Module 10:  The benefits and requirements of ISO 37001

Requirements: (15) Controls over business associates

Controlled business associates

The organisation should ensure that all other organisations over which it has control implement reasonable and proportionate anti-bribery procedures. 

An organisation might have control, for example, over a subsidiary, joint venture or consortium, either through exercising management control or through having a majority ownership interest.

Non-controlled business associates

In relation to business associates over which the organisation has no control, and in relation to which the organisation’s risk assessment has identified a more than low bribery risk, the organisation should, where it is reasonable to do so, take steps to ensure that its business associate has in place appropriate anti-bribery procedures which include the relevant business transaction within their scope.

Contractual provisions

The organisation should, as far as is reasonable, ensure that all contracts between the organisation and any business associate which poses a more than low bribery risk:

  • contain a prohibition of bribery
  • allow the organisation to terminate the contract in the event of bribery by the business associate.

Inability to ensure that these controls are in place

Where it is not reasonable for the organisation to ensure that its business associate has in place appropriate anti-bribery procedures, or to ensure that the contract contains an anti-bribery prohibition and termination rights, then the absence of such procedures or provisions should be taken into account by the organisation as a negative factor in undertaking the risk assessment on the business associate.

14 of 22

January 2025