Operational Planning and Control for ISO 37001 Anti-Bribery
ISO 37001 Clause 8.1
The general operational planning clause - process criteria, control, planned changes and externally provided processes.
ISO 37001 Clause 8.1 - Operational Planning and Control
Clause 8.1 is the umbrella clause for operational control. The organisation must plan, implement and control the processes needed to meet ABMS requirements and to implement the actions identified in Clause 6 (actions to address risks and opportunities).
What ISO 37001 Clause 8.1 Requires
The organisation must establish criteria for the processes, implement control of the processes in accordance with those criteria, and keep documented information available to the extent necessary for confidence that the processes are being carried out as planned.
Planned changes must be controlled. The organisation must review the consequences of unintended changes and take action to mitigate any harmful effects. Externally provided processes, products and services that are relevant to the ABMS must be controlled - which links the clause directly to procurement and outsourcing.
The clause also signposts the specific controls in Clauses 8.2 (due diligence) and 8.10 (investigating and dealing with bribery) - those clauses are the specific operational requirements that flow from this general one.
What This Looks Like in Practice
The central anti-bribery procedure - PP-1-19 in the alphaZ structure - is usually the document that satisfies most of Clause 8.1. It defines the criteria for ABMS-related processes, sets out how they are controlled and points at the operational records that evidence control. Externally provided processes - typically outsourced services or key supplier relationships - are usually covered through the purchasing procedure (PP-1-18) and the business associate register.
Clause 8.1 is the framing clause - the specific controls live in 8.2 to 8.10. The most efficient way to satisfy 8.1 is a single anti-bribery procedure that points at all the supporting registers and forms, plus a clear link to the purchasing procedure for externally provided processes.
The unintended changes part is the bit that gets overlooked. If something changes that was not planned - a supplier reorganises, a regulator updates guidance, a team takes on a new type of activity - the ABMS controls need to flex with that. Clause 8.1 expects the review to happen rather than waiting for an audit to find the gap.
Practical Compliance Guidance
Operational control is centred on the anti-bribery procedure (PP-1-19) which describes the criteria for ABMS processes and points at the supporting registers. Externally provided processes are controlled through the purchasing procedure.
The documents below establish the framework for operational planning and control under Clause 8.1.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms. |
| PP-1-19 Anti-bribery Procedure | Central operational procedure setting out the criteria and controls for ABMS processes. |
| PP-1-18 Purchasing Outsourced Services Policy | Procedure controlling externally provided processes, products and services with bribery risk implications. |
| F-Q23 Change Review Form | Used to record the review of planned and unintended changes to ABMS processes. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
The following UK legislation provides the legal context within which operational anti-bribery controls operate.
