ISO 37001 Clause 9.1
Monitoring, measurement, analysis and evaluation - what to monitor, methods, timing, and evidence of results.
ISO 37001 Clause 9.1 - Monitoring, Measurement, Analysis and Evaluation
Clause 9.1 is the operational heartbeat of the ABMS. It requires four decisions - what gets monitored, by what method, when measurement happens, and when the results are analysed and evaluated. Documented evidence of all four is required.
What ISO 37001 Clause 9.1 Requires
The clause requires the organisation to determine: what needs to be monitored and measured (this includes the bribery risks identified under Clause 4.5 and the controls put in place to address them); the methods for monitoring, measurement, analysis and evaluation, where applicable, to evaluate ABMS performance and effectiveness (the methods need to produce comparable and reproducible results); when the monitoring and measuring takes place; when the results are analysed and evaluated; and who is responsible.
The output is documented evidence of the results. Evaluation determines whether the ABMS is performing as intended and whether it is effective. Both performance (is it operating as designed) and effectiveness (is it achieving the intended results) have to be evaluated.
What to Monitor in Practice
The decision on what to monitor is driven by the risks identified in the bribery risk assessment. For most organisations the monitoring set covers: training completion rates against the training programme, business associate due diligence completion (covered by F-AB4 reviews), reports raised through the F-AB1 procedure and their assessment outcomes, hospitality and gifts logged on the ER22 register including any approvals required, declarations from greater-than-low-risk personnel and from top management or the governing body, and any unusual financial transactions flagged by the financial controls under Clause 8.3.
Each of these has a measurable form. Training completion is a percentage. Due diligence reviews completed within target time are a percentage. Concerns received per period is a count. Hospitality items above threshold are a count. The methods need to produce numbers that can be compared period to period.
Analysis and Evaluation
Raw monitoring data is not the point - analysis is. The question is what the data tells you about whether the ABMS is working. Three months of zero concerns reported can mean the procedure is not credible just as easily as it can mean the controls are effective. Hospitality logged at unusually low or high volumes can both be signals. The analysis is what turns numbers into insight, and the evaluation step is the judgement on whether the ABMS is achieving its intended results.
Monitoring is the part most organisations manage to do. Analysis is what they often skip. A spreadsheet of training percentages does not by itself tell you anything - what matters is whether the percentages are consistent with the risk profile, whether the gaps are in the right places, and whether the trend is heading the right way.
Choose a small set of measures that connect directly to the bribery risk assessment. If a particular risk is rated significant, the measures that monitor the controls for that risk should be in the set. If a measure does not connect to a risk, ask whether it is worth collecting at all. Less, but better.
I look at what is monitored, how often, who reviews it and what they do with the analysis. I want to see a documented schedule, evidence the monitoring actually happened, and evidence the results were reviewed and acted on. Without the analysis step, monitoring is busy work and the audit finding writes itself.
Practical Compliance Guidance
Monitoring covers training completion (drawn from ER2), business associate reviews (using F-AB4), concerns received (F-AB1), and hospitality activity (ER22). Results are analysed and reported into management review using the F-Q3 37001 form.
The documents below support the monitoring required by Clause 9.1.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms. |
| ER2 Staff Training and Competency Matrix | Tracks training completion and ABMS-related competency - the basis for the training-based monitoring measures. |
| F-AB4 Bribery Due Diligence Review | Records due diligence reviews on business associates - completion and outcomes feed monitoring of Clause 8.2. |
| F-AB1 Bribery Concerns Report | Concerns received and assessed under the procedure - count and outcomes are key monitoring data. |
| ER22 Hospitality and Gifts Register | Logs hospitality and gifts - volume, value distribution and approval rates feed monitoring of Clause 8.7. |
| F-IMS34 Anti-bribery Compliance Register | Records ABMS compliance activities and the basis for analysis of overall ABMS performance. |
| F-Q3 Anti-bribery Management Review | Management review template - monitoring results form key inputs. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
Monitoring of bribery controls supports compliance with UK bribery and corporate crime legislation.
