Posted: 05 Mar. 2021

ISO 37301 Compliance management systems (CMS): An Opportunity for Change

Is your organisation looking for a way to stand out from the crowd when it comes to compliance?


You may already be familiar with ISO 19600, published in 2014, which provides guidance for establishing, developing, implementing, maintaining and improving effective compliance management systems. This standard is expected to be replaced internationally by ISO 37301 in Q2 2021. In contrast to ISO 19600, the new standard will be certifiable. Organisations that pursue and achieve third-party certification can offer significant assurance to regulators, boards, management, employees and customers.

ISO 19600 is being replaced against a backdrop of increased regulatory scrutiny and stakeholder interest in ensuring that organisations embed accountability and responsibility for compliance throughout their value chains. Ineffective compliance processes and a poor compliance culture continue to attract significant regulatory penalties and reputational damage at both national and international levels. As a result, ISO 37301 is centred on the importance of building a positive compliance culture aligned with sustainable business practices.

Key changes

Is your organisation already aligned with ISO 19600? If so, your organisation has a head start, as ISO 37301 carries over much of its content from ISO 19600. However, there are two notable differences:

1. Certifiable standard

ISO 37301 is a Type A management system standard, which means that it states requirements in directive language ('shall') rather than guidance ('should'). This is what makes the new standard certifiable: both regulators and independent experts may use it to assess an organisation's compliance management system.

Certification enables an organisation to demonstrate to customers, business partners and regulators that its practices, processes, structures and systems align with globally accepted standards, which in turn supports compliance with its obligations.

2. Acknowledgement of the compliance ecosystem 

ISO 37301 also introduces the concept of a compliance ecosystem. It emphasises that managing compliance risk involves several inter-related common elements across the whole organisation, and it sets out the objectives and principles for a compliance management system.

Organisations should view compliance management as a continuous improvement practice, one that requires management and staff to constantly monitor and assess their organisation's compliance risks, controls, structures and processes.

What will ISO 37301 mean for you and your organisation?

The new standard can be applied to organisations of all sizes and in all industries, both in Australia and internationally.

Organisations that align their compliance management system with ISO 37301, and that obtain and promote third-party certification, are likely to gain a competitive advantage.

How can Deloitte help?

Deloitte has over 30 years of experience supporting organisations to assess their compliance management systems against prior standards, advising on required changes and assisting with implementation. Our Partner, Heather Loewenthal, is part of the Governance Risk and Compliance Institute (GRCI) team that represents the International Federation of Compliance Associations (IFCA) on the ISO working group developing ISO 37301.

Keep watching this space as we will be providing regular updates on the development of ISO 37301. If you require further information or other support with improving your compliance management system or preparing for ISO 37301, please contact us.

More about the authors

Heather Loewenthal

Partner, Audit & Assurance

As part of the GRC team in Audit & Assurance, Heather's focus is on compliance operating models (design, implementation and embedding), including the development of RegTech solutions to achieve more with less. Over the last 20-plus years, Heather's work at C-suite level in financial services has included reviewing, designing, implementing and testing compliance operating models; advising boards and management on how to develop a positive compliance culture; and negotiating and interacting with regulators, politicians and industry bodies across Europe, the Americas, the Middle East, Africa and Australasia. If organisations plan to build resilience and increase profitability in the face of the requirements flowing from the Royal Commission, they must take a different approach. Bolting on people, processes and systems in the second line is not the answer; empowering the first line and making use of existing and new systems and technologies (including RegTech) will have impact and deliver sustainable outcomes. Without a cross-organisational approach and a positive compliance culture, change will be ineffective.

Angela Jaric

Partner, Risk Advisory

Angela is a Risk Advisory Partner at Deloitte who helps the power and utilities sector embrace regulatory disruption through her deep and trusted relationships, her tenacity and her fast adoption of tech-enabled solutions. Angela is a regulatory compliance and conduct risk professional with over 19 years of experience working in Australia and across the Asia Pacific region. She has a strong focus on helping clients navigate disruption in both regulatory and stakeholder expectations, and on understanding the impact of this change on business processes, controls, customers, third-party relationships and operational performance. She has worked as a professional consultant for Tier 1 firms, with a solid foundation in governance, risk and compliance technical skills, team leadership and business development acumen.