Compliance management system according to ISO 37301

Legally compliant. Audit-proof. Effective. – Professional setup and implementation for companies and public authorities.

An effective compliance management system (CMS) is essential for organizations of all sizes today. The international standard ISO 37301 sets out precise requirements and guidelines on how organizations can systematically fulfill their legal, regulatory, and internal obligations—and how they can establish a robust and active culture of integrity.

We support companies and public institutions in the complete setup, further development, and audit-proof implementation of a CMS that meets the requirements of ISO 37301—and works in practice.

Why ISO 37301?

ISO 37301 is the globally applicable standard for compliance management systems. Unlike its predecessor ISO 19600, which only offered guidance, it is a genuine requirements standard: it defines not just recommendations but concrete, auditable requirements that a CMS must meet.

Among other things, it demands:

  • A risk- and action-based CMS
  • Active leadership and role-model function of top management
  • Clear roles, responsibilities, and accountabilities
  • A systematic screening of rights and obligations ("legal register")
  • Process and control systems for monitoring compliance
  • Documented evidence of effectiveness
  • Mechanisms for continuous improvement (PDCA cycle)

ISO 37301 thus forms the foundation of organized legal compliance and helps protect management and the organization from liability and reputational risks in a way that can be demonstrated to third parties.

What a compliance system according to ISO 37301 must include

The standard follows the so-called Harmonized Structure shared by all modern ISO management system standards (including ISO 9001, ISO 27001, and ISO 45001), so it can be integrated with existing management systems.

A complete CMS comprises:

1. Context analysis & compliance risks

  • Analysis of the business environment
  • Identification of all compliance obligations
  • Risk analysis according to severity and probability of occurrence
  • Prioritization of risks and assignment of risk owners ("risk ownership")

2. Governance & Leadership

  • Active support from top management
  • Compliance policy and values
  • Role-model function ("tone from the top")
  • Clear roles such as compliance officers/representatives

This point is the central requirement for ISO 37301 certification.

3. Legal register & monitoring

The standard requires an up-to-date legal register in order to continuously review all applicable regulations and reflect any changes.

4. Processes, controls, and documentation

5. Monitoring, audits, and continuous improvement

  • Internal audits according to ISO 19011
  • KPIs and effectiveness indicators
  • Measures to be taken in case of deviations
  • PDCA cycle

How ISO 37301 is implemented in practice

Implementation takes place in several steps:

Step 1: Analysis & gap assessment

We review the status quo based on ISO 37301 requirements and identify gaps.

Step 2: Compliance risk analysis

We conduct a structured risk analysis (strategic, operational, legal).

Step 3: Establishing/optimizing governance

  • Development of risk mitigation measures (catalogue of measures)
  • Roles (Compliance Officer, Risk Owner, CMS Manager)
  • Reporting lines
  • Policy architecture

Step 4: Documentation & legal register

Introduction or optimization of a legally compliant register of rights and obligations.

Step 5: Training & Culture

Compliance only works when it is understood, not when it is merely documented. We develop efficient, legally sound training concepts for managers and employees.

Step 6: Internal audits & certification preparation

We accompany you all the way to successful certification—or to audit-proof internal verification.

Our service: Client-focused, effective, and audit-proof

We provide comprehensive support in setting up a CMS in accordance with ISO 37301:
✔ Setting up a complete CMS in accordance with ISO 37301
✔ Further development of existing systems
✔ Performing ISO 37301 readiness analyses
✔ Setting up export control Internal Compliance Programmes (ICP)
✔ Compliance and enterprise risk assessments
✔ Creation of all guidelines, processes, and evidence
✔ Training and management briefings
✔ Preparation for certifications
✔ Support in dealing with supervisory and penalty authorities

Why you should build your ISO 37301 system with us

We combine legal precision, practical implementation, and experience from companies and public authorities.

Your advantages:

  • Deep understanding of complex organizations
  • Extensive experience in governance and compliance
  • Compliant, audit-proof implementation
  • Scientifically based methods
  • High implementation orientation
  • Clear language instead of management jargon
  • Experienced experts

A CMS in accordance with ISO 37301 not only protects the organization, but also provides those responsible with demonstrable evidence that they have met their duties of care (Section 43 GmbHG, Section 93 AktG).

For companies and public authorities: Compliance that pays off

An effective compliance management system offers tangible added value for companies and public authorities. It reduces key risks, from liability risks and the threat of fines for breach of supervisory duty under Section 130 of the German Administrative Offenses Act (OWiG) to reputational damage, governance deficits, and risks arising from supervisory failures. At the same time, a professionally structured CMS creates the basis for demonstrating compliance with organizational and monitoring obligations to authorities and supervisory bodies at any time.

Dr. Tony Rostalski
Lawyer
Specialist lawyer for criminal law

Do you have questions on this topic or need support? Please contact us directly.



Request a consultation now

We accompany you from the initial analysis to the audit-proof implementation of ISO 37301.

Dr. Tony Rostalski
Attorney at Law | Specialist in Criminal Law
ROSTALSKI Commercial Criminal Law & Compliance – Cologne
Lindenallee 43
50968 Cologne

Email: kanzlei@rostalski.legal

Phone: +49 (0)221 2926 5840

ROSTALSKI is an independent law firm based in Cologne. We specialize in commercial criminal law, compliance consulting, and the development of effective organizational structures. Our clients include private individuals, executives, companies, and public sector clients. The firm is regularly recognized as a top address in rankings by WirtschaftsWoche, Handelsblatt, and FOCUS Business.