ISO 37001 Clause 4.2

This sub-clause requires identification of the parties relevant to the ABMS and their requirements, including legal, regulatory and contractual obligations connected to bribery.

ISO 37001 Clause 4.2 - Understanding the Needs and Expectations of Interested Parties

Clause 4.2 is the second half of the context analysis. Clause 4.1 looks at issues. Clause 4.2 looks at people and organisations. The clause asks who has an interest in how bribery risk is managed, what those parties expect, and which of their requirements the management system needs to deliver against.

What ISO 37001 Clause 4.2 Requires

The clause has three parts. The organisation must determine the interested parties relevant to the ABMS, the relevant requirements of those interested parties, and which of those requirements will be addressed through the ABMS. The standard does not require the analysis to be documented but most organisations capture it in an interested parties register.

An interested party is anyone or any organisation that can affect, be affected by, or perceive itself to be affected by the ABMS. The clause is about identifying them and being clear about their expectations - it is not about doing whatever they ask.

Who the Interested Parties Usually Are for ISO 37001

For an ABMS the relevant parties typically include employees, the governing body and top management, customers (especially government and public-sector customers), business associates and intermediaries, suppliers and subcontractors, regulators, certification bodies, professional bodies, the certification body for ISO 37001 itself, and in some cases the wider public or NGOs interested in transparency and corruption.

In the UK the regulator landscape includes the Serious Fraud Office (SFO) for serious or complex bribery cases, the Crown Prosecution Service (CPS) for prosecutions and the Financial Conduct Authority (FCA) where the organisation is regulated for financial services. Public-sector customers typically pass procurement-related anti-bribery requirements through contractual clauses and pre-qualification questionnaires.

Identifying the Requirements That Apply

The relevant requirements of interested parties usually fall into three groups: legal and regulatory requirements, such as the Bribery Act 2010, the Fraud Act 2006 and sector-specific rules; contractual requirements, such as customer anti-bribery clauses, supplier code-of-conduct expectations and certification commitments; and other reasonable expectations, such as employee expectations about how they can raise concerns safely.

The interested parties register pulls these together in one place. Each entry records the party, the type of relationship, the relevant requirements and how the ABMS addresses them. The register links across to Clause 4.3 (scope), Clause 4.5 (bribery risk assessment) and the legal register.

Keep this list practical. Every supplier and every customer is technically an interested party. The clause asks for the ones that are relevant to the ABMS. If a party is not affecting, or affected by, how you manage bribery risk, leave them off.

I look at the interested parties register early in an ISO 37001 audit. I am checking that the requirements identified are actually being addressed somewhere in the ABMS. If a customer requires anti-bribery training to be evidenced annually and there is nothing in the training records about that, the link from 4.2 to the rest of the system has broken down.

Practical Compliance Guidance

The interested parties register is one of the foundation documents of the ABMS. It is reviewed during management review and updated whenever the organisation gains a significant new customer, supplier, regulator or contractual obligation.

The documents below support identification and management of interested parties for an ISO 37001 ABMS.

alphaZ document | How to use it
ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms.
F-IMS22 Interested Parties Register | Records each interested party, their requirements and how the ABMS addresses them. Used as the master reference for Clause 4.2.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The clause asks for the parties that are relevant to the ABMS. Group similar parties together where their requirements are similar - for example public-sector customers in a particular sector, or agents acting in a particular region. Individual entries are needed where the requirements are specific.
Yes - regulator requirements apply regardless of size. The Bribery Act 2010 applies to all commercial organisations operating in the UK, so the regulator dimension belongs in the interested parties register even for small businesses.
They overlap but serve different purposes. The interested parties register identifies who has requirements and what they want. The legal register lists the specific legal and regulatory requirements that apply. The interested parties register signposts to the legal register where regulators are involved.

UK Legislation

The following UK legislation creates obligations that typically appear in the interested parties register through regulator and customer requirements.
