Improvement for ISO 37001 Anti-Bribery

ISO 37001 Clause 10

Improvement - non-conformity and corrective action, plus continual improvement of the ABMS.

ISO 37001 Clause 10 - Improvement

Clause 10 closes the management system loop. The previous clauses set up the system, run it and evaluate it. Clause 10 takes what evaluation reveals and turns it into change. The clause has two sub-clauses - 10.1 covers continual improvement and 10.2 covers the response to non-conformity through corrective action.

Why Improvement Matters for Anti-Bribery

An ABMS that is not improving over time is going backwards. The risk environment changes - new business associates, new countries, new transaction types, regulatory developments, lessons learned from concerns and investigations. The control set that was effective last year may not be effective this year. Clause 10 requires the organisation to act on what it learns rather than just record it.

Both sub-clauses produce documented information that demonstrates the system is alive. Corrective action records under 10.2 and improvement decisions under 10.1 are evidence the management system responds to what evaluation surfaces. Without this evidence, the ABMS looks static and the auditor will say so.

How 10.1 and 10.2 Differ

10.2 deals with non-conformity - something has happened that should not have happened, and the organisation has to react, deal with consequences, eliminate the cause and check the same will not happen again. 10.1 is broader - it requires continual improvement of the suitability, adequacy and effectiveness of the ABMS, whether or not anything has gone wrong. 10.1 covers the planned step-changes that come from management review and the function review under 9.4. 10.2 covers the reactive response to specific non-conformities.

The two sub-clauses work together. Corrective action under 10.2 fixes specific issues. Continual improvement under 10.1 takes the lessons from those issues and from the audit and review process and feeds them back into the ABMS design. A pattern of similar non-conformities is itself an input to continual improvement - it tells you the system needs a structural change, not just another corrective action.

I look at the corrective action records and the trend data. A small number of corrective actions does not necessarily mean a strong system - it can mean the organisation is not finding issues. A larger number of corrective actions with evidence of root cause analysis and trends being acted on is often a stronger sign. The standard does not penalise organisations for finding non-conformities - it expects them to.

Practical Compliance Guidance

Improvement actions are tracked using F-Q16 Improvement Request, with non-conformities and corrective actions logged on ER1 Issues and Actions Register. The 37001-specific F-Q3 management review captures continual improvement decisions.

The documents below support the improvement activities required by Clause 10.

| alphaZ document | How to use it |
| --- | --- |
| ISO 37001 Toolkit | Complete documentation set for ISO 37001:2025 compliance, including the IMS1 Manual, the PP-1-19 Anti-bribery procedure and all supporting registers and forms. |
| F-Q16 Improvement Request | Records improvement requests from any source - non-conformities, audit findings, monitoring data, management review. |
| ER1 Issues and Actions Register | Logs issues and tracks both corrective and improvement actions to closure. |
| F-Q3 Anti-bribery Management Review | Captures continual improvement decisions as outputs of management review. |
| F-IMS34 Anti-bribery Compliance Register | ABMS compliance data - the trend information that drives continual improvement decisions. |

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The standard requires continual improvement and corrective action when needed but does not prescribe a frequency or a minimum number of improvement actions. The expectation is that improvement is a feature of how the ABMS operates, not a separate scheduled activity.
A fix corrects the immediate issue. Corrective action under 10.2 also evaluates the cause, determines whether similar issues exist or could occur, and changes the ABMS if needed to prevent recurrence. The standard explicitly distinguishes between dealing with the consequences (the fix) and addressing the cause (the corrective action). Both are required.
Records of non-conformities and the corrective actions taken, evidence of root cause analysis, evidence of effectiveness review of corrective actions, and evidence of continual improvement decisions arising from management review and other inputs. Trend data showing how the ABMS has evolved over time is strong evidence that 10.1 is being met.

UK Legislation

Improvement of bribery controls supports the corporate due-diligence defences in UK legislation - acting on identified weaknesses is part of demonstrating ongoing diligence.
