Compliance management · United Kingdom & Malta
ISO 37301 from three seats: how a compliance standard actually lands in the business
By Stefan Gauci Scicluna · Auren Institute · Reading time 7 minutes · Updated within 30 days of standards change
ISO 37301 took compliance from a guidance note you could file and forget, to a management system an auditor can certify. Once that shift is made, the standard reads very differently depending on where you sit in the business.
In April 2021, the International Organization for Standardization published ISO 37301, "Compliance management systems, requirements with guidance for use." It cancelled and replaced ISO 19600:2014. That swap looks like housekeeping. It is not. ISO 19600 was guidance only, a Type B standard you could read, admire, and ignore. ISO 37301 is a Type A standard, written in "shall" clauses, which means an accredited body can audit you against it and certify that you meet it (ISO, ABAC Group). In 2024, ISO added Amendment 1, which asks every organisation to consider whether climate change is a relevant compliance issue (ISO, Amendment 1:2024).
For employers in the UK and Malta, the appeal is straightforward. ISO 37301 gives a recognised, certifiable answer to a question regulators, clients, insurers and tender panels keep asking: can you show that your compliance is actually managed, not just claimed? It applies to any organisation regardless of size, sector or whether it is public or private (ISO), and it sits on the same ten-clause Annex SL structure as ISO 9001 and ISO 27001, so it bolts onto systems many firms already run (Nimonik, PECB).
None of that is the interesting part. The interesting part is what happens after a leadership team decides to take it seriously. In the conversations I have with employers, the same thing surfaces: ISO 37301 is not one project. It is three jobs in three different seats, and they only add up if all three are done.
Here is the standard as it actually lands, from three seats in the same business.
The board: compliance becomes something you can be held to
For the governing body and top management, ISO 37301 does one big thing. It moves compliance from a thing the legal team worries about to a thing leadership is on the hook for.
The standard is explicit that the governing body and top management must set the compliance policy, demonstrate leadership and commitment, and put a properly resourced, independent compliance function in place (ISO, UpGuard). It builds on stated principles of good governance, proportionality, transparency and sustainability, and it expects "tone from the top" to be evidenced, not asserted. The phrase compliance culture appears because the standard treats culture as a controllable output of leadership behaviour, not a mood.
That changes the nature of the decision. Certification is voluntary, so no UK or Maltese law forces a board to adopt ISO 37301. But once a board claims the badge, it has signed up to an external auditor checking whether the system runs as written. The upside is real assurance: a credible signal to regulators, banks, insurers and larger clients that compliance here is managed. The cost is equally real: leadership can no longer treat compliance as someone else's department. Amendment 1:2024 sharpens this further, by pulling climate-related obligations into the same governance frame (ISO).
The board lesson is simple to state and uncomfortable to live. Under a guidance note, weak compliance was a private risk. Under a certifiable standard you have publicly adopted, it is an assurance you have to keep making good on.
The compliance lead: the binder becomes a system
For whoever owns compliance day to day, ISO 37301 turns a folder of policies into a working management system with moving parts.
The standard runs on a recognisable cycle. You identify your compliance obligations, the laws, regulations, codes, contracts and voluntary commitments you are bound by, and you keep that register current. You assess compliance risk against each obligation, design controls in proportion to the risk, and you monitor, measure, audit and report on whether those controls are working (ISO, Nimonik). It expects documented information, defined roles, competence requirements, a way for people to raise concerns, investigation of non-compliance, and continual improvement. In other words, the things a good compliance officer already does, now with a structure and an evidence trail behind each one.
This is where the standard either earns its keep or becomes shelfware. A register that is never refreshed, a risk assessment done once and filed, controls nobody tests, training delivered and never measured: each of those is exactly the gap an auditor is paid to find. The ten-clause Annex SL spine helps here, because it lets the compliance lead integrate ISO 37301 with quality, information security or anti-bribery systems rather than running a separate stack (PECB). Around 90% of the content carries over from ISO 19600, so firms that aligned to the old guidance are not starting from zero (Quentic).
The compliance lesson is the unglamorous one. The standard does not reward the firm with the thickest policy file. It rewards the firm that can show the policy is alive: assessed, controlled, trained, and checked.
The front line: a system is only as compliant as the people running it
For everyone who is not in the compliance function, the negotiator, the account manager, the onboarder, the line manager, ISO 37301 is neither a board decision nor a register. It is what they are expected to do on a Tuesday.
The standard puts unusual weight on people. It requires competence and awareness across the workforce, not just in the compliance team, and it treats compliant behaviour as the actual deliverable of the whole system (ISO, UpGuard). Clauses on competence, awareness and culture exist because ISO accepts a plain truth: controls live or die at the point where a person makes a decision. An obligations register does not stop a bribe being paid, a data breach being mishandled, or a conflict of interest being waved through. A trained, alert employee does.
This is where the three seats meet. A board can adopt the standard and a compliance lead can build a flawless system, but if the person handling the customer, the supplier or the data does not know what good looks like, the business fails the very test it certified itself against. Auditors and advisers say the same thing about every management system: the weakest-trained role sets the real level of assurance, not the best-written policy.
Training, then, is not the soft edge of ISO 37301. It is a clause requirement and the control that makes every other clause true at the desk. It is also the cheapest part of the whole exercise, and the part most often skimped.
The point of the standard is the system, not the certificate
The organisations that get value from ISO 37301 will not be the ones that frame the certificate fastest. They will be the ones that treat it as three jobs at once: a governance commitment the board has to own, a managed system the compliance lead has to run, and a set of behaviours the workforce has to be trained into. Get one of the three wrong and the other two will not save you, because the audit, the regulator and the incident all eventually find the weakest of the three.
That is also why ISO 37301 is worth the effort even for firms that never seek formal certification. Used as a framework rather than a badge, it gives a board, a compliance lead and a workforce a common, internationally recognised picture of what "compliance, done properly" looks like, and a structure to build it in proportion to their size and risk.
ISO 37301 in brief: common questions
Is ISO 37301 a law?
No. It is a voluntary international standard, not a UK or Maltese statute. It does not replace your legal obligations, it gives you a recognised, auditable way to manage them. Certification is optional, but it can be expected by clients, tenders, insurers or regulators as evidence of good practice.
What is the difference between ISO 37301 and ISO 19600?
ISO 19600:2014 was guidance only and could not be certified. ISO 37301:2021 replaced it with "shall" requirements, making it a Type A standard that an accredited body can audit and certify against. Roughly 90% of the content carries over, so the move is an upgrade, not a rebuild (Quentic, ABAC Group).
Can a small or mid-sized employer use it?
Yes. ISO 37301 applies to any organisation regardless of size, type or sector, and is designed to be applied in proportion to the organisation's compliance risk. An SME does not need an enterprise compliance department to adopt the framework, it needs the obligations identified, the risks assessed, the controls sized to the business, and the people trained.
What changed with Amendment 1:2024?
The 2024 amendment added climate action considerations, asking organisations to determine whether climate change is a relevant compliance issue and noting that interested parties may have climate-related compliance requirements (ISO).
Sources
- ISO, ISO 37301:2021 Compliance management systems, requirements with guidance for use (iso.org/standard/75080)
- ISO, ISO 37301:2021/Amd 1:2024, Climate action changes (iso.org/standard/88422)
- ABAC Group, ISO 19600:2014 has been revised by ISO 37301:2021 (Type A vs Type B, certification)
- PECB, Migrating from ISO 19600:2014 to ISO 37301:2021 (Annex SL, integration)
- Nimonik, ISO 37301 Compliance Management Systems, key elements
- UpGuard, A deep dive into ISO 37301: Compliance Management Systems (leadership, culture, competence)
- Quentic, ISO 37301 set to replace ISO 19600 (continuity, c.90% carry-over)
Build the system, then train the people who run it
Auren's Compliance Management programme is built around the practitioner, not the certificate: Foundation, Intermediate and Advanced levels that take a team from what compliance is to how to run it as a managed system. Where you need the system designed as well as the people trained, our advisory service maps your obligations, sizes the controls, and builds the ISO 37301-aligned framework with you. Self-paced, CPD-registered, refreshed within 30 days of regulatory or standards change.
Start the free compliance mini-courseFounder of Auren Institute. MA, DBA candidate at Signum Magnum College, lecturer at IDEA Academy and Signum Magnum College. Writes as a practitioner who has to comply with the standards he teaches.
Last reviewed: 23 June 2026 · Next scheduled review: 23 July 2026 · Updated within 30 days of regulatory or standards change.
Compliance, Done Right.
Auren Institute is a compliance training partner for HR and L&D leaders at SMEs and mid-market employers in the UK and Malta. Eleven compliance domains. Three levels in each. UK and Maltese variants where the law differs. Updated within 30 days of legislative change.
Get in touch
sales@aureninstitute.com
UK Office
Tel: +44 7505706062
Malta Office
92, No. 1, St Edward Street,
Qormi, QRM 2136
Tel: +356 9999 1039
VAT No: MT20967027
CPD Reg. No: 22536
UK FSB No: 65539277