Time to get ISO 37001:2016 certified... What is the process?


ISO 37001:2016 Anti-Bribery Management System Certification is critical for organisations in the public, private and non-profit sectors. After all, consider the benefits: Certification adds a distinct level of credibility to the organisation's management systems, and ensures that the organization is implementing a viable anti-bribery management program utilizing widely accepted controls and systems.

It provides assurance to management, investors, business associates, personnel and other stakeholders that the organisation is actively pursuing internationally recognized and accepted processes to prevent bribery and corruption. ISO 37001:2016 certification also protects the organization, its assets, shareholders and directors from the effects of bribery.

But what, exactly, is the process for getting ISO37001:2016 certified by CRI Group? Once your organisation has submitted questionnaire information and completed the approval and contract stage, the certification cycle is ready to begin.

Step 1: Audit confirmation
An audit agenda will be developed with your organisation and confirmed to the Certification’s Body Assessment Team at least 3 months prior to the organisation’s first audit.

Step 2: Pre-assessment audit (optional)
The organisation can opt to perform a pre-assessment audit to identify any possible gaps between its current management system and the requirements of the standard. This audit is optional and helps the organisation to check its preparedness of the stage 1 and 2 assessments by identifying any major non-conformities which have not been addressed.

Step 3: Stage 1 audit
Review the results of the audit, including:

  • General observations
  • Nonconformities (major or minor, see below)

Minor nonconformities: These are not seen as serious. The organisation must complete internal Corrective Action Plan (CAP) before Stage 2. CAP is not required to be sent to the Assessment Team at Stage 1.

Major nonconformities: These are more serious and the organisation will need to submit a CAP, within 10 days of receiving audit report, with all actions scheduled to be completed before Stage 2. The CAP should be sent to the Assessment Team. The major non-conformities raised during Stage 1 will be re-assessed during Stage 2 Audit.

Step 4: Stage 2 audit
This is an on-site audit and takes place after the organisation has successfully completed Stage 1 and corrected any major nonconformities identified during Stage 1 audit. Stage 2 confirms that the organisation’s management system is fully aligned to the standard.  The evaluation is of management system implementation and its effectiveness.

Outcome: The audit report will detail the following:

  • Any positive observations
  • Opportunities for improvement - suggestions for improvement, as well as any findings that could lead to potential nonconformities.
  • Nonconformities (Major or Minor)
  • Recommendation for Certification

Minor nonconformities: The organisation must complete internal Corrective Action Plan (CAP) and submit this to the Assessment Team within 45 working days of receiving the audit report. The CAP will be reviewed by the Assessment Team and must detail the nonconformity, the cause, the proposed corrective action, who is responsible and the date the action will be implemented. Based on the evaluation of CAP, the recommendation for certification will be made.

For minor non-conformities, if an organisation has a corrective action procedure in place, this will not delay the certificate.

Major nonconformities: The organisation must complete internal Corrective Action Plan (CAP) and submit within 90 days (or 180 days depending on the number and risk of major nonconformities) of receiving the audit report and must be sent to the auditor.

What comes next? Stay tuned for the second instalment in our two-part series about the ISO 37001:2016 certification process.

Read to get started? Learn more at CRICertification.com.