SIST ISO 37303:2025
Compliance management systems — Guidance for competence management
This document provides guidance for the determination and development of competencies necessary to achieve an organization's compliance management system objectives. It provides guidance for establishing the adequate level of competencies of certain internal functions and third parties.
This document is applicable to all organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector.
This document does not add to, change or otherwise modify requirements for compliance management system or any other standards.
Systèmes de management de la conformité — Lignes directrices pour la gestion des compétences
Sistemi za upravljanje skladnosti - Napotki za vodenje kompetenc
Standards Content (Sample)
SLOVENIAN STANDARD
01-September-2025
Sistemi za upravljanje skladnosti - Napotki za vodenje kompetenc
Compliance management systems — Guidance for competence management
Systèmes de management de la conformité — Lignes directrices pour la gestion des compétences
This Slovenian standard is identical to: ISO 37303:2025
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
International Standard
ISO 37303
First edition
2025-07
Compliance management systems — Guidance for competence management
Systèmes de management de la conformité — Recommandations pour la gestion des compétences
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Competence management
4.1 General
4.2 Objectives of competence management
4.3 Determining competence needs
4.3.1 General
4.3.2 Organizational competence
4.3.3 Governing body and top management competence
4.3.4 Compliance function competence
4.3.5 Management competence
4.3.6 Risk-exposed personnel competence
4.3.7 Third party competence
4.4 Assessing the current state of the competence and development needs
4.4.1 Status needs of competence
4.4.2 Risk assessment in relation to determination of status and needs of competence
5 Competence development
5.1 General
5.2 Planning
5.3 Programme structure
5.4 Activities
5.4.1 General
5.4.2 Competence development activities
5.5 Roles and responsibilities
6 Evaluation of competence management programme
6.1 General
6.2 Evaluating competence management
6.3 Maintaining and continuous improvement of competence management
Annex A (informative) Competence portfolio
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
A compliance management system enables an organization to demonstrate its commitment to complying with:
— relevant laws;
— regulatory requirements;
— industry codes;
— organizational standards;
— standards of good governance;
— generally accepted best practices;
— ethics;
— the expectations of the interested parties.
The compliance management system has become an integral part of any organization that aims to be
successful and sustainable in the long term. A compliance management system is made sustainable by
creating a compliance culture within the organization and by establishing common standards of behaviour
and attitude related to compliance. ISO 37301 sets out the requirements and provides guidance for
establishing, developing, implementing, evaluating and improving the competence necessary to ensure
the compliance management system is effective. This document provides guidance to help implement the
requirements related to competence and training in ISO 37301. These requirements are mostly expressed in
ISO 37301:2021, Clause 7.
Competence management is fundamental to an organization's compliance management system and activities.
Competence management helps an organization recognize and determine the competence requirements of
the personnel doing work under its control to implement its compliance management system. Competence
management ensures that persons doing work under the organization’s control are qualified with knowledge
and skills and have the experience to fulfil the relevant compliance obligations.
Competence management is tailored to the context of the organization. This includes its roles and
responsibilities; planning and support activities; and the operations of the compliance management system.
Compliance management can help the organization evaluate and determine the competence needs, including
the relevant knowledge, skills and experience. It also ensures that the organization:
— fulfils its compliance obligations;
— integrates compliance management into the organization's business processes and operational links;
— develops a compliance culture.
Competence management can also improve the overall efficiency and productivity of the organization's
compliance management system. It can make an important contribution to enhancing personnel
competitiveness and to achieving the strategic direction and expected results of the organization.
Competence is managed through the systematic process of the compliance management system. It follows
the "Plan, do, check, act" method.
This document provides guidance to organizations in addressing issues related to competence management
within its compliance management system. It can also provide guidance for competence management within
other management systems standards.
This document provides guidance on fully integrating competence management within a compliance
management system by following the "Plan, do, check, act" method. Figure 1 outlines this process.
Figure 1 — Process for competence management
International Standard ISO 37303:2025(en)
Compliance management systems — Guidance for competence management
1 Scope
This document provides guidance for the determination and development of competencies necessary to
achieve an organization's compliance management system objectives. It provides guidance for establishing
the adequate level of competencies of certain internal functions and third parties.
This document is applicable to all organizations regardless of the type, size and nature of the activity, as
well as whether the organization is from the public, private or non-profit sector.
This document does not add to, change or otherwise modify requirements for compliance management
system or any other standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37301 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO 37301:2021, 3.9]
3.2
knowledge
human or organizational asset enabling effective decisions and action in context
[SOURCE: ISO 30401:2018, 3.25, modified — Note 1 to entry, Note 2 to entry and Note 3 to entry have been
removed.]
3.3
skill
learned capacity to perform a task to a specified expectation
[SOURCE: ISO 30401:2018, 3.30]
3.4
competence management
systematic approach to identifying, determining, assessing and continuously improving competencies
needed within an organization to ensure that individuals have the required knowledge (3.2) and skills (3.3)
to meet organizational objectives
Note 1 to entry: Competence management also encompasses the strategic planning and oversight of competencies at
an organizational level. This includes the encouragement of person(s) to acquire new or advanced competence (3.1) by
creating learning and training opportunities and circumstances in which acquired competencies can be applied.
3.5
behaviour
way in which someone acts, reacts and interacts with others in a certain situation
Note 1 to entry: Behaviour can be shaped by personal values, beliefs, habits and social norms. It can reflect a person's
attitudes and feelings. This includes their emotional intelligence and their ability to remain calm in a crisis, maintain
concentration during monotonous work and work cooperatively.
4 Competence management
4.1 General
The organization should identify and assess competence needs and improve the competence of person(s)
doing work under its control that affects its compliance performance. Competence requires knowledge,
skills and experience so that person(s) can perform their function(s) in such ways that support the objectives
of the compliance management system.
The organization should determine competency criteria for the development, implementation, monitoring
and continual improvement of the compliance management system, as well as for compliance risk areas in
relation to relevant compliance obligations.
The competence criteria should be determined for person(s) doing work under the organization's control
that can affect its compliance performance, including functions assigned to roles and responsibilities in
the compliance management system, and personnel and third parties that pose a compliance risk to the
organization.
The organization should determine the expected and common standard of ethical and professional
behaviours related to the relevant compliance obligations to foster compliance.
The organization should review and update the competence needs for each function, either periodically or as
necessary, to ensure personnel are able to fulfil the compliance obligations and objectives of the compliance
management system.
Documented information should be maintained as appropriate to provide support and demonstrate:
— the determination at the level of the organization, the governing body, top management, compliance
function, management, risk-exposed personnel and relevant third parties;
— the results of individual qualifications, performance and appraisal;
— the achievements of development programmes and other initiatives, e.g. training;
— the evaluation of the impact of competence management and associated actions.
4.2 Objectives of competence management
The intended result of competence management is to provide the organization, its personnel and third
parties acting on the organization’s behalf and that can pose a compliance risk, with the necessary
knowledge, skills and experience and to create an environment that fosters ethical behaviours to sustain
a compliance culture. The organization should establish objectives of competence management in order to:
— ensure consistency with the objectives of the compliance management system and the business strategy
of the organization;
— ensure activities and opportunities for personnel and third parties acting on the organization’s behalf
and that can pose a compliance risk to acquire the necessary competencies and experiences, including
but not limited to employment processes, training and communications;
— develop, maintain and promote a compliance culture at all levels within the organization;
— implement the requirements of the compliance management system and compliance policy to create an
environment that fosters ethical values and behaviours;
— ensure monitoring, communication, updating as appropriate and availability as documented information.
4.3 Determining competence needs
4.3.1 General
There are various internal and external factors that determine what competences are needed to achieve the
objectives of the compliance management system.
The organization should have processes for determining competence needs by:
— identifying the functions and roles that are responsible for achieving the compliance obligations and/or
that can impact the objectives and performance of its compliance management system;
— understanding and considering these functions and roles for strategic competence management planning,
development and maintenance of needed competencies, which contributes to the intended compliance
performance of the organization.
These functions and roles include but are not limited to the following:
— the governing body and top management;
— compliance functions;
— management;
— risk-exposed personnel;
— third parties acting on the organization’s behalf and that can pose a compliance risk.
The organization should determine and develop the knowledge and skills necessary to meet the objectives
of the compliance management system. An integrated approach should be taken, one with four dimensions
of competence, or “key competencies”:
— personal competence;
— methodological competence;
— technical competence;
— social competence.
The specific knowledge and skills needed should be identified considering relevant factors, including but not
limited to:
— the context of the organization and its operating environment;
— the level of maturity of the organization’s compliance management system.
4.3.2 Organizational competence
The organization should have a process to identify the factors that influence competence needs. The process
should also allow for evaluating the influence of these factors on compliance management, including
changes in these factors and the potential consequences. This process should be carried out regularly and
systematically at the organizational level.
The organization should consider the relevant factors at the organizational level, including but not limited to:
— external issues (e.g. statutory and regulatory requirements, technological advances);
— internal factors (e.g. mission, vision, strategic objectives, values and culture of the organization, range of
activities or services, resource availability, organizational knowledge);
— the needs and expectations of relevant interested parties (e.g. regulators, customers, suppliers, society
at large);
— the compliance management system (e.g. its scope, organizational structure, compliance obligations and
compliance risks related to the organization and the third parties).
4.3.3 Governing body and top management competence
When determining the competence needs of the governing body and top management, the organization
should consider:
— the responsibilities, authorities and commitments required for/of leadership in the compliance
management system;
— the objectives, operational performance and intended results of the compliance management system;
— organizational activities, processes and system;
— the hierarchy, number of personnel and the roles and responsibilities;
— the compliance culture and the ability to cooperate, collaborate and cultivate respect;
— the impact of change upon compliance needs of the governing body and top management.
4.3.4 Compliance function competence
The organization should adopt a standardized approach to:
— determine and evaluate the scope of functions affecting compliance performance;
— measure and evaluate competence needs and expectations of the organization’s compliance function.
The organization should have a standardized approach to determining the knowledge, skills and behaviours
that are required for the roles within the compliance function and that are responsible for the operations of
the competence management in accordance with its compliance management system.
The compliance functions can require continuous updates to reflect changes in the compliance landscape.
The specific knowledge and skills required for compliance function can vary based on the level of the
position.
The organization should determine specific knowledge and skill requirements in respect to the compliance
risks they are assigned to address.
4.3.5 Management competence
The organization should have knowledge of the management roles whose tasks expose them to compliance
risk that can have a negative impact on the achievement of the organization’s compliance performance.
The specific knowledge and skills required for each management role can vary based on the organization's
industry, size, specific compliance obligations and exposure to compliance risks.
The organization should assess their compliance risks within each operational function to determine the
knowledge and skills required for their management roles.
Providing updates on regulatory changes and industry best practices is important for management for
ensuring compliance within their area of responsibility.
4.3.6 Risk-exposed personnel competence
The organization should have knowledge of the personnel whose tasks expose them to the risk of non-
fulfilment of relevant compliance obligations.
The compliance risk-exposed personnel should be identified in relation to individual compliance obligations
that include but are not limited to:
— any member of the governing body and top management;
— any member of the compliance function;
— any member of management from the functions exposed to compliance risks;
— personnel doing work under the control of the organization from functions exposed to compliance risks.
The organization should identify individual competence needs considering:
— the context of the organization;
— the organization’s compliance obligations and risks;
— the roles and responsibilities;
— compliance performance;
— the knowledge attained through education, training and practice;
— practical and professional experiences gained in previous functions;
— due diligence, including reference or background checks.
The organization should review and update the requirements for each function periodically or as necessary.
The organization should assess competence and development needs as an ongoing process to ensure
compliance risk-exposed personnel meet the competence needs.
4.3.7 Third party competence
The organization should ensure that personnel in third party business associates exposed to compliance
risk are identified. It should provide support for establishing and maintaining the competencies needed to
ensure that they can fulfil the compliance obligations as required.
Third parties include but are not limited to contractors, personnel of external organizations and individuals
acting on behalf of the organization.
4.4 Assessing the current state of the competence and development needs
4.4.1 Status needs of competence
The organization should compare its current competence at all levels with required needs as determined in
4.3 to establish if or where action needs to be taken.
For identifying, analysing and assessing gaps of required competencies, the organization should consider,
for example:
— key factors of competence determination;
— the extent of training on compliance policies and practices based on regularly updated training materials;
— adequate documentation and reporting of conducted training and records of participation;
— addressing frequent ethical dilemmas in training;
— the number of compliance violations or a noticeable increase in instances of non-compliance;
— frequent turnover of employees in functions that are exposed to compliance risk;
— increased findings during internal or external compliance audits;
— taking a reactive approach by addressing compliance gaps only after audits or incidents;
— resistance to change by personnel showing reluctance in adopting new compliance practices;
— surveys on personnel satisfaction to gain insight into the compliance culture.
4.4.2 Risk assessment in relation to determination of status and needs of competence
The organization should identify, analyse and assess risks related to the determination of necessary
competencies by considering, for example, factors such as:
— insufficient or outdated criteria due to incomprehensive data, lack of understanding of compliance
obligations, delayed responses to regulatory changes and disregard for industry standards, best
practices and benchmarks;
— incomplete analysis due to failing to conduct a thorough analysis of job roles and their requirements;
— lack of alignment with the business strategy due to prioritizing of short-term goals over the broader
business strategy to establish a workforce that is prepared to support the organization's objectives;
— insufficient validation due to failing to validate the determined competencies with input from relevant
interested parties;
— missing follow-up due to not addressing identifi
...
International
Standard
ISO 37303
First edition
Compliance management
2025-07
systems — Guidance for
competence management
Systèmes de management de la conformité — Recommandations
pour la gestion des compétences
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Competence management . 2
4.1 General .2
4.2 Objectives of competence management .2
4.3 Determining competence needs .3
4.3.1 General .3
4.3.2 Organizational competence .4
4.3.3 Governing body and top management competence .4
4.3.4 Compliance function competence .4
4.3.5 Management competence .4
4.3.6 Risk-exposed personnel competence .5
4.3.7 Third party competence .5
4.4 Assessing the current state of the competence and development needs .5
4.4.1 Status needs of competence .5
4.4.2 Risk assessment in relation to determination of status and needs of competence .6
5 Competence development . 7
5.1 General .7
5.2 Planning .7
5.3 Programme structure .7
5.4 Activities .8
5.4.1 General .8
5.4.2 Competence development activities .8
5.5 Roles and responsibilities .10
6 Evaluation of competence management programme . 10
6.1 General .10
6.2 Evaluating competence management .11
6.3 Maintaining and continuous improvement of competence management .11
Annex A (informative) Competence portfolio .13
Bibliography . 19
iii
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
Introduction
A compliance management system enables an organization to demonstrate its commitment to complying with:
— relevant laws;
— regulatory requirements;
— industry codes;
— organizational standards;
— standards of good governance;
— generally accepted best practices;
— ethics;
— the expectations of the interested parties.
The compliance management system has become an integral part of any organization that aims to be
successful and sustainable in the long term. A compliance management system is made sustainable by
creating a compliance culture within the organization and by establishing common standards of behaviour
and attitude related to compliance. ISO 37301 sets out the requirements and provides guidance for
establishing, developing, implementing, evaluating and improving the competence necessary to ensure
the compliance management system is effective. This document provides guidance to help implement the
requirements related to competence and training in ISO 37301. These requirements are mostly expressed in
ISO 37301:2021, Clause 7.
Competence management is fundamental to an organization's compliance management system and activities.
Competence management helps an organization recognize and determine the competence requirements of
the personnel doing work under its control to implement its compliance management system. Competence
management ensures that persons doing work under the organizations’ control are qualified with knowledge
and skills and have the experience to fulfil the relevant compliance obligations.
Competence management is tailored to the context of the organization. This includes its roles and
responsibilities; planning and support activities; and the operations of the compliance management system.
Compliance management can help the organization evaluate and determine the competence needs, including
the relevant knowledge, skills and experience. It also ensures that the organization:
— fulfils its compliance obligations;
— integrates compliance management into the organization's business processes and operational links;
— develops a compliance culture.
Competence management can also improve the overall efficiency and productivity of the organization's
compliance management system. It can make an important contribution to enhancing personnel
competitiveness and to achieving the strategic direction and expected results of the organization.
Competence is managed through the systematic process of the compliance management system. It follows
the "Plan, do, check, act" method.
This document provides guidance to organizations in addressing issues related to competence management
within its compliance management system. It can also provide guidance for competence management within
other management systems standards.
This document provides guidance on fully integrating competence management within a compliance
management system by following the "Plan, do, check, act" method. Figure 1 outlines this process.
v
Figure 1 — Process for competence management
vi
International Standard ISO 37303:2025(en)
Compliance management systems — Guidance for
competence management
1 Scope
This document provides guidance for the determination and development of competencies necessary to
achieve an organization's compliance management system objectives. It provides guidance for establishing
the adequate level of competencies of certain internal functions and third parties.
This document is applicable to all organizations regardless of the type, size and nature of the activity, as
well as whether the organization is from the public, private or non-profit sector.
This document does not add to, change or otherwise modify requirements for compliance management
system or any other standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37301 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO 37301:2021, 3.9]
3.2
knowledge
human or organizational asset enabling effective decisions and action in context
[SOURCE: ISO 30401:2018, 3.25, modified — Note 1 to entry, Note 2 to entry and Note 3 to entry have been
removed.]
3.3
skill
learned capacity to perform a task to a specified expectation
[SOURCE: ISO 30401:2018, 3.30]
3.4
competence management
systematic approach to identifying, determining, assessing and continuously improving competencies
needed within an organization to ensure that individuals have the required knowledge (3.2) and skills (3.3)
to meet organizational objectives
Note 1 to entry: Competence management also encompasses the strategic planning and oversight of competencies at
an organizational level. This includes the encouragement of person(s) to acquire new or advanced competence (3.1) by
creating learning and training opportunities and circumstances in which acquired competencies can be applied.
3.5
behaviour
way in which someone acts, reacts and interacts with others in a certain situation
Note 1 to entry: Behaviour can be shaped by personal values, beliefs, habits and social norms. It can reflect a person's
attitudes and feelings. This includes their emotional intelligence and their ability to remain calm in a crisis, maintain
concentration during monotonous work and work cooperatively.
4 Competence management
4.1 General
The organization should identify and assess competence needs and improve the competence of person(s)
doing work under its control that affects its compliance performance. Competence requires knowledge,
skills and experience so that person(s) can perform their function(s) in such ways that support the objectives
of the compliance management system.
The organization should determine competency criteria for the development, implementation, monitoring
and continual improvement of the compliance management system, as well as for compliance risk areas in
relation to relevant compliance obligations.
The competence criteria should be determined for person(s) doing work under the organization's control
that can affect its compliance performance, including functions assigned to roles and responsibilities in
the compliance management system, and personnel and third parties that pose a compliance risk to the
organization.
The organization should determine the expected and common standard of ethical and professional
behaviours related to the relevant compliance obligations to foster compliance.
The organization should review and update the competence needs for each function, either periodically or as
necessary, to ensure personnel are able to fulfil the compliance obligations and objectives of the compliance
management system.
Documented information should be maintained as appropriate to provide support and demonstrate:
— the determination at the level of the organization, the governing body, top management, compliance
function, management, risk-exposed personnel and relevant third parties;
— the results of individual qualifications, performance and appraisal;
— the achievements of development programmes and other initiatives, e.g. training;
— the evaluation of the impact of competence management and associated actions.
4.2 Objectives of competence management
The intended result of competence management is to provide the organization, its personnel and third
parties acting on the organization’s behalf and that can pose a compliance risk, with the necessary
knowledge, skills and experience and to create an environment that fosters ethical behaviours to sustain
a compliance culture. The organization should establish objectives of competence management in order to:
— ensure consistency with the objectives of the compliance management system and the business strategy
of the organization;
— ensure activities and opportunities for personnel and third parties acting on the organization’s behalf
and that can pose a compliance risk to acquire the necessary competencies and experiences, including
but not limited to employment processes, training and communications;
— develop, maintain and promote a compliance culture at all levels within the organization;
— implement the requirements of the compliance management system and compliance policy to create an
environment that fosters ethical values and behaviours;
— ensure monitoring, communication, updating as appropriate and availability as documented information.
4.3 Determining competence needs
4.3.1 General
There are various internal and external factors that determine what competences are needed to achieve the
objectives of the compliance management system.
The organization should have processes for determining competence needs by:
— identifying the functions and roles that are responsible for achieving the compliance obligations and/or
that can impact the objectives and performance of its compliance management system;
— understanding and considering these functions and roles for strategic competence management planning,
development and maintenance of needed competencies, which contributes to the intended compliance
performance of the organization.
These functions and roles include but are not limited to the following:
— the governing body and top management;
— compliance functions;
— management;
— risk-exposed personnel;
— third parties acting on the organization’s behalf and that can pose a compliance risk.
The organization should determine and develop the knowledge and skills necessary to meet the objectives
of the compliance management system. An integrated approach should be taken, one with four dimensions
of competence, or “key competencies”:
— personal competence;
— methodological competence;
— technical competence;
— social competence.
The specific knowledge and skills needed should be identified considering relevant factors, including but not
limited to:
— the context of the organization and its operating environment;
— the level of maturity of the organization’s compliance management system.
4.3.2 Organizational competence
The organization should have a process to identify the factors that influence competence needs. The process
should also allow for evaluating the influence of these factors on compliance management, including
changes in these factors and the potential consequences. This process should be carried out regularly and
systematically at the organizational level.
The organization should consider the relevant factors at the organizational level, including but not limited to:
— external issues (e.g. statutory and regulatory requirements, technological advances);
— internal factors (e.g. mission, vision, strategic objectives, values and culture of the organization, range of
activities or services, resource availability, organizational knowledge);
— the needs and expectations of relevant interested parties (e.g. regulators, customers, suppliers, society
at large);
— the compliance management system (e.g. its scope, organizational structure, compliance obligations and
compliance risks related to the organization and the third parties).
4.3.3 Governing body and top management competence
When determining the competence needs of the governing body and top management, the organization
should consider:
— the responsibilities, authorities and commitments required for/of leadership in the compliance
management system;
— the objectives, operational performance and intended results of the compliance management system;
— organizational activities, processes and system;
— the hierarchy, number of personnel and the roles and responsibilities;
— the compliance culture and the ability to cooperate, collaborate and cultivate respect;
— the impact of change upon compliance needs of the governing body and top management.
4.3.4 Compliance function competence
The organization should adopt a standardized approach to:
— determine and evaluate the scope of functions affecting compliance performance;
— measure and evaluate competence needs and expectations of the organization’s compliance function.
The organization should have a standardized approach to determining the knowledge, skills and behaviours
that are required for the roles within the compliance function and that are responsible for the operations of
the competence management in accordance with its compliance management system.
The compliance functions can require continuous updates to reflect changes in the compliance landscape.
The specific knowledge and skills required for the compliance function can vary based on the level of the
position.
The organization should determine specific knowledge and skill requirements in respect to the compliance
risks they are assigned to address.
4.3.5 Management competence
The organization should have knowledge of the management roles whose tasks expose them to compliance
risk that can have a negative impact on the achievement of the organization’s compliance performance.
The specific knowledge and skills required for each management role can vary based on the organization's
industry, size, specific compliance obligations and exposure to compliance risks.
The organization should assess their compliance risks within each operational function to determine the
knowledge and skills required for their management roles.
Providing updates on regulatory changes and industry best practices is important for management for
ensuring compliance within their area of responsibility.
4.3.6 Risk-exposed personnel competence
The organization should have knowledge of the personnel whose tasks expose them to the risk of
non-fulfilment of relevant compliance obligations.
The compliance risk-exposed personnel should be identified in relation to individual compliance obligations
that include but are not limited to:
— any member of the governing body and top management;
— any member of the compliance function;
— any member of management from the functions exposed to compliance risks;
— personnel doing work under the control of the organization from functions exposed to compliance risks.
The organization should identify individual competence needs considering:
— the context of the organization;
— the organization’s compliance obligations and risks;
— the roles and responsibilities;
— compliance performance;
— the knowledge attained through education, training and practice;
— practical and professional experiences gained in previous functions;
— due diligence, including reference or background checks.
The organization should review and update the requirements for each function periodically or as necessary.
The organization should assess competence and development needs as an ongoing process to ensure
compliance risk-exposed personnel meet the competence needs.
4.3.7 Third party competence
The organization should ensure that personnel in third party business associates exposed to compliance
risk are identified. It should provide support for establishing and maintaining the competencies needed to
ensure that they can fulfil the compliance obligations as required.
Third parties include but are not limited to contractors, personnel of external organizations and individuals
acting on behalf of the organization.
4.4 Assessing the current state of the competence and development needs
4.4.1 Status needs of competence
The organization should compare its current competence at all levels with required needs as determined in
4.3 to establish if or where action needs to be taken.
For identifying, analysing and assessing gaps of required competencies, the organization should consider,
for example:
— key factors of competence determination;
— the extent of training on compliance policies and practices based on regularly updated training materials;
— adequate documentation and reporting of conducted training and records of participation;
— addressing frequent ethical dilemmas in training;
— the number of compliance violations or a noticeable increase in instances of non-compliance;
— frequent turnover of employees in functions that are exposed to compliance risk;
— increased findings during internal or external compliance audits;
— taking a reactive approach by addressing compliance gaps only after audits or incidents;
— resistance to change by personnel showing reluctance in adopting new compliance practices;
— surveys on personnel satisfaction to gain insight into the compliance culture.
4.4.2 Risk assessment in relation to determination of status and needs of competence
The organization should identify, analyse and assess risks related to the determination of necessary
competencies by considering, for example, factors such as:
— insufficient or outdated criteria due to incomprehensive data, lack of understanding of compliance
obligations, delayed responses to regulatory changes and disregard for industry standards, best
practices and benchmarks;
— incomplete analysis due to failing to conduct a thorough analysis of job roles and their requirements;
— lack of alignment with the business strategy due to prioritizing of short-term goals over the broader
business strategy to establish a workforce that is prepared to support the organization's objectives;
— insufficient validation due to failing to validate the determined competencies with input from relevant
interested parties;
— missing follow-up due to not addressing identified competence gaps and infrequent evaluations of the
effectiveness of the competence framework;
— overloading competencies due to including too many competencies and missing focus on the most critical
factors of a role;
— unrealistic expectations due to setting competence expectations too high or that are not practical for the
role leading to frustration and demotivation;
— overemphasis on formal qualifications due to focus on formal qualifi
...









