How to Implement ISO 37001:2025
This guide provides a roadmap for Singapore businesses on how to implement the ISO 37001:2025 Anti-Bribery Management System (ABMS). The 2025 edition introduces critical updates, including a dedicated Anti-Bribery Culture (Clause 5.1.3), Climate Change risk integration (Clauses 4.1 & 4.2), and stricter Conflict of Interest oversight. Utilizing ISOGuruSG’s proven 3-step framework—Gap Analysis, Process Alignment, and Audit Readiness—organizations can transition from the 2016 version or build a new system that ensures legal compliance and enhances ESG credibility. The transition deadline is February 28, 2027, making early implementation essential for maintaining competitive advantages in high-stakes procurement.
Phase 1: Understanding Your Organization (Clause 4)
ISO 37001:2025 — Context, Scope, Interested Parties, Risk Assessment
1. Understand Your Context (4.1)
Start by taking a clear look at what shapes your organization. This includes:
- How big you are, how you are structured, and who can make decisions
- Where you operate and what industries you serve
- How complex your operations are
- When and how you engage with public officials
- All the laws, contracts, and professional obligations you must follow
- ISO 37001:2025 now asks you to consider whether climate change is a relevant factor
This helps you build an ABMS that fits your real-world environment.
2. Identify Your Key Stakeholders (4.2)
Next, list the groups who have expectations about your anti-bribery performance.
These could be customers, regulators, employees, bankers, or partners.
Identify:
- What they expect
- Which expectations your ABMS will address
3. Define Your ABMS Scope (4.3)
Your scope should clearly state what parts of the business and which activities the ABMS covers.
It must align with:
- Your context (4.1)
- Stakeholder expectations (4.2)
- Bribery risk assessment results (4.5)
Make sure you document it—this is a mandatory ISO requirement.
4. Build Your Anti-Bribery Management System (4.4)
Now, put the ABMS structure in place.
It should be proportionate, meaning it matches the size and risk level of your organization.
It must also provide a way to:
- Identify
- Evaluate
- Prevent
- Detect
- Respond to bribery risks
5. Run Your Bribery Risk Assessment (4.5)
This is the engine of the whole ABMS.
At planned intervals, you need to:
- Identify bribery risks
- Analyse and prioritize them
- Evaluate whether your current controls can handle them
- Document everything
This becomes the foundation for designing or improving your ABMS.
Phase 2: Leadership & Culture (Clause 5)
ISO 37001:2025 — Leadership, Policy, Roles, Culture
6. Show Leadership Commitment (5.1)
ISO 37001:2025 requires visible involvement from top management and the governing body.
This includes:
- Approving the anti-bribery policy
- Ensuring resources are provided
- Embedding the ABMS into daily operations
- Protecting people who refuse bribery or report concerns
- Driving an ethical culture
7. Build an Integrity-First Culture (5.1.3)
Culture is not a slogan—it requires consistent behaviour.
Leaders must show ethical conduct through active, visible, and ongoing commitment.
8. Create and Communicate Your Anti-Bribery Policy (5.2)
The policy must:
- Prohibit bribery
- Require legal compliance
- Encourage confidential reporting without fear
- Clarify the independence of the anti-bribery function
Share this internally and with external partners who present more than a low bribery risk.
9. Assign Roles and Responsibilities (5.3)
Top management still owns the ABMS.
But the Anti-Bribery Function handles day-to-day oversight.
It must be:
- Competent
- Independent
- Properly resourced
- Able to report directly to top management and the governing body
10. Manage Delegated Decision-Making (5.3.3)
When authority is delegated for decisions involving higher bribery risks, ensure:
- Controls exist
- Conflict-of-interest risks are avoided
- The decision-making process is appropriate and transparent
Phase 3: Planning Your ABMS (Clause 6)
ISO 37001:2025 — Risk Planning, Objectives, Change Management
11. Plan Actions for Risks and Opportunities (6.1)
Based on your risk assessment, decide:
- What actions are needed
- How to integrate them into daily operations
- How you will check if they’re effective
12. Set Practical and Measurable Objectives (6.2)
Objectives should be:
- Consistent with your policy
- Achievable
- Measurable (when possible)
- Assigned to someone
- Supported with timelines and resources
13. Manage Change (6.3)
Any changes to the ABMS—big or small—should be planned, controlled, and documented.
Phase 4: Supporting the ABMS (Clause 7)
ISO 37001:2025 — Resources, Competence, Training, Documentation
14. Provide the Right Resources (7.1)
Ensure your ABMS has the people, tools, and financial support it needs.
15. Ensure Competence (7.2.1)
Identify the skills needed for ABMS-related roles and document proof of competence.
16. Apply Employment Controls (7.2.2)
This includes:
- Making employees commit to the ABMS
- Training them early
- Requiring conflict-of-interest disclosures
- Running due diligence for high-risk roles
- Reviewing incentive schemes
- Obtaining compliance declarations periodically
17. Deliver Awareness and Training (7.3)
People must know the policy, their responsibilities, and where to report concerns.
High-risk business partners may also need training.
18. Set Up Communication Processes (7.4)
Define what, when, how, and with whom ABMS communications will happen.
19. Control Documented Information (7.5)
Make sure documents are:
- Accurate
- Up to date
- Accessible to the right people
- Properly protected and retained
Phase 5: Operating the ABMS (Clause 8)
ISO 37001:2025 — Operational Controls, Due Diligence, Financial & Non-Financial Controls
20. Operational Planning & Control (8.1)
Put in place the operational controls necessary to meet ABMS requirements.
21. Conduct Due Diligence (8.2)
Apply due diligence to:
- High-risk personnel
- Third parties
- Projects and transactions
And review it regularly.
22. Implement Financial Controls (8.3)
Examples include:
- Segregation of duties
- Tiered approval levels
- Verifying that payments match actual work performed
23. Apply Non-Financial Controls (8.4)
Include controls in:
- Procurement
- Sales
- Legal
- HR
- Access to sensitive information
24. Controls for Controlled Organizations & Business Associates (8.5)
Your subsidiaries and high-risk partners must adopt equivalent anti-bribery controls.
25. Obtain Anti-Bribery Commitments (8.6)
Where possible, require business associates to commit contractually to anti-bribery obligations.
26. Manage Gifts, Hospitality & Donations (8.7)
Set limits, define approval processes, and prevent anything that could look like bribery.
27. Manage Inadequate Controls (8.8)
If the risks are too high and cannot be mitigated—walk away.
28. Implement Whistleblowing Channels (8.9)
Enable confidential or anonymous reporting (where legal) with non-retaliation protection.
29. Investigate Any Bribery Concerns (8.10)
Investigations must be independent, confidential, and documented, with results reported to top management.
Phase 6: Evaluating Performance (Clause 9)
ISO 37001:2025 — Monitoring, Internal Audit, Management Review
30. Monitor and Measure Performance (9.1)
Define what you will monitor, how you will do it, and how often.
31. Conduct Internal Audits (9.2)
Plan risk-based internal audits to check compliance with both ISO 37001 and your own ABMS.
32. Management Review (9.3)
Top management reviews the ABMS periodically.
The governing body also reviews performance based on these reports.
33. Anti-Bribery Function Review (9.4)
The anti-bribery function must regularly assess ABMS effectiveness and report results.
Phase 7: Continual Improvement (Clause 10)
ISO 37001:2025 — Improvement & Corrective Actions
34. Continual Improvement (10.1)
The goal is ongoing improvement—not a “one and done” certification.
35. Corrective Actions (10.2)
When things go wrong, you must:
- React quickly
- Identify root causes
- Implement corrective actions
- Check whether they worked
- Document everything