Skip to main content

ISO 37301 Compliance management systems (CMS): An Opportunity for Change

Is your organisation looking for a way to stand out from the crowd when it comes to compliance?



You may already be familiar with ISO 19600, launched in 2014, which provides guidance for establishing, developing, implementing, maintaining, and improving effective compliance management systems. This standard is expected to be replaced internationally by ISO 37301 in Q2, 2021. In contrast to ISO 19600, the new standard will be certifiable. Should organisations pursue and achieve third party certification, significant comfort can be provided to regulators, boards, management, employees, and customers.

ISO 19600 is being replaced against the backdrop of increased regulatory scrutiny and stakeholder interest in ensuring organisations have accountability and responsibility for compliance embedded throughout their value chains. Consequences for ineffective compliance processes and a poor compliance culture continue to attract significant penalties from regulators and reputational damage at both national and international levels. As a result, ISO 37301 is centered on the importance of building a positive compliance culture aligned with sustainable business practices.

Key changes

Is your organisation already aligned with ISO 19600? If so, your organisation has a head-start as ISO 37301 leverages a significant portion of its contents from ISO 19600. However, there are two notable differences: 

1. Certifiable Standard 

ISO 37301 is a Type A standard, which means that it is articulated in directive language such as ‘shall’. This means that the new standard is “Certifiable”, and both regulators and independent experts may use the standard in assessing an organisation’s compliance management system. 

Certification enables an organisation to demonstrate, to customers, business partners and regulators, that its practices, processes, structures, and systems align to globally accepted standards which should result in compliance with its obligations. 

2. Acknowledgement of the compliance ecosystem 

ISO 37301 also introduces the concept of a compliance ecosystem and emphasises that the management of compliance risk involves several inter-related common elements across the whole organisation and sets out the objectives and principles for a compliance management system.

Organisations should view compliance management as a continuous improvement practice that requires management and staff to constantly monitor and assess their organisations’ compliance risks and controls, structures and processes.

 What will ISO 37301 mean for you and your organisation? 

The new standard can be applied to organisations of all sizes and all industries and both in Australia and internationally.  

Organisations that align their compliance management system with ISO 37301, and obtain and promote the third-party certification, are likely to gain a competitive advantage.

How can Deloitte help?

Deloitte has over 30 years of experience supporting organisations to assess their compliance management systems against prior standards, advising on required changes and assisting with implementation. Our Partner, Heather Loewenthal, is part of the Governance Risk and Compliance Institute (GRCI) team, representing the International Federation of Compliance Associations (IFCA), in the ISO Working Group, developing ISO 37301. 

Keep watching this space as we will be providing regular updates on the development of ISO 37301. If you require further information or other support with improving your compliance management system or preparing for ISO 37301, please contact us.