Insight · January 28, 2026
The most useful thing I've learned auditing ISO 37001: you probably already have most of the controls
The instinct when facing a new management-system standard is to build a parallel compliance universe. For anti-bribery controls, that instinct is almost always wrong.
The common misconception with ISO 37001 is that certification means building an entirely new control environment from nothing. In practice, most organisations already run the bulk of what the standard requires somewhere in the business: segregation of duties on payments, competitive tendering, background screening for higher-risk roles, a gifts and hospitality register, a whistleblowing channel. The real work is finding those controls, mapping them formally against the standard, and closing whatever specific gaps remain, not starting over.
The sequence that actually works: inventory every control across finance, procurement, HR and legal with a plausible bearing on bribery risk, map each one to the specific clause it satisfies, run a gap analysis clause by clause rather than assuming coverage exists, and only then adopt what already works into the management system, named owner, explicit bribery-risk purpose, included in monitoring and audit, before building anything new.
The most common finding in any gap analysis I've reviewed isn't an absent control. It's a control that works perfectly well for its original purpose and was simply never brought inside the ABMS, no bribery-risk purpose attached to it, no ownership under the system, never touched by the management review cycle. Fixing that is a documentation and governance exercise, not a rebuild, which is exactly why it gets underestimated and then rushed right before an audit instead of handled properly the first time.
Written by Scott Lane, Founder & Chief Executive Officer, Speeki
Contact for media →Cite this page
Lane, S. (2026). The most useful thing I've learned auditing ISO 37001: you probably already have most of the controls. Speeki Experts. Retrieved July 14, 2026, from https://experts.speeki.com/scott-lane/insights/iso-37001-you-probably-already-have-most-of-the-controls