Implementation of Anti-bribery Controls by Controlled Organisations and Business Associates for ISO 37001

ISO 37001 Clause 8.5

Anti-bribery controls extended to controlled organisations and to non-controlled business associates where bribery risk is greater than low.

ISO 37001 Clause 8.5 - Implementation of Anti-bribery Controls by Controlled Organisations and Business Associates

Clause 8.5 has two parts. 8.5.1 covers organisations that the certified entity controls - typically subsidiaries and other entities under direct control. 8.5.2 covers business associates that are not controlled but pose greater than low bribery risk.

ISO 37001 Clause 8.5.1 - Controlled Organisations

Where the organisation has control over another organisation, it must require that controlled organisation to implement either the parent organisation's ABMS or its own anti-bribery controls - to the extent that is reasonable and proportionate to the bribery risks faced by the controlled organisation, taking into account the bribery risk assessment.

In practice this typically means subsidiaries adopt the parent ABMS through the IMS structure, or operate their own equivalent ABMS that has been reviewed against the parent requirements. Where the controlled organisation is in a low-risk situation, the controls may be limited to the policy and basic awareness. Where it operates in higher-risk circumstances, the controls extend to full bribery risk assessment, due diligence and the operational controls of Clause 8.

ISO 37001 Clause 8.5.2 - Non-controlled Business Associates

Where the bribery risk assessment or due diligence has identified greater than low bribery risk for non-controlled business associates, and where their anti-bribery controls would help mitigate that risk, the organisation must implement procedures to determine whether the associate has anti-bribery controls in place.

If the associate has no controls, or it is not possible to verify their controls, the organisation has two options. Where practical, it can require the business associate to implement anti-bribery controls in relation to the relevant transactions, projects or activities. Otherwise, it must re-rate the bribery risk assessment and change the way it manages the risk - which may include enhancing the organisation's own controls, restricting the activities, or terminating the relationship.

The clause does not give organisations a choice to ignore the issue. Where higher-risk associates have inadequate controls and cannot be required to implement them, the organisation must adjust its own approach to manage the risk a different way.

The business associate register tracks each higher-risk associate, the controls they have in place, the additional controls required and any commitments they have provided. The register is the practical tool for evidencing Clause 8.5.2 - it shows which associates have been assessed, what their controls look like and what the organisation is doing where controls are inadequate.

This clause is where the bribery risk assessment really earns its keep. If the assessment is honest about which third parties pose more than low risk, this clause tells the organisation what to do about it. Soft assessments that under-rate associate risk to avoid difficult conversations come unstuck here.

I sample the business associate register and trace it back to the bribery risk assessment. I check that higher-risk associates have been assessed for their own controls, that commitments have been received where appropriate, and that the additional controls listed are actually in place. The register is the audit trail.

Practical Compliance Guidance

Controlled organisations are typically integrated into the ABMS through the IMS1 structure. Non-controlled business associates are tracked through the business associate register with their bribery risk rating, controls and any additional requirements.

The documents below support the requirements of Clause 8.5.

alphaZ document | How to use it
ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms.
F-IMS35 Business Associate Register | Tracks each higher-risk business associate, their anti-bribery controls and any additional controls or training required.
F-AB3 Bribery Commitment Declaration | Used to capture anti-bribery commitments from business associates, including controlled entities.
F-AB4 Bribery Due Diligence Review | Records the assessment of business associate anti-bribery controls.
PP-1-19 Anti-bribery Procedure | Sets out the procedures for working with controlled organisations and business associates.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Typically a subsidiary or other entity where the organisation has direct control through ownership, voting rights or contractual arrangements. Joint ventures where control is shared usually fall under 8.5.2 rather than 8.5.1, depending on the level of influence.

No - only those identified as greater than low risk by the bribery risk assessment or due diligence, and where their controls would help mitigate the risk. Lower-risk associates do not require this level of scrutiny. The bribery risk assessment is the gating mechanism.

The organisation re-rates the bribery risk and adjusts its own approach - typically through additional controls of its own, restrictions on the activities or termination of the relationship. Clause 8.8 covers the situation where adequate controls cannot be put in place.

Yes - especially for controlled organisations under 8.5.1. For non-controlled associates, partial adoption may be appropriate where the activities involve material bribery risk and the associate is willing to accept the controls. The business associate register records what has been agreed.

UK Legislation

The following UK legislation interacts directly with Clause 8.5 - the Bribery Act 2010 corporate offence makes the parent organisation liable for bribery by associated persons, which puts a legal premium on understanding what controls associates have in place.
