This document provides summaries of the scopes and key requirements for ISO/IEC 27001:2013 on information security management systems, ISO 37001:2016 on anti-bribery management systems, and ISO 9001:2015 on quality management systems. All three standards specify requirements for establishing, implementing, maintaining and improving management systems. ISO/IEC 27001 focuses on information security risks, ISO 37001 addresses preventing, detecting and responding to bribery, and ISO 9001 emphasizes consistently meeting customer and regulatory requirements to enhance customer satisfaction.
v03, 8 December 2017

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
ISO 37001:2016, Anti-bribery management systems — Requirements with guidance for use
ISO 9001:2015, Quality management systems — Requirements

1 Scope

ISO/IEC 27001:2013
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

ISO 37001:2016
This standard specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system.
This standard addresses the following in relation to the organization's activities:
— bribery in the public, private and not-for-profit sectors;
— bribery by the organization;
— bribery by the organization's personnel acting on the organization's behalf or for its benefit;
— bribery by the organization's business associates acting on the organization's behalf or for its benefit;
— bribery of the organization;
— bribery of the organization's personnel in relation to the organization’s activities;
— bribery of the organization's business associates in relation to the organization’s activities;
— direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).
This standard is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.
This standard does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.
The requirements of this standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.
NOTE 1 See Clause A.2 for guidance.
NOTE 2 The measures necessary to prevent, detect and mitigate the risk of bribery by the organization can be different from the measures used to prevent, detect and respond to bribery of the organization (or its personnel or business associates acting on the organization's behalf). See A.8.4 for guidance.

ISO 9001:2015
This International Standard specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
NOTE 1 In this International Standard, the terms “product” or “service” only apply to products and services intended for, or required by, a customer.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.

2 Normative references

ISO/IEC 27001:2013
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO 37001:2016
There are no normative references in this standard.

ISO 9001:2015
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
3 Terms and definitions

ISO/IEC 27001:2013
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

ISO 37001:2016
For the purposes of this standard, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1 bribery
offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance (3.16) of that person's duties
NOTE 1 to entry: The above is a generic definition. The meaning of the term “bribery” is as defined by the anti-bribery law applicable to the organization (3.2) and by the anti-bribery management system (3.5) designed by the organization.

3.2 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.11)
NOTE 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
NOTE 2 to entry: For organizations with more than one operating unit, one or more of the operating units can be defined as an organization.

3.3 interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity
NOTE 1 to entry: A stakeholder can be internal or external to the organization.

3.4 requirement
need that is stated and obligatory
NOTE 1 to entry: The core definition of “requirement” in ISO management system standards is “need or expectation that is stated, generally implied or obligatory”. “Generally implied requirements” are not applicable in the context of anti-bribery management.
NOTE 2 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 3 to entry: A specified requirement is one that is stated, for example in documented information.

3.5 management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.10) and objectives (3.11) and processes (3.15) to achieve those objectives
NOTE 1 to entry: A management system can address a single discipline or several disciplines.
NOTE 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.
NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
(abridged)

ISO 9001:2015
For the purposes of this document, the terms and definitions given in ISO 9000:2015 apply.

4 Context of the organization
4.1 Understanding the organization and its context

ISO/IEC 27001:2013
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

ISO 37001:2016
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system. These issues will include, without limitation, the following factors:
a) the size, structure and delegated decision-making authority of the organization;
b) the locations and sectors in which the organization operates or anticipates operating;
c) the nature, scale and complexity of the organization's activities and operations;
d) the organization’s business model;
e) the entities over which the organization has control and entities which exercise control over the organization;
f) the organization's business associates;
g) the nature and extent of interactions with public officials;
h) applicable statutory, regulatory, contractual and professional obligations and duties.
NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).

ISO 9001:2015
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
The organization shall monitor and review information about these external and internal issues.
NOTE 1 Issues can include positive and negative factors or conditions for consideration.
NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.

4.2 Understanding the needs and expectations of interested parties (ISO 37001:2016: Understanding the needs and expectations of stakeholders)

ISO/IEC 27001:2013
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

ISO 37001:2016
The organization shall determine:
a) the stakeholders that are relevant to the anti-bribery management system;
b) the relevant requirements of these stakeholders.
NOTE In identifying the requirements of stakeholders, an organization can distinguish between mandatory requirements and the non-mandatory expectations of, and voluntary commitments to, stakeholders.

ISO 9001:2015
Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.
The organization shall monitor and review information about these interested parties and their relevant requirements.

4.3 Determining the scope of the information security management system / anti-bribery management system / quality management system
ISO/IEC 27001:2013
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

ISO 37001:2016
The organization shall determine the boundaries and applicability of the anti-bribery management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) the results of the bribery risk assessment referred to in 4.5.
The scope shall be available as documented information.
NOTE See Clause A.2 for guidance.

ISO 9001:2015
The organization shall determine the boundaries and applicability of the quality management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization.
The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.
The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
4.4 Information security management system / Anti-bribery management system / Quality management system and its processes

ISO/IEC 27001:2013
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

ISO 37001:2016
The organization shall establish, document, implement, maintain and continually review and, where necessary, improve an anti-bribery management system, including the processes needed and their interactions, in accordance with the requirements of this standard.
The anti-bribery management system shall contain measures designed to identify and evaluate the risk of, and to prevent, detect and respond to, bribery.
NOTE 1 It is not possible to completely eliminate the risk of bribery, and no anti-bribery management system will be capable of preventing and detecting all bribery.
The anti-bribery management system shall be reasonable and proportionate, taking into account the factors referred to in 4.3.
NOTE 2 See Clause A.3 for guidance.

ISO 9001:2015
4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.
4.4.2 To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that the processes are being carried out as planned.

4.5 Bribery risk assessment (ISO 37001:2016 only)

4.5.1 The organization shall undertake regular bribery risk assessment(s) which shall:
a) identify the bribery risks the organization might reasonably anticipate given the factors listed in 4.1;
b) analyse, assess and prioritize the identified bribery risks;
c) evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks.
4.5.2 The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization's policies and objectives.
4.5.3 The bribery risk assessment shall be reviewed:
a) on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization;
b) in the event of a significant change to the structure or activities of the organization.
4.5.4 The organization shall retain documented information that demonstrates that the bribery risk assessment has been conducted and used to design or improve the anti-bribery management system.
NOTE See Clause A.4 for guidance.
5 Leadership

5.1 Leadership and commitment

ISO/IEC 27001:2013
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

ISO 37001:2016
5.1.1 Governing body
When the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) approving the organization’s anti-bribery policy;
b) ensuring that the organization’s strategy and anti-bribery policy are aligned;
c) at planned intervals receiving and reviewing information about the content and operation of the organization’s anti-bribery management system;
d) requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned;
e) exercising reasonable oversight over the implementation of the organization’s anti-bribery management system by top management and its effectiveness.
These activities shall be carried out by top management if the organization does not have a governing body.
5.1.2 Top management
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system by:
a) ensuring that the anti-bribery management system, including policy and objectives, is established, implemented, maintained and reviewed to adequately address the organization's bribery risks;
b) ensuring the integration of the anti-bribery management system requirements into the organization’s processes;
c) deploying adequate and appropriate resources for the effective operation of the anti-bribery management system;
d) communicating internally and externally regarding the anti-bribery policy;
e) communicating internally the importance of effective anti-bribery management and of conforming to the anti-bribery management system requirements;
f) ensuring that the anti-bribery management system is appropriately designed to achieve its objectives;
g) directing and supporting personnel to contribute to the effectiveness of the anti-bribery management system;
h) promoting an appropriate anti-bribery culture within the organization;
i) promoting continual improvement;
j) supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility;
k) encouraging the use of reporting procedures for suspected and actual bribery (see 8.9);
l) ensuring that no personnel will suffer retaliation, discrimination or disciplinary action (see 7.2.2.1 d)) for reports made in good faith or on the basis of a reasonable belief of violation or suspected violation of the organization’s anti-bribery policy, or for refusing to engage in bribery, even if such refusal can result in the organization losing business (except where the individual participated in the violation);
m) at planned intervals, reporting to the governing body (if any) on the content and operation of the anti-bribery management system and of allegations of serious or systematic bribery.
NOTE See Clause A.5 for guidance.

ISO 9001:2015
5.1.1 General
Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization’s business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the quality management system requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence, whether the organization is public, private, for profit or not for profit.
5.1.2 Customer focus
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
1) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;
2) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
3) the focus on enhancing customer satisfaction is maintained.

5.2 Policy (ISO 37001:2016: Anti-bribery policy)
ISO/IEC 27001:2013
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.4) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

ISO 37001:2016
Top management shall establish, maintain and review an anti-bribery policy that:
a) prohibits bribery;
b) requires compliance with anti-bribery laws that are applicable to the organization;
c) is appropriate to the purpose of the organization;
d) provides a framework for setting, reviewing and achieving anti-bribery objectives;
e) includes a commitment to satisfy anti-bribery management system requirements;
f) encourages raising concerns in good faith or on the basis of a reasonable belief in confidence without fear of reprisal;
g) includes a commitment to continual improvement of the anti-bribery management system;
h) explains the authority and independence of the anti-bribery compliance function;
i) explains the consequences of not complying with the anti-bribery policy.
The anti-bribery policy shall:
— be available as documented information;
— be communicated in appropriate languages within the organization and to business associates who pose more than a low risk of bribery;
— be available to relevant stakeholders, as appropriate.

ISO 9001:2015
5.2.1 Developing the quality policy
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality management system.
5.2.2 Communicating the quality policy
The quality policy shall:
1) be available and be maintained as documented information;
2) be communicated, understood and applied within the organization;
3) be available to relevant interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities
5.3.1 Roles and responsibilities Top management shall ensure that the responsibilities and Top management shall have overall responsibility for the Top management shall ensure that the responsibilities and authorities for roles relevant to information security are implementation of, and compliance with, the anti-bribery authorities for relevant roles are assigned, communicated and assigned and communicated. management system, as described in 5.1.2. understood within the organization.
Top management shall assign the responsibility and authority Top management shall ensure that the responsibilities and Top management shall assign the responsibility and authority for: authorities for relevant roles are assigned and communicated for: within and throughout every level of the organization. a) ensuring that the quality management system conforms to a) ensuring that the information security management the requirements of this International Standard; system conforms to the requirements of this Managers at every level shall be responsible for requiring b) ensuring that the processes are delivering their intended International Standard; and that the anti-bribery management system requirements are outputs; b) reporting on the performance of the information security applied and complied with in their department or function. c) reporting on the performance of the quality management management system to top management. system and on opportunities for improvement (see 10.1), in The governing body (if any), top management and all other particular to top management; NOTE Top management may also assign responsibilities personnel shall be responsible for understanding, complying d) ensuring the promotion of customer focus throughout the and authorities for reporting performance of the information with and applying the anti-bribery management system organization; security management system within the organization. requirements, as they relate to their role in the organization. e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented. 5.3.2 Anti-bribery compliance function
Top management shall assign to an anti- bribery compliance function the responsibility and authority for: a) overseeing the design and implementation by the organization of the anti-bribery management system; b) providing advice and guidance to personnel on the anti- bribery management system and issues relating to bribery; c) ensuring that the anti-bribery management system conforms to the requirements of this standard; d) reporting on the performance of the anti-bribery management system to the governing body (if any) and
v03 8 Desember 2017 11
ISO/IEC 27001:2013 ISO 37001:2016 ISO 9001:2015 top management and other compliance functions, as appropriate.
The anti-bribery compliance function shall be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence.
The anti-bribery compliance function shall have direct and prompt access to the governing body (if any) and top management in the event that any issue or concern needs to be raised in relation to bribery or the anti- bribery management system.
Top management can assign some or all of the anti-bribery compliance function to persons external to the organization. If it does, top management shall ensure that specific personnel have responsibility for, and authority over, those externally assigned parts of the function.
NOTE See Clause A.6 for guidance. 5.3.3 Delegated decision-making
Where top management delegates to personnel the authority for the making of decisions in relation to which there is more than a low risk of bribery, the organization shall establish and maintain a decision-making process or set of controls which requires that the decision process and the level of authority of the decision-maker(s) are appropriate and free of actual or potential conflicts of interest. Top management shall ensure that these processes are reviewed periodically as part of its role and responsibility for implementation of, and compliance with, the anti-bribery management system outlined in 5.3.1.
NOTE Delegation of decision-making will not exempt top management or the governing body (if any) of their duties and responsibilities as described in 5.1.1, 5.1.2 and 5.3.1, nor does it necessarily transfer to the delegated personnel potential legal responsibilities.
6 Planning
6.1 Actions to address risks and opportunities
[ISO/IEC 27001:2013]
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

[ISO 37001:2016]
When planning for the anti-bribery management system, the organization shall consider the issues referred to in 4.1, the requirements referred to in 4.2, the risks identified in 4.5, and opportunities for improvement that need to be addressed to:
a) give reasonable assurance that the anti-bribery management system can achieve its objectives;
b) prevent, or reduce, undesired effects relevant to the anti-bribery policy and objectives;
c) monitor the effectiveness of the anti-bribery management system;
d) achieve continual improvement.

[ISO 9001:2015]
6.1.1
When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
[ISO 37001:2016]
The organization shall plan:
— actions to address these bribery risks and opportunities for improvement;
— how to:
1) integrate and implement these actions into its anti-bribery management system processes;
2) evaluate the effectiveness of these actions.

[ISO 9001:2015]
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

[ISO/IEC 27001:2013]
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; e) formulate an information security risk treatment plan; and f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
[ISO/IEC 27001:2013]
NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

[ISO 37001:2016]
6.2 Anti-bribery objectives and planning to achieve them
The organization shall establish anti-bribery management system objectives at relevant functions and levels.
The anti-bribery management system objectives shall:
a) be consistent with the anti-bribery policy;
b) be measurable (if practicable);
c) take into account applicable factors referred to in 4.1, the requirements referred to in 4.2 and the bribery risks identified in 4.5;
d) be achievable;
e) be monitored;
f) be communicated in accordance with 7.4;
g) be updated as appropriate.

[ISO 9001:2015]
6.2 Quality objectives and planning to achieve them
6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.
The quality objectives shall:
a) be consistent with the quality policy;
b) be measurable;
c) take into account applicable requirements;
d) be relevant to conformity of products and services and to enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
[ISO/IEC 27001:2013] The organization shall retain documented information on the information security objectives.
[ISO 37001:2016] The organization shall retain documented information on the anti-bribery management system objectives.
[ISO 9001:2015] The organization shall maintain documented information on the quality objectives.
[ISO/IEC 27001:2013]
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

[ISO 37001:2016]
When planning how to achieve its anti-bribery management system objectives, the organization shall determine:
— what will be done;
— what resources will be required;
— who will be responsible;
— when the objectives will be achieved;
— how the results will be evaluated and reported;
— who will impose sanctions or penalties.

[ISO 9001:2015]
6.2.2 When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.

6.3 Planning of changes
When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).
The organization shall consider:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.

7 Support
7.1 Resources

[ISO/IEC 27001:2013]
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

[ISO 37001:2016]
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system.
NOTE See Clause A.7 for guidance.

[ISO 9001:2015]
7.1.1 General
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.
The organization shall consider:
a) the capabilities of, and constraints on, existing internal resources;
b) what needs to be obtained from external providers.
7.1.2 People The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.
7.1.3 Infrastructure The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.
NOTE Infrastructure can include: a) buildings and associated utilities; b) equipment, including hardware and software; c) transportation resources; d) information and communication technology.
7.1.4 Environment for the operation of processes The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.
NOTE A suitable environment can be a combination of human and physical factors, such as: a) social (e.g. non-discriminatory, calm, non-confrontational); b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective); c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise). These factors can differ substantially depending on the products and services provided.
7.1.5 Monitoring and measuring resources
7.1.5.1 General
The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.
The organization shall ensure that the resources provided: a) are suitable for the specific type of monitoring and measurement activities being undertaken; b) are maintained to ensure their continuing fitness for their purpose.
The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.
7.1.5.2 Measurement traceability When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be: a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; b) identified in order to determine their status; c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.
The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.
7.1.6 Organizational knowledge
The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge shall be maintained and be made available to the extent necessary. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
NOTE 1 Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is information that is used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);
b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).

7.2 Competence

[ISO/IEC 27001:2013]
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.

[ISO 9001:2015]
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

[ISO 37001:2016]
7.2.1 General
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its anti-bribery performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example, the provision of training to, the coaching of, or the re-assignment of personnel or business associates; or the hiring or contracting of the same.

7.2.2 Employment process
7.2.2.1 In relation to all of its personnel, the organization shall implement procedures such that: a) conditions of employment require personnel to comply with the anti-bribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of non-compliance;
b) within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the anti-bribery policy and training in relation to that policy;
c) the organization has procedures which enable it to take appropriate disciplinary action against personnel who violate the anti-bribery policy or anti-bribery management system; and
d) personnel will not suffer retaliation, discrimination or disciplinary action (e.g. by threats, isolation, demotion, preventing advancement, transfer, dismissal, bullying, victimization, or other forms of harassment) for:
1) refusing to participate in, or for turning down, any activity in respect of which they have reasonably judged there to be a more than low risk of bribery which has not been mitigated by the organization; or
2) concerns raised or reports made in good faith, or on the basis of a reasonable belief, of attempted, actual or suspected bribery or violation of the anti-bribery policy or the anti-bribery management system (except where the individual participated in the violation).
7.2.2.2 In relation to all positions which are exposed to more than a low bribery risk as determined in the bribery risk assessment (see 4.5), and to the anti-bribery compliance function, the organization shall implement procedures which provide that:
a) due diligence (see 8.2) is conducted on persons before they are employed, and on personnel before they are transferred or promoted by the organization, to ascertain as far as is reasonable that it is appropriate to employ or redeploy them and that it is reasonable to believe that they will comply with the anti-bribery policy and anti-bribery management system requirements;
b) performance bonuses, performance targets and other incentivizing elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery;
c) such personnel, top management, and the governing body (if any), file a declaration at reasonable intervals proportionate with the identified bribery risk, confirming their compliance with the anti-bribery policy.
NOTE 1 The anti-bribery compliance declaration can stand alone or be a component of a broader compliance declaration process.
NOTE 2 See Clause A.8 for guidance.

[ISO/IEC 27001:2013] 7.3 Awareness
[ISO 37001:2016] 7.3 Awareness and training
[ISO 9001:2015] 7.3 Awareness
[ISO/IEC 27001:2013]
Persons doing work under the organization's control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

[ISO 9001:2015]
The organization shall ensure that persons doing work under the organization’s control are aware of:
a) the quality policy;
b) relevant quality objectives;
c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
d) the implications of not conforming with the quality management system requirements.

[ISO 37001:2016]
The organization shall provide adequate and appropriate anti-bribery awareness and training to personnel. Such training shall address the following issues, as appropriate, taking into account the results of the bribery risk assessment (see 4.5):
a) the organization’s anti-bribery policy, procedures and anti-bribery management system, and their duty to comply;
b) the bribery risk and the damage to them and the organization which can result from bribery;
c) the circumstances in which bribery can occur in relation to their duties, and how to recognize these circumstances;
d) how to recognize and respond to solicitations or offers of bribes;
e) how they can help prevent and avoid bribery and recognize key bribery risk indicators;
f) their contribution to the effectiveness of the anti-bribery management system, including the benefits of improved anti-bribery performance and of reporting suspected bribery;
g) the implications and potential consequences of not conforming with the anti-bribery management system requirements;
h) how and to whom they are able to report any concerns (see 8.9);
i) information on available training and resources.
Personnel shall be provided with anti-bribery awareness and training on a regular basis (at planned intervals determined by the organization), as appropriate to their roles, the risks of bribery to which they are exposed, and any changing circumstances. The awareness and training programmes shall be periodically updated as necessary to reflect relevant new information.
Taking into account the bribery risks identified (see 4.5), the organization shall also implement procedures addressing anti-bribery awareness and training for business associates acting on its behalf or for its benefit, and which could pose more than a low bribery risk to the organization. These procedures shall identify the business associates for which such awareness and training is necessary, its content, and the means by which the training shall be provided.
The organization shall retain documented information on the training procedures, the content of the training, and when and to whom it was provided.
NOTE 1 The awareness and training requirements for business associates can be communicated through contractual or similar requirements, and be implemented by the organization, the business associate or by other parties appointed for that purpose.
NOTE 2 See Clause A.9 for guidance.

7.4 Communication
[ISO/IEC 27001:2013]
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

[ISO 37001:2016]
7.4.1 The organization shall determine the internal and external communications relevant to the anti-bribery management system including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who will communicate;
f) the languages in which to communicate.

[ISO 9001:2015]
The organization shall determine the internal and external communications relevant to the quality management system, including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
[ISO 37001:2016]
7.4.2 The anti-bribery policy shall be made available to all the organization’s personnel and business associates, be communicated directly to both personnel and business associates who pose more than a low risk of bribery, and shall be published through the organization’s internal and external communication channels, as appropriate.

7.5 Documented information
7.5.1 General
[ISO/IEC 27001:2013]
The organization's information security management system shall include:
a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

[ISO 37001:2016]
The organization’s anti-bribery management system shall include:
a) documented information required by this standard;
b) documented information determined by the organization as being necessary for the effectiveness of the anti-bribery management system.
NOTE 1 The extent of documented information for an anti-bribery management system can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of personnel.

[ISO 9001:2015]
The organization’s quality management system shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.
NOTE The extent of documented information for a quality management system can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of persons.
NOTE 2 Documented information can be retained separately as part of the anti-bribery management system, or can be retained as part of other management systems (e.g. compliance, financial, commercial, audit).
NOTE 3 See Clause A.17 for guidance.

7.5.2 Creating and updating
[ISO/IEC 27001:2013]
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.

[ISO 37001:2016]
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

[ISO 9001:2015]
When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.
7.5.3 Control of documented information
[ISO/IEC 27001:2013]
Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
d) distribution, access, retrieval and use;
e) storage and preservation, including the preservation of legibility;
f) control of changes (e.g. version control); and
g) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

[ISO 37001:2016]
Documented information required by the anti-bribery management system and by this standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use;
— storage and preservation, including preservation of legibility;
— control of changes (e.g. version control);
— retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the anti-bribery management system shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

[ISO 9001:2015]
7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.
Documented information retained as evidence of conformity shall be protected from unintended alterations.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
8 Operation
8.1 Operational planning and control
[ISO/IEC 27001:2013]
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.

[ISO 37001:2016]
The organization shall plan, implement, review and control the processes needed to meet requirements of the anti-bribery management system, and to implement the actions determined in 6.1, by:
a) establishing criteria for the processes;
b) implementing control of the processes in accordance with the criteria;
c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.
These processes shall include the specific controls referred to in 8.2 to 8.10.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled.
NOTE The core text of ISO management system standards contains a requirement in relation to outsourcing, which is not used in this standard, as outsourcing providers are included within the definition of business associate.

[ISO 9001:2015]
The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:
a) determining the requirements for the products and services;
b) establishing criteria for:
1) the processes;
2) the acceptance of products and services;
c) determining the resources needed to achieve conformity to the product and service requirements;
d) implementing control of the processes in accordance with the criteria;
e) determining and keeping documented information to the extent necessary:
1) to have confidence that the processes have been carried out as planned;
2) to demonstrate the conformity of products and services to their requirements.
NOTE “Keeping” implies both the maintaining and the retaining of documented information.
The output of this planning shall be suitable for the organization’s operations.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled (see 8.4).

[ISO/IEC 27001:2013] 8.2 Information security risk assessment
[ISO 37001:2016] 8.2 Due diligence
[ISO 9001:2015] 8.2 Requirements for products and services
The organization shall perform information security risk Where the organization's bribery risk assessment, as 8.2.1 Customer communication assessments at planned intervals or when significant changes conducted in 4,5, has assessed a more than low bribery risk in Communication with customers shall include: are proposed or occur, taking account of the criteria relation to: a) providing information relating to products and services; established in 6.1.2 a). a) specific categories of transactions, projects or activities, b) handling enquiries, contracts or orders, including changes; The organization shall retain documented information of the b) planned or on-going relationships with specific c) obtaining customer feedback relating to products and services, results of the information security risk assessments. categories of business associates, or including customer complaints; c) specific categories of personnel in certain positions (see d) handling or controlling customer property; 7.2.2.2), the organization shall assess the nature and extent e) establishing specific requirements for contingency actions, of the bribery risk in relation to specific transactions, when relevant. projects, activities, business associates and personnel falling within those categories. This assessment shall include any 8.2.2 Determining the requirements related to products and due diligence necessary to obtain sufficient information to services assess the bribery risk. The due diligence shall be updated at When determining the requirements for the products and
v03 8 Desember 2017 25
ISO/IEC 27001:2013 ISO 37001:2016 ISO 9001:2015 a defined frequency, so that changes and new information services to be offered to customers, the can be properly taken into account. organization shall ensure that: a) the requirements for the products and services are defined, NOTE 1 The organization can conclude that it is unnecessary, including: unreasonable or disproportionate to undertake due diligence 1) any applicable statutory and regulatory requirements; on certain categories of personnel and business associate. 2) those considered necessary by the organization; b) the organization can meet the claims for the products and NOTE 2 The factors listed in a), b) and c) above are not services it offers. exhaustive. 8.2.3 Review of requirements related to products and services NOTE 3 See Clause A.10 for guidance. 8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include: a) requirements specified by the customer, including the requirements for delivery and postdelivery activities; b) requirements not stated by the customer, but necessary for the specified or intended use, when known; c) requirements specified by the organization; d) statutory and regulatory requirements applicable to the products and services; e) contract or order requirements differing from those previously expressed. The organization shall ensure that contract or order requirements differing from those previously defined are resolved. The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.
NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material.
8.2.3.2 The organization shall retain documented information, as applicable: a) on the results of the review; b) on any new requirements for the products and services.
8.2.4 Changes to requirements for products and services
The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

ISO/IEC 27001:2013
8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.

ISO 37001:2016
8.3 Financial controls
The organization shall implement financial controls that manage bribery risk.
NOTE See Clause A.11 for guidance.

ISO 9001:2015
8.3 Design and development of products and services
8.3.1 General
The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.
8.3.2 Design and development planning
In determining the stages and controls for design and development, the organization shall consider:
a) the nature, duration and complexity of the design and development activities;
b) the required process stages, including applicable design and development reviews;
c) the required design and development verification and validation activities;
d) the responsibilities and authorities involved in the design and development process;
e) the internal and external resource needs for the design and development of products and services;
f) the need to control interfaces between persons involved in the design and development process;
g) the need for involvement of customers and users in the design and development process;
h) the requirements for subsequent provision of products and services;
i) the level of control expected for the design and development process by customers and other relevant interested parties;
j) the documented information needed to demonstrate that design and development requirements have been met.
8.3.3 Design and development inputs
The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:
a) functional and performance requirements;
b) information derived from previous similar design and development activities;
c) statutory and regulatory requirements;
d) standards or codes of practice that the organization has committed to implement;
e) potential consequences of failure due to the nature of the products and services.
Inputs shall be adequate for design and development purposes, complete and unambiguous. Conflicting design and development inputs shall be resolved.
The organization shall retain documented information on design and development inputs.
8.3.4 Design and development controls The organization shall apply controls to the design and development process to ensure that: a) the results to be achieved are defined; b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements; c) verification activities are conducted to ensure that the design and development outputs meet the input requirements; d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use; e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities; f) documented information of these activities is retained.
NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization.
8.3.5 Design and development outputs
The organization shall ensure that design and development outputs:
a) meet the input requirements;
b) are adequate for the subsequent processes for the provision of products and services;
c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;
d) specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision.
The organization shall retain documented information on design and development outputs.
8.3.6 Design and development changes
The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.
The organization shall retain documented information on:
a) design and development changes;
b) the results of reviews;
c) the authorization of the changes;
d) the actions taken to prevent adverse impacts.

ISO 37001:2016
8.4 Non-financial controls
The organization shall implement non-financial controls that manage bribery risk with respect to such areas as procurement, operational, sales, commercial, human resources, legal and regulatory activities.
NOTE 1 Any particular transaction, activity or relationship can be subject to financial as well as non-financial controls.
NOTE 2 See Clause A.12 for guidance.

ISO 9001:2015
8.4 Control of externally provided processes, products and services
8.4.1 General
The organization shall ensure that externally provided processes, products and services conform to requirements.
The organization shall determine the controls to be applied to externally provided processes, products and services when:
a) products and services from external providers are intended for incorporation into the organization’s own products and services;
b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;
c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.
8.4.2 Type and extent of control
The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall: a) ensure that externally provided processes remain within the control of its quality management system; b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output; c) take into consideration: 1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements; 2) the effectiveness of the controls applied by the external provider; d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.
8.4.3 Information for external providers
The organization shall ensure the adequacy of requirements prior to their communication to the external provider.
The organization shall communicate to external providers its requirements for:
a) the processes, products and services to be provided;
b) the approval of:
1) products and services;
2) methods, processes and equipment;
3) the release of products and services;
c) competence, including any required qualification of persons;
d) the external providers’ interactions with the organization;
e) control and monitoring of the external providers’ performance to be applied by the organization;
f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.

ISO 37001:2016
8.5 Implementation of anti-bribery controls by controlled organizations and by business associates
8.5.1 The organization shall implement procedures which require that all other organizations over which it has control either:
a) implement the organization’s anti-bribery management system, or
b) implement their own anti-bribery controls,
in each case only to the extent that is reasonable and proportionate with regard to the bribery risks faced by the controlled organizations, taking into account the bribery risk assessment conducted in accordance with 4.5.
NOTE An organization has control over another organization if it directly or indirectly controls the management of the organization (see A.13.1.3).

ISO 9001:2015
8.5 Production and service provision
8.5.1 Control of production and service provision
The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;
2) the results to be achieved;
b) the availability and use of suitable monitoring and measuring resources;
c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;
d) the use of suitable infrastructure and environment for the operation of processes;
e) the appointment of competent persons, including any required qualification;
f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;
g) the implementation of actions to prevent human error;
h) the implementation of release, delivery and post-delivery activities.
8.5.2 Identification and traceability The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services. The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision. The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.
8.5.3 Property belonging to customers or external providers
The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization. The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services. When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.
NOTE A customer’s or external provider’s property can include material, components, tools and equipment, premises, intellectual property and personal data.
8.5.4 Preservation The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements. NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.
8.5.5 Post-delivery activities The organization shall meet requirements for post-delivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, the organization shall consider: a) statutory and regulatory requirements; b) the potential undesired consequences associated with its products and services; c) the nature, use and intended lifetime of its products and services; d) customer requirements; e) customer feedback. NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
8.5.6 Control of changes
The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

ISO 37001:2016
8.6 Anti-bribery commitments
For business associates which pose more than a low bribery risk, the organization shall implement procedures which require that, as far as practicable:
a) business associates commit to preventing bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship;
b) the organization is able to terminate the relationship with the business associate in the event of bribery by, on behalf of, or for the benefit of the business associate in connection with the relevant transaction, project, activity, or relationship.
Where it is not practicable to meet the requirements of a) or b) above, this shall be a factor taken into account in evaluating the bribery risk of the relationship with this business associate (see 4.5 and 8.2) and the way in which the organization manages such risks (see 8.3, 8.4 and 8.5).
NOTE See Clause A.14 for guidance.

8.7 Gifts, hospitality, donations and similar benefits
The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery.
NOTE See Clause A.15 for guidance.

ISO 9001:2015
8.6 Release of products and services
The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.
The organization shall retain documented information on the release of products and services. The documented information shall include:
a) evidence of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the release.

8.7 Control of nonconforming outputs
8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.
The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.
The organization shall deal with nonconforming outputs in one or more of the following ways:
a) correction;
b) segregation, containment, return or suspension of provision of products and services;
c) informing the customer;
d) obtaining authorization for acceptance under concession.
Conformity to the requirements shall be verified when nonconforming outputs are corrected.
8.7.2 The organization shall retain documented information that:
a) describes the nonconformity;
b) describes the actions taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in respect of the nonconformity.

ISO 37001:2016
8.8 Managing inadequacy of anti-bribery controls
Where the due diligence (see 8.2) conducted on a specific transaction, project, activity or relationship with a business associate establishes that the bribery risks cannot be managed by existing anti-bribery controls, and the organization cannot or does not wish to implement additional or enhanced anti-bribery controls or take other appropriate steps (such as changing the nature of the transaction, project, activity or relationship) to enable the organization to manage the relevant bribery risks, the organization shall:
a) in the case of an existing transaction, project, activity or relationship, take steps appropriate to the bribery risks and the nature of the transaction, project, activity or relationship to terminate, discontinue, suspend or withdraw from it as soon as practicable;
b) in the case of a proposed new transaction, project, activity or relationship, postpone or decline to continue with it.

8.9 Raising concerns
The organization shall implement procedures which:
a) encourage and enable persons to report in good faith or on the basis of a reasonable belief attempted, suspected and actual bribery, or any violation of or weakness in the anti-bribery management system, to the anti-bribery compliance function or to appropriate personnel (either directly or through an appropriate third party);
b) except to the extent required to progress an investigation, require that the organization treats reports confidentially, so as to protect the identity of the reporter and of others involved or referenced in the report;
c) allow anonymous reporting;
d) prohibit retaliation, and protect those making reports from retaliation, after they have in good faith, or on the basis of a reasonable belief, raised or reported a concern about attempted, actual or suspected bribery or violation of the anti-bribery policy or the anti-bribery management system;
e) enable personnel to receive advice from an appropriate person on what to do if faced with a concern or situation which could involve bribery.
The organization shall ensure that all personnel are aware of the reporting procedures and are able to use them, and are aware of their rights and protections under the procedures.
NOTE 1 These procedures can be the same as, or form part of, those used for the reporting of other issues of concern (e.g. safety, malpractice, wrongdoing or other serious risk).
NOTE 2 The organization can use a business associate to manage the reporting system on its behalf.
NOTE 3 In some jurisdictions, the requirements in b) and c) above are prohibited by law. In these cases, the organization documents its inability to comply.
8.10 Investigating and dealing with bribery
The organization shall implement procedures that:
a) require assessment and, where appropriate, investigation of any bribery, or violation of the anti-bribery policy or the anti-bribery management system, which is reported, detected or reasonably suspected;
b) require appropriate action in the event that the investigation reveals any bribery, or violation of the anti-bribery policy or the anti-bribery management system;
c) empower and enable investigators;
d) require co-operation in the investigation by relevant personnel;
e) require that the status and results of the investigation are reported to the anti-bribery compliance function and other compliance functions, as appropriate;
f) require that the investigation is carried out confidentially and that the outputs of the investigation are confidential.
The investigation shall be carried out by, and reported to, personnel who are not part of the role or function being investigated. The organization can appoint a business associate to conduct the investigation and report the results to personnel who are not part of the role or function being investigated.
NOTE 1 See Clause A.18 for guidance.
NOTE 2 In some jurisdictions, the requirement in f) above is prohibited by law. In this case, the organization documents its inability to comply.

9 Performance evaluation

ISO/IEC 27001:2013
9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

ISO 37001:2016
9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
a) what needs to be monitored and measured;
b) who is responsible for monitoring;
c) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
d) when the monitoring and measuring shall be performed;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) to whom and how such information shall be reported.
The organization shall retain appropriate documented information as evidence of the methods and results.
The organization shall evaluate the anti-bribery performance and the effectiveness and efficiency of the anti-bribery management system.
NOTE See Clause A.19 for guidance.

ISO 9001:2015
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall evaluate the performance and the effectiveness of the quality management system.
The organization shall retain appropriate documented information as evidence of the results.
9.1.2 Customer satisfaction
The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.
NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.
9.1.3 Analysis and evaluation The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement.
The results of analysis shall be used to evaluate:
a) conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
NOTE Methods to analyse data can include statistical techniques.

ISO 9001:2015
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit programme and the audit results.
NOTE See ISO 19011 for guidance.

ISO/IEC 27001:2013
9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization's own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

ISO 37001:2016
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the anti-bribery management system:
a) conforms to:
1) the organization’s own requirements for its anti-bribery management system;
2) the requirements of this standard;
b) is effectively implemented and maintained.
NOTE 1 Guidance on auditing management systems is given in ISO 19011.
NOTE 2 The scope and scale of the organization’s internal audit activities can vary depending on a variety of factors, including organization size, structure, maturity and locations.
9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select competent auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management, the anti-bribery compliance function, top management and, as appropriate, the governing body (if any);
e) retain documented information as evidence of the implementation of the audit programme and the audit results.
9.2.3 These audits shall be reasonable, proportionate and risk-based. Such audits shall consist of internal audit processes or other procedures which review procedures, controls and systems for:
a) bribery or suspected bribery;
b) violation of the anti-bribery policy or anti-bribery management system requirements;
c) failure of business associates to conform to the applicable anti-bribery requirements of the organization;
d) weaknesses in, or opportunities for improvement to, the anti-bribery management system.
9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following:
a) an independent function or personnel established or appointed for this process; or
b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or
c) an appropriate person from a department or function other than the one being audited; or
d) an appropriate third party; or
e) a group comprising any of a) to d).
The organization shall ensure that no auditor is auditing his or her own area of work.
NOTE See Clause A.16 for guidance. 9.3 Management review 9.3 Management review 9.3 Management review
ISO/IEC 27001:2013
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

ISO 37001:2016
9.3.1 Top management review
Top management shall review the organization's anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The top management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the anti-bribery management system;
c) information on the performance of the anti-bribery management system, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) reports of bribery;
5) investigations;
6) the nature and extent of the bribery risks faced by the organization;
d) effectiveness of actions taken to address bribery risks;
e) opportunities for continual improvement of the anti-bribery management system, as referred to in 10.2.
The outputs of the top management review shall include decisions related to continual improvement opportunities and any need for changes to the anti-bribery management system.
A summary of the results of the top management review shall be reported to the governing body (if any).
The organization shall retain documented information as evidence of the results of top management reviews.
9.3.2 Governing body review
The governing body (if any) shall undertake periodic reviews of the anti-bribery management system based on information provided by top management and the anti-bribery compliance function and any other information that the governing body requests or obtains.
The organization shall retain summary documented information as evidence of the results of governing body reviews.
9.4 Review by anti-bribery compliance function
The anti-bribery compliance function shall assess on a continual basis whether the anti-bribery management system is:
a) adequate to manage effectively the bribery risks faced by the organization;
b) being effectively implemented.
The anti-bribery compliance function shall report at planned intervals, and on an ad hoc basis, as appropriate, to the governing body (if any) and top management, or to a suitable committee of the governing body or top management, on the adequacy and implementation of the anti-bribery management system, including the results of investigations and audits.
NOTE 1 The frequency of such reports depends on the organization's requirements, but is recommended to be at least annually.
NOTE 2 The organization can use a business associate to assist in the review, as long as the business associate's observations are appropriately communicated to the anti-bribery compliance function, top management and, as appropriate, the governing body (if any).

ISO 9001:2015
9.3.1 General
Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
9.3.2 Management review inputs
The management review shall be planned and carried out taking into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance and effectiveness of the quality management system, including trends in:
1) customer satisfaction and feedback from relevant interested parties;
2) the extent to which quality objectives have been met;
3) process performance and conformity of products and services;
4) nonconformities and corrective actions;
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers;
d) the adequacy of resources;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
f) opportunities for improvement.
9.3.3 Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the quality management system;
c) resource needs.
The organization shall retain documented information as evidence of the results of management reviews.
10 Improvement (ISO/IEC 27001:2013 10; ISO 37001:2016 10; ISO 9001:2015 10)

ISO/IEC 27001:2013
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

ISO 37001:2016
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react promptly to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the anti-bribery management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
— the nature of the nonconformities and any subsequent actions taken;
— the results of any corrective action.
NOTE See Clause A.20 for guidance.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.
NOTE See Clause A.20 for guidance.

ISO 9001:2015
10.1 General
The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the quality management system.
NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.
10.2 Nonconformity and corrective action
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analysing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
10.3 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.

Annex A
ISO/IEC 27001:2013: Annex A (normative) Reference control objectives and controls
ISO 37001:2016: Annex A (informative) Guidance on the use of this standard
ISO 9001:2015: Annex A (informative) Clarification of new structure, terminology and concepts