ISO 37301: How to Create Your Own Compliance Management System

If you currently struggle to understand how to identify and evaluate your compliance obligations (or legal requirements) - especially when a new law is introduced or when an ISO Standard is first published or revised - the ISO 37301 standard can provide you with the framework to develop a solution to this problem.

ISO 37301 is a management system standard which sets out the requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining, and continually improving a compliance management system (CMS).

Benefits of the ISO 37301 Standard

By implementing a CMS based on ISO 37301, your organisation will be able to:

  1. Undergo a formal third-party conformity assessment of its CMS
  2. Develop a positive culture of compliance
  3. Quickly and effectively address compliance concerns
  4. Protect its reputation and safeguard its integrity by preventing and detecting unethical conduct
  5. Improve business opportunities and sustainability
  6. Carefully consider requirements and expectations of internal and external interested parties
  7. Develop strong and valuable relationships with regulators
  8. Increase the confidence of third parties in the organisation’s capacity to achieve sustained success
  9. Build customer trust and loyalty

Requirements of compliance management

1. Context of the organisation

Determine the external issues (legal, technological, international, local, etc.) and internal issues (values, culture and knowledge) that influence the organisation, including the needs of interested parties, in order to define the scope of the management system.

2. Leadership

Top management demonstrates leadership and commitment through a proper governance structure with policies in place, while ensuring that the relevant roles, responsibilities and authorities are communicated and understood.

3. Planning

Adopt a risk-based approach to address threats and opportunities in order to prevent or reduce undesired effects, and put the necessary objectives and plans in place (taking into account the planning of changes). These in turn need to be cascaded through the organisation, including responsibilities and timeframes.

4. Support

Support the management system by providing resources and adequate infrastructure, and by ensuring the necessary competencies, awareness and communication, with the necessary documented information in place.

5. Operation

Develop processes (controls, measures and procedures), as well as relevant feedback channels and contingency plans for non-conformances, incidents and emergency preparedness, while taking into account change management and the control of external providers.

6. Performance evaluation

Monitor with relevant metrics, analyse performance measures (including the evaluation of compliance), and conduct internal audits and management reviews.

7. Improvement

Address non-conformities and incidents with the necessary actions to control and correct them, deal with their consequences and eliminate their root causes, while taking remedial actions to improve the suitability, adequacy and effectiveness of the management system.

Using Genexist to Create Your Own Customised Compliance Management System

Genexist offers several easy-to-use authoring tools - both content and creation software widgets - that enable you to create the following components, each of which can be mapped to the corresponding ISO 37301 clauses:

  1. Governance (5.1-5.3)
  2. Business Context Analysis (4.1-4.3)
  3. Risk Management (6.1-6.3, 10.1-10.2)
  4. Compliance Management (4.5-4.6, 8.1-8.2)
  5. Policy Management & Distribution (5.2, 7.4-7.5)
  6. Training and Communication (7.2-7.4)
  7. Audit Management & Review (9.1-9.3)
  8. Response Management (8.3-8.4)

Thus, whether you are looking to implement a compliance management system for anti-bribery and ethics, data protection, information security, third-party management or other risk-based frameworks, you will need similar components. You can, however, configure your product in the way you want and embed your customised content into the components. For example, you can upload assessment questionnaires that you have composed into your product.

Your organisation decides on the content, compliance areas and workflows.

Deploying the ISO 37301 Compliance Management System

When configuring your product, you can choose to implement certain sections like risk and compliance management, or all of the above to conform to the full ISO 37301 requirements.

When deploying the components you have selected, you decide how to design the user menu of your system - either as your own customised compliance workflow or following the ISO Plan-Do-Check-Act process. See diagram below.

Ultimately ISO 37301 provides the guiding principles and framework from which all Compliance Management Systems can be crafted.

Kevin Shepherdson
CEO, Straits Interactive