29 January 2026 | Antibribery

Perspective on Due Diligence in the ISO 37001:2025 Standard

Author: Daniel Peña | Technical Developer

Due diligence is one of the fundamental pillars of an anti-bribery management system under the ISO 37001:2025 standard. Its purpose is to allow the organization to identify, assess, and manage bribery risks associated with third parties, projects, transactions, and business relationships. It is not just about gathering information; it is about making informed decisions that are proportional to the level of risk.

In this blog, we explain what the standard requires, who must perform due diligence, and how to implement it practically and effectively.

What does ISO 37001:2025 require regarding due diligence?

The standard establishes that organizations must implement a due diligence process that:

  • Is proportional to the identified risks: For example, a small company with a low level of exposure will not apply the same level of analysis as a multinational corporation working with multiple intermediaries in high-risk countries.

  • Is applied before and during any business relationship: It is not enough to evaluate a third party only at the beginning. Periodic monitoring must be maintained, especially if the nature of the relationship changes, new information comes to light, the context of the country/region shifts, or red flags emerge.

  • Enables informed decision-making: The information gathered must allow you to determine whether to approve the relationship; mitigate certain risks (via contracts, clauses, or additional controls); or reject/terminate the relationship.

To whom should due diligence be applied?

The standard revolves around the premise: “If the person or entity can generate, facilitate, or be involved in bribery, they must be subject to due diligence.”

Considering this, due diligence applies to all parties that may generate a bribery risk, such as:

  • Third parties: Including suppliers and contractors; intermediaries, distributors, and sales agents; consultants and advisors; joint venture partners; authorized representatives; and persons acting on behalf of the organization.

  • Specific projects and activities: Such as tenders and bids; expansion into new markets; operations in countries with a high risk of bribery; and externally funded projects.

  • Internal personnel in sensitive roles: Always proportional to their level of risk exposure. This includes personnel in purchasing, sales and business development, government relations, top management, and anyone who negotiates, manages contracts, or makes payments on behalf of the organization.

  • Business associates: For example, mergers and acquisitions, strategic alliances, investors, among others.

How should an organization conduct due diligence?

The standard does not mandate a single method, but it does define the essential elements to consider. Some of these elements are:

  • Identify and classify the risk: You must be clear on the level of risk the evaluated party represents. Consider factors such as:

    • The country or region of operation.
    • The amounts involved.
    • Relationships with public officials.
    • Reputational history.
    • Ownership structure and ultimate beneficial owners.

    A very useful tool for this element is a risk matrix to determine the required level of due diligence.

  • Execute due diligence at the appropriate level: You can establish three levels of depth depending on the risk, and you must document the reasons why a specific level of due diligence was applied.

  • Make decisions based on results: Use the gathered information to take actions such as establishing additional controls, clauses, training, or audits; terminating or suspending a relationship with a partner; or rejecting a relationship with a new partner. Do not forget to maintain evidence that the decision was reasoned and justified.

  • Monitor and update: Establish a continuous monitoring system (annual, semi-annual, or even quarterly depending on the risk level). Set up monitoring especially for long-term contracts, suppliers or agents in high-risk countries, government-related services, and activities where the third party acts on behalf of the organization.

  • Roles and responsibilities within the organization: For due diligence to work, everyone must be clear on their role. Establish who designs and supervises the process, who reviews high-risk cases, who executes supplier due diligence, who verifies documentation, who identifies red flags, and who maintains communication with third parties.

Tips for effective implementation

  • Keep the process agile: Do not complicate the process more than necessary.
  • Use digital tools: This will facilitate the storage and review of information.
  • Adapt tools to your reality: Do not copy and paste models without analyzing them first.
  • Establish clear red flags: Define immediate actions to take when they appear.
  • Train key areas: Teach them how to detect real bribery risks.
  • Document everything: Remember that in audits, evidence is everything.

Due diligence is not just a requirement, but a strategic tool to protect your organization from illicit practices. Implementing it in a proportional, structured, and continuous manner allows you to make better decisions, reduce legal and reputational risks, strengthen transparency, and generate trust with clients, suppliers, and authorities.

If your organization is starting the implementation of an anti-bribery system, due diligence will be one of the key processes that marks the difference between simply complying with the standard and having a truly effective system.


References

International Organization for Standardization (ISO). Anti-bribery management systems. Requirements with guidance for use. ISO 37001. Second edition.

Organisation for Economic Co-operation and Development (OECD). Due Diligence Guidance for Responsible Business Conduct. 2018. Retrieved from the OECD website on December 15, 2025.