ISO 37001:2025: key changes and transition deadlines

·

The ISO 37001 is the international reference standard for anti-bribery management systems. Originally published in 2016, it has guided thousands of organisations — from multinationals to SMEs supplying public administrations — in implementing controls to prevent, detect and respond to bribery. In 2025, technical committee ISO/TC 309 approved a substantial revision of the standard. Whether your company is already certified, in the process of implementation, or simply evaluating certification, this article gives you the information you need to stay on track.

Why ISO 37001 is being revised now

Every ISO standard undergoes periodic review, generally every five years. In the case of ISO 37001, the 2025 revision also responds to significant regulatory changes: the adoption of Directive (EU) 2024/1760 on corporate sustainability due diligence (CSDDD), which imposes direct obligations to control value chains; increased judicial scrutiny of the role of compliance as a mitigating factor in criminal liability; and the proliferation of whistleblowing schemes — driven by the Whistleblower Protection Directive (EU) 2019/1937 — which overlap with the reporting channels required by ISO 37001 itself.

The International Organization for Standardization has not published the 2025 edition of ISO 37001 as a minor revision, but as a complete second edition that replaces the 2016 text in its entirety. Organisations with a valid certificate will have a transition period, but it is advisable to understand the changes as early as possible to avoid surprises at the next surveillance audit.

Key changes in ISO 37001:2025 compared to the 2016 edition

1. Harmonized Structure (HS)

The 2016 edition followed Annex SL, the high-level structure then in force. The 2025 revision adopts the new Harmonized Structure (HS) that ISO has established for all its management system standards from 2023 onwards. This facilitates integration with ISO 9001, ISO 14001, ISO 45001 or ISO 37301 (general compliance) into a single management system. For companies that already manage several standards in an integrated way, this change is a real advantage: terminology, clause sequence and shared requirements align better.

2. Greater emphasis on third-party due diligence

One of the most criticised weaknesses of the 2016 edition was the lack of specificity in controls over third parties (suppliers, agents, intermediaries, joint-venture partners). The 2025 edition expands and details the requirements of the former clause 8.6, requiring:

3. Organisational culture and leadership

The revision reinforces the role of the Anti-Bribery Control Committee (or equivalent function) and adds explicit requirements on organisational culture. Having a published anti-bribery policy is no longer sufficient: the standard requires evidence that ethical values are integrated into decision-making, performance assessment processes and incentives. This directly connects with the regulatory trend of requiring corporate culture as an element of effective compliance.

4. Reporting channel aligned with EU whistleblower legislation

The 2016 edition required internal reporting mechanisms but did not specify their form. The 2025 edition expands this requirement so that the reporting system is also accessible to external third parties (suppliers, clients) and meets the confidentiality and non-retaliation standards required by European legislation. Companies that have already implemented a reporting channel to comply with the EU Whistleblower Directive can leverage the synergies to satisfy both requirements at once.

5. Emerging risks: facilitation payments

The revised standard explicitly addresses facilitation payments — small amounts paid to officials to speed up administrative procedures — as a form of bribery that must be expressly prohibited in the organisation's policy. It also addresses risks linked to markets with high perceptions of corruption (Transparency International's Corruption Perceptions Index as a reference), requiring additional controls when the organisation operates in those environments.

6. Performance indicators and continuous improvement

The 2025 edition gives greater weight to measurement. Organisations are expected to define anti-bribery system KPIs (number of reports received, investigations initiated, resolution time, training sessions completed, percentage of third parties assessed) and review them periodically in the management review. This raises the bar for what certification auditors consider sufficient evidence.

Comparison table: ISO 37001:2016 vs ISO 37001:2025

Area 2016 Edition 2025 Edition
Structure Annex SL (10 clauses) Harmonized Structure (HS)
Third-party due diligence Generic requirements (clause 8.6) Detailed by category and risk
Reporting channel Mandatory internal mechanism External access + alignment with whistleblower legislation
Organisational culture Implicit mention in leadership Explicit and measurable requirements
Facilitation payments No specific mention Express prohibition in policy
System KPIs Basic performance assessment Defined indicators reviewed periodically
High-risk markets General context analysis Explicit reference to corruption indices
Integration with other standards Compatible, not optimised Common HS clauses facilitate integration

Transition deadlines: what ISO says and what it means in practice

The International Accreditation Forum (IAF) has set a two-year transition period for ISO 37001:2025. The final deadline, confirmed by national accreditation bodies and accredited certification bodies (AENOR, Bureau Veritas, SGS, among others), is 28 February 2027. From 1 September 2026, new certifications must be conducted against the 2025 edition.

In practice, this means that:

If your company has a surveillance or renewal audit scheduled in the next twelve months, now is the time to review with your consultant what gaps the new edition creates and whether it makes sense to address them in preparation for that audit or to plan a formal transition.

Sectors most affected by ISO 37001:2025

The anti-bribery standard has universal application, but there are sectors where regulatory and market pressure makes the update particularly relevant:

How to prepare the transition: concrete steps

If you already hold the ISO 37001:2016 and want to manage the transition smoothly, these are the steps we recommend from our ISO 37001 implementation and certification service:

  1. Gap analysis: map the new requirements of the 2025 edition against your current system. Not all changes create gaps; it depends on what you have already implemented.
  2. Review of the anti-bribery policy: include the express prohibition of facilitation payments and update regulatory references (CSDDD if applicable).
  3. Internal audit of the third-party map: identify which suppliers, agents and partners are in the high-risk radar and update the due diligence procedures.
  4. Review of the reporting channel: verify that it meets the required standards (access, confidentiality, non-retaliation) and extend access to third parties if not already enabled.
  5. Definition of system KPIs: if no formal indicators exist, define them and document how they will be reviewed at the next management review.
  6. Training of the Anti-Bribery Control Committee: update training content to reflect the new standard requirements and regulatory changes.
  7. Internal pre-audit: before the transition certification audit, carry out at least one full internal audit against the 2025 edition.

The actual effort depends on how much you have invested in your system since the initial certification. A company with a live and well-documented system can make the transition with a relatively contained effort. A company that has been running its system in "just get through the audit" mode will have more work to do.

ISO 37001 and its relationship with criminal compliance

The criminal liability of legal persons is regulated in many European jurisdictions. Bribery — active and passive, domestic and international — is among the offences that can entail criminal liability for the organisation. Compliance programmes that include an anti-bribery system certified under ISO 37001 constitute material evidence that the organisation has adopted effective crime prevention measures, the standard required for exemption or mitigation of liability.

The 2025 edition, by reinforcing controls and culture, raises the level of compliance programme that a judge or prosecutor will consider "effective". Holding the certificate of the previous edition when a more demanding version already exists may not be a sufficient defence argument in future criminal proceedings. At Summum Calidad we work jointly on the implementation of the anti-bribery system and coordinate with the client's legal advisors when the project includes updating the criminal compliance model.

Frequently asked questions

Is my ISO 37001:2016 certificate still valid as long as it has not expired?

Yes, as long as the transition period is in force and the certificate has not expired, it remains valid. However, certification bodies will progressively migrate their audits to the 2025 edition. Check with your certification body when they plan to start auditing exclusively against the new edition, so you can plan your transition with adequate lead time.

Can I certify directly to the 2025 edition if I do not yet have a certificate?

Yes, and that is what we recommend for any project starting now. Certifying against the 2016 edition in 2026 or 2027 would require making the transition shortly afterwards, duplicating the effort. The logical approach is to implement the system directly under the 2025 edition from the outset.

How long does a company take to transition from the 2016 to the 2025 edition?

It depends on the starting state of the system. A company with a well-implemented system and no significant gaps can complete the transition in two to four months (documentary update, training, internal audit, certification audit). If there are structural gaps — such as an outdated third-party map or a reporting channel that does not meet the required standards — the timeline may extend to six or nine months. An initial gap analysis allows the effort to be estimated precisely before committing resources.

Does ISO 37001:2025 require reporting bribery to the authorities?

The standard does not directly impose an obligation to report to the authorities; that is regulated by the legal system of each country. What it does require is that the organisation has clear procedures for investigating reports received, documenting investigations and taking corrective actions. If an internal investigation reveals indications of a criminal offence, the obligation to report is established by applicable criminal law and sector-specific regulations, not by the ISO standard itself.