ISO/IEC 27001:2013
Information technology — Security techniques — Information security management systems — Requirements

ISO 37001:2016
Anti-bribery management systems — Requirements with guidance for use

ISO 9001:2015
Quality management systems — Requirements

v03, 8 December 2017

1 Scope

ISO/IEC 27001:2013
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

ISO 37001:2016
This standard specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system.
The system can be stand-alone or can be integrated into an overall management system.
This standard addresses the following in relation to the organization's activities:
— bribery in the public, private and not-for-profit sectors;
— bribery by the organization;
— bribery by the organization's personnel acting on the organization's behalf or for its benefit;
— bribery by the organization's business associates acting on the organization's behalf or for its benefit;
— bribery of the organization;
— bribery of the organization's personnel in relation to the organization's activities;
— bribery of the organization's business associates in relation to the organization's activities;
— direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).

This standard is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.

This standard does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.

The requirements of this standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.

NOTE 1 See Clause A.2 for guidance.
NOTE 2 The measures necessary to prevent, detect and mitigate the risk of bribery by the organization can be different from the measures used to prevent, detect and respond to bribery of the organization (or its personnel or business associates acting on the organization's behalf). See A.8.4 for guidance.

ISO 9001:2015
This International Standard specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

NOTE 1 In this International Standard, the terms "product" or "service" only apply to products and services intended for, or required by, a customer.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.
2 Normative references

ISO/IEC 27001:2013
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO 37001:2016
There are no normative references in this standard.

ISO 9001:2015
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary

3 Terms and definitions

ISO/IEC 27001:2013
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

ISO 37001:2016
For the purposes of this standard, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1 bribery
offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance (3.16) of that person's duties

NOTE 1 to entry: The above is a generic definition. The meaning of the term "bribery" is as defined by the anti-bribery law applicable to the organization (3.2) and by the anti-bribery management system (3.5) designed by the organization.

3.2 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.11)

NOTE 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

NOTE 2 to entry: For organizations with more than one operating unit, one or more of the operating units can be defined as an organization.

3.3 interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity

NOTE 1 to entry: A stakeholder can be internal or external to the organization.

3.4 requirement
need that is stated and obligatory

NOTE 1 to entry: The core definition of "requirement" in ISO management system standards is "need or expectation that is stated, generally implied or obligatory". "Generally implied requirements" are not applicable in the context of anti-bribery management.

NOTE 2 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

NOTE 3 to entry: A specified requirement is one that is stated, for example in documented information.

3.5 management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.10) and objectives (3.11) and processes (3.15) to achieve those objectives

NOTE 1 to entry: A management system can address a single discipline or several disciplines.

NOTE 2 to entry: The management system elements include the organization's structure, roles and responsibilities, planning and operation.

NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

(summarized)

ISO 9001:2015
For the purposes of this document, the terms and definitions given in ISO 9000:2015 apply.

4 Context of the organization

4.1 Understanding the organization and its context

ISO/IEC 27001:2013
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

ISO 37001:2016
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system.

These issues will include, without limitation, the following factors:
a) the size, structure and delegated decision-making authority of the organization;
b) the locations and sectors in which the organization operates or anticipates operating;
c) the nature, scale and complexity of the organization's activities and operations;
d) the organization's business model;
e) the entities over which the organization has control and entities which exercise control over the organization;
f) the organization's business associates;
g) the nature and extent of interactions with public officials;
h) applicable statutory, regulatory, contractual and professional obligations and duties.

NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).

ISO 9001:2015
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.

The organization shall monitor and review information about these external and internal issues.

NOTE 1 Issues can include positive and negative factors or conditions for consideration.
NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.

4.2 Understanding the needs and expectations of interested parties

ISO/IEC 27001:2013
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

ISO 37001:2016
4.2 Understanding the needs and expectations of stakeholders
The organization shall determine:
a) the stakeholders that are relevant to the anti-bribery management system;
b) the relevant requirements of these stakeholders.

NOTE In identifying the requirements of stakeholders, an organization can distinguish between mandatory requirements and the non-mandatory expectations of, and voluntary commitments to, stakeholders.

ISO 9001:2015
4.2 Understanding the needs and expectations of interested parties
Due to their effect or potential effect on the organization's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.

The organization shall monitor and review information about these interested parties and their relevant requirements.

4.3 Determining the scope of the management system

ISO/IEC 27001:2013
4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

ISO 37001:2016
4.3 Determining the scope of the anti-bribery management system
The organization shall determine the boundaries and applicability of the anti-bribery management system to establish its scope.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) the results of the bribery risk assessment referred to in 4.5.

The scope shall be available as documented information.

NOTE See Clause A.2 for guidance.

ISO 9001:2015
4.3 Determining the scope of the quality management system
The organization shall determine the boundaries and applicability of the quality management system to establish its scope.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization.

The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.

The scope of the organization's quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system.
Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization's ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

4.4 Management system

ISO/IEC 27001:2013
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

ISO 37001:2016
4.4 Anti-bribery management system
The organization shall establish, document, implement, maintain and continually review and, where necessary, improve an anti-bribery management system, including the processes needed and their interactions, in accordance with the requirements of this standard.
The anti-bribery management system shall contain measures designed to identify and evaluate the risk of, and to prevent, detect and respond to, bribery.

NOTE 1 It is not possible to completely eliminate the risk of bribery, and no anti-bribery management system will be capable of preventing and detecting all bribery.

The anti-bribery management system shall be reasonable and proportionate, taking into account the factors referred to in 4.3.

NOTE 2 See Clause A.3 for guidance.

4.5 Bribery risk assessment

4.5.1 The organization shall undertake regular bribery risk assessment(s) which shall:
a) identify the bribery risks the organization might reasonably anticipate given the factors listed in 4.1;
b) analyse, assess and prioritize the identified bribery risks;
c) evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks.

4.5.2 The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization's policies and objectives.

4.5.3 The bribery risk assessment shall be reviewed:
a) on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization;
b) in the event of a significant change to the structure or activities of the organization.

4.5.4 The organization shall retain documented information that demonstrates that the bribery risk assessment has been conducted and used to design or improve the anti-bribery management system.

NOTE See Clause A.4 for guidance.

ISO 9001:2015
4.4 Quality management system and its processes
4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.

4.4.2 To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that the processes are being carried out as planned.

5 Leadership

5.1 Leadership and commitment

ISO/IEC 27001:2013
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

ISO 37001:2016
5.1.1 Governing body
When the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) approving the organization's anti-bribery policy;
b) ensuring that the organization's strategy and anti-bribery policy are aligned;
c) at planned intervals receiving and reviewing information about the content and operation of the organization's anti-bribery management system;
d) requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned;
e) exercising reasonable oversight over the implementation of the organization's anti-bribery management system by top management and its effectiveness.

These activities shall be carried out by top management if the organization does not have a governing body.

5.1.2 Top management
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) ensuring that the anti-bribery management system, including policy and objectives, is established, implemented, maintained and reviewed to adequately address the organization's bribery risks;
b) ensuring the integration of the anti-bribery management system requirements into the organization's processes;
c) deploying adequate and appropriate resources for the effective operation of the anti-bribery management system;
d) communicating internally and externally regarding the anti-bribery policy;
e) communicating internally the importance of effective anti-bribery management and of conforming to the anti-bribery management system requirements;
f) ensuring that the anti-bribery management system is appropriately designed to achieve its objectives;
g) directing and supporting personnel to contribute to the effectiveness of the anti-bribery management system;
h) promoting an appropriate anti-bribery culture within the organization;
i) promoting continual improvement;
j) supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility;
k) encouraging the use of reporting procedures for suspected and actual bribery (see 8.9);
l) ensuring that no personnel will suffer retaliation, discrimination or disciplinary action (see 7.2.2.1 d)) for reports made in good faith or on the basis of a reasonable belief of violation or suspected violation of the organization's anti-bribery policy, or for refusing to engage in bribery, even if such refusal can result in the organization losing business (except where the individual participated in the violation);
m) at planned intervals, reporting to the governing body (if any) on the content and operation of the anti-bribery management system and of allegations of serious or systematic bribery.

NOTE See Clause A.5 for guidance.

ISO 9001:2015
5.1.1 General
Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization's business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the quality management system requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

NOTE Reference to "business" in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization's existence, whether the organization is public, private, for profit or not for profit.

5.1.2 Customer focus
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
1) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;
2) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
3) the focus on enhancing customer satisfaction is maintained.

5.2 Policy

ISO/IEC 27001:2013
5.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.4) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

ISO 37001:2016
5.2 Anti-bribery policy
Top management shall establish, maintain and review an anti-bribery policy that:
a) prohibits bribery;
b) requires compliance with anti-bribery laws that are applicable to the organization;
c) is appropriate to the purpose of the organization;
d) provides a framework for setting, reviewing and achieving anti-bribery objectives;
e) includes a commitment to satisfy anti-bribery management system requirements;
f) encourages raising concerns in good faith or on the basis of a reasonable belief in confidence without fear of reprisal;
g) includes a commitment to continual improvement of the anti-bribery management system;
h) explains the authority and independence of the anti-bribery compliance function;
i) explains the consequences of not complying with the anti-bribery policy.

The anti-bribery policy shall:
— be available as documented information;
— be communicated in appropriate languages within the organization and to business associates who pose more than a low risk of bribery;
— be available to relevant stakeholders, as appropriate.

ISO 9001:2015
5.2.1 Developing the quality policy
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality management system.

5.2.2 Communicating the quality policy
The quality policy shall:
1) be available and be maintained as documented information;
2) be communicated, understood and applied within the organization;
3) be available to relevant interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

ISO/IEC 27001:2013
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

ISO 37001:2016
5.3.1 Roles and responsibilities
Top management shall have overall responsibility for the implementation of, and compliance with, the anti-bribery management system, as described in 5.1.2.

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within and throughout every level of the organization.

Managers at every level shall be responsible for requiring that the anti-bribery management system requirements are applied and complied with in their department or function.

The governing body (if any), top management and all other personnel shall be responsible for understanding, complying with and applying the anti-bribery management system requirements, as they relate to their role in the organization.

5.3.2 Anti-bribery compliance function
Top management shall assign to an anti-bribery compliance function the responsibility and authority for:
a) overseeing the design and implementation by the organization of the anti-bribery management system;
b) providing advice and guidance to personnel on the anti-bribery management system and issues relating to bribery;
c) ensuring that the anti-bribery management system conforms to the requirements of this standard;
d) reporting on the performance of the anti-bribery management system to the governing body (if any) and top management and other compliance functions, as appropriate.

The anti-bribery compliance function shall be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence.

The anti-bribery compliance function shall have direct and prompt access to the governing body (if any) and top management in the event that any issue or concern needs to be raised in relation to bribery or the anti-bribery management system.

Top management can assign some or all of the anti-bribery compliance function to persons external to the organization. If it does, top management shall ensure that specific personnel have responsibility for, and authority over, those externally assigned parts of the function.

NOTE See Clause A.6 for guidance.

5.3.3 Delegated decision-making
Where top management delegates to personnel the authority for the making of decisions in relation to which there is more than a low risk of bribery, the organization shall establish and maintain a decision-making process or set of controls which requires that the decision process and the level of authority of the decision-maker(s) are appropriate and free of actual or potential conflicts of interest. Top management shall ensure that these processes are reviewed periodically as part of its role and responsibility for implementation of, and compliance with, the anti-bribery management system outlined in 5.3.1.

NOTE Delegation of decision-making will not exempt top management or the governing body (if any) of their duties and responsibilities as described in 5.1.1, 5.1.2 and 5.3.1, nor does it necessarily transfer to the delegated personnel potential legal responsibilities.

ISO 9001:2015
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

Top management shall assign the responsibility and authority for:
a) ensuring that the quality management system conforms to the requirements of this International Standard;
b) ensuring that the processes are delivering their intended outputs;
c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management;
d) ensuring the promotion of customer focus throughout the organization;
e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

6 Planning

[ISO/IEC 27001:2013]

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

[ISO 37001:2016]

6.1 Actions to address risks and opportunities

When planning for the anti-bribery management system, the organization shall consider the issues referred to in 4.1, the requirements referred to in 4.2, the risks identified in 4.5, and opportunities for improvement that need to be addressed to:
a) give reasonable assurance that the anti-bribery management system can achieve its objectives;
b) prevent, or reduce, undesired effects relevant to the anti-bribery policy and objectives;
c) monitor the effectiveness of the anti-bribery management system;
d) achieve continual improvement.

The organization shall plan:
— actions to address these bribery risks and opportunities for improvement;
— how to:
1) integrate and implement these actions into its anti-bribery management system processes;
2) evaluate the effectiveness of these actions.

[ISO 9001:2015]

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.

6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization's or its customers' needs.
[ISO/IEC 27001:2013]

6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

[ISO 37001:2016]

6.2 Anti-bribery objectives and planning to achieve them

The organization shall establish anti-bribery management system objectives at relevant functions and levels.

The anti-bribery management system objectives shall:
a) be consistent with the anti-bribery policy;
b) be measurable (if practicable);
c) take into account applicable factors referred to in 4.1, the requirements referred to in 4.2 and the bribery risks identified in 4.5;
d) be achievable;
e) be monitored;
f) be communicated in accordance with 7.4;
g) be updated as appropriate.

The organization shall retain documented information on the anti-bribery management system objectives.

When planning how to achieve its anti-bribery management system objectives, the organization shall determine:
— what will be done;
— what resources will be required;
— who will be responsible;
— when the objectives will be achieved;
— how the results will be evaluated and reported;
— who will impose sanctions or penalties.

[ISO 9001:2015]

6.2 Quality objectives and planning to achieve them

6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.

The quality objectives shall:
a) be consistent with the quality policy;
b) be measurable;
c) take into account applicable requirements;
d) be relevant to conformity of products and services and to enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.

The organization shall maintain documented information on the quality objectives.

6.2.2 When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.

6.3 Planning of changes

When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).

The organization shall consider:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.
7 Support

[ISO/IEC 27001:2013]

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

[ISO 37001:2016]

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system.

NOTE See Clause A.7 for guidance.

[ISO 9001:2015]

7.1 Resources

7.1.1 General

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.

The organization shall consider:
a) the capabilities of, and constraints on, existing internal resources;
b) what needs to be obtained from external providers.

7.1.2 People
The organization shall determine and provide the persons
necessary for the effective implementation of
its quality management system and for the operation and control
of its processes.

7.1.3 Infrastructure
The organization shall determine, provide and maintain the
infrastructure necessary for the operation of its processes and to
achieve conformity of products and services.

NOTE Infrastructure can include:
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

7.1.4 Environment for the operation of processes
The organization shall determine, provide and maintain the
environment necessary for the operation of its processes and to
achieve conformity of products and services.

NOTE A suitable environment can be a combination of human
and physical factors, such as:
a) social (e.g. non-discriminatory, calm, non-
confrontational);
b) psychological (e.g. stress-reducing, burnout prevention,
emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow,
hygiene, noise).
These factors can differ substantially depending on the products
and services provided.

7.1.5 Monitoring and measuring resources
7.1.5.1 General
The organization shall determine and provide the resources
needed to ensure valid and reliable results when monitoring or
measuring is used to verify the conformity of products and

services to requirements.

The organization shall ensure that the resources provided:
a) are suitable for the specific type of monitoring and
measurement activities being undertaken;
b) are maintained to ensure their continuing fitness for their
purpose.

The organization shall retain appropriate documented
information as evidence of fitness for purpose of the monitoring
and measurement resources.

7.1.5.2 Measurement traceability
When measurement traceability is a requirement, or is
considered by the organization to be an essential part of
providing confidence in the validity of measurement results,
measuring equipment shall be:
a) calibrated or verified, or both, at specified intervals, or prior
to use, against measurement standards traceable to
international or national measurement standards; when no
such standards exist, the basis used for calibration or
verification shall be retained as documented information;
b) identified in order to determine their status;
c) safeguarded from adjustments, damage or deterioration
that would invalidate the calibration status and subsequent
measurement results.

The organization shall determine if the validity of previous
measurement results has been adversely affected when
measuring equipment is found to be unfit for its intended
purpose, and shall take appropriate action as necessary.

7.1.6 Organizational knowledge
The organization shall determine the knowledge necessary for
the operation of its processes and to achieve conformity of
products and services.
This knowledge shall be maintained and be made available to the
extent necessary.
When addressing changing needs and trends, the organization
shall consider its current knowledge and determine how to

acquire or access any necessary additional knowledge and
required updates.

NOTE 1 Organizational knowledge is knowledge specific to the
organization; it is gained by experience. It is information that is
used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a) internal sources (e.g. intellectual property; knowledge gained
from experience; lessons learned from failures and successful
projects; capturing and sharing undocumented knowledge and
experience; the results of
improvements in processes, products and services);
b) external sources (e.g. standards; academia; conferences;
gathering knowledge from customers or external providers).
[ISO/IEC 27001:2013]

7.2 Competence

The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.

[ISO 37001:2016]

7.2 Competence

7.2.1 General

The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its anti-bribery performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the coaching of, or the re-assignment of personnel or business associates; or the hiring or contracting of the same.

7.2.2 Employment process

7.2.2.1 In relation to all of its personnel, the organization shall implement procedures such that:
a) conditions of employment require personnel to comply with the anti-bribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of non-compliance;
b) within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the anti-bribery policy and training in relation to that policy;
c) the organization has procedures which enable it to take appropriate disciplinary action against personnel who violate the anti-bribery policy or anti-bribery management system; and
d) personnel will not suffer retaliation, discrimination or disciplinary action (e.g. by threats, isolation, demotion, preventing advancement, transfer, dismissal, bullying, victimization, or other forms of harassment) for:
1) refusing to participate in, or for turning down, any activity in respect of which they have reasonably judged there to be a more than low risk of bribery which has not been mitigated by the organization; or
2) concerns raised or reports made in good faith, or on the basis of a reasonable belief, of attempted, actual or suspected bribery or violation of the anti-bribery policy or the anti-bribery management system (except where the individual participated in the violation).

7.2.2.2 In relation to all positions which are exposed to more than a low bribery risk as determined in the bribery risk assessment (see 4.5), and to the anti-bribery compliance function, the organization shall implement procedures which provide that:
a) due diligence (see 8.2) is conducted on persons before they are employed, and on personnel before they are transferred or promoted by the organization, to ascertain as far as is reasonable that it is appropriate to employ or redeploy them and that it is reasonable to believe that they will comply with the anti-bribery policy and anti-bribery management system requirements;
b) performance bonuses, performance targets and other incentivizing elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery;
c) such personnel, top management, and the governing body (if any), file a declaration at reasonable intervals proportionate with the identified bribery risk, confirming their compliance with the anti-bribery policy.

NOTE 1 The anti-bribery compliance declaration can stand alone or be a component of a broader compliance declaration process.

NOTE 2 See Clause A.8 for guidance.

[ISO 9001:2015]

7.2 Competence

The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.
[ISO/IEC 27001:2013]

7.3 Awareness

Persons doing work under the organization's control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

[ISO 37001:2016]

7.3 Awareness and training

The organization shall provide adequate and appropriate anti-bribery awareness and training to personnel. Such training shall address the following issues, as appropriate, taking into account the results of the bribery risk assessment (see 4.5):
a) the organization's anti-bribery policy, procedures and anti-bribery management system, and their duty to comply;
b) the bribery risk and the damage to them and the organization which can result from bribery;
c) the circumstances in which bribery can occur in relation to their duties, and how to recognize these circumstances;
d) how to recognize and respond to solicitations or offers of bribes;
e) how they can help prevent and avoid bribery and recognize key bribery risk indicators;
f) their contribution to the effectiveness of the anti-bribery management system, including the benefits of improved anti-bribery performance and of reporting suspected bribery;
g) the implications and potential consequences of not conforming with the anti-bribery management system requirements;
h) how and to whom they are able to report any concerns (see 8.9);
i) information on available training and resources.

Personnel shall be provided with anti-bribery awareness and training on a regular basis (at planned intervals determined by the organization), as appropriate to their roles, the risks of bribery to which they are exposed, and any changing circumstances. The awareness and training programmes shall be periodically updated as necessary to reflect relevant new information.

Taking into account the bribery risks identified (see 4.5), the organization shall also implement procedures addressing anti-bribery awareness and training for business associates acting on its behalf or for its benefit, and which could pose more than a low bribery risk to the organization. These procedures shall identify the business associates for which such awareness and training is necessary, its content, and the means by which the training shall be provided.

The organization shall retain documented information on the training procedures, the content of the training, and when and to whom it was provided.

NOTE 1 The awareness and training requirements for business associates can be communicated through contractual or similar requirements, and be implemented by the organization, the business associate or by other parties appointed for that purpose.

NOTE 2 See Clause A.9 for guidance.

[ISO 9001:2015]

7.3 Awareness

The organization shall ensure that persons doing work under the organization's control are aware of:
a) the quality policy;
b) relevant quality objectives;
c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
d) the implications of not conforming with the quality management system requirements.
[ISO/IEC 27001:2013]

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

[ISO 37001:2016]

7.4 Communication

7.4.1 The organization shall determine the internal and external communications relevant to the anti-bribery management system including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who will communicate;
f) the languages in which to communicate.

7.4.2 The anti-bribery policy shall be made available to all the organization's personnel and business associates, be communicated directly to both personnel and business associates who pose more than a low risk of bribery, and shall be published through the organization's internal and external communication channels, as appropriate.

[ISO 9001:2015]

7.4 Communication

The organization shall determine the internal and external communications relevant to the quality management system, including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
[ISO/IEC 27001:2013]

7.5 Documented information

7.5.1 General

The organization's information security management system shall include:
a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:
d) distribution, access, retrieval and use;
e) storage and preservation, including the preservation of legibility;
f) control of changes (e.g. version control); and
g) retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

[ISO 37001:2016]

7.5 Documented Information

7.5.1 General

The organization's anti-bribery management system shall include:
a) documented information required by this standard;
b) documented information determined by the organization as being necessary for the effectiveness of the anti-bribery management system.

NOTE 1 The extent of documented information for an anti-bribery management system can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of personnel.

NOTE 2 Documented information can be retained separately as part of the anti-bribery management system, or can be retained as part of other management systems (e.g. compliance, financial, commercial, audit).

NOTE 3 See Clause A.17 for guidance.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the anti-bribery management system and by this standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use;
— storage and preservation, including preservation of legibility;
— control of changes (e.g. version control);
— retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the anti-bribery management system shall be identified as appropriate, and controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

[ISO 9001:2015]

7.5 Documented information

7.5.1 General

The organization's quality management system shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information for a quality management system can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
8 Operation

[ISO/IEC 27001:2013]

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

[ISO 37001:2016]

8.1 Operational planning and control

The organization shall plan, implement, review and control the processes needed to meet requirements of the anti-bribery management system, and to implement the actions determined in 6.1, by:
a) establishing criteria for the processes;
b) implementing control of the processes in accordance with the criteria;
c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

These processes shall include the specific controls referred to in 8.2 to 8.10.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled.

NOTE The core text of ISO management system standards contains a requirement in relation to outsourcing, which is not used in this standard, as outsourcing providers are included within the definition of business associate.

[ISO 9001:2015]

8.1 Operational planning and control

The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:
a) determining the requirements for the products and services;
b) establishing criteria for:
1) the processes;
2) the acceptance of products and services;
c) determining the resources needed to achieve conformity to the product and service requirements;
d) implementing control of the processes in accordance with the criteria;
e) determining and keeping documented information to the extent necessary:
1) to have confidence that the processes have been carried out as planned;
2) to demonstrate the conformity of products and services to their requirements.

NOTE "Keeping" implies both the maintaining and the retaining of documented information.

The output of this planning shall be suitable for the organization's operations.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).
ISO/IEC 27001:2013
8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments.

ISO 37001:2016
8.2 Due diligence
Where the organization's bribery risk assessment, as conducted in 4.5, has assessed a more than low bribery risk in relation to:
a) specific categories of transactions, projects or activities,
b) planned or on-going relationships with specific categories of business associates, or
c) specific categories of personnel in certain positions (see 7.2.2.2),
the organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates and personnel falling within those categories. This assessment shall include any due diligence necessary to obtain sufficient information to assess the bribery risk. The due diligence shall be updated at a defined frequency, so that changes and new information can be properly taken into account.

NOTE 1 The organization can conclude that it is unnecessary, unreasonable or disproportionate to undertake due diligence on certain categories of personnel and business associate.

NOTE 2 The factors listed in a), b) and c) above are not exhaustive.

NOTE 3 See Clause A.10 for guidance.

ISO 9001:2015
8.2 Requirements for products and services

8.2.1 Customer communication
Communication with customers shall include:
a) providing information relating to products and services;
b) handling enquiries, contracts or orders, including changes;
c) obtaining customer feedback relating to products and services, including customer complaints;
d) handling or controlling customer property;
e) establishing specific requirements for contingency actions, when relevant.

8.2.2 Determining the requirements related to products and services
When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:
a) the requirements for the products and services are defined, including:
1) any applicable statutory and regulatory requirements;
2) those considered necessary by the organization;
b) the organization can meet the claims for the products and services it offers.

8.2.3 Review of requirements related to products and services
8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;
b) requirements not stated by the customer, but necessary for the specified or intended use, when known;
c) requirements specified by the organization;
d) statutory and regulatory requirements applicable to the products and services;
e) contract or order requirements differing from those previously expressed.
The organization shall ensure that contract or order requirements differing from those previously defined are resolved.
The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.

NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material.

8.2.3.2 The organization shall retain documented information, as applicable:
a) on the results of the review;
b) on any new requirements for the products and services.

8.2.4 Changes to requirements for products and services
The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.
ISO/IEC 27001:2013
8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

ISO 37001:2016
8.3 Financial controls
The organization shall implement financial controls that manage bribery risk.

NOTE See Clause A.11 for guidance.

ISO 9001:2015
8.3 Design and development of products and services

8.3.1 General
The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.

8.3.2 Design and development planning
In determining the stages and controls for design and development, the organization shall consider:
a) the nature, duration and complexity of the design and development activities;
b) the required process stages, including applicable design and development reviews;
c) the required design and development verification and validation activities;
d) the responsibilities and authorities involved in the design and development process;
e) the internal and external resource needs for the design and development of products and services;
f) the need to control interfaces between persons involved in the design and development process;
g) the need for involvement of customers and users in the design and development process;
h) the requirements for subsequent provision of products and services;
i) the level of control expected for the design and development process by customers and other relevant interested parties;
j) the documented information needed to demonstrate that design and development requirements have been met.

8.3.3 Design and development inputs
The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:
a) functional and performance requirements;
b) information derived from previous similar design and development activities;
c) statutory and regulatory requirements;
d) standards or codes of practice that the organization has committed to implement;
e) potential consequences of failure due to the nature of the products and services.
Inputs shall be adequate for design and development purposes, complete and unambiguous.
Conflicting design and development inputs shall be resolved.
The organization shall retain documented information on design and development inputs.

8.3.4 Design and development controls
The organization shall apply controls to the design and development process to ensure that:
a) the results to be achieved are defined;
b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements;
c) verification activities are conducted to ensure that the design and development outputs meet the input requirements;
d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use;
e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities;
f) documented information of these activities is retained.

NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization.

8.3.5 Design and development outputs
The organization shall ensure that design and development outputs:
a) meet the input requirements;
b) are adequate for the subsequent processes for the provision of products and services;
c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;
d) specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision.
The organization shall retain documented information on design and development outputs.

8.3.6 Design and development changes
The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.
The organization shall retain documented information on:
a) design and development changes;
b) the results of reviews;
c) the authorization of the changes;
d) the actions taken to prevent adverse impacts.
ISO 37001:2016
8.4 Non-financial controls
The organization shall implement non-financial controls that manage bribery risk with respect to such areas as procurement, operational, sales, commercial, human resources, legal and regulatory activities.

NOTE 1 Any particular transaction, activity or relationship can be subject to financial as well as non-financial controls.

NOTE 2 See Clause A.12 for guidance.

ISO 9001:2015
8.4 Control of externally provided processes, products and services

8.4.1 General
The organization shall ensure that externally provided processes, products and services conform to requirements.
The organization shall determine the controls to be applied to externally provided processes, products and services when:
a) products and services from external providers are intended for incorporation into the organization’s own products and services;
b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;
c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

8.4.2 Type and extent of control
The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:
a) ensure that externally provided processes remain within the control of its quality management system;
b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
c) take into consideration:
1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
2) the effectiveness of the controls applied by the external provider;
d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

8.4.3 Information for external providers
The organization shall ensure the adequacy of requirements prior to their communication to the external provider.
The organization shall communicate to external providers its requirements for:
a) the processes, products and services to be provided;
b) the approval of:
1) products and services;
2) methods, processes and equipment;
3) the release of products and services;
c) competence, including any required qualification of persons;
d) the external providers’ interactions with the organization;
e) control and monitoring of the external providers’ performance to be applied by the organization;
f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.
ISO 37001:2016
8.5 Implementation of anti-bribery controls by controlled organizations and by business associates

8.5.1 The organization shall implement procedures which require that all other organizations over which it has control either:
a) implement the organization’s anti-bribery management system, or
b) implement their own anti-bribery controls,
in each case only to the extent that is reasonable and proportionate with regard to the bribery risks faced by the controlled organizations, taking into account the bribery risk assessment conducted in accordance with 4.5.

NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).

ISO 9001:2015
8.5 Production and service provision

8.5.1 Control of production and service provision
The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;
2) the results to be achieved;
b) the availability and use of suitable monitoring and measuring resources;
c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;
d) the use of suitable infrastructure and environment for the operation of processes;
e) the appointment of competent persons, including any required qualification;
f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;
g) the implementation of actions to prevent human error;
h) the implementation of release, delivery and post-delivery activities.

8.5.2 Identification and traceability
The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.
The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.
The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.

8.5.3 Property belonging to customers or external providers
The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization.
The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services.
When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.

NOTE A customer’s or external provider’s property can include material, components, tools and equipment, premises, intellectual property and personal data.

8.5.4 Preservation
The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.
NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.

8.5.5 Post-delivery activities
The organization shall meet requirements for post-delivery activities associated with the products and services.
In determining the extent of post-delivery activities that are required, the organization shall consider:
a) statutory and regulatory requirements;
b) the potential undesired consequences associated with its products and services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirements;
e) customer feedback.
NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of changes
The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
ISO 37001:2016
8.6 Anti-bribery commitments
For business associates which pose more than a low bribery risk, the organization shall implement procedures which require that, as far as practicable:
a) business associates commit to preventing bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship;
b) the organization is able to terminate the relationship with the business associate in the event of bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship.

Where it is not practicable to meet the requirements of a) or b) above, this shall be a factor taken into account in evaluating the bribery risk of the relationship with this business associate (see 4.5 and 8.2) and the way in which the organization manages such risks (see 8.3, 8.4 and 8.5).

NOTE See Clause A.14 for guidance.

ISO 9001:2015
8.6 Release of products and services
The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.
The organization shall retain documented information on the release of products and services. The documented information shall include:
a) evidence of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the release.
ISO 37001:2016
8.7 Gifts, hospitality, donations and similar benefits
The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery.

NOTE See Clause A.15 for guidance.

ISO 9001:2015
8.7 Control of nonconforming outputs
8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.
The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.
The organization shall deal with nonconforming outputs in one or more of the following ways:
a) correction;
b) segregation, containment, return or suspension of provision of products and services;
c) informing the customer;
d) obtaining authorization for acceptance under concession.
Conformity to the requirements shall be verified when nonconforming outputs are corrected.

8.7.2 The organization shall retain documented information that:
a) describes the nonconformity;
b) describes the actions taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in respect of the nonconformity.
8.8 Managing inadequacy of anti-bribery controls

Where the due diligence (see 8.2) conducted on a specific
transaction, project, activity or relationship with a business
associate establishes that the bribery risks cannot be
managed by existing anti-bribery controls, and the
organization cannot or does not wish to implement
additional or enhanced anti-bribery controls or take other
appropriate steps (such as changing the nature of the
transaction, project, activity or relationship) to enable the
organization to manage the relevant bribery risks, the
organization shall:
a) in the case of an existing transaction, project, activity or
relationship, take steps appropriate to the bribery risks and
the nature of the transaction, project, activity or relationship
to terminate, discontinue, suspend or withdraw from it as
soon as practicable;
b) in the case of a proposed new transaction, project,
activity or relationship, postpone or decline to continue with
it.
8.9 Raising concerns

The organization shall implement procedures which:
a) encourage and enable persons to report in good faith or on the basis of a reasonable belief attempted, suspected and actual bribery, or any violation of or weakness in the anti-bribery management system, to the anti-bribery compliance function or to appropriate personnel (either directly or through an appropriate third party);
b) except to the extent required to progress an investigation,
require that the organization treats reports confidentially, so
as to protect the identity of the reporter and of others
involved or referenced in the report;
c) allow anonymous reporting;
d) prohibit retaliation, and protect those making reports from
retaliation, after they have in good faith, or on the basis of a
reasonable belief, raised or reported a concern about
attempted, actual or suspected bribery or violation of the
anti-bribery policy or the anti-bribery management system;
e) enable personnel to receive advice from an appropriate
person on what to do if faced with a concern or situation
which could involve bribery.

The organization shall ensure that all personnel are aware of
the reporting procedures and are able to use them, and are
aware of their rights and protections under the
procedures.

NOTE 1 These procedures can be the same as, or form part
of, those used for the reporting of other issues of concern
(e.g. safety, malpractice, wrongdoing or other serious risk).

NOTE 2 The organization can use a business associate to
manage the reporting system on its behalf.

NOTE 3 In some jurisdictions, the requirements in b) and c)
above are prohibited by law. In these cases, the organization
documents its inability to comply.

8.10 Investigating and dealing with bribery

The organization shall implement procedures that:

a) require assessment and, where appropriate, investigation of any bribery, or violation of the anti-bribery policy or the anti-bribery management system, which is reported, detected or reasonably suspected;
b) require appropriate action in the event that the
investigation reveals any bribery, or violation of the anti-
bribery policy or the anti-bribery management system;
c) empower and enable investigators;
d) require co-operation in the investigation by relevant
personnel;
e) require that the status and results of the investigation are
reported to the anti-bribery compliance function and other
compliance functions, as appropriate;
f) require that the investigation is carried out confidentially
and that the outputs of the investigation are confidential.

The investigation shall be carried out by, and reported to,
personnel who are not part of the role or function being
investigated. The organization can appoint a business
associate to conduct the investigation and report the results
to personnel who are not part of the role or function being
investigated.

NOTE 1 See Clause A.18 for guidance.

NOTE 2 In some jurisdictions, the requirement in f) above is
prohibited by law. In this case, the organization documents
its inability to comply.
9 Performance evaluation

ISO/IEC 27001:2013
9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

ISO 37001:2016
9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
a) what needs to be monitored and measured;
b) who is responsible for monitoring;
c) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
d) when the monitoring and measuring shall be performed;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) to whom and how such information shall be reported.

The organization shall retain appropriate documented information as evidence of the methods and results.

The organization shall evaluate the anti-bribery performance and the effectiveness and efficiency of the anti-bribery management system.

NOTE See Clause A.19 for guidance.

ISO 9001:2015
9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General
The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall evaluate the performance and the effectiveness of the quality management system.
The organization shall retain appropriate documented information as evidence of the results.

9.1.2 Customer satisfaction
The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.

NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.

9.1.3 Analysis and evaluation
The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement.

The results of analysis shall be used to evaluate:
a) conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
NOTE Methods to analyse data can include statistical techniques.
ISO/IEC 27001:2013
9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization's own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

ISO 37001:2016
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system:
a) conforms to:
1) the organization’s own requirements for its anti-bribery management system;
2) the requirements of this standard;
b) is effectively implemented and maintained.

NOTE 1 Guidance on auditing management systems is given in ISO 19011.

NOTE 2 The scope and scale of the organization’s internal audit activities can vary depending on a variety of factors, including organization size, structure, maturity and locations.

9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any);
e) retain documented information as evidence of the implementation of the audit programme and the audit results.

NOTE See ISO 19011 for guidance.

9.2.3 These audits shall be reasonable, proportionate and risk-based. Such audits shall consist of internal audit processes or other procedures which review procedures, controls and systems for:
a) bribery or suspected bribery;
b) violation of the anti-bribery policy or anti-bribery management system requirements;
c) failure of business associates to conform to the applicable anti-bribery requirements of the organization;
d) weaknesses in, or opportunities for improvement to, the anti-bribery management system.

9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following:
a) an independent function or personnel established or appointed for this process; or
b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or
c) an appropriate person from a department or function other than the one being audited; or
d) an appropriate third party; or
e) a group comprising any of a) to d).

The organization shall ensure that no auditor is auditing his or her own area of work.

NOTE See Clause A.16 for guidance.

ISO 9001:2015
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit programme and the audit results.
ISO/IEC 27001:2013
9.3 Management review
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.

ISO 37001:2016
9.3 Management review
9.3.1 Top management review
Top management shall review the organization's anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The top management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the anti-bribery management system;
c) information on the performance of the anti-bribery management system, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) reports of bribery;
5) investigations;
6) the nature and extent of the bribery risks faced by the organization;
d) effectiveness of actions taken to address bribery risks;
e) opportunities for continual improvement of the anti-bribery management system, as referred to in 10.2.

The outputs of the top management review shall include decisions related to continual improvement opportunities and any need for changes to the anti-bribery management system.

A summary of the results of the top management review shall be reported to the governing body (if any).

The organization shall retain documented information as evidence of the results of top management reviews.

ISO 9001:2015
9.3 Management review
9.3.1 General
Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
ISO 37001:2016
9.3.2 Governing body review
The governing body (if any) shall undertake periodic reviews of the anti-bribery management system based on information provided by top management and the anti-bribery compliance function and any other information that the governing body requests or obtains.

The organization shall retain summary documented information as evidence of the results of governing body reviews.

ISO 9001:2015
9.3.2 Management review inputs
The management review shall be planned and carried out taking into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance and effectiveness of the quality management system, including trends in:
1) customer satisfaction and feedback from relevant interested parties;
2) the extent to which quality objectives have been met;
3) process performance and conformity of products and services;
4) nonconformities and corrective actions;
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers;
d) the adequacy of resources;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
f) opportunities for improvement.

9.3.3 Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the quality management system;
c) resource needs.

The organization shall retain documented information as evidence of the results of management reviews.
ISO 37001:2016
9.4 Review by anti-bribery compliance function

The anti-bribery compliance function shall assess on a continual basis whether the anti-bribery management system is:
a) adequate to manage effectively the bribery risks faced by
the organization;
b) being effectively implemented.

The anti-bribery compliance function shall report at planned
intervals, and on an ad hoc basis, as appropriate, to the
governing body (if any) and top management, or to a suitable
committee of the governing body or top management, on the
adequacy and implementation of the anti-bribery
management system, including the results of investigations
and audits.

NOTE 1 The frequency of such reports depends on the
organization's requirements, but is recommended to be at
least annually.

NOTE 2 The organization can use a business associate to
assist in the review, as long as the business associate’s
observations are appropriately communicated to the anti-
bribery compliance function, top management and, as
appropriate, the governing body (if any).



ISO/IEC 27001:2013
10 Improvement

10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

ISO 37001:2016
10 Improvement

10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react promptly to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the anti-bribery management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
— the nature of the nonconformities and any subsequent actions taken;
— the results of any corrective action.

NOTE See Clause A.20 for guidance.

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.

NOTE See Clause A.20 for guidance.

ISO 9001:2015
10 Improvement

10.1 General
The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.

These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the quality management system.
NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.

10.2 Nonconformity and corrective action
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analysing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.

10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

10.3 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
ISO/IEC 27001:2013
Annex A (normative) Reference control objectives and controls

ISO 37001:2016
Annex A (informative) Guidance on the use of this standard

ISO 9001:2015
Annex A (informative) Clarification of new structure, terminology and concepts