ISO 37301:2021 pdf download – Compliance management systems一Requirements with guidance for use.
4.4 Compliance management system The organization shall establish, implement, maintain and continually improve a compliance management system, including the processes needed and their interactions, in accordance with the requirements of this document. The compliance management system shall reflect the organization’s values, objectives, strategy and compliance risks, taking into account the context of the organization (see 4.1). 4.5 Compliance obligations The organization shall systematically identify its compliance obligations resulting from its activities, products and services, and assess their impact on its operations. The organization shall have processes in place to: a) identify new and changed compliance obligations to ensure ongoing compliance; b] evaluate the impact of the identified changes and implement any necessary changes in the management of the compliance obligations. The organization shall maintain documented information of its compliance obligations. 4.6 Compliance risk assessment The organization shall identify, analyse and evaluate its compliance risks based upon a compliance risk assessment. The organization shall identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations. The organization shall assess compliance risks related to outsourced and third-party processes. The compliance risks shall be assessed periodically and whenever there are material changes in circumstances or organizational context. The organization shall retain documented information on the compliance risk asssment and on the actions to address its compliance risks.
7.2.2 Employment process In relation to all its personnel, the organization shall develop, establish, implement and maintain processes such that: a) conditions of employment require personnel to comply with the organization’s compliance obligations, policies, processes and procedures; b) within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the compliance policy and training in relation to that policy; c) appropriate disciplinary action shall be taken against personnel who violate the organization’s compliance obligations, policies, processes and procedures. As part of the employment process, the organization shall consider the compliance risks posed by roles and by personnel and apply due diligence procedures as required prior to any hiring, transfer and promotion. The organization shall implement a process that provides for a periodic review of performance targets, performance bonuses and other incentives, to verify that there are appropriate measures in place to prevent encouraging noncompliance. 7.2.3 Training The organization shall provide relevant personnel with training on a regular basis, from the time of commencement of employment and at planned intervals determined by the organization. Training shall be: a] appropriate to the roles of personnel and the compliance risks to which personnel are exposed; b) assessed for effectiveness; c reviewed regularly.