Building Block 1
Principles
Good governance, proportionality, integrity, transparency, accountability and sustainability. They form the ethical and organisational foundation of the entire CMS.
6 Core PrinciplesCONSUVATION GmbH guides you in building an effective compliance management system according to ISO 37301:2021 – from the initial gap analysis through to successful certification. With more than 25 years of consulting experience, our own correlation matrix, and 100% senior consultants. For the DACH region and international clients.
Quick Check
Find out in 30 seconds where your company stands on compliance management according to ISO 37301 – free & without registration.
At a Glance
ISO 37301 is the world's leading standard for compliance management systems (CMS). It defines how organisations systematically comply with, monitor and continuously improve adherence to legal, contractual and internal requirements.
Published in 2021, the standard replaces the pure guideline ISO 19600 and is designed as a genuine certification standard (Type A). It is based on the principles of good governance, proportionality, integrity, transparency and sustainability, and follows the PDCA cycle.
A key element is the whistleblowing system – confidential reporting channels and a fair, timely investigation of incidents are core requirements of any effective CMS.
Our consultants combine compliance expertise with practical experience from ISO 27001, ISO 37001 and risk management projects. This cross-cutting perspective makes us an experienced partner for integrating ISO 37301 into your existing management systems in the DACH region.
ISO 37301:2021 – Standard Structure
ISO 37301 is a requirements standard with a clear high-level structure: principles, the compliance function and a systematic compliance risk process work together.
Building Block 1
Good governance, proportionality, integrity, transparency, accountability and sustainability. They form the ethical and organisational foundation of the entire CMS.
6 Core PrinciplesBuilding Block 2
Clear responsibilities between senior management, the compliance officer and the compliance function. Leading by example ("tone from the top") is key to a genuinely lived compliance culture.
Governance & ResponsibilityBuilding Block 3
A risk-based approach modelled on ISO 31000: identify, assess, treat and monitor compliance risks – tailored to the organisation's size and risk exposure.
Risk-Based PDCA CycleBuilding Block 4
Confidential reporting channels for employees, business partners and other stakeholders. Fair, independent and timely investigation of every reported incident – a key new element compared to ISO 19600.
Whistleblowing RequirementBuilding Block 5
Documented end-to-end processes for identifying, assessing, controlling and monitoring compliance requirements – visualised as a flowchart and directly applicable in day-to-day operations.
Documented & VisualisedOur Tool
Rather than a mere collection of policies, we deliver a documented and visualised process model that translates the requirements of ISO 37301 into a repeatable, auditable workflow – from identifying a compliance requirement through to verifying its effectiveness.
Our Approach
Structured, predictable and without surprises – our proven approach follows the ISO 37301 compliance management process and results in a CMS that is genuinely lived in everyday business.
01
Free initial consultation, defining the scope and context, identifying relevant legal and compliance requirements, creating a project plan.
02
Current-state assessment of existing compliance management, comparison against the requirements of ISO 37301:2021, identifying gaps and action areas.
03
Defining governance, roles and responsibilities, documenting compliance policies, embedding the compliance function organisationally.
04
Identifying, analysing and prioritising compliance risks. Creating a risk register, deriving controls and measures.
05
Implementing confidential reporting channels, defining investigation processes, training managers and employees.
06
Conducting internal audit and management review, supporting the certification audit (Stage 1 & 2), establishing continual improvement.
ISO 37301 & Other Standards
ISO 37301 integrates seamlessly into existing management systems – the shared high-level structure of all ISO standards makes this possible. CONSUVATION connects compliance management with your established standards.
ISO 37001 specialises in anti-bribery management systems as a sub-area of compliance. Both standards follow the same structure and can be certified together with manageable additional effort.
Compliance risk management under ISO 37301 is methodologically modelled on ISO 31000. Companies already applying ISO 31000 can use their established risk methodology directly for compliance risks.
Data protection and information security compliance are core components of a CMS. ISO 27001 provides the technical and organisational measures, while ISO 37301 embeds them within the overarching compliance framework.
ISO 37301 replaces the earlier guideline ISO 19600 and turns it into a genuine certification standard. Companies with an ISO-19600-oriented CMS only need a manageable gap assessment, not a complete rebuild.
Data protection is a classic compliance risk. An effective CMS under ISO 37301 ensures that GDPR requirements are systematically monitored, violations are detected, and incidents can be reported through the whistleblowing system.
Both standards follow the same high-level structure and the PDCA cycle. Companies with an established QMS can integrate compliance requirements into their integrated management system with significantly reduced effort.
Core Elements
ISO 37301 requires more than a collection of policies – it's about a genuinely lived compliance culture, clear responsibilities and a functioning risk process.
Identifying relevant legal, contractual and internal requirements, defining the scope of the CMS, involving stakeholder expectations.
Senior management actively takes responsibility for compliance ("tone from the top"), provides resources, and appoints an independent compliance function.
Systematically identifying, analysing and prioritising compliance risks – risk-based, according to the organisation's size, industry and exposure.
Establishing confidential, easily accessible reporting channels, ensuring the protection of whistleblowers' identity, investigating incidents independently and promptly.
Regularly training employees and managers on compliance topics, actively communicating the compliance culture, embedding a code of conduct.
Regularly evaluating the effectiveness of the CMS through internal audits and management review, consistently following up on violations, incorporating lessons learned.
Implementation Checklist
Services
From gap analysis to successful certification – everything from a single source, with senior consultants and our own correlation matrix.
01
Systematic comparison of current state vs. target state against the requirements of ISO 37301:2021: what exists, what's missing, what needs to be prioritised – clearly documented with a measures plan.
02
Complete build-up according to ISO 37301: governance, roles, compliance policies, risk register, whistleblowing system and documentation.
03
Structured identification and assessment of compliance risks, prioritisation according to defined criteria, selection of suitable controls and measures.
04
Linking the CMS with ISO 27001, ISO 9001, ISO 37001 and ISO 31000 – a consistent compliance framework instead of isolated point solutions.
05
Setting up confidential reporting channels, defining the investigation process, protecting whistleblowers – including training for responsible staff.
06
Support from documentation through to the certification audit (Stage 1 & 2): system analysis, internal audit, management review – prepared to be audit-ready.
07
Compliance training for all levels: basics for employees, in-depth training for compliance officers, management briefings on governance obligations.
08
Ongoing support for compliance operations: regular audits, updating the risk register, supporting recertification after three years.
Frequently Asked Questions
Our ISO 37301 Solutions
Project plan, process models, training portal, dashboard and an external compliance officer – all from a single source. Scalable for small, medium and large enterprises.
The 6 Building Blocks of Our Complete ISO 37301 Solution
Compliance Management System
Foundation & Steering
Policies & Risk Register
All Core Principles
Compliance Process Model
Documented & Visualised
Training Portal
DE & EN, with test
Whistleblowing System
Reporting & Investigation
External Compliance Officer
Remote + optional on-site
Entry-level solution for small companies. Includes all essential building blocks for a first functioning compliance management system – pragmatic, fast and cost-efficient.
Complete ISO 37301 solution for mid-sized companies – including whistleblowing system, training portal and an external compliance officer on demand.
Maximum solution for complex organisations – with an individual project structure plan, on-site support, certification preparation, and integration with ISO 27001, ISO 9001 or ISO 37001.
All packages include an individual project plan tailored to your company. Remote guidance included – on-site appointments available on request. Schedule a Consultation Now →
Our Expertise
CONSUVATION exclusively employs senior consultants. With more than 25 years of consulting experience in information security, risk management and compliance, we are among the most experienced compliance consultancies in the DACH region.
Our consultants bring compliance experience from numerous ISO 27001, ISO 37001 and risk management projects. They combine this practice-proven knowledge with the requirements of ISO 37301:2021 to develop a CMS that is genuinely lived in everyday operations.
As active members of ISO working groups, we bring insider knowledge that flows directly into your compliance implementation.
Our Tool: ISO 37301 Correlation Matrix
CONSUVATION has developed its own correlation matrix for compliance requirements, mapping all relevant standards – ISO 37301, ISO 37001, ISO 27001, ISO 9001 and ISO 31000. This allows us to spot synergies immediately and produce a complete gap analysis in the shortest possible time – without duplicate work, with maximum standard coverage.
Experienced compliance management consultants – from gap analysis to successful certification
The most renowned ISACA certifications – from IT audit to IT governance to compliance management
Integrated compliance framework for all related standards – in one project, without duplicate work
Compliance experience from information security, risk management and anti-bribery projects
Get Started Now
Get advice from an experienced CONSUVATION consultant – free, non-binding and without empty phrases.