Title Page

  • Company Name

  • Location
  • Audit Date

  • Auditor Name and Position

ISO 37301 Audit

Section 4: Context of the Organization

  • 4.1 Understanding the Organization and its Context - Have external and internal issues that may affect compliance been clearly identified and documented?

  • 4.2 Understanding the Needs and Expectations of Interested Parties - Are the relevant interested parties and their compliance-related needs and expectations well understood?

  • 4.3 Determining the Scope of the Compliance Management System - Is the scope of the Compliance Management System (CMS) clearly defined, documented, and communicated within the organization?

  • 4.4 Compliance Management System - Is there evidence that the organization has established, documented, implemented, and maintains a CMS in accordance with ISO 37301 requirements?

  • 4.5 Compliance Obligations - Are all relevant legal, regulatory, contractual, and other compliance obligations identified and documented?

  • 4.6 Compliance Risk Assessment - Is there a documented process for assessing compliance-related risks and opportunities within the organization?

Section 5: Leadership

  • 5.1 Leadership Commitment - Is there clear evidence of top management's commitment to the compliance management system?

  • 5.2 Compliance Policy - Does the organization have a documented compliance policy that includes a commitment to compliance, legal requirements, and continual improvement?

  • 5.3 Roles, Responsibilities, and Authorities - Have clear roles, responsibilities, and authorities been defined for individuals within the organization who manage, oversee, or contribute to the CMS?

Section 6: Planning

  • 6.1 Actions to Address Risks and Opportunities - Has the organization identified and documented compliance-related risks and opportunities, and is there a plan to address them?

  • 6.2 Compliance Objectives and How to Achieve Them - Are compliance objectives established, measurable, and aligned with the organization's context and compliance policy?

  • 6.3 Planning of Changes - Is there a documented process in place for planning and managing changes to the CMS?

Section 7: Support

  • 7.1 Resources - Is there a process in place to identify, allocate, and ensure the availability of adequate resources (human, financial, technological) to support the CMS?

  • 7.2 Competence - Are mechanisms in place to assess and ensure the competence of personnel involved in compliance-related activities, including training, qualifications, and ongoing professional development?

  • 7.3 Awareness - Is there a structured program to raise awareness among personnel about their compliance-related responsibilities, the significance of the CMS, and the potential impact of their activities on compliance objectives?

  • 7.4 Communication - Are effective communication processes established to facilitate the exchange of relevant compliance information within the organization, including communication of the compliance policy, objectives, and changes to the CMS?

  • 7.5 Documented Information - Is there a robust document control system in place to manage and control documented information related to the CMS, ensuring accessibility, accuracy, and protection against unauthorized alterations or loss?

Section 8: Operations

  • 8.1 Operational Planning and Control - Is there a systematic approach in place for operational planning and control to ensure that compliance-related activities are planned, implemented, and monitored effectively within the CMS?

  • 8.2 Establishing Controls and Procedures - Are controls and documented procedures established to address identified compliance risks and opportunities, providing guidance for personnel on the appropriate steps to ensure compliance?

  • 8.3 Raising Concerns - Is there a clearly defined process for personnel to raise concerns related to compliance, and is this process communicated throughout the organization, fostering a culture of open communication and accountability?

  • 8.4 Investigation Processes - Are there documented processes for investigating and addressing compliance-related incidents, deviations, or nonconformities, ensuring a thorough analysis and appropriate corrective actions to prevent recurrence?

Section 9: Performance Evaluation

  • 9.1 Monitoring, Measurement, Analysis, and Evaluation - Is there a systematic process in place for monitoring, measuring, analyzing, and evaluating the performance of the CMS against established compliance objectives and key performance indicators?

  • 9.2 Internal Audit - Are regular internal audits conducted to assess the effectiveness and conformity of the CMS, and is there evidence of documented procedures outlining the audit process, responsibilities, and reporting?

  • 9.3 Management Review - Is there a structured management review process involving top management to evaluate the suitability, adequacy, and effectiveness of the CMS, with documented records of reviews and resulting actions taken for continual improvement?

Section 10: Improvement

  • 10.1 Continual Improvement - Is there a systematic approach in place to identify, evaluate, and implement opportunities for continual improvement within the CMS, ensuring a proactive response to changing circumstances and compliance requirements?

  • 10.2 Nonconformity and Corrective Action - Are there documented processes for identifying, documenting, and addressing nonconformities within the CMS, including the implementation of corrective actions to prevent recurrence and enhance the effectiveness of the compliance management processes?

Completion

  • Corrective Actions and/or Next Steps

  • Auditor Name and Signature
