Awareness + Internal Auditor

Build an Anti-Bribery Management System toward ISO 37001:2016

Training for the Board, Commissioners, Compliance Officers, Internal Auditors, and Procurement: understand the ABMS clauses, perform third-party due diligence, and prepare the organization for Stage 1. Aligned with MoSOE Regulation PER-11/MBU/07/2021.

Core clauses: Clauses 4–10
Key function: Anti-Bribery Compliance Function
Supporting regulation: MoSOE PER-11/2021
Format: Inhouse, online, hybrid
Short answer

ISO 37001 Awareness + Internal Auditor training equips your team to understand the Anti-Bribery Management System clauses, perform third-party due diligence, and run internal audits per ISO 19011. Neksus trains to readiness; a KAN-accredited certification body performs the audit and issues your ISO 37001:2016 certificate.

About the Standard

The first international management system standard dedicated to bribery

ISO 37001:2016 is the first international standard for an Anti-Bribery Management System (ABMS). Its clause structure follows the Annex SL High Level Structure (clauses 4–10), same as ISO 9001 and 14001. The core of ISO 37001 is bribery risk assessment, anti-bribery policy, the appointment of an anti-bribery compliance function, financial and non-financial controls, third-party due diligence, plus reporting and investigation mechanisms. In Indonesia, ISO 37001 is recognized as a commitment to anti-corruption and is required for certain SOEs/SOE subsidiaries through MoSOE Regulation PER-11/MBU/07/2021. Neksus trains your team to implement an effective ABMS and prepare for the external audit.

  • Annex SL: easily integrated with ISO 9001, 14001, 45001, 27001
  • Clause 5.3.2: the anti-bribery compliance function must be independent and have direct access to the governing body
  • Clause 8.2: third-party due diligence is a key control
  • Required for many SOEs/SOE subsidiaries per MoSOE Regulation PER-11/MBU/07/2021
Neksus trains, the certification body certifies

ISO 37001 certificates can only be issued by accredited certification bodies (KAN in Indonesia, internationally recognized via the IAF MLA). Neksus prepares your ABMS to pass Stage 1 and Stage 2, without promises of guaranteed certification.

ISO 37001 differs from KPK’s UKAP program

UKAP (Comprehensive Anti-Bribery Effort) is an assessment program by the Indonesian Corruption Eradication Commission. ISO 37001 is the international management system standard. Many organizations use ISO 37001 as a foundation that helps meet UKAP criteria, but they are separate programs.

Certification ≠ guarantee of bribery-free operation

ISO 37001 explicitly does not guarantee an organization free of bribery. The standard sets requirements for an anti-bribery management system designed to be effective. Auditors assess the framework and its implementation; absolute cleanliness is something no standard can guarantee.

Scope of Certification

Typical ABMS scopes that get certified

Scope definition affects due-diligence complexity and audit cost.

SOEs & SOE subsidiaries

Required per MoSOE Regulation PER-11/MBU/07/2021 for designated SOEs. Scope: entire operations, or a limited scope (e.g. strategic procurement unit).

Ministries/Agencies & Provincial Governments

Scope on high-risk units (procurement, licensing, public services). Often a requirement for achieving WBK/WBBM status.

Construction & infrastructure

High bribery risk in public tender processes and subcontractor procurement. Scope: entire operations plus project management.

Financial services

Banks, insurance, securities: risk in customer onboarding, KYC, vendor procurement. Often parallel with AML/CFT compliance.

Multi-site & multi-jurisdiction

Global corporates with cross-border operations; bribery risks differ per country. Scope can be sampled per IAF MD 1.

Extractive industries & energy

High bribery risk in permitting, land acquisition, and government relations. Scope is usually entire operations.

Organizational Readiness

Organizational readiness before inviting a certification body

  • Anti-bribery policy authorized by the governing body & top management
    A firm commitment: zero tolerance for bribery, reporting obligations, whistleblower support, no retaliation.
  • Documented bribery risk assessment (clause 4.5)
    Identification of high-risk processes (procurement, licensing, public-official interaction), high-risk third parties, and high-risk transactions (gifts, hospitality, donations, sponsorship).
  • Anti-Bribery Compliance Function appointed
    Formal appointment of a person/unit that is independent, competent, and has direct access to the governing body (clause 5.3.2).
  • Third-party due-diligence procedure (clause 8.2)
    Risk-tiered classification of partners/suppliers; layered due diligence by risk level; anti-bribery clauses in contracts.
  • Gifts, hospitality, donations, sponsorship procedure (clause 8.7)
    Nominal limits, approvals, registers, and periodic audits for giving/receiving.
  • Reporting & investigation mechanism (clauses 8.9–8.10)
    Anonymous whistleblower channel, non-retaliation guarantee, fair and independent investigation procedure.
  • One internal audit cycle + management review
    ISO 19011-conformant internal audit, ABMS effectiveness evaluation, and review by the governing body & top management.
Certification Audit Path

Audit path from contract to certificate

Per ISO/IEC 17021-1: 3-year certification cycle.

  1. Application & contract (1–2 weeks)

    Submit scope, employees in scope, sites, bribery risk profile (sector, third parties). The body computes mandays per IAF MD 5.

  2. Stage 1: ABMS documentation review (1–2 days)

    Auditor reviews the anti-bribery policy, bribery risk assessment, due-diligence procedure, gifts/hospitality procedure, reporting mechanism, and internal audit results. Output: readiness confirmed, or prerequisites to close.

  3. Stage 2: Implementation audit (3–10 days onsite)

    Auditor goes into critical processes: procurement, public-official interactions, contract management, gifts/hospitality transactions. Interviews compliance function, internal audit, procurement, and the governing body.

  4. Closure of findings & certification recommendation (30–90 days)

    Major NCs closed with effective corrective action. For ABMS, major NCs commonly involve absent independent compliance function or un-executed due diligence.

  5. Certificate issuance (3-year cycle)

    Certificate carries a specific scope. For SOEs, the certificate evidences fulfillment of MoSOE Regulation PER-11/MBU/07/2021.

  6. Year 1 & 2 surveillance audits (annual, 2–5 days)

    Focus on execution effectiveness, investigation outcomes (reported cases), changes in risk profile, and prior finding follow-up.

  7. Recertification audit (year 3; before certificate expires)

    Full re-audit. Pass → renewed for another 3 years.

Internal Auditor (ISO 19011)

What an ISO 37001 Internal Auditor does, beyond box-ticking

Internal Auditor training follows ISO 19011:2018 with focus on anti-bribery control auditing.

What they do

An ISO 37001 internal auditor verifies the effectiveness of anti-bribery controls: whether third-party due diligence was genuinely performed before contracts were signed, whether the gifts/hospitality register is complete and monitored, whether the whistleblower channel functions (tested with a control case), whether investigation of reports is performed independently from the subject. Auditor independence is absolute: an ABMS internal auditor never audits a process they manage. Internal audit results are a mandatory input to governing-body and top-management review.

Competencies built
  • Understanding of ABMS clauses 4–10 and the Annex SL structure
  • Understanding of regulation: Indonesian Criminal Code, Anti-Corruption Law, Law 8/2010 AML, MoSOE PER-11/2021
  • Bribery risk assessment methods: identifying high-risk processes, third parties, and transactions
  • Audit of third-party due diligence (clause 8.2): due-diligence documentation review
  • Audit of gifts/hospitality, donations, sponsorship transactions
  • Audit of reporting & investigation mechanisms: independence & whistleblower protection
  • ISO 19011 β€” independence, objectivity, evidence-based, with heightened confidentiality
Findings Categories
  • Major NC

    E.g. anti-bribery compliance function absent or not independent, third-party due diligence not performed for high-risk contracts, or the whistleblower channel not functioning.

  • Minor NC

    E.g. gifts/hospitality register incomplete for one quarter, a due-diligence procedure not updated, or awareness training not delivered to a procurement unit.

  • OFI

    E.g. recommendation to automate due diligence against public databases (sanctions, PEP), or to enhance the whistleblower channel with an independent third-party platform.

  • Observation

    E.g. note on a new high-risk area (e.g. expansion into a jurisdiction with low Corruption Perception Index).

Outcomes

Expected outcomes for your team

Bribery risk assessment
Class output: a bribery risk matrix per process, third party, and transaction, defensible at Stage 2.
Layered due-diligence procedure
Three risk-tiered due-diligence levels with document templates and escalation criteria.
Anti-Bribery Compliance Function
Formal appointment with a written charter, independent position, and direct access to the governing body.
Active ABMS internal auditors
4–8 cross-functional internal auditors trained in anti-bribery control auditing.
Reporting mechanism tested
Whistleblower channel has been tested with a case scenario at least once; non-retaliation demonstrably enforced.
Decision Aid

Awareness vs Internal Auditor vs Lead Auditor preparation (ABMS)

| Criterion | Awareness | Internal Auditor ★ | Lead Auditor preparation |
| --- | --- | --- | --- |
| Typical duration | 1 day | 3 days | 5 days (IRCA-style) |
| Target audience | All employees + Board + Commissioners | Internal audit team & compliance officer | Aspiring Lead Auditors / compliance consultants |
| Main output | Anti-bribery policy understood; gifts/hospitality limits clear | Audit checklist + due diligence drafts + finding reports | Individual certificate from a registered training scheme |
| Delivered by | Training vendor (e.g. Neksus) | Training vendor (e.g. Neksus) | Registered training organization (e.g. IRCA / PECB) |

Engagement Path with Neksus

Engagement path with Neksus for ISO 37001

  1. Kickoff & gap analysis (Week 1)

    2-hour workshop with Board/Compliance: existing bribery risk mapping, existing ABMS documentation, and target certification schedule.

  2. 1-day awareness (Week 2)

    For all employees + a dedicated session for the Board/Commissioners. Topics: anti-bribery policy, gifts/hospitality limits, whistleblower channel, and consequences.

  3. 3-day Internal Auditor workshop (Weeks 3–4)

    ISO 37001 clauses 4–10, Indonesian regulation, due-diligence audit, gifts/hospitality audit, whistleblower channel audit, and ISO 19011 technique with elevated confidentiality.

  4. Mock audit in high-risk processes (Week 5)

    Facilitator accompanies audit in strategic procurement and government-relations units. Participants practice observation and finding-writing with discretion.

  5. Readiness review & recommendations (Week 6)

    Report: remaining gaps, priority actions, Stage 1 document readiness.

  6. Handoff to the certification body (Week 7+)

    Stage 1 document package is ready. Body selection is entirely your decision.

Target roles

Board of Directors & Commissioners (Governing Body)
Board

Accountable for the anti-bribery policy and oversight of ABMS effectiveness.

Compliance Officer / Anti-Bribery Compliance Function
Senior

ABMS owner, coordinator of internal audit & report investigation.

Internal Audit Team

4–8 cross-functional auditors for independence.

Procurement

Runs supplier due diligence and applies anti-bribery clauses in contracts.

Legal & General Counsel

Maintains the anti-bribery regulation register and supports investigations.

HR (Human Resources)

Clause 7.2: competence & training; clause 8.7: disciplinary process.

Sales / Business Development

Gifts/hospitality risk with clients and public officials; needs limit awareness and recording discipline.

Examples of Accredited Certification Bodies

Examples of accredited certification bodies for ISO 37001 in Indonesia

The list below is not a Neksus recommendation. Body selection is entirely your organization’s decision.

Sucofindo
KAN

State-owned inspection & certification body; widely used in SOE/government tender environments.

TÜV Rheinland
DAkkS + KAN

ABMS audit experience across SOEs and multinational corporates.

BSI (British Standards Institution)
UKAS + KAN

UK-origin body, involved in ISO 37001 development.

SGS
UKAS / ANAB + KAN

ABMS audit experience in energy, construction, and services sectors.

Bureau Veritas
COFRAC + KAN

Commonly used by large SOEs for integration of 37001 with other management standards.

TÜV NORD Indonesia
KAN

Frequent presence in SOE certification, particularly energy & infrastructure.

Important: Transparency

The bodies above are examples of organizations accredited (typically through KAN and the IAF MLA network) that can perform certification audits. They are not Neksus partners and do not receive referrals from Neksus. Choosing a certification body is entirely your organization’s decision based on scope, sector, and internal procurement requirements.

Typical Outcome Patterns

Typical outcome patterns from comparable clients

Context

SOE subsidiary 200 employees, first-time certification to fulfill MoSOE PER-11/2021.

Intervention

Awareness for all employees + dedicated Board session (1 day) + 3-day Internal Auditor for 6 people + mock audits in procurement & government relations.

Indicative result

Stage 1 passed without critical findings; Stage 2 produced 2 Minor NCs (incomplete gifts/hospitality register, anti-bribery clauses not yet addendumed into legacy vendor contracts) closed within 60 days.

Context

Ministry/agency, scope on strategic procurement unit, targeting WBK/WBBM.

Intervention

Training + coaching on drafting policy, due-diligence procedures, and whistleblower channel. Focus on integration with government anti-bribery management systems.

Indicative result

Focused-scope ISO 37001 certificate supported the achievement of WBK status the following year.

Context

Multi-project construction corporate, due-diligence demands from international clients.

Intervention

Awareness + Internal Auditor + mock audits across three major construction projects. Coaching on a subcontractor due-diligence template.

Indicative result

ISO 37001 certificate issued within 8 months, satisfying international client vendor-list documentation.

Procurement Info

Procurement information

  • Contract format
    Inhouse training or continuous program (including mock audits in high-risk processes).
  • Location
    Onsite at the client site (Jabodetabek with no extra travel charge), regional onsite, or live online.
  • Language of delivery
    Indonesian (default for SOE/government) or bilingual ID/EN.
  • Materials & participant certificate
    Modules, handouts, third-party due-diligence template, gifts/hospitality register, audit checklists, Neksus participation certificate.
  • Tax documentation
    VAT invoice, receipt, BAST. SOE/government e-procurement support (LKPP) available.
  • Payment terms
    30% advance on contract, 70% on training completion.
  • Optional coaching
    Separate consulting on a manday basis: ABMS policy-drafting coaching, pre-Stage-1 coaching.

Frequently Asked Questions

Discuss ISO 37001:2016 readiness for your organization

Send your planned ABMS scope and target certification schedule. The Neksus team studies your context and prepares a program design within 2 business days.

  • Awareness for the Board/Commissioners + all employees, focused Internal Auditor, mock audits in high-risk processes
  • Facilitators with compliance officer, anti-fraud audit, and investigation backgrounds
  • Alignment with MoSOE Regulation PER-11/MBU/07/2021 and the UKAP framework
  • Structured handoff to your chosen certification body