What is the difference between ISO 19600 and ISO 37301?
What Is ISO 19600?
If you’re operating a compliance management system, ISO 19600 sets out a clear structure for mitigating compliance risks. It makes a series of recommendations in terms of building a compliance-driven culture, but is not certifiable.
Here are ISO 19600’s main points:
- Top-level policy: Company and team leaders should work hard to foster a culture of compliance.
- Awareness: Through effective training, teams must understand the need for good governance at every stage.
- Improvement: The company needs to set clear goals to measure how well they are managing internal compliance.
- Risk assessments: Firms should know the risks affecting their compliance policy and how to address them.
- Auditing: Similarly, they must also regularly review their own performance to look for potential shortcomings.
- Obligations monitoring: A company must keep up with new obligations or regulations that affect compliance.
- Risk management: Finally, there must be processes and controls in place to report instances of non-compliance.
What Is ISO 37301?
ISO 37301 was released in 2021, making it newer than ISO 19600 (2014). This standard is also certifiable, meaning third-party bodies can measure a company’s use of compliance management systems. If it passes every test, the company will then receive a special certification.
When setting up a compliance management system, ISO 37301 offers a number of clear benefits. These include:
- Specific practices: Rather than vague guidance, ISO 37301 is much more specific. The recommendations of ISO 19600 are now requirements.
- HLS structure: ISO 37301 follows a High-Level Structure that is consistent with other ISO standards, allowing for easier implementation.
- Greater trust: A certified ISO 37301 standard assures stakeholders that you take concerns about compliance management very seriously.
- Highly efficient: Knowing how to manage compliance on a deeper level helps businesses deal with compliance issues more easily.
ISO 37301 is essential for any company hoping to abide by compliance laws and standards.
Key Differences Between ISO 19600 and ISO 37301
In many ways, ISO 37301 builds on ISO 19600’s main points. However, it does much more than solidify its recommendations. Here are the differences between ISO 19600 compliance management systems and their ISO 37301 equivalents.
Certifiability
ISO 19600 has no certification. This means there is no way of verifying that your company is actually implementing the standard’s recommendations effectively.
By following ISO 37301, your organisation can prove that it is carefully managing its own compliance. Certification allows everyone to navigate compliance-related situations with full confidence.
Structure
Both ISO 19600 and ISO 37301 compliance management systems follow the HLS (High-Level Structure) model. However, the former only uses it to outline generic guidance.
By contrast, ISO 37301 is much more versatile. Whereas ISO 19600 is only for organisations of certain sizes and structures, ISO 37301 has no such limits.
Approach
ISO 37301 is more specific than ISO 19600. For example, it clearly outlines how to handle whistleblowing. It also delves deeper into third-party relationships.
In contrast, ISO 19600 is much broader. It only asks you to consider adding a certain contingency or control, with very few specifics.
Leadership Requirements
ISO 19600 suggests that leaders should involve themselves in the establishment of clear compliance practices. This includes building a compliance-friendly culture.
Conversely, ISO 37301 requires management to commit themselves to setting up compliance strategies. They must allocate their resources well and stay accountable for any instances of non-compliance.
Compliance Management Systems Under ISO 37301
There are a number of rules that all ISO 37301 compliance management systems must adhere to. This ensures your system is able to pass future certifications and show your company’s commitment to good governance.
The standard’s introduction clarifies the importance of a company’s culture. This is vital for making sure staff members take compliance seriously. The new addition of whistleblowing protocols mainly exists to help with this.
Using these protocols as an example, here is how ISO 37301 requires companies to act regarding whistleblowers:
- There must be accessible, anonymous reporting processes.
- The company must investigate allegations promptly.
- This investigation should be independent and equitable.
- The organisation must respond to allegations in writing.
To this end, a company’s compliance should ideally interlink with their other main management processes. Compliance should inform how the company charts its course forward and manages resources, for example.
Leaders must set a strong example. They should be proactive in regularly looking over the company’s rules, which must reflect legislative changes.
By ensuring a robust compliance management system, ISO 37301 lets businesses mitigate risks. They will be able to anticipate and remedy any failures before they happen. This helps the company continue to improve.
Transitioning From ISO 19600 to ISO 37301
ISO 19600 compliance management systems can reach new heights by adopting ISO 37301 instead. This gives a company greater assurance that their approach is the right one. The new standard’s more-specific advice is especially useful.
Here is how to migrate to the new ISO 37301 standard:
- Conduct a gap analysis to compare your current strategy with ISO 37301.
- Familiarise your team with the standard’s certification requirements.
- Set up training sessions to ensure a compliance-friendly team culture.
- Make sure the leadership team has clear compliance responsibilities.
- Carry out a compliance risk assessment and develop control measures.
- Update all documents to match the new, more-specific requirements.
- Choose a reputable body to certify your organisation’s new approach.
Even after certification, ISO 37301 compliance management systems must set up continuous monitoring plans. These should include key performance indicators and reporting/whistleblowing protocols.
By following the standard’s requirements, your company will run into few issues.
Conclusion: Why ISO 37301 Is the Future of Compliance Management
An ISO 37301-compliant certification shows that your business treats governance with the importance it deserves. However, a company must work hard to maintain this credential.
With ISO 19600 now obsolete, this standard is the only compliance-specific ISO standard. On top of this, its clear requirements easily translate into a practical setting.
Organisations of all kinds face risks of non-compliance at some point. Adopt this standard today, and your company will be ready to fix any issues that arise.