All you need to know about ISO 37001: Going for certification (6 of 7)

How does one get certified under ISO 37001?


Jean-Pierre Méan

By Jean-Pierre Méan 
Published on Tuesday January 23, 2018



One of the features of ISO 37001 is that it is a requirements standard and, as such, certifiable. This requires, however, some explanation as ISO 37001 may be used in different ways, viz:

  • for a first party audit or self-assessment;
  • for a second party audit or assessment by e.g. a supplier or the member of an association, by a business partner or the officers of the association;
  • for a third party audit by an independent third party.

Only a third party audit by an independent party can lead to certification.

All standards, including ISO 37001, can be used in these various ways. However, while a self-assessment may serve to prepare a second party audit or a certification, its value is limited to that of a statement by the assessed organization on itself. A second party audit carries more weight, but its value depends on the credibility of the second party and generally has a specific, limited purpose such as the verification by a business association that its members conform to association standards

Accredited or Non-Accredited

Third party audits may be carried out by both accredited or non-accredited auditing bodies. However, in the case of certifications by a non-accredited body, known as private certifications, the independence and qualifications of the auditor rest entirely on the reputation and credibility of the auditing body. Therefore, candidates for certification by a non-accredited body should themselves verify that that body’s auditors fulfill the competency requirements for auditing and certification of anti-bribery management systems (see below).

Competence Requirements for Accredited Bodies

Only accredited certification bodies assure the auditors’ independence and qualifications by a neutral authority because their accreditation requires them to conform to a number of standards related to the certification process issued by ISO’s Committee on Conformity Assessment (CASCO). Of particular relevance to the certification of anti-bribery management systems are the following:

ISO/IEC 17021-1:2015 – Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements; and

ISO/IEC TS 17021-9:2016   ISO/IEC TS 17021-9:2016 – Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 9: Competence requirements for auditing and certification of anti-bribery management systems. It is worth noting that specific requirements have only been issued for a few standards; in the specific case of anti-bribery it was considered necessary since auditing anti-bribery management systems requires specific knowledge and skills that an auditor of other management systems may not necessarily possess.

Accreditation authorities must check that these requirements are met and continue to be met by accredited certification bodies. Accreditation is granted not by ISO or its members but by national accreditation bodies which provide information on accredited certifiers. A list of national accreditation bodies can be found on the website of the International Accreditation Forum.

Submitting to the certification process brings the direct benefits of certification. Moreover, experience shows that an audit by a competent auditor experienced in anti-bribery management and knowledgeable about the practices of other companies (especially in similar industries or locations) can lead to a valuable and profitable exchange with the company’s compliance and management personnel and its management.


Do you want to contribute to the blog?
Please have a look at our Blog Guidelines



  1. Hello,

    We are an independent third party testing, inspection and certification company. We are interested in applying for ISO37001 certification. I want to know if we can apply for ISO certification on our own or we must contact a third-party certification body to do it?


    • Dear Jenny, thank you for your message. A certification company cannot audit and certify itself. It does indeed have to contact a third-party certification body that is not related to it, i.e is not part of the same group of companies. Care should be taken to select a certifier who is accredited by a National Accreditation Body.

      I shall be happy to answer any other queries that you may have. You can write to me at:

      Best regards,


Leave a Reply

Your e-mail address will not be published. Required fields are marked with an asterisk*


Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.