If you currently struggle to identify and evaluate your compliance obligations (or legal requirements), especially when a new law is introduced or when an ISO standard is first published or revised, ISO 37301 provides a framework for building a solution to this problem.
ISO 37301 is a management system standard which sets out the requirements, and provides guidelines, for establishing, developing, implementing, evaluating, maintaining and continually improving a compliance management system (CMS).
By implementing a CMS based on ISO 37301, your organisation will be able to meet the requirements of each clause of the standard:
| Clause | Requirement |
| --- | --- |
| 1. Context of the organisation | Determine the external issues (legal, technological, international, local, etc.) and internal issues (values, culture and knowledge) that influence the organisation, including the needs of interested parties, in order to define the scope of the management system. |
| 2. Leadership | Top management demonstrates leadership and commitment through a proper governance structure with policies in place, while ensuring that relevant roles, responsibilities and authorities are communicated and understood. |
| 3. Planning | Adopt a risk-based approach to address risks and opportunities in order to prevent or reduce undesired effects, and develop the necessary objectives and plans (taking into account the planning of changes), which in turn are cascaded through the organisation with responsibilities and timeframes. |
| 4. Support | Support the management system by providing resources and adequate infrastructure, and by ensuring the necessary competencies, awareness and communication, with the required documented information in place. |
| 5. Operation | Develop processes (controls, measures and procedures), together with feedback channels and contingency plans for non-conformances, incidents and emergency preparedness, while taking into account change management and the control of external providers. |
| 6. Performance evaluation | Monitor with relevant metrics, analyse performance measures (including evaluation of compliance), and conduct internal audits and management reviews. |
| 7. Improvement | Address non-conformities and incidents with the actions necessary to control and correct them, deal with their consequences and eliminate their root causes, and take remedial action to improve the suitability, adequacy and effectiveness of the management system. |
Our product offers several easy-to-use authoring tools, both content and creation software widgets, that enable you to create the following components, each of which can be mapped to one of the ISO clauses:
Thus, whether you are looking to implement a compliance management system for anti-bribery and ethics, data protection, information security, third-party management or another risk-based framework, you will need similar components. You can configure your product in the way you want and embed your customised content into those components; for example, you can upload assessment questionnaires that you have composed into your product.
Your organisation decides on the content, compliance areas and workflows.
When configuring your product, you can choose to implement only certain sections, such as risk and compliance management, or all of the above in order to conform to the full ISO 37301 requirements.
When deploying the components you have selected, you decide how to design the user menu of your system: either your own customised compliance workflow or the ISO process of Plan-Do-Check-Act. See diagram below.
Ultimately, ISO 37301 provides the guiding principles and the framework from which any compliance management system can be crafted.
Kevin Shepherdson
CEO, Straits Interactive