7.3 | Provide awareness and training appropriate to the function and to the risks | Depending on the role of the personnel and the identified bribery risks, cf. sub-clause 4.5 |
| 112 | 7.3 | Update the awareness and training programs regularly | To reflect new relevant information |
| 113 | 7.3 | Implement procedures for the anti-bribery awareness and training of business associates | Business associates acting on the organization's behalf that pose more than a low bribery risk |
| 114 | 7.3 | Identify the business associates concerned | And determine the content and form of their training |
| 115 | 7.3 | Retain documented information on the training | Content, date and list of participants |
| | 7.4 | Communication | Requirements 116 to 121 are determined for the internal and external communications relevant to the ABMS |
| 116 | 7.4.1 a | Determine what to communicate | |
| 117 | 7.4.1 b | Determine when to communicate | |
| 118 | 7.4.1 c | Determine with whom to communicate | |
| 119 | 7.4.1 d | Determine how to communicate | |
| 120 | 7.4.1 e | Determine who will communicate | |
| 121 | 7.4.1 f | Determine the language(s) to be used | |
| 122 | 7.4.2 | Make the anti-bribery policy available | To personnel and business associates |
| | 7.5 | Documented information | |
| | 7.5.1 | General | |
| 123 | 7.5.1 a | Include in the ABMS the documented information required by ISO 37001 | |
| 124 | 7.5.1 b | Include in the ABMS the documented information determined as necessary for its effectiveness | |
| | 7.5.2 | Creating and updating | |
| 125 | 7.5.2 a | Identify and describe the documented information appropriately | Such as title, author, date, reference number |
| 126 | 7.5.2 b | Ensure that the format and media of the documented information are appropriate | Such as language, version, electronic or paper |
| 127 | 7.5.2 c | Review and approve the documented information | In order to confirm its suitability and adequacy |
| | 7.5.3 | Control of documented information | |
| 128 | 7.5.3 a | Control the documented information so that it is available and suitable for use | Where and when needed |
| 129 | 7.5.3 b | Control the documented information so that it is adequately protected | Against loss of confidentiality, improper use or loss of integrity |
| 130 | 7.5.3 | Address distribution, access, retrieval and use | As applicable, for the control of the documented information |
| 131 | 7.5.3 | Address storage and preservation | Including preservation of legibility |
| 132 | 7.5.3 | Address the control of changes | For example version control |
| 133 | 7.5.3 | Address retention and disposition | |
| 134 | 7.5.3 | Identify and control the documented information of external origin | Information determined as necessary for the planning and operation of the ABMS |
| | 8 | Operation | Do |
| | 8.1 | Operational planning and control | |
| 135 | 8.1 a | Establish criteria for the processes | The processes needed to meet the ABMS requirements are planned, implemented, monitored and controlled, cf. sub-clause 6.1 |
| 136 | 8.1 b | Implement control of the processes in accordance with the criteria | |
| 137 | 8.1 c | Retain documented information to the extent necessary | In order to have confidence that the processes have been carried out as planned, cf. sub-clause 7.5.1 |
| 138 | 8.1 | Implement the specific controls | Cf. sub-clauses 8.2 to 8.10 |
| 139 | 8.1 | Control planned changes and review the consequences of unintended changes | Taking action to mitigate any adverse effects |
| 140 | 8.1 | Ensure that outsourced processes are controlled | Including those carried out by business associates |
| | 8.2 | Due diligence | |
| 141 | 8.2 | Assess the nature and extent of the bribery risk of transactions, projects, activities, business associates and personnel | Where the bribery risk assessment shows more than a low risk, cf. sub-clauses 4.5 and 7.2.2.2 |
| 142 | 8.2 | Undertake the due diligence needed | In order to obtain sufficient information to assess the bribery risk |
| 143 | 8.2 | Update the due diligence at a defined frequency | So that changes and new information can be taken into account |
| | 8.3 | Financial controls | |
| 144 | 8.3 | Implement financial controls | In order to manage the bribery risk |
| | 8.4 | Non-financial controls | |
| 145 | 8.4 | Implement non-financial controls | In order to manage the bribery risk in areas such as procurement, operations, sales, human resources, legal and regulatory activities |
| | 8.5 | Anti-bribery controls by controlled organizations and business associates | |
| 146 | 8.5.1 a | Implement procedures requiring the organizations over which it has control to implement the organization's ABMS | |
| 147 | 8.5.1 b | Or requiring those controlled organizations to implement their own anti-bribery controls | |
| 148 | 8.5.2 a | Implement procedures to determine whether business associates not under its control have anti-bribery controls in place | For business associates posing more than a low bribery risk |
| 149 | 8.5.2 b 1 | Require the business associate to implement anti-bribery controls | For the project, transaction or activity concerned, where it has no adequate controls in place |
| 150 | 8.5.2 b 2 | Where it is not possible to require such controls, take this into account when assessing the bribery risk and the way the risk is managed | Cf. sub-clauses 4.5, 8.2, 8.3, 8.4 and 8.5 |
| | 8.6 | Anti-bribery commitments | |
| 151 | 8.6 a | Implement procedures requiring business associates to commit to preventing bribery | For business associates posing more than a low bribery risk |
| 152 | 8.6 b | Implement procedures enabling the organization to terminate the relationship in the event of bribery | |
| 153 | 8.6 | Where requirements 8.6 a) and b) cannot be met, take this into account when assessing the bribery risk | And in the way the organization manages such risks |
| | 8.7 | Gifts, hospitality, donations and similar benefits | |
| 154 | 8.7 | Implement procedures for gifts, hospitality, donations and similar benefits | In order to prevent what could reasonably be perceived as bribery |
| | 8.8 | Managing inadequacy of anti-bribery controls | |
| 155 | 8.8 a | Terminate, discontinue, suspend or withdraw from the transaction, project, activity or relationship with business associates | When the bribery risk cannot be managed because the anti-bribery controls are inadequate |
| 156 | 8.8 b | Decline to continue, or postpone, the transaction, project, activity or relationship | When the bribery risk cannot be managed because the anti-bribery controls are inadequate |
| | 8.9 | Raising concerns | |
| 157 | 8.9 a | Implement a reporting procedure that encourages persons to report their concerns | About attempted, suspected or actual bribery |
| 158 | 8.9 b | Treat the reports confidentially | In order to protect the identity of the reporting person |
| 159 | 8.9 c | Allow anonymous reporting | |
| 160 | 8.9 d | Prohibit retaliation against persons making reports in good faith | And protect them from it |
| 161 | 8.9 e | Allow personnel to receive advice from an appropriate person | When faced with a concern or a situation that could involve bribery |
| 162 | 8.9 | Ensure that all personnel are aware of the reporting procedure | And know how to use it, and know their rights and the protections available to them |
| | 8.10 | Investigating and dealing with bribery | |
| 163 | 8.10 a | Implement procedures requiring the assessment and, where appropriate, the investigation of any reported, detected or suspected bribery | Or any violation of the anti-bribery policy or the ABMS |
| 164 | 8.10 b | Require appropriate action if the investigation reveals bribery or a violation | |
| 165 | 8.10 c | Empower and enable the investigators | |
| 166 | 8.10 d | Require the co-operation of the relevant personnel in the investigation | |
| 167 | 8.10 e | Require that the status and results of the investigation are reported to the anti-bribery compliance function | |
| 168 | 8.10 f | Require that the investigation is carried out confidentially | And that its outputs are confidential |
| 169 | 8.10 | Have the investigation carried out by, and reported to, personnel who are not part of the role or function under investigation | A business associate can be appointed to conduct the investigation |
| | 9 | Performance evaluation | Check |
| | 9.1 | Inspection (monitoring, measurement, analysis and evaluation) | |
| 170 | 9.1 a | Determine what needs to be monitored and measured | |
| 171 | 9.1 b | Determine who is responsible for the monitoring | Cf. sub-clause 5.3 |
| 172 | 9.1 c | Determine the methods for monitoring, measurement, analysis and evaluation | In order to ensure valid results |
| 173 | 9.1 d | Determine when the monitoring and measurement are performed | |
| 174 | 9.1 e | Determine when the results of monitoring and measurement are analyzed and evaluated | |
| 175 | 9.1 f | Determine to whom and how this information is reported | |
| 176 | 9.1 | Retain documented information on the inspection | As evidence of the methods and the results obtained, cf. sub-clause 7.5 |
| 177 | 9.1 | Evaluate the anti-bribery performance | And the effectiveness and efficiency of the ABMS |
| | 9.2 | Internal audit | |
| 178 | 9.2.1 | Conduct internal audits at planned intervals | In order to provide information on the ABMS, cf. ISO 19011 |
| 179 | 9.2.1 a 1 | Provide evidence of whether the ABMS conforms to the organization's own requirements | |
| 180 | 9.2.1 a 2 | Provide evidence of whether the ABMS conforms to the requirements of ISO 37001 | |
| 181 | 9.2.1 b | Provide evidence of whether the ABMS is effectively implemented and maintained | |
| 182 | 9.2.2 a | Plan, establish, implement and maintain the audit program | Including frequency, methods, responsibilities, planning requirements and reporting |
| 183 | 9.2.2 b | Define the audit criteria and the scope of each audit | |
| 184 | 9.2.2 c | Select the auditors and conduct the audits | So as to ensure the objectivity and impartiality of the audit process |
| 185 | 9.2.2 d | Ensure that the audit results are reported to the relevant management | Including the anti-bribery compliance function, top management and the governing body (if any) |
| 186 | 9.2.2 e | Retain documented information on the audit results | As evidence of the implementation of the audit program and of the audit results |
| 187 | 9.2.3 | Conduct reasonable and proportionate internal audits | Audits are risk-based, cf. sub-clause 4.5 |
| | 9.2.3 | Audit coverage | Through requirements 188 to 191 the audits include processes that review the procedures, controls and systems |
| 188 | 9.2.3 a | Review procedures, controls and systems for bribery or suspected bribery | |
| 189 | 9.2.3 b | Review procedures, controls and systems for violations of the anti-bribery policy or the ABMS requirements | |
| 190 | 9.2.3 c | Review procedures, controls and systems for failures of business associates to conform to the organization's anti-bribery requirements | |
| 191 | 9.2.3 d | Review procedures, controls and systems for weaknesses in, or opportunities for improvement of, the ABMS | |
| | 9.2.4 | Who audits | Requirements 192 to 196 are the options for who undertakes the audits so that they are objective and impartial; the organization uses one of them |
| 192 | 9.2.4 a | Have the audits undertaken by an independent function or personnel established for this purpose | |
| 193 | 9.2.4 b | Have the audits undertaken by the anti-bribery compliance function | Unless the audit scope includes an evaluation of that function |
| 194 | 9.2.4 c | Have the audits undertaken by an appropriate person from a department other than the one being audited | |
| 195 | 9.2.4 d | Have the audits undertaken by an appropriate third party | |
| 196 | 9.2.4 e | Have the audits undertaken by a group comprising persons from options a) to d) | |
| 197 | 9.2.4 | Ensure that no auditor audits his own area of work | "No one should be a judge in his own case" (Latin proverb) |
| | 9.3 | Management review | |
| | 9.3.1 | Top management review | |
| 198 | 9.3.1 | Review the ABMS at planned intervals | In order to ensure its continuing suitability, adequacy and effectiveness |
| | 9.3.1 | Inputs of the top management review | Requirements 199 to 203 |
| 199 | 9.3.1 a | Take into account the status of actions from previous management reviews | |
| 200 | 9.3.1 b | Take into account changes in the external and internal issues relevant to the ABMS | Cf. sub-clause 4.1 |
| 201 | 9.3.1 c | Take into account information on the performance of the ABMS | Including nonconformities and corrective actions, monitoring and measurement results, audit results, bribery reports, investigations, and the nature and extent of the bribery risks |
| 202 | 9.3.1 d | Take into account the effectiveness of the actions taken to address the bribery risks | |
| 203 | 9.3.1 e | Take into account the opportunities for continual improvement of the ABMS | Cf. sub-clause 10.2 |
| 204 | 9.3.1 | Include in the outputs of the review the decisions related to continual improvement opportunities | And any need for changes to the ABMS |
| 205 | 9.3.1 | Report a summary of the results of the review to the governing body (if any) | |
| 206 | 9.3.1 | Retain documented information on the results | As evidence of the results of the top management review, cf. sub-clause 7.5 |
| | 9.3.2 | Governing body review | |
| 207 | 9.3.2 | Undertake periodic reviews of the ABMS based on information provided by top management | By the governing body (if any); also based on information provided by the anti-bribery compliance function and any other information the governing body requests |
| 208 | 9.3.2 | Retain documented information on the results of the governing body review | As evidence of the results, cf. sub-clause 7.5 |
| | 9.4 | Review by the anti-bribery compliance function | |
| 209 | 9.4 a | Assess on a continual basis whether the ABMS is adequate to manage the bribery risks effectively | By the anti-bribery compliance function |
| 210 | 9.4 b | Assess on a continual basis whether the ABMS is being effectively implemented | By the anti-bribery compliance function |
| 211 | 9.4 | Report at planned intervals, and at least once a year, to the governing body (if any) and to top management on the adequacy and implementation of the ABMS | Including the results of investigations and audits |
| | 10 | Improvement | Act |
| | 10.1 | Nonconformity and corrective action | |
| 212 | 10.1 a 1 | React promptly to the nonconformity by taking action to control and correct it | |
| 213 | 10.1 a 2 | React promptly to the nonconformity by dealing with its consequences | |
| 214 | 10.1 b 1 | Evaluate the need for corrective action by reviewing the nonconformity | So that it does not recur or occur elsewhere |
| 215 | 10.1 b 2 | Evaluate the need for corrective action by determining the causes of the nonconformity | |
| 216 | 10.1 b 3 | Evaluate the need for corrective action by determining whether similar nonconformities exist or could occur | |
| 217 | 10.1 c | Implement any action needed | |
| 218 | 10.1 d | Review the effectiveness of the corrective actions taken | |
| 219 | 10.1 e | Make changes to the ABMS if necessary | |
| 220 | 10.1 | Ensure that the corrective actions are appropriate to the effects of the nonconformities encountered | |
| 221 | 10.1 | Retain documented information on the nature of the nonconformities and any subsequent actions taken | Cf. sub-clause 7.5 |
| 222 | 10.1 | Retain documented information on the results of the corrective actions | Cf. sub-clause 7.5 |
| | 10.2 | Continual improvement | |
| 223 | 10.2 | Continually improve the suitability, adequacy and effectiveness of the ABMS | Implementing the opportunities identified, cf. sub-clause 9.3 |