CA-18 · Compliance · general

ISO 37301

The certifiable compliance management system. A single standard that integrates all your organisation's legal obligations — criminal, tax, environmental, data and labour — under a consistent, third-party-auditable governance framework.

StandardISO 37301:2021
Duration5-8 months
Scopeany sector and size

ISO 37301:2021 is the international standard that sets requirements for implementing, maintaining and improving a Compliance Management System (CMS). Published in April 2021 by ISO, it replaced the ISO 19600:2014 guidance document, elevating compliance from voluntary guidance to a certifiable standard with auditable requirements. Its structure follows the High Level Structure (HLS) shared by ISO 9001, ISO 14001 and ISO 45001, which makes integration into existing management systems straightforward without duplicating documentation.

The standard covers any type of compliance obligation: criminal and anti-corruption (linking to UNE 19601 and ISO 37001), tax and fiscal, environmental and waste (articulable with ISO 14001), personal data protection (GDPR, linking to ISO 27701), employment and equality, and sector-specific regulation. Its 'umbrella system' architecture allows each compliance vertical to have its own documented controls within a unified governance structure, with a compliance officer function, a compliance register, a risk assessment programme and a periodic internal audit cycle.

For a Spanish SME or mid-market company, ISO 37301 delivers three concrete benefits: first, it reduces the criminal exposure of the management body by demonstrating due diligence in the control system; second, it facilitates access to public tenders and corporate clients that require evidence of compliance as a supplier approval requirement; third, it consolidates in a single audited file all the regulatory traceability that today lives scattered across the tax adviser, the lawyer, the OHS manager and the DPO. Summum accompanies the entire process through to certification, which is issued by an ENAC-accredited certification body (such as AENOR, Bureau Veritas, SGS or DNV).

The ISO 37301 process.

The process · four stages
01

Diagnosis and obligations map

We identify the regulatory universe applicable to your organisation: criminal, tax, environmental, labour, sector-specific and data legislation. We build the compliance register with each obligation classified by area, regulatory source, competent supervisory body and inherent risk level. This initial snapshot sets the baseline and highlights the gaps the system will need to cover.

02

System design and document structure

We draft the compliance policy, the CMS manual and the control procedures by vertical (criminal, tax, environmental, data, labour). We define roles and responsibilities — compliance officer, process owners, supervisory body — and design the mandatory training and awareness programme based on the risk profile of each role.

03

Implementation, controls and whistleblowing channel

We pilot the controls in critical processes and integrate them with existing management systems (ERP, CRM, HR). We configure or review the whistleblowing channel aligned with Directive (EU) 2019/1937 and Spanish Law 2/2023, which requires organisations with more than 50 employees to have their own channel. We conduct the first compliance risk assessment and the first internal audit round.

04

Certification audit and ongoing support

We prepare the certification audit with the accredited body of your choice (AENOR, Bureau Veritas, SGS, DNV or other). We assist in the documentary phase and the on-site audit, manage non-conformities through to closure and maintain the system with periodic reviews, regulatory updates and annual surveillance audits.

What is included

What ISO 37301 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Full compliance register

    Documented inventory of all applicable legal obligations, classified by area, regulatory source, potential sanction and internal owner.

  • CMS policy and manual

    Core system documentation: compliance policy signed by management, management manual and control procedures per regulatory vertical.

  • Compliance risk assessment

    Risk matrix with quantitative methodology (probability × impact), assigned mitigating controls and action plan prioritised by residual exposure.

  • Whistleblowing channel compliant with Law 2/2023

    Design or review of the internal whistleblowing channel, whistleblower protection policy and investigation procedure in line with the European Whistleblowing Directive.

  • Training and awareness programme

    Training modules differentiated by risk profile (management, middle management, operational staff). Includes attendance records for the due diligence file.

  • Internal audit and certification preparation

    Execution of the CMS internal audit, findings report, corrective action plan and full accompaniment through to the certificate issued by an ENAC-accredited body.

Frequently asked questions about ISO 37301.

What is the difference between ISO 37301 and ISO 37001?

ISO 37301 is the general compliance umbrella system: it covers any legal obligation (criminal, tax, environmental, data, labour). ISO 37001 is a specific anti-bribery and anti-corruption standard. They are compatible and complementary: an organisation can certify both, using 37001 as a vertical within the 37301 framework, or implement them independently depending on its risk profile.

Which companies are required to have a whistleblowing channel under Law 2/2023?

Law 2/2023, which transposes Directive (EU) 2019/1937, requires all private sector entities with 50 or more employees to have their own whistleblowing channel, as well as any company operating in financial services, anti-money laundering or product safety sectors, regardless of size. ISO 37301 naturally integrates this requirement as a CMS control.

How long does it take to implement ISO 37301 in an SME?

In an SME of between 20 and 150 employees with no prior compliance system, the typical process spans 5 to 8 months: diagnosis and obligations map (months 1-2), documentary design and training (months 2-4), control implementation and internal audit (months 4-6) and certification audit with the accredited body (months 6-8). The timeline varies depending on the regulatory complexity of the sector.

Who issues the ISO 37301 certificate? Does Summum issue it?

No. Summum Calidad is a consultancy, not a certification body. The certificate is issued by a certification body accredited by ENAC (the Spanish National Accreditation Entity), such as AENOR, Bureau Veritas, SGS, DNV or Lloyd's Register. Summum designs and implements the system and accompanies you through the certification audit; the certificate is signed by the independent third party.

Can ISO 37301 be integrated with ISO 9001 or ISO 14001 we already hold?

Yes, and this is precisely one of the standard's advantages. ISO 37301 follows the High Level Structure (HLS) shared by ISO 9001, ISO 14001, ISO 45001 and ISO 27001. This means that the policy, organisational context, objectives, risk management, internal audit and management review can be unified in an integrated management system, reducing the documentary burden and maintenance cost.