ISO/FDIS 37302
Compliance management systems — Guidance for the evaluation of effectiveness
This document establishes principles and an indicator system for evaluating the effectiveness of compliance management, and specifies the evaluation criteria and data acquisition, the evaluation process, the method for deriving the evaluation result, and the contents of the evaluation report. This document is applicable to the activities for evaluating the effectiveness of compliance management in all types of organizations, regardless of type, size and nature.
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
SLOVENIAN STANDARD
oSIST ISO/DIS 37302:2024
1 October 2024
Compliance management systems - Guidelines for the evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
This Slovenian standard is identical to: ISO/DIS 37302
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
oSIST ISO/DIS 37302:2024 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT International Standard ISO/DIS 37302
ISO/TC 309
Secretariat: BSI
Compliance management systems — Guidelines for the evaluation of effectiveness
Voting begins on: 2024-06-04
Voting terminates on: 2024-08-27
ICS: 03.100.01; 03.100.02
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
Reference number: ISO/DIS 37302:2024(en)
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General Principles
5 Evaluation methodology
5.1 General
5.2 Evaluation scales
5.3 Evaluation indicator framework
6 Evaluation criteria
6.1 Planning and establishing of the compliance management system
6.1.1 Analysis of the context of the organization, including requirements of interested parties
6.1.2 Identification and update of compliance obligations
6.1.3 Determination of scope of the compliance management system and assessment of compliance risk
6.1.4 Leadership and commitment of governing body and top management
6.1.5 Implementation of compliance governance principles
6.1.6 Maintenance and promotion of compliance culture
6.1.7 Assignment of the roles, responsibilities, and authorities for personnel in different levels
6.1.8 Compliance policy and setting of objectives
6.1.9 Planning of actions to address risk and opportunity and the resources required
6.2 Implementation of the planned compliance management system
6.2.1 Operational actions to address risk and opportunity
6.2.2 Allocation of resources
6.2.3 Competences, capacity building and raising awareness
6.2.4 Employment process, rewards, and disciplinary actions
6.2.5 Training
6.2.6 Internal and external communication
6.2.7 Establishment of a mechanism for raising concern
6.2.8 Implementation of investigation mechanism
6.2.9 Management of documented information
6.3 Evaluating performance and improvement of the compliance management system
6.3.1 Monitoring, measurement, and analysis of performance
6.3.2 Internal audit
6.3.3 Management review
6.3.4 Actions to address nonconformity and/or noncompliance and correction
6.3.5 Continual improvement in a planned manner
7 Evaluation process
7.1 Objectives
7.2 Structured approach
7.3 Evaluators
7.4 Evaluation Method
7.4.1 Design
7.4.2 Implementation
7.4.3 Reporting and response
Annex A (informative) Figure of the evaluation indicator framework
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of Organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
...
FINAL DRAFT International Standard
ISO/TC 309
Secretariat: BSI
Compliance management systems — Guidance for the evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
Voting begins on: 2025-04-10
Voting terminates on: 2025-06-05
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
© ISO 2025. All rights reserved. Published in Switzerland.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General principles
5 Evaluation methodology
5.1 General
5.2 Evaluation scales
5.3 Evaluation indicator framework
6 Evaluation criteria
6.1 Planning and establishment of the compliance management system
6.1.1 Analysis of the context of the organization, including requirements of interested parties
6.1.2 Identification and update of compliance obligations
6.1.3 Determination of the scope of the compliance management system and assessment of compliance risk
6.1.4 Leadership and commitment of governing body and top management
6.1.5 Implementation of compliance governance principles
6.1.6 Maintenance and promotion of compliance culture
6.1.7 Assignment of the roles, responsibilities, and authorities for personnel at different levels
6.1.8 Compliance policy and setting of objectives
6.1.9 Planning of actions to address risk and opportunity and the resources required
6.2 Implementation of the planned compliance management system
6.2.1 Operational actions to address risk and opportunity
6.2.2 Allocation of resources
6.2.3 Competences, capacity building and raising awareness
6.2.4 Employment process, rewards and disciplinary actions
6.2.5 Training
6.2.6 Internal and external communication
6.2.7 Establishment of a mechanism for raising concerns
6.2.8 Implementation of processes for investigation
6.2.9 Management of documented information
6.3 Evaluating performance and improvement of the compliance management system
6.3.1 Monitoring, measurement, analysis and evaluation of performance
6.3.2 Internal audit
6.3.3 Management review
6.3.4 Actions to address nonconformity and/or noncompliance and correction
6.3.5 Continual improvement in a planned manner
7 Evaluation process
7.1 Objectives
7.2 Structured approach
7.3 Evaluators
7.4 Evaluation method
7.4.1 Design
7.4.2 Implementation
7.4.3 Reporting and response
Annex A (informative) Figure of the evaluation indicator framework
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
An effective compliance management system supports an organization. It enables the organization to
demonstrate its commitment to complying with:
— relevant laws;
— regulatory requirements;
— industry codes;
— organizational standards;
— standards of good governance;
— generally accepted best practices;
— ethics;
— the expectations of the interested parties.
Compliance becomes sustainable when it is embedded in the culture of the organization and in the behaviour
and attitude of personnel under the control of the organization. Embedded compliance positively influences
the compliance performance of the organization.
ISO 37301 sets out the requirements and provides guidance for establishing, developing, implementing,
evaluating and improving an effective and responsive compliance management system within an
organization. This document provides guidance to support the implementation of the requirements in
ISO 37301 related to evaluating the performance of a compliance management system (including monitoring,
measurement, analysis, evaluation and management reviews) and thus ensuring continual improvement in
any type of organization.
The framework can also be used to evaluate the effectiveness of other types of compliance management
systems.
----
...
ISO/TC 309/WG 4
Secretariat: BSI
Date: 2024-12-16
Date: 2025-03-26
Compliance management systems — Guidance for the evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
FDIS stage
FINAL DRAFT International Standard ISO/FDIS 37302:2024(en)
Compliance management systems — Guidance for the evaluation of effectiveness
1 Scope
This document establishes principles and an evaluation indicator framework for assessing the effectiveness
of a compliance management system. This includes evaluation criteria for specified indicators. This document
also provides guidance as well as suggestions on the evaluation model.
The guidance provided in this document aims to support the monitoring, measurement, analysis and
evaluation of a compliance management system. It aims to support management review of the compliance
management system to foster continual improvement. It does not add to, change or otherwise modify
requirements for compliance management systems or any other standards.
This document is applicable to the activities for evaluating the effectiveness of the compliance management
system in all organizations, regardless of the type, size and nature, including organizations from the public,
private or non-profit sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37301 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
effectiveness
extent to which planned activities are realized and planned results are achieved
[SOURCE: ISO 37301:2021, 3.13]
3.2
evaluation indicator
measurable reference point of the current status or condition of a compliance management system activity
Note 1 to entry: Evaluation indicators can be quantitative or qualitative.
3.3
evaluation indicator framework
schema comprised of evaluation indicators (3.2) that reflects the effectiveness of a compliance management system
4 General principles
The evaluation of the effectiveness of a compliance management system should be based on the following
principles:
a) Objectivity: The evaluation indicator framework can be used in different contexts and for different purposes and is established so that the results of an evaluation reflect the actual status of the compliance management system.
b) Completeness and scalability: The evaluation criteria for each indicator consider the planning, development, implementation and continual improvement of processes, the achievement of planned results and the degree of achievement.
c) Traceability: The evaluation results are verified through objective methods and evidence in documented information as well as other supporting information.
5 Evaluation methodology
5.1 General
The effectiveness of the compliance management system refers to its ability to consistently achieve its
objectives and intended results. Moreover, an effective compliance management system results in improved
performance and enhanced value for the organi
...