ISO/TC 309 - Governance of organizations

This document provides guidance to organizations on how to identify, assess, resolve and monitor conflict of interest based on the principles of trust, integrity, transparency and accountability. The guidance in this document is generic and intended to be applicable to all organizations, regardless of type, size and nature of activity and whether in the public, private or not-for-profit sectors. It distinguishes between actual, apparent and potential conflict of interest.

This document establishes principles and an evaluation indicator framework for assessing the effectiveness of a compliance management system. This includes evaluation criteria for specified indicators. This document also provides guidance as well as suggestions on the evaluation model. The guidance provided in this document aims to support the monitoring, measurement, analysis and evaluation of a compliance management system. It aims to support management review of the compliance management system to foster continual improvement. It does not add to, change or otherwise modify requirements for compliance management systems or any other standards. This document is applicable to the activities for evaluating the effectiveness of the compliance management system in all organizations, regardless of the type, size and nature, including organizations from the public, private or non-profit sector.

This document provides guidance for the determination and development of competencies necessary to achieve an organization's compliance management system objectives. It provides guidance for establishing the adequate level of competencies of certain internal functions and third parties. This document is applicable to all organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector. This document does not add to, change or otherwise modify requirements for compliance management system or any other standards.

This document provides guidance for organizations for the development, implementation and maintenance of an effective fraud control management system (FCMS). This includes fraud prevention, early detection of fraud and effective response to fraud events that have occurred or can occur in the future. The document provides guidance for managing the risk of fraud, including: a) internal fraud against the organization; b) external fraud against the organization; c) internal fraud in collaboration with business associates or other third parties; d) external fraud in collaboration with the organization’s personnel; e) fraud by the organization or by persons purporting to act on behalf of and in the interests of the organization. This document is applicable to all organizations, regardless of type, size, nature of activity and whether in the public or private, profit or not-for-profit sectors. It is not intended to assist consumers in preventing, detecting or responding to what is generally termed "consumer fraud".

This document specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system. This document addresses the following in relation to the organization's activities: — bribery in the public, private and not-for-profit sectors; — bribery by the organization; — bribery by the organization's personnel acting on the organization's behalf or for its benefit; — bribery by the organization's business associates acting on the organization's behalf or for its benefit; — bribery of the organization; — bribery of the organization's personnel in relation to the organization’s activities; — bribery of the organization's business associates in relation to the organization’s activities; — direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party). This document is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities. The requirements of this document are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5. NOTE 1 See Clause A.2 for guidance. NOTE 2 The measures necessary to prevent, detect and mitigate the risk of bribery by the organization can be different from the measures used to prevent, detect and respond to bribery of the organization (or its personnel or business associates acting on the organization's behalf). See A.8 for guidance.

This document provides guidance to governing bodies on how to approach the development and use of indicators in their governing activities. This document is primarily written for use by governing bodies, it is also written to be of relevance to a range of other stakeholders inside and outside of the organization to help them improve the quality of the information on which they assess and make decisions regarding the organization’s governance. It is applicable to all organizations regardless of type, size, location, structure or purpose. This document does not cover indicators of effective governance.

This document gives guidance on evaluating the establishment of governance conditions and on the application of governance principles with consideration for the ISO 37000 key aspects of practice. It sets out the concept of governance maturity and its measurement and provides a governance maturity measurement framework, associated governance maturity scale and a governance maturity model. This document is applicable to all types and sizes of organizations no matter their location.

This document gives guidance on internal investigations within organizations, including: — the principles; — support for investigations; — establishment of the policy, procedures, processes and standards for carrying out and reporting on an investigation; — the reporting of investigation results; — the application of remedial measures. This document is applicable to all organizations regardless of type, size, location, structure or purpose. NOTE See Annex A for guidance on the use of this document.

This document specifies the competence requirements for personnel involved in the audit and certification process for compliance management systems (CMS). It complements the existing requirements of ISO/IEC 17021‑1.

This document gives guidance on the governance of organizations. It provides principles and key aspects of practices to guide governing bodies and governing groups on how to meet their responsibilities so that the organizations they govern can fulfil their purpose. It is also intended for stakeholders involved in, or impacted by, the organization and its governance. It is applicable to all organizations regardless of type, size, location, structure or purpose.

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps: a) receiving reports of wrongdoing; b) assessing reports of wrongdoing; c) addressing reports of wrongdoing; d) concluding whistleblowing cases. The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors. The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.

This document specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective compliance management system within an organization. This document is applicable to all types of organizations regardless of the type, size and nature of the activity, as well as whether the organization is from the public, private or non-profit sector. All requirements specified in this document that refer to a governing body apply to top management in cases where an organization does not have a governing body as a separate function.

ISO 37001:2016 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system. ISO 37001:2016 addresses the following in relation to the organization's activities: · bribery in the public, private and not-for-profit sectors; · bribery by the organization; · bribery by the organization's personnel acting on the organization's behalf or for its benefit; · bribery by the organization's business associates acting on the organization's behalf or for its benefit; · bribery of the organization; · bribery of the organization's personnel in relation to the organization's activities; · bribery of the organization's business associates in relation to the organization's activities; · direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party). ISO 37001:2016 is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities. ISO 37001:2016 does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities. The requirements of ISO 37001:2016 are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.

ISO 19600:2014 provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization. The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.