Investigating and Dealing with Bribery for ISO 37001
ISO 37001 Clause 8.10
Procedures to investigate and deal with bribery - confidentially, by independent investigators, with action taken on findings.
ISO 37001 Clause 8.10 - Investigating and Dealing with Bribery
Clause 8.10 requires the organisation to implement procedures that assess and, where appropriate, investigate any bribery, violation of the anti-bribery policy or violation of the ABMS that is reported, detected or reasonably suspected. The procedures must require appropriate action where the investigation establishes bribery or violation, empower and enable investigators, require cooperation from relevant personnel, require the status and results to be reported to the anti-bribery function and other compliance functions as appropriate, and require investigations to be conducted confidentially with confidential outputs.
Investigations must be carried out by - and reported to - personnel who are not part of the role or function being investigated. Business associates can be appointed to conduct investigations and report the results to personnel who are not part of the role or function being investigated.
How Investigations Work in Practice
The investigation typically starts after a concern reported under Clause 8.9 has been assessed using F-AB2 Bribery Concerns Assessment and the assessment has determined that further investigation is appropriate. The anti-bribery function appoints an investigator or investigation team. For more contained matters this may be a single person from the anti-bribery function. For more complex or sensitive matters a Focus-ABC committee can be established using F-AB5 Focus-ABC Committee.
The investigator must be independent of the role or function being investigated. For investigations involving the anti-bribery function itself, an external party is usually appointed. The investigator must be empowered - able to access records, request interviews and call on relevant resources. Personnel must cooperate - this requirement is normally backed up through the conditions of employment under Clause 7.2.2.1.
Reporting and Action
The status of investigations is reported to the anti-bribery function and to other compliance functions as appropriate. Where bribery or a policy violation is confirmed, appropriate action is taken - which may include disciplinary action, termination of business associate relationships, reporting to law enforcement where required, customer notification where contractual or regulatory obligations require it, and corrective action under Clause 10.2.
The results are confidential. Information about specific investigations is not shared more widely than is necessary to take the action required and to satisfy reporting obligations. The patterns and lessons from investigations - rather than the specifics - feed into management review under Clause 9.3 and continual improvement under Clause 10.
The combination that works is the F-AB2 assessment to triage incoming concerns, the Focus-ABC committee approach for more significant investigations, and the anti-bribery lead acting as the named owner throughout. The records track each step - assessment, decision to investigate, investigator appointment, investigation, findings, action, closure.
The independence point is the one that catches organisations out. An investigator who reports to the same line manager as the person being investigated is not independent. The procedure has to provide a route for serious investigations that does not depend on the same management chain - a Focus-ABC committee, an external investigator or a direct line to the governing body where one exists.
I check that any investigations that have been conducted are documented. I look for the assessment, the appointment of investigators, the investigation record and the action taken. I want to see independence in the investigators chosen and confidentiality in how the records have been handled. The pattern of decisions tells me whether the procedure is operating fairly.
Practical Compliance Guidance
Investigations follow the assessment of concerns through F-AB2 and are conducted by independent investigators with the Focus-ABC committee structure available for more significant matters. Findings flow into corrective action under Clause 10.2.
The documents below support the investigation requirements of Clause 8.10.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms. |
| F-AB2 Bribery Concerns Assessment | Form for assessing a reported concern and determining whether full investigation is needed. |
| F-AB5 Focus-ABC Committee | Template for setting up an anti-bribery compliance committee for more significant investigations. |
| PP-1-19 Anti-bribery Procedure | Sets out the procedural detail for investigations including independence, cooperation and reporting. |
| ER1 Issues Actions Register | Tracks the actions arising from investigations through to closure under Clause 10.2. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation creates the legal context for investigations - including reporting obligations to law enforcement and the legal framework for protected disclosures.
- Bribery Act 2010
- Fraud Act 2006
- Proceeds of Crime Act 2002
- Criminal Finances Act 2017
- Public Interest Disclosure Act 1998
