When G7 contractors who already hold ISO certifications hear about the January 2027 ISO 37001 mandate, a common first reaction is concern about adding another full management system on top of what already exists. More documentation. More audits. More management time diverted from running projects.

In most cases, that concern is overstated. ISO 37001 is designed to integrate efficiently with ISO 9001, ISO 14001, ISO 45001, and ISO 27001 because all of these standards share a common structural framework. If you have an existing, well-maintained ISO management system, you are not starting from scratch — you are extending what already works.

This article explains precisely how that integration works, what it saves, and where ISO 37001 still requires genuinely new work regardless of your existing certification status. If you are not yet familiar with what ISO 37001 requires in full, read our foundation post first: ISO 37001 ABMS: What Every CIDB G7 Contractor Must Know Before 2027.

The Annex SL Framework: Why Integration Works

The key to understanding ISO 37001 integration is Annex SL — the ISO directive that standardised the high-level structure for all management system standards published since 2012. Every modern ISO standard — ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, and now ISO 37001:2025 — follows the same ten-clause skeleton:

| Annex SL Clause | Topic | Shared Across All Standards? |
|---|---|---|
| Clause 4 | Context of the Organisation | ✓ Yes |
| Clause 5 | Leadership and Commitment | ✓ Yes |
| Clause 6 | Planning (Risks, Objectives) | ✓ Yes |
| Clause 7 | Support (Resources, Competence, Communication, Documentation) | ✓ Yes |
| Clause 8 | Operation | ~ Standard-specific content |
| Clause 9 | Performance Evaluation (Internal Audit, Management Review) | ✓ Yes |
| Clause 10 | Improvement (Non-conformity, Corrective Action) | ✓ Yes |

The practical implication: if your company has ISO 9001 and your management system is properly maintained, Clauses 4, 5, 6, 7, 9, and 10 of your ISO 37001 ABMS are largely already built. You extend existing frameworks with ABMS-specific content rather than creating parallel documents. Only Clause 8 — the operational controls specific to anti-bribery — requires genuinely new work from the ground up.

💡 The Integration Principle in Plain Terms: Think of your existing ISO 9001 or ISO 45001 system as a house. The foundations, walls, and roof are already there. Adding ISO 37001 means fitting out specific rooms — the anti-bribery risk assessment, the due diligence system, the whistleblowing channel — inside the existing structure. You don't rebuild the house. You furnish new rooms.

What You Can Directly Reuse or Extend

Context of the Organisation (Clause 4)

Your ISO 9001 Clause 4 analysis already documents your organisation's internal and external context, interested parties, and the scope of your management system. For ISO 37001, you extend this by adding anti-bribery-relevant interested parties (MACC, government clients, business associates) and anti-bribery considerations to your context analysis. In a well-maintained IMS, this is a single document update, not a new document.

Leadership and Top Management Commitment (Clause 5)

Your existing leadership clause establishes top management's commitment to the management system. For ISO 37001, you add ABMS-specific commitments — the anti-bribery policy, the culture requirements of ISO 37001:2025, and explicit accountability assignments for anti-bribery roles. The leadership structure and evidence mechanisms (policy sign-offs, management review records) already exist.

Objectives and Planning (Clause 6)

Your existing quality or safety objectives framework extends to include anti-bribery objectives. The planning mechanisms for addressing risks and opportunities already exist in your ISO 9001 or ISO 45001 system — you add anti-bribery risk assessment outputs as an additional input to this planning process.

Competence, Training, and Communication (Clause 7)

Your training records system, competence assessment process, and internal/external communication frameworks already exist. Anti-bribery training is added to your existing training programme structure. Training records for ISO 37001 are maintained in your existing training records system. No new infrastructure is required — only new content.

Internal Audit Programme (Clause 9.2)

This is one of the most significant practical savings of integration. Your existing internal audit programme, audit procedure, auditor competence records, and non-conformance management process are all directly extended to include ISO 37001 audit scope. You train your existing internal auditors on ISO 37001 requirements — through the ISO 37001 Internal Auditor Training — and add ABMS audit checklist items to your existing audit programme. Combined audits covering ISO 9001 and ISO 37001 in the same audit cycle are operationally efficient and reduce management time.

Management Review (Clause 9.3)

Your existing management review process — the meeting structure, input data requirements, output documentation — is extended to include ABMS performance inputs: anti-bribery objectives performance, results of ABMS internal audits, any incidents or concerns raised, and the effectiveness of anti-bribery controls. One management review covers all standards simultaneously.

Non-conformity and Corrective Action (Clause 10)

Your existing corrective action process handles non-conformities from ISO 37001 internal audits using exactly the same methodology as non-conformities from your ISO 9001 or ISO 45001 audits. No new systems needed.

What ISO 37001 Requires That Is Genuinely New

Integration saves significant time and cost, but it does not eliminate the need for ABMS-specific work. The following elements are unique to ISO 37001 and must be built regardless of your existing certification portfolio.

Anti-Bribery Risk Assessment and Risk Register

While ISO 9001 and ISO 45001 both require risk assessments, they address quality and safety risks respectively. ISO 37001 requires a specific anti-bribery risk assessment covering your organisation's exposure to bribery across all relevant operations. For a G7 construction contractor, this is typically the most substantial new work — mapping procurement, tendering, government liaison, and subcontractor management processes specifically through an anti-bribery risk lens.

Due Diligence System for Business Associates

ISO 37001 requires documented due diligence procedures for business associates — subcontractors, suppliers, agents, intermediaries. While you likely have some supplier assessment processes under ISO 9001, these focus on quality and capability. Anti-bribery due diligence has specific requirements around bribery risk screening, PEP (politically exposed person) checks, and ongoing monitoring that go beyond standard supplier assessment. This system needs to be purpose-built.

Gifts, Hospitality and Donations Policy and Register

This is entirely new for most construction companies. The policy must define permissible limits, require approval for gifts above threshold values, and mandate recording of all gifts offered and received. A live register must be maintained. This operational control has no equivalent in ISO 9001 or ISO 45001 and must be created and embedded into daily operations.

Conflict of Interest Procedure and Declarations

Formal conflict of interest disclosure requirements, the declaration process, and the register are specific to ISO 37001. While some companies have informal policies, the documented procedure and evidence of completed declarations are new work for most organisations.

Whistleblowing Mechanism

ISO 45001 requires workers to be able to report safety concerns, and many companies have some version of this. ISO 37001 requires a confidential reporting channel specifically for bribery concerns, accessible to employees, business associates, and third parties, with documented non-retaliation protections and investigation procedures. If you don't have a purpose-built whistleblowing channel meeting these specifications, this needs to be established as new infrastructure.

The Real Numbers: Time and Cost Savings from Integration

| Factor | Standalone ISO 37001 | Integrated with ISO 9001 / ISO 45001 |
|---|---|---|
| Implementation timeline | 6–9 months | 3–4 months |
| Documentation to create | Full ABMS documentation suite | ABMS-specific documents only |
| Internal audit setup | New programme, new auditors | Extend existing programme + top-up training |
| Management review | New review structure | Extend existing review agenda |
| Training preparation | Full management system orientation + ABMS | ABMS-specific content only |
| Consultancy fee saving | Baseline | 20–35% reduction |
| Ongoing audit cost | Separate annual surveillance audits | Combined audits possible |

For a typical G7 contractor with active ISO 9001 certification and 100–250 employees, integration typically saves 2–3 months on the implementation timeline and approximately RM 8,000 to RM 15,000 in consultancy fees compared to a standalone ISO 37001 implementation. On an ongoing basis, combined surveillance audits reduce annual certification costs by 15–25% versus maintaining two separate audit cycles.

💡 Maintenance Programme Advantage

Companies already enrolled in YHY Consultancy's ISO Maintenance Programme benefit from a continuous connection to their management system documentation and audit schedule. Adding ISO 37001 to an active maintenance relationship is the most efficient path to integration — we know your system already and can identify integration points immediately.

Real Scenario: G7 Contractor with ISO 9001 Adding ISO 37001 in 3 Months

Illustrative Case Study

G7 Civil Engineering Contractor, Selangor — 180 Employees

Starting position: Holds ISO 9001:2015 certification (3 years, well-maintained), no ISO 37001 in place. Contacted YHY Consultancy in January 2026 after receiving an ESG supplier questionnaire from their primary government client that included anti-bribery certification questions.

Gap analysis findings (Week 1–2): Existing IMS provides strong documentation infrastructure — context analysis, competence framework, internal audit programme, and corrective action process all reusable. ABMS-specific gaps: no anti-bribery risk register, no formal due diligence procedure for subcontractors, no gifts register, no whistleblowing channel, and no anti-bribery training records.

Documentation phase (Week 3–8): Anti-bribery policy added to IMS manual. Anti-bribery risk assessment conducted — 14 risk areas identified across procurement, tendering, and government liaison. Risk register developed. Due diligence procedure drafted for subcontractor screening, tiered by contract value. Gifts, hospitality and conflict of interest policies and registers created. Whistleblowing procedure established with a dedicated email channel and non-retaliation policy.

Training (Week 6–8, overlapping): 2-day ISO 37001 Internal Auditor training for 3 staff (HRD Corp claimed). Half-day awareness training for all 180 employees delivered in 4 groups across 2 weeks.

Implementation and evidence gathering (Week 9–14): Due diligence screening completed for 23 active subcontractors. Gifts register populated with 6 entries. Conflict of interest declarations signed by all directors and project managers. Anti-bribery clauses added to standard subcontractor agreement template.

Internal audit (Week 14–15): ABMS-scope internal audit added to existing IMS audit cycle. 2 minor non-conformities identified (incomplete due diligence records for 2 legacy subcontractors, gifts register approval threshold not communicated to site managers). Both closed within 2 weeks.

Certification audit (Week 16–17): Stage 1 documentation review passed. Stage 2 implementation audit conducted — certificate issued in Week 20.

Total elapsed time: approximately 5 months from engagement to certificate. Consultancy fee: within the RM 15,000–25,000 band. The company submitted their ISO 37001 certificate to their government client's supplier portal in June 2026 — 7 months before the CIDB deadline.

What If You Only Have ISO 37001 — Is That Enough?

For companies that currently hold no ISO certifications at all, ISO 37001 standalone certification satisfies the CIDB G7 mandate — and only ISO 37001 is required for the mandate itself. However, most G7 contractors operate in a procurement environment where ISO 9001 and ISO 45001 are also assessed in tender scoring.

If you are starting from zero certifications and need to prioritise, ISO 37001 addresses the January 2027 regulatory deadline. ISO 9001 and ISO 45001 address competitive positioning and may be required by specific clients. Building an Integrated Management System that incorporates all three from the outset — rather than retrofitting later — is typically the most efficient long-term approach. This is exactly the kind of strategic assessment YHY Consultancy provides as part of our initial engagement.

A Note on Standards Transition

Companies currently certified to ISO 9001:2015 or ISO 45001:2018 should be aware that ISO 9001 revision discussions are ongoing and ISO 45001 is also subject to future updates. Our Standards Transition service helps companies navigate version transitions without disruption to their certification status. When adding ISO 37001, we assess transition risk across your entire IMS simultaneously — avoiding a situation where you add ISO 37001 integration work only to face an ISO 9001 version transition shortly after.

Already Have ISO Certification? Talk to Us About Fast-Track ABMS

If you hold ISO 9001, ISO 14001, or ISO 45001, we can typically add ISO 37001 ABMS to your existing management system in 3–4 months. Tell us what you currently hold and we'll give you a specific integration plan and cost estimate within 48 hours.


Frequently Asked Questions

Can ISO 37001 be integrated with ISO 9001 or ISO 45001?

Yes. ISO 37001:2025 shares the Annex SL high-level structure with ISO 9001, ISO 14001, ISO 45001, and ISO 27001. This means that context of the organisation, leadership, planning, support, performance evaluation, and improvement frameworks are common across all standards. Companies with existing ISO certifications extend their Integrated Management System with ABMS-specific content rather than building a separate system from scratch.

How much time does ISO 37001 integration save compared to standalone implementation?

Integration typically reduces the ISO 37001 implementation timeline from 6–9 months (standalone) to 3–4 months. The time savings come from reusing existing documentation frameworks, extending existing internal audit programmes, adding ABMS scope to existing management review processes, and avoiding duplication across staff training and competence systems.

What documentation from ISO 9001 can be reused for ISO 37001?

Documentation that can be directly extended includes: context of the organisation analysis (Clause 4), leadership and commitment section (Clause 5), objectives and planning framework (Clause 6), competence and training records structure (Clause 7), internal audit programme and procedure (Clause 9.2), and management review process (Clause 9.3). ABMS-specific content — anti-bribery risk register, due diligence procedure, gifts register, whistleblowing mechanism — is added to these frameworks rather than created in parallel documents.

Do I need a separate certification body audit for ISO 37001 if I already have ISO 9001?

The ISO 37001 certification audit must be conducted by a MACC-scheme accredited certification body. If your existing ISO 9001 body also holds MACC scheme accreditation, combined surveillance audits are possible after initial certification, reducing total annual audit costs. Discuss combined audit options when selecting or engaging your certification body for ISO 37001.

Does ISO 37001 integration reduce ongoing surveillance audit costs?

Yes. When your ISO 37001 certification body also covers your existing ISO standards, combined surveillance audits reduce total annual audit days. In practice, this delivers a 15–25% reduction in annual certification costs compared to maintaining two completely separate audit cycles. This saving compounds every year, making integration increasingly cost-effective over the full certificate lifecycle.

What is genuinely new work in ISO 37001 that I can't reuse from ISO 9001?

Five elements must be built from scratch regardless of your existing certifications: the anti-bribery risk assessment and risk register; the due diligence system for business associates (subcontractors, agents, suppliers); the gifts, hospitality and donations policy and live register; the conflict of interest procedure and declaration records; and the whistleblowing mechanism with documented non-retaliation protections. These are specific to anti-bribery management and have no direct equivalent in ISO 9001 or ISO 45001.