Focus on ISO compliance guidelines for corporate compliance

By Deng Yong, DOCVIT Law Firm

The International Organisation for Standardisation (ISO) published the Compliance Management System Requirements and Guidelines for Use (ISO 37301) in April 2021. This was followed six months later by the China National Institute of Standardisation (CNIS) publishing the equivalent national standard of Compliance Management System Requirements and Guidelines for Use (Draft for Comment), awaiting adoption with equal status.

This article discusses the significance of this international ISO standard to domestic enterprises and compliance management in the context of its basic framework.



In general, ISO 37301 puts forward the basic concept of “PDCA”: Plan, Do, Check, Act. This concept covers the entire process of the compliance system, effectively providing methodology for organisations to build a compliance system and develop a compliance culture.

Specifically, it sets out precise requirements and guidelines regarding the six core elements of a compliance system: organisational environment; leadership role; risk assessment; investigation mechanism; training and communication; and supervision and audit.

Develop a sound system. Building a compliance system begins with identifying the relevant internal and external environment and systematically defining the specific compliance obligations arising from the organisation’s activities, products and services, thereby developing appropriate systems and procedures consistent with its operation and evolution.

Highlight leadership role. Engagement and support of leadership are critical to the smooth operation of a compliance system. Leaders should reinforce their role as effective custodians of the compliance system, take a preventive and zero-tolerance attitude towards non-compliance, develop compliance policies, and establish and maintain a top-down compliance culture.

Compliance risk process. Compliance risk should be assessed regularly as the foundation for implementing a compliance management system and for allocating appropriate and sufficient resources and procedures to manage identified risks. Ad hoc assessments should be initiated whenever there are changes to the organisation’s activities, products or services. Ultimately, all identified compliance risks should be monitored and addressed.

Investigation mechanism. A well-developed investigation mechanism is another basis for a well-functioning compliance system. It should establish not only the principles of investigation and remedial measures to be taken, but also ensure impartiality and independence of the investigation, and set up a reporting mechanism to accomplish the compliance system’s overall revision and upgrading.

Training and communication. All personnel within the organisation need to understand their compliance responsibilities and carry them out effectively. Adequate training of employees should be ensured, with a smooth communication mechanism that guarantees the compliance system works soundly.

Review, supervise and evaluate. Reviewing and supervising the compliance system to evaluate its performance is essential to detect problems, rectify loopholes and improve effectiveness of the compliance system.


Provides sound compliance. By providing a framework for establishing an efficient and complete compliance system, enabling development of specific compliance management systems to meet different requirements, ISO 37301 guidelines help companies operate more efficiently at a lower cost, optimise their internal management, and build quality businesses.

Wins trust and respect. ISO certification directly recognises a company’s compliance management capabilities. This helps to demonstrate the company’s compliance culture and values publicly, and provides standard rules for breaking down international trade barriers and promoting exchanges and co-operation, thereby gaining trading opportunities for companies. ISO-certified companies may also be included in the ISO global standard case database, enhancing their international reputation and gaining respect in the market.

Complies with regulatory requirements. With increasingly stringent regulatory requirements, a company with ISO certification in effect has a solid compliant foundation to deal with regulatory scrutiny. The equivalent draft national standard of the same name has an equal effect to adopting ISO 37301. This means that obtaining ISO certification is equivalent to full compliance with the drafted national standard, if and when implemented.

As a result, companies will be able to present a good compliance image to the regulator and be better prepared for new regulations through the established compliance system.

Provides positive judiciary proof. The Supreme People’s Procuratorate has continued to pilot compliance reform for domestic enterprises since 2020, having issued a total of 10 model corporate compliance cases in two batches. In the event of involvement in a criminal justice case, a company’s ISO compliance certification can serve as a positive basis for the court’s consideration, which may result favourably – such as with non-arrest or non-prosecution – and gain opportunities for business development.


ISO 37301 states that it “applies to all types of organisations, regardless of the type, size and nature of their activities and whether they originate from the public, private or not-for-profit sector”. ISO certification is therefore available for almost all organisations across the spectrum.

In the first six months of this year alone, companies such as Midea Group, China Mobile, China Mobile Hong Kong, Baidu Smart Cloud, Baishan Cloud Technology and China Telecom were reportedly awarded ISO 37301 certification.


The Guangdong State-owned Assets Supervision and Administration Commission also issued its Year Action Plan of Strengthening Compliance Management in May this year, requiring that “all provincial enterprises strive to obtain ISO 37301 certification within three years”.

Accordingly, all central and state-owned enterprises, listed companies and enterprises with cross-border business need to consider obtaining ISO certification at this stage. Regardless of an enterprise’s nature, size or industry, having a sound compliance system will always remain a vital factor in maintaining competitiveness and achieving long-term prosperity in future market competition.

Deng Yong is a senior partner at DOCVIT Law Firm. Yang Shuang, an associate at the firm, also contributed to this article.


56/F Fortune Financial Center
No.5 East Third Ring Middle Road
Chaoyang District, Beijing 100020, China
Tel: +86 10 8586 1018
Fax: +86 10 8586 3605-8006