ISO 37003:2025

International
Standard
ISO 37003
First edition
Fraud control management systems —
2025-05
Guidance for organizations managing
the risk of fraud
Systèmes de management du contrôle de la fraude — Lignes
directrices destinées aux organisations gérant le risque de fraude
Reference number
All rights reserved.
ISO publications, in their entirety or in fragments, are owned by ISO. They are licensed, not sold, and are subject to the
terms and conditions set forth in the ISO End Customer License Agreement, the License Agreement of the relevant ISO
member body, or those of authorized third-party distributors.
Unless otherwise specified or required for its implementation, no part of this ISO publication may be reproduced,
distributed, modified, or used in any form or by any means, electronic or mechanical, including photocopying, scanning,
recording, or posting on any intranet, internet, or other digital platforms, without the prior written permission of ISO,
the relevant ISO member body or an authorized third-party distributor.
This publication shall not be disclosed to third parties, and its use is strictly limited to the license type and purpose
specified in the applicable license grant. Unauthorized reproduction, distribution, or use beyond the granted license is
prohibited and may result in legal action.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Licensing and use terms
As stated above, ISO documents, as well as any updates and/or corrections, and any intellectual property or
other rights pertaining thereto, are owned by ISO. ISO documents are licensed, not sold. This document does
not in any way operate to assign or transfer any intellectual property rights from ISO to the user. ISO
documents are protected by copyright law, database law, trademark law, unfair competition law, trade secrecy
law, and any other applicable law. Users acknowledge and agree to respect ISO’s intellectual property rights
in the ISO documents.
The use of ISO documents is subject to the terms and conditions of the applicable licence agreement.
ISO documents are provided under different licensing agreement types (“Licence Type”) allowing a non-
exclusive, non-transferable, limited, revocable right to use/access the ISO documents for one or more of the
purposes described below (“Purpose”), which may be internal or external in scope. The applicable Purpose(s)
must be agreed in the purchase order and/or in the applicable licence agreement.
a) Licence Type:
1) Single registered end-user licence (watermarked in the user’s name) for the specified Purpose. Under
this license, the user cannot share the ISO document with a third party, including on a network.
2) Network licence for the specified Purpose. The network licence can be assigned to either unnamed
concurrent end-users or named concurrent end-users within the same organization.
ii
b) Purpose:
1) Internal Purpose. Internal use only within the user’s organization, including but not limited to own
implementation (“Internal Purpose”).
The scope of permitted internal use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable internal use rights (such as for internal
meetings, internal training programmes, preparation of certification services, for integration or
illustration in internal manuals, internal training materials, and internal guidance documents). Each
internal use must be explicitly specified in the purchase order and/or in the applicable licence
agreement, and specific fees and requirements apply to each permitted use.
2) External Purpose. External use, including but not limited to:
— testing services;
— inspection services;
— certification services;
— auditing services;
— consulting services;
— conformity assessment scheme development and implementation;
— training services;
— education;
— research;
— software development and other digital platform or software-enabled digital services;
— any other services or activities conducted by the user or the user’s organization to third parties,
whether for commercial or non-commercial purposes (“External Purpose”).
The scope of permitted external use is specified at the time of purchase or through subsequent
agreement with ISO, the ISO member body in the user’s country, any other ISO member body or an
authorized third-party distributor, including any applicable external use rights (e.g. in publications,
products, or services marketed and sold by the user/the user’s organization). Each external use must
be explicitly specified in the purchase order and/or in the applicable licence agreement, and specific
fees and requirements apply to each permitted use.
Unless users have been granted use rights according to the above provisions, they are not granted the right to
share or sublicense ISO documents inside or outside their organization for either Purpose. If users wish to
obtain additional use rights for ISO documents or their content, users can contact ISO or the ISO member body
in their country to explore possible options.
If the user or the user’s organization is granted a licence for the External Purpose of providing any of the
following services to third parties:
— testing services;
— inspection services;
ii(bis)
— certification services;
— auditing services;
— consulting services,
and if any of these five (5) services reference, rely upon, incorporate, or otherwise make use of any aspect,
requirement, provision, or any other information of any ISO document, the user or the user’s organization
agrees to verify that the third party receiving such services has obtained from the ISO member body in their
country, any other ISO member body, ISO or an authorized third-party distributor, a valid licence for its own
implementation of such ISO document or other use related to such services. This verification obligation must
be included in the applicable licence agreement obtained by the user or the user’s organization.
ISO documents must not be disclosed to third parties, and users must use them solely for the purpose specified
in the purchase order and/or applicable licensing agreement. Unauthorized disclosure or use of ISO
documents beyond the licensed purpose is prohibited and can result in legal action.
Use restrictions
Except as provided for in the applicable licence agreement and subject to a separate licence by ISO, the ISO
member body in the user’s country, any other ISO member body or an authorized third-party distributor, users
are not granted the right to:
— use ISO documents for any purpose other than the Purpose;
— grant use or access rights to ISO documents beyond the Licence Type;
— disclose ISO documents beyond the intended Purpose and/or Licence Type;
— sell, lend, lease, reproduce, distribute, import/export or otherwise commercially exploit ISO documents.
In the case of documents that are joint publications (such as ISO/IEC documents), this clause applies to
the respective joint copyright ownership;
— assign or otherwise transfer ownership of ISO documents, in whole or in part, to any third party.
Regardless of the Licence Type or Purpose for which users are granted access and use rights for ISO
documents, users are not permitted to access or use any ISO documents, in whole or in part, for any machine
learning and/or artificial intelligence and/or similar purposes, including but not limited to accessing or using
them
a) as training data for large language or similar models, or
b) for prompting or otherwise enabling artificial intelligence or similar tools to generate responses.
Such use is only permitted if expressly authorized through a specific licence agreement by the ISO member
body in the requester’s country, another ISO member body, or ISO. Requests for such authorization are
considered on a case-by-case basis to ensure compliance with intellectual property rights. Specifically, it is not
possible to claim the benefit of copyright exception of Article 4 of the Directive (EU) 2019/790 of the European
Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market, for
the purpose of text and data mining on ISO documents, as ISO hereby opts out of this exception.
If ISO, or the ISO member body in the user’s country, has reasonable doubt that users are not compliant with
these terms, it can request in writing to perform an audit, or have an audit performed by a third-party auditor,
during business hours at the user’s premises or via remote access.
ii(ter)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 8
4.1 Understanding the organization and its context .8
4.2 Understanding the needs and expectations of interested parties .8
4.3 Determining the scope of the fraud control management system (FCMS) .9
4.4 Fraud control management system (FCMS) .9
4.5 Fraud risk assessment .9
4.5.1 General .9
4.5.2 Collaboration with other risk management functions .10
5 Leadership . 10
5.1 Leadership and commitment .10
5.1.1 Governing body .10
5.1.2 Top management .10
5.2 Fraud control policy .11
5.3 Roles, responsibilities and authorities .11
5.3.1 General .11
5.3.2 Delegated decision-making to managers and organizational functions .11
5.3.3 Fraud control function .11
5.3.4 Information security management system function . 12
5.3.5 Internal audit function . 12
6 Planning .13
6.1 Actions to address risks and opportunities . 13
6.1.1 General . 13
6.2 Fraud control objectives and planning to achieve them . 13
6.3 Planning of changes .14
7 Support . 14
7.1 Resources .14
7.1.1 General .14
7.1.2 Information security management system function .14
7.2 Competence .14
7.2.1 General .14
7.2.2 Employment process. 15
7.3 Awareness . 15
7.3.1 Awareness of personnel . 15
7.3.2 Training for personnel .16
7.3.3 Training for business associates .16
7.3.4 Awareness and training programmes . .16
7.4 Communication .17
7.4.1 General .17
7.4.2 Promoting the FCMS .17
7.5 Documented information .17
7.5.1 General .17
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Record keeping and confidentiality of information .18
8 Operation . 19
8.1 Operational planning and control .19
8.2 Preventing fraud . 20

iii
8.2.1 General . 20
8.2.2 Developing and promoting an effective integrity framework . 20
8.2.3 Managing conflicts of interest.21
8.2.4 Internal controls and the internal control environment .21
8.2.5 Pressure testing the internal control system . 22
8.2.6 Managing performance-based targets . 22
8.2.7 Personnel screening . 23
8.2.8 Screening and management of business associates . 23
8.2.9 Preventing technology-enabled fraud .24
8.2.10 Physical security and asset management . 25
8.3 Detecting fraud . 25
8.3.1 General . 25
8.3.2 Post-transactional review . 25
8.3.3 Analysis of management accounting reports . 25
8.3.4 Identification of early warning indicators . 26
8.3.5 Data analytics . 26
8.3.6 Fraud reporting .27
8.3.7 Artificial intelligence systems . .27
8.3.8 Complaint management . 28
8.3.9 Exit interviews . 28
8.4 Responding to fraud events . 28
8.4.1 General . 28
8.4.2 Immediate actions in response to discovery of fraud . 28
8.4.3 Digital evidence first response . 29
8.4.4 Investigation of a detected fraud event . 29
8.4.5 Consideration of grievances . 29
8.4.6 Disciplinary procedures . 29
8.4.7 Separation of investigation and decision-making processes . 29
8.4.8 Crisis management following discovery of a fraud event . 29
8.4.9 Internal reporting and escalation . 30
8.4.10 Fraud event register . 30
8.4.11 Analysis and reporting of fraud events . 30
8.4.12 External reporting .31
8.4.13 Recovery of stolen funds or property .31
8.4.14 Responding to fraud events involving business associates .32
8.4.15 Insuring against fraud events .32
8.4.16 Assessing internal controls, systems and processes post-detection of a fraud
event .32
8.4.17 Impact of fraud on other interested parties . 33
8.4.18 Disruption of fraud . 33
9 Performance evaluation .34
9.1 Monitoring, measurement, analysis and evaluation . . 34
9.2 Internal audit . 34
9.2.1 General . 34
9.2.2 Internal audit programme . 35
9.3 External audit . 35
9.4 Management review . 36
9.4.1 General . 36
9.4.2 Management review inputs . 36
9.4.3 Management review results . 36
10 Improvement .36
10.1 Continual improvement . 36
10.2 Nonconformity and corrective action . 36
Annex A (informative) Examples of fraud risks impacting global entities .38
Annex B (informative) Models for fraud prevention — Guidance . 41
Bibliography .45

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
http://www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at http://www.iso.org/members.html.

v
Introduction
Fraud is a risk for all organizations in the private, public or not-for-profit sectors. Fraud events can
significantly impact the financial position of the target organization and often have flow-on financial
consequences for global and local economies. Fraud can lead to serious legal and financial consequences as
well as enduring psychological and emotional harm for the individuals involved. For a summary of the types
of fraud commonly encountered by organizations, see Annex A.
The pervasiveness and increasing sophistication of information technology, the rapid uptake of electronic
payment systems by the general population and economic globalization have led to an increased incidence
of external fraudulent attack on organizations across all sectors.
Managing and controlling the risk of fraud should be considered by the leadership of all organizations.
NOTE For more information on fraud as it relates to governance, see ISO 37000:2021, 6.9.
This document includes guidance on:
a) creating and maintaining processes for fraud risk identification, assessment and monitoring;
b) mitigating internal and external fraud, including fraud against, and by, the organization;
c) detecting fraud against or by the organization based on its assessed fraud risk exposures;
d) effective response to fraud events in order to ensure that:
— damage to the organization's image can be minimized;
— its reputation can be restored and improved;
— funds lost due to fraud can be recovered.
e) ensuring continual improvement.
Following this guidance cannot provide assurance that fraud has not occurred or will not occur in the future
as it is not possible to eliminate the risk of fraud. However, it will help organizations to effectively manage
fraud risk and to respond appropriately to fraud events and avoid or reduce the compliance liability risk of
the organization.
Effective fraud control requires the organization to commit to prevention, detection and response initiatives
underpinned by leadership, planning and resourcing as summarised in Figure 1.

vi
Figure 1 — Principles, structure and objectives of this document

vii
International Standard ISO 37003:2025(en)
Fraud control management systems — Guidance for
organizations managing the risk of fraud
1 Scope
This document provides guidance for organizations for the development, implementation and maintenance
of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of
fraud and effective response to fraud events that have occurred or can occur in the future.
The document provides guidance for managing the risk of fraud, including:
a) internal fraud against the organization;
b) external fraud against the organization;
c) internal fraud in collaboration with business associates or other third parties;
d) external fraud in collaboration with the organization’s personnel;
e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the
organization.
This document is applicable to all organizations, regardless of type, size, nature of activity and whether in
the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing,
detecting or responding to what is generally termed "consumer fraud".
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
fraud
intentional dishonest act causing actual or potential gain or loss that creates social or economic harm
Note 1 to entry: Fraud also includes the deliberate falsification, concealment, destruction or use of falsified
documentation used or intended for use for a normal business purpose or the improper use of information or position
for personal financial benefit.
Note 2 to entry: Fraudulent conduct need not necessarily represent a breach of law.
Note 3 to entry: Fraud can involve fraudulent conduct by internal and/or external parties targeting the organization
(3.3) or fraudulent conduct by the organization itself targeting external parties.
Note 4 to entry: Fraud can include loss of moneys or other property by persons internal and external to the organization
and where deception is used at the time, immediately before or immediately following the activity.

Note 5 to entry: Fraud can be external or internal or both. External fraud is where no perpetrator is employed by
or has a close association with the target organization. Internal fraud is where at least one perpetrator is employed
by or has a close association with the target organization and has detailed internal knowledge of the organization’s
operations, systems and procedures.
3.2
fraud event
instance of fraud (3.1) against or by an organization (3.3)
3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives (3.14)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not,
public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger
entity that is within the scope of the fraud controlmanagement system (3.11).
3.4
target organization
organization (3.3) that is the object of a fraud event (3.2).
3.5
interested party
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or
activity
3.6
top management
person or group of people who directs and controls an organization (3.3) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.10) covers only part of an organization, then top management
refers to those who direct and control that part of the organization.
Note 3 to entry: Organizations can be organized depending on which legal framework they are obliged to operate under
and also according to their size, sector, etc. Some organizations have both a governing body (3.7) and top management
(3.6), while some organizations do not have responsibilities divided into several bodies. These variations, both in
respect of organization and responsibilities, can be considered when applying the requirements in Clause 5.
3.7
governing body
person or group of people who have ultimate accountability for the whole organization (3.3)
Note 1 to entry: A governing body can be explicitly established in a number of formats including, but not limited to, a
board of directors, supervisory board, sole director, joint and several directors, or trustees.
Note 2 to entry: ISO management system standards make reference to the term “top management” to describe a role
that, depending on the standard and organizational context, reports to, and is held accountable by, the governing body.
Note 3 to entry: Not all organizations, particularly small and medium organizations, will have a governing body
separate from top management. In such cases, top management exercises the role of the governing body.
[SOURCE: ISO 37000:2021, 3.3.4, modified — The Notes to entry were reordered: Note 2 to entry is now Note
1 to entry; Note 3 to entry is now Note 2 to entry; and Note 3 to entry was added.]

3.8
personnel
organization’s (3.3) directors, officers, employees, temporary staff or workers, and volunteers
Note 1 to entry: Different types of personnel pose different types and degrees of fraud risk (3.15) and can be treated
differently by the organization's fraud risk assessment and fraud risk management procedures.
[SOURCE: ISO 37001:2025, 3.24, modified — Note 1 has been amended and Note 2 to entry has been deleted]
3.9
business associate
external party with whom the organization (3.3) has, or plans to establish, some form of business relationship
Note 1 to entry: Business associate includes but is not limited to clients, customers, joint ventures, joint venture
partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors,
advisors, agents, distributors, representatives, intermediaries and investors. This definition is deliberately broad and
should be interpreted in line with the fraud risk (3.15) profile of the organization to apply to business associates which
can reasonably expose the organization to fraud risks.
Note 2 to entry: Different types of business associate pose different types and degrees of fraud risk, and an organization
will have differing degrees of ability to influence different types of business associate.
Note 3 to entry: Reference to “business” in this document can be interpreted broadly to mean those activities that are
relevant to the purposes of the organization’s existence.
[SOURCE: ISO 37001:2025, 3.26, modified]
3.10
management system
set of interrelated or interacting elements of an organization (3.3) to establish policies (3.12) and objectives
(3.14) as well as processes (3.18) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.11
fraud control management system (FCMS)
part of the overall management system (3.10) for controlling the risks of fraud (3.1) against or by an
organization (3.3)
3.12
policy
intentions and direction of an organization (3.3) as formally expressed by its top management (3.6)
3.13
conflict of interest
situation in which an interested party has personal interest or organizational interest, directly or indirectly,
that can compromise, or interfere with, the ability to act impartially in carrying out their duties in the best
interest of the organization (3.3)
Note 1 to entry: There can be different types of personal interests: business, financial, family, professional, religious
or political.
Note 2 to entry: Organizational interest relates to the interests of an organization or part of an organization (e.g. team
or department) rather than an individual.
1)
[SOURCE: ISO 37009:20— , 3.1.10]
1) Under preparation. Stage at the time of publication: ISO/DIS 37009:2024.

3.14
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or specific to a project, product or process (3.18).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational
criterion, as a fraud control objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of fraud controlmanagement systems (3.11), fraud control objectives are set by the
organization (3.3), consistent with the fraud control policy (3.12), to achieve specific results.
3.15
risk
effect of uncertainty on objectives (3.14)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes
in circumstances) and the associated likelihood of occurrence.
3.16
level of risk
magnitude of a risk (3.15) or combination of risks, expressed in terms of the combination of consequences
...