ISO 37001:2016 is the international standard for anti-bribery management systems. Certification has moved from “nice to have” to “expected” in a growing list of procurement processes — Italy’s PA, French defence contracts, the UAE’s commercial code, large infrastructure tenders across Europe, the World Bank’s anti-corruption due diligence, and a rising number of supplier codes in the FMCG and pharma sectors. This guide is for the compliance officer who has been told to “get us ISO 37001 certified” and is now staring at a software market that ranges from €49 per month to €100,000 per year.
Direct answer
ISO 37001 software is not a single product — it is the combination of (i) a whistleblowing channel that captures bribery and corruption reports, (ii) third-party due-diligence tooling that screens counterparties against sanctions and PEP lists, (iii) a policy and training management module, and (iv) an audit and evidence repository that an external certifier can read. You can buy these as a single platform from large GRC vendors (€20-100k/year) or assemble them from focused tools (typically €5-15k/year). Whistleblowing — the speak-up channel — is the non-negotiable foundation; everything else is variable.
Why ISO 37001 needs software at all
Clause 8.9 of ISO 37001 — “Raising concerns” — explicitly requires the organization to implement procedures that allow persons to report bribery suspicions in confidence and without retaliation. In every ISO 37001 audit we have observed, the certifier asks for the channel first. A working channel is the load-bearing wall of the entire ISO 37001 case.
But the standard goes further. Clause 4.5 requires due diligence on the organization’s relationships with third parties; Clause 7.4 requires communication of the anti-bribery policy; Clause 9.1 requires monitoring and measurement; Clause 10.2 requires investigation and corrective action. Each of these clauses creates a documentation obligation — and ad-hoc spreadsheets do not survive an external audit.
The four-layer software stack
Layer 1 — Speak-up channel (mandatory)
A confidential, accessible channel through which employees, suppliers, contractors, and third parties can report bribery suspicions. The same channel typically serves the broader EU Directive 2019/1937 obligation, so a single deployment can satisfy both regimes.
Selection criteria for ISO 37001 specifically:
- Anonymous reporting must be available — bribery is high-stakes, and reporters often won’t engage a channel that captures email or IP. Confidly operationalizes this with server-issued case codes and no identifier capture.
- Third-party access — the channel must be accessible to suppliers and contractors, not just employees. Most ISO 37001 cases come from outside the org chart.
- Append-only audit log — the certifier will sample cases and demand to see every action taken. A log that can be edited fails the audit.
- Multi-language intake — bribery-prone industries (construction, defence, extractives) operate across linguistic boundaries; the channel must serve them.
Layer 2 — Third-party due diligence
ISO 37001 Clause 8.2 requires the organization to assess and document bribery risk in its third-party relationships. Software in this layer screens counterparties against sanctions lists (OFAC, EU consolidated, UN, UK HMT), politically exposed person (PEP) lists, adverse media, and beneficial ownership data.
The market here is mature — Dow Jones Risk and Compliance, Refinitiv World-Check, LexisNexis Bridger, ComplyAdvantage. Pricing scales by number of screenings (typically €5-15 per name; bulk plans negotiated annually). For most mid-market companies, a focused screening tool is more cost-effective than an enterprise GRC platform.
Layer 3 — Policy and training management
Clause 7.4 requires the anti-bribery policy to be communicated and understood. Software in this layer manages policy attestations (employee sign-off), training delivery and tracking, and refresher cycles. LMS platforms with compliance modules (Cornerstone, SAP SuccessFactors, Litmos) cover this — or specialized compliance training (NAVEX, GAN Integrity, Skillsoft Compliance).
For organizations under 1,000 employees, a lightweight policy attestation tool plus an off-the-shelf training video usually suffices.
Layer 4 — Audit and evidence repository
The least glamorous but operationally most important layer. ISO 37001 audits are documentation-heavy. The certifier wants:
- The anti-bribery policy and its version history
- The risk assessment with dates and methodology
- Training completion records
- Due-diligence reports for sampled third parties
- All raised concerns and their resolution
- Management review minutes
- Internal audit reports
A SharePoint folder works for the first audit. By the second surveillance audit (12 months later), most organizations regret not adopting a structured GRC tool. ISO 37001 audits run on a 3-year cycle (initial certification, two annual surveillance audits, recertification audit), so the documentation burden compounds.
All-in-one vs. best-of-breed
The compliance software market consolidates around two patterns:
All-in-one GRC platforms — Diligent, Wolters Kluwer Enablon, MetricStream, ServiceNow GRC, NAVEX One. Price band: €20-150k/year. Strengths: single login, integrated reporting, vendor accountability for the full stack. Weaknesses: heavy implementation (3-6 months typical), feature breadth that you may not need, per-module pricing that escalates.
Best-of-breed assembly — pick a focused whistleblowing channel (Confidly, Vault Platform, AllVoices), a focused due-diligence tool (ComplyAdvantage, Dow Jones), and a lightweight policy attestation tool. Price band: €5-15k/year. Strengths: fast deployment (15 minutes for the channel; an afternoon for due diligence), transparent pricing, easy to replace any single component. Weaknesses: you own the integration story.
In our experience with mid-market customers (200-2000 employees), best-of-breed wins on cost and time-to-certification. Above 2000 employees and across multiple jurisdictions, the integrated GRC platforms often win on operational simplicity.
What ISO 37001 certifiers actually ask for
We have collected the questions asked by three major certifying bodies (BSI, DNV, Bureau Veritas) across roughly forty audits. The most common requests:
- “Show me the last 90 days of cases raised through your speak-up channel, sorted by date received.”
- “For case [random ID], walk me through every action taken from intake to closure.”
- “Show me how the reporter was protected from identification.”
- “Show me the SLA for acknowledgement. Show me one case where the SLA was missed and what you did about it.”
- “Show me your third-party due-diligence reports for the top ten suppliers by spend.”
- “Show me the training completion records for the executive team.”
- “Show me the management review minutes from the last two cycles.”
Notice the pattern: every question is a request for evidence. Software that produces evidence on demand passes ISO 37001 audits. Software that requires manual report assembly fails the first time the certifier asks for case #47.
How Confidly fits
Confidly is the speak-up channel (Layer 1). For ISO 37001 specifically:
- Anonymous, third-party-accessible intake — supplier-facing public page; no identifier capture.
- Append-only audit log — every action hash-chained, exportable as JSON/CSV for the certifier in one click.
- Multi-language reporter UI — 27 EU languages plus English; configurable per channel.
- Pre-mapped to ISO 37002 — the companion whistleblowing-management-system standard; clause-by-clause mapping is provided as part of onboarding.
- GDPR + national-transposition compliant by default — EU hosting, RoPA pre-filled, DPIA template available.
It does not cover Layers 2-4. Customers typically pair Confidly with a focused due-diligence tool and SharePoint/Notion as the evidence repository, then upgrade to a structured GRC tool once they cross 1,000+ employees.
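The two properties the selection criteria above and the Confidly feature list both rely on, an append-only hash-chained case log and server-issued case codes with no reporter identifiers, can be shown in a few dozen lines. The following is an added illustration written for this guide; it is not Confidly's code and makes no claim about how any vendor implements its log. The case codes, timestamps and the 7-day acknowledgement SLA are constructed sample values (the guide states no SLA figure), and it also answers two of the certifier questions listed earlier from the same log: cases received in a window, sorted by date, and cases where the acknowledgement SLA was missed.

```python
"""Append-only, hash-chained case log for a speak-up channel (constructed example)."""
import copy
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64            # previous-hash value committed to by the first entry
ACK_SLA = timedelta(days=7)   # hypothetical acknowledgement SLA; the guide states no figure


def issue_case_code() -> str:
    """Server-issued case code: the only handle a reporter needs to return with.
    Nothing about the reporter (email, IP address) is stored alongside it."""
    return "CASE-" + secrets.token_hex(4).upper()


def _digest(fields: dict) -> str:
    """SHA-256 over the entry's fields in canonical JSON (fixed key order, no whitespace)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(log: list, case: str, action: str, at: datetime, actor: str = "case-handler") -> dict:
    """Append one action. Each entry commits to the previous entry's hash, so editing,
    reordering or deleting anything earlier breaks the chain from that point on."""
    fields = {
        "seq": len(log),
        "case": case,
        "action": action,
        "at": at.isoformat(),
        "actor": actor,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(fields, hash=_digest(fields))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return None if the log is intact, else the index of the first entry whose
    sequence number, back-link or hash no longer matches."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != expected_prev or _digest(fields) != entry["hash"]:
            return i
        expected_prev = entry["hash"]
    return None


def sla_misses(log: list, sla: timedelta = ACK_SLA) -> list:
    """Cases whose 'acknowledged' event came later than intake + SLA, or never came."""
    received, acked = {}, {}
    for e in log:
        if e["action"] == "received":
            received[e["case"]] = datetime.fromisoformat(e["at"])
        elif e["action"] == "acknowledged":
            acked[e["case"]] = datetime.fromisoformat(e["at"])
    return sorted(c for c, t in received.items() if c not in acked or acked[c] - t > sla)


def cases_received_since(log: list, since: datetime) -> list:
    """Case codes received on or after `since`, sorted by date received."""
    rows = [(e["at"], e["case"]) for e in log
            if e["action"] == "received" and datetime.fromisoformat(e["at"]) >= since]
    return [case for _, case in sorted(rows)]


def build_demo_log() -> list:
    """Constructed sample data: three cases; one acknowledged late, one never acknowledged."""
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    a, b, c = "CASE-A1B2C3D4", "CASE-E5F6A7B8", "CASE-C9D0E1F2"
    log = []
    append_event(log, a, "received", t0, actor="intake")
    append_event(log, a, "acknowledged", t0 + timedelta(days=2))
    append_event(log, b, "received", t0 + timedelta(days=10), actor="intake")
    append_event(log, a, "closed", t0 + timedelta(days=20))
    append_event(log, b, "acknowledged", t0 + timedelta(days=21))   # 11 days: SLA missed
    append_event(log, c, "received", t0 + timedelta(days=40), actor="intake")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", verify_chain(log) is None)
    print("SLA misses:", sla_misses(log))
    tampered = copy.deepcopy(log)
    tampered[1]["action"] = "closed"          # an after-the-fact edit to a closed case
    print("first broken entry after edit:", verify_chain(tampered))
    print(json.dumps(log[:2], indent=2))      # shape of a JSON export for the certifier
```

The design choice that matters for an audit is that `verify_chain` can be run by the certifier over the exported JSON without trusting the vendor's UI: a single edited field, a deleted entry or a reordered entry changes a hash or a sequence number, and the function reports the first entry that no longer fits. Anchoring the latest hash somewhere outside the system (a signed email, a printed management-review minute) turns that into protection against a wholesale rewrite of the file as well.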
Pricing benchmarks (May 2026)
For a typical mid-market ISO 37001 candidate (300 employees, EU operations, no listed-company obligations):
| Layer | Lean option | Mid-market option |
|---|---|---|
| Speak-up channel | Confidly Pro — €149/mo | Confidly Enterprise — €399/mo |
| Third-party DD | ComplyAdvantage starter — €4,800/yr | Dow Jones RiskCenter — €15,000/yr |
| Policy / training | LMS module — €3,000/yr | Skillsoft Compliance — €8,000/yr |
| Evidence repo | SharePoint (existing) — €0 | Diligent Entities — €12,000/yr |
| Annual total | ~€9,500 | ~€39,800 |
Both options can pass an ISO 37001 audit. The mid-market option saves operational time at the cost of cash.