Compliance Management Systems: ISO 37301, Set-Up, Software


A compliance management system (CMS) is the organised way your organisation stays onside with laws, regulations, standards and internal policies. It blends people, processes and technology to map obligations, embed practical controls, train staff, monitor activity and fix issues—so you reduce risk, avoid fines and keep operations running smoothly. Think of it as a living framework, not just a piece of software.

This guide explains how to set up a modern CMS with ISO 37301 as the blueprint. You’ll learn the key clauses and governance roles, how it connects with ISO 27001 and ISO 31000, how to build controls and measure effectiveness, what to expect from software and automation, why an integration‑first approach from your CRM matters, and what’s required in Australia.

Why compliance management systems matter today

Regulatory obligations are complex, change frequently, and differ by industry and region. Non‑compliance brings fines and disruption—Ireland’s data protection authority fined Meta USD 1.3B for GDPR breaches—and increases breach exposure. Customers also care: 85% want to know a company’s privacy policy before buying. Effective compliance management systems standardise obligations, embed controls, and use automation to flag risks and enable near real‑time corrective action—lifting resilience, trust, and board‑level accountability.

Overview of ISO 37301 (the CMS standard)

ISO 37301 is the international standard for compliance management systems. It provides guidelines for establishing, developing, implementing, evaluating and improving a CMS, giving organisations a single, structured way to stay aligned with legal requirements, internal policies and industry standards. It’s applicable across sectors and sizes, and is adopted in Australia as AS ISO 37301, building on earlier guidance such as AS ISO 19600.

Practically, ISO 37301 helps you formalise governance, map obligations, define roles, document policies and controls, deliver training, and set up monitoring, audits and continual improvement—so your CMS operates as a coherent system rather than scattered activities.

Key principles and clauses in ISO 37301

ISO 37301 turns compliance from scattered tasks into a structured framework. Its core ideas are governance, a risk‑based approach, and continual improvement. Rather than prescribing one-size-fits-all controls, it asks you to define your context and obligations, design proportionate controls, embed them through training and operations, and evidence performance via monitoring, audits and corrective action.

  • Leadership and accountability: Board oversight; independent, empowered compliance function.
  • Context and obligations: Define scope; maintain a live obligations register.
  • Risk‑based planning: Assess risks; set objectives and proportionate controls.
  • Support and culture: Resource, train, build awareness; keep documentation.
  • Operation: Implement policies, third‑party controls and complaint handling.
  • Evaluation and improvement: Monitor, audit, correct and continually improve.

How ISO 37301 relates to ISO 27001, ISO 31000 and industry regulations

Treat ISO 37301 as the compliance spine that connects risk and security systems. It structures how you identify obligations, plan proportionate controls and evidence assurance. ISO 31000 supplies the enterprise risk methodology you use to prioritise compliance work, while ISO 27001 provides an information‑security management system to meet privacy and data‑handling obligations referenced by many regulations.

  • ISO 31000: Translate risk context, criteria and appetite into compliance objectives, controls and KRIs.
  • ISO 27001: Align privacy/security obligations with ISMS controls, roles, monitoring, audits and records.
  • Industry regulations: Map laws like GDPR and HIPAA into your obligations register, policies and control testing.

The glue across all three is governance and clear accountability.

Governance and roles: board, senior management and the compliance function

Governance is the difference between a documented CMS and one that actually works. The board sets the tone and is ultimately accountable for the compliance management system, creating a culture of compliance, approving policy and resources, and setting consistent expectations across the organisation and its third‑party providers. Senior management turns intent into operations, while an empowered, independent compliance function maintains oversight, provides continuous reporting to the board, and drives corrective action and continual improvement.

  • Board: Set culture; approve the CMS and resources; ensure third‑party coverage; require regular, evidence‑based reporting.
  • Senior management: Appoint a chief compliance officer; embed controls in processes; ensure training; remediate issues promptly.
  • Compliance function: Independent with direct board access; monitor and audit; handle complaints; report findings; drive corrective actions.

Mapping obligations: laws, regulations, standards and commitments

A robust CMS starts with a clear map of what you must and choose to comply with. Build a live obligations register that distinguishes binding requirements (laws, regulations, ministerial directions, government policy) from voluntary commitments (standards, industry codes). Use it to drive controls, testing and reporting, and to evidence that your compliance management system is risk‑based and current.

  • Classify obligations: Mark each as a legal requirement or voluntary commitment.
  • Source and citation: Record official titles, clauses and authoritative sources (e.g., GDPR, HIPAA, ISO 37301).
  • Scope and applicability: Define entities, products, jurisdictions and processes in scope.
  • Owner and intent: Assign accountable owners and capture the purpose of the obligation.
  • Control linkage: Map each obligation to policies, procedures and control tests.
  • Evidence and records: Specify artefacts needed for audits and regulator inquiries.
  • Change monitoring: Track updates via regulator websites, mailing lists, industry forums and scheduled reviews.

Building the compliance programme: policies, procedures and controls

With your obligations register set, the compliance programme translates “what” into “how”. Under ISO 37301, this means documented policies that set intent, clear procedures that show the steps, and proportionate internal controls that prevent, detect and correct non‑compliance. Keep it risk‑based, consistently applied across the business, and evidenced through records that stand up to internal and external audit.

  • Policy library: Top‑level commitments and scope aligned to legal requirements and voluntary standards.
  • Procedures and work instructions: Plain‑English, accessible, role‑specific steps that embed compliance into daily operations.
  • Control catalogue: Preventive and detective controls (e.g., approval gates, reconciliations, segregation of duties) mapped to obligations.
  • Complaint and issue handling: Standardised intake, triage, investigation and documented corrective actions.
  • Reporting workflows: Defined owners, due dates and escalation paths for incidents, breaches and regulator requests.
  • Audit and testing plan: Scheduled control testing, monitoring and independent audits with remediation tracking.

Training, awareness and culture of compliance

A compliance management system lives or dies by culture. Training and awareness turn policy into behaviour: ISO 37301 expects organisations to resource, educate and build awareness, with the board setting the tone and senior leaders reinforcing it while the compliance function ensures coverage and records. Include employees, contractors and relevant third parties; make learning role‑specific, explain the “why” in plain English, and schedule refreshers when obligations change. Track completion and comprehension, and keep evidence to support monitoring, audits and corrective action.

  • Role‑based onboarding: Emphasise compliance in induction with scenarios taken from real processes.
  • Manager‑led communication: Equip leaders with talking points and keep compliance visible in regular team huddles.
  • Targeted refreshers: Push concise updates when laws, policies or controls change.
  • Attestations and accountability: Use signed policy attestations and enforce clear consequences for breaches.

Monitoring, testing and internal audits

Monitoring, testing and internal audits are the assurance loop of your compliance management system. ISO 37301 expects proportionate, risk‑based monitoring; routine control testing; and independent, impartial audits to evidence compliance, surface weaknesses early and drive continual improvement. Use near real‑time compliance monitoring where possible, and between formal audits run risk assessments and control health checks so findings translate quickly into corrective actions with accountable owners.

  • Structured monitoring: Sample transactions; compare actual practices with policies and external disclosures; interview staff; assess training effectiveness.
  • Control testing: Validate preventive and detective controls; document evidence; record defects; track remediation with owners and due dates.
  • Internal audits: Plan risk‑based audits; define scope; keep workpapers; issue reports with findings and agreed corrective actions.
  • Records and readiness: Maintain organised, accessible evidence to streamline internal reviews and external regulator or auditor requests.

Handling complaints, incidents and corrective actions

Complaints and incidents are your CMS’s smoke alarm. Customers often spot issues first, and regulators scrutinise how quickly you respond. Standardise logging, triage, investigation and remediation with evidence. Close the loop with root‑cause fixes and updates to policy, controls and training.

  • Intake and triage: Single channel, severity rating, owner.
  • Investigation: Preserve evidence; compare practice to policy.
  • Regulatory assessment: Decide notifications and timeframes; brief leaders.
  • Correct and prevent: Fix issue, implement controls, verify effectiveness.

Measuring effectiveness: KPIs, KRIs and reporting

A CMS only proves its value when you can show performance. Track a balanced set of KPIs (outcomes) and KRIs (early warnings) aligned to your obligations register and risk appetite. Monitor trends, not just counts, and set thresholds that trigger escalation. Keep verifiable evidence for monitoring, audits and corrective actions, as ISO 37301 expects continual evaluation and improvement.

  • Incidents and severity: Rate, trend and time to contain/resolve.
  • Audit outcomes: Findings, ratings and remediation cycle time.
  • Control effectiveness: Test pass rates and defect density.
  • Training impact: Completion plus comprehension/attestation rates.
  • Complaints handling: SLA adherence and recurrence after fixes.
  • Regulatory change uptake: Time from change to policy/control update.
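The obligations register described earlier (owner, control linkage, evidence, change monitoring) and the KPIs/KRIs listed above, as one small Python model added here for illustration; it is not code from the page or from any vendor. Obligation refs, dates and thresholds are constructed, and the gap check, pass rate, remediation cycle and change‑uptake metrics are assumed definitions.

```python
"""Constructed obligations register with control linkage and KRI checks.
Obligation refs, dates and thresholds are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Obligation:
    ref: str
    source: str                     # official title and clause
    kind: str                       # "legal" or "voluntary"
    owner: str | None
    controls: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)
    changed: date | None = None     # last change to the source requirement
    updated: date | None = None     # when the linked controls were updated

@dataclass
class ControlTest:
    control: str
    passed: bool
    found: date
    remediated: date | None = None

def register_gaps(register: list[Obligation]) -> dict[str, list[str]]:
    """Obligations lacking an owner, a mapped control or audit evidence."""
    return {o.ref: m for o in register
            if (m := [n for n, v in (("owner", o.owner), ("control", o.controls),
                                     ("evidence", o.evidence)) if not v])}

def control_pass_rate(tests: list[ControlTest]) -> float:
    return sum(t.passed for t in tests) / len(tests) if tests else 0.0

def remediation_cycle_days(tests: list[ControlTest], today: date) -> float:
    """Mean days from defect found to remediated; open defects accrue to today."""
    defects = [t for t in tests if not t.passed]
    if not defects:
        return 0.0
    return sum(((t.remediated or today) - t.found).days for t in defects) / len(defects)

def change_uptake_days(register: list[Obligation], today: date) -> int:
    """Worst-case lag from a requirement change to the linked control update."""
    return max((((o.updated or today) - o.changed).days for o in register if o.changed), default=0)

# Minimum acceptable pass rate; maximum acceptable days for the other two.
THRESHOLDS = {"control_pass_rate": 0.90, "remediation_cycle_days": 30, "change_uptake_days": 30}

def evaluate_kris(register, tests, today, thresholds=THRESHOLDS) -> dict[str, tuple]:
    """Return {metric: (value, breached)}; any breach should escalate to its owner."""
    values = {"control_pass_rate": control_pass_rate(tests),
              "remediation_cycle_days": remediation_cycle_days(tests, today),
              "change_uptake_days": change_uptake_days(register, today)}
    return {k: (v, v < thresholds[k] if k == "control_pass_rate" else v > thresholds[k])
            for k, v in values.items()}

# Constructed sample data, not real obligations or test results.
REGISTER = [
    Obligation("OB-1", "Privacy Act 1988, APP 11", "legal", "Privacy Officer",
               ["CTL-ACCESS", "CTL-ENC"], ["access-review-2024Q1"], date(2024, 1, 15), date(2024, 2, 1)),
    Obligation("OB-2", "AML/CTF Act, customer due diligence", "legal", "Compliance Lead",
               ["CTL-KYC"], [], date(2024, 3, 1)),
    Obligation("OB-3", "ISO 27001 information security policy", "voluntary", None, [], ["policy-v3"]),
]
TESTS = [ControlTest("CTL-ACCESS", True, date(2024, 3, 10)),
         ControlTest("CTL-ENC", False, date(2024, 3, 10), date(2024, 3, 20)),
         ControlTest("CTL-KYC", False, date(2024, 3, 12))]
TODAY = date(2024, 4, 1)
```

With the sample data, `register_gaps(REGISTER)` flags OB-2 (no evidence) and OB-3 (no owner, no control), and `evaluate_kris(REGISTER, TESTS, TODAY)` breaches the pass-rate and change-uptake thresholds but not the remediation one.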

Reporting should be regular, evidence‑based and candid: dashboards for management, concise summaries for the board, and ad‑hoc briefings for material issues. Include root causes, agreed corrective actions, owners and due dates, and link everything back to risks, obligations and audit‑ready records.

Technology and automation in CMS

Technology is the accelerator of a modern compliance management system. GRC platforms and productised integrations automate obligation tracking, reminders and approvals; continuously monitor controls and transactions; centralise evidence and audit trails; and push near real‑time alerts. Crucially, they embed compliance into day‑to‑day tools—e.g., running KYC/AML identity verification from your CRM with privacy guardrails that keep PII restricted and access MFA‑controlled.

  • Real‑time monitoring: Alerts for potential non‑compliance and control failures.
  • Workflow automation: Approvals, attestations, escalations and SLA tracking.
  • Assurance at scale: Scheduled control tests with evidence and audit trails.
  • Reg change intake: Feeds that update the obligations register automatically.

Compliance management software: must‑have features and evaluation criteria

The right compliance management software should operationalise ISO 37301 and make compliance part of daily work, not a side system. Prioritise platforms that centralise obligations, automate approvals and attestations, support near real‑time monitoring and testing, and keep audit‑ready evidence—while enforcing strong privacy and access controls for any personal or sensitive data.

  • Single source of truth: Live obligations register with regulatory‑change feeds, mapped to controls, owners and evidence.
  • Workflow automation: Approvals, attestations, role‑based training, complaints handling and corrective‑action tracking with SLAs.
  • Monitoring and testing: Real‑time alerts, dashboards and scheduled control testing to surface issues early.
  • Audit‑ready records: Immutable logs, versioned documents and exportable reports with role‑based access, MFA and encryption.
  1. Standards alignment: Supports ISO 37301, with clear linkage to ISO 27001/31000.
  2. Integration and usability: Native CRM/ERP integrations, robust APIs and in‑context evidence capture.
  3. Security and governance: Strong access controls, audit trails and transparent data residency.

Integration-first approach: operating compliance from your CRM

An integration‑first CMS puts compliance where teams already work—the CRM. Staff can trigger KYC/AML and background checks from contact records, with outcomes written back as audit‑ready evidence. Productised integrations (e.g., StackGo IdentityCheck for HubSpot/Salesforce) standardise steps, cut re‑keying and avoid brittle custom automations. A privacy layer ensures PII stays out of the CRM and access is MFA‑controlled, with global coverage across 200+ countries and 10,000 document types.

  • Faster onboarding: triggered in‑CRM, fewer handoffs and delays.
  • Stronger assurance: in‑context evidence, status tracking and escalations.

Data privacy, security and PII safeguards in a CMS

Privacy and security are non‑negotiable in a compliance management system. Align controls to your mapped obligations (for example GDPR or HIPAA) and evidence them, because breaches attract heavy penalties and erode trust. Build PII safeguards into both the CMS and the tools staff use daily, so protection is by design rather than bolted on.

  • Data minimisation: Only necessary fields; keep PII out of CRMs via a privacy layer.
  • Access + MFA: Role‑based access; MFA; admin‑only raw PII.
  • Encryption/segregation: Encrypt; store evidence separately; link via metadata.
  • Auditability: Immutable access logs and version history.
  • Retention/erasure: Policy‑driven retention and proof of deletion.
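The five safeguards above as one constructed Python pattern, added here as an illustration and not taken from the page or any product: the CRM record holds only an opaque token and the check outcome, raw PII sits in a separate vault that is admin‑only and MFA‑gated, every access attempt (including denials) is appended to a hash‑chained log, and erasure returns a receipt carrying a hash of what was deleted. Class and function names are assumptions.

```python
"""Constructed privacy-layer pattern (an assumption, not a product's code): CRM
keeps a token and outcome only; raw PII lives in a separate, MFA-gated vault with
a hash-chained access log and a deletion receipt."""
import hashlib
import json
import secrets
from datetime import datetime, timezone

class AccessDenied(Exception):
    pass

def pii_digest(pii: dict) -> str:
    return hashlib.sha256(json.dumps(pii, sort_keys=True).encode()).hexdigest()

class PiiVault:
    def __init__(self):
        self._records: dict[str, dict] = {}
        self._log: list[dict] = []      # append-only; each entry chains to the previous

    def _audit(self, action: str, token: str, actor: str, ok: bool) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "token": token, "actor": actor, "ok": ok}
        prev = self._log[-1]["hash"] if self._log else ""
        entry["hash"] = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self._log.append(entry)

    def _authorised(self, role: str, mfa_verified: bool) -> bool:
        # Raw PII is admin-only and always behind MFA.
        return role == "admin" and mfa_verified

    def store(self, pii: dict, actor: str) -> str:
        """Store PII and return the opaque token the CRM is allowed to keep."""
        token = secrets.token_urlsafe(16)
        self._records[token] = dict(pii)
        self._audit("store", token, actor, True)
        return token

    def read(self, token: str, actor: str, role: str, mfa_verified: bool) -> dict:
        ok = self._authorised(role, mfa_verified) and token in self._records
        self._audit("read", token, actor, ok)       # denied attempts are logged too
        if not ok:
            raise AccessDenied(f"{actor} may not read {token}")
        return dict(self._records[token])

    def erase(self, token: str, actor: str, role: str, mfa_verified: bool) -> dict:
        """Policy-driven erasure: delete the record, keep only a hash as proof."""
        ok = self._authorised(role, mfa_verified) and token in self._records
        self._audit("erase", token, actor, ok)
        if not ok:
            raise AccessDenied(f"{actor} may not erase {token}")
        digest = pii_digest(self._records.pop(token))
        return {"token": token, "pii_sha256": digest,
                "erased_at": datetime.now(timezone.utc).isoformat()}

    def verify_log(self) -> bool:
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = ""
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if entry["hash"] != expected:
                return False
            prev = expected
        return True

def crm_record(contact_id: str, token: str, outcome: str) -> dict:
    """What the CRM stores: the token and the KYC outcome, never the PII itself."""
    return {"contact_id": contact_id, "kyc_token": token, "kyc_outcome": outcome}
```

An in-memory log can still be tampered with by whoever holds the process; in practice the chain head would be copied to write-once storage so the verification has something independent to compare against.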

Third‑party and supplier compliance management

Suppliers, contractors and other third parties can widen your exposure if their practices don’t meet your obligations. ISO 37301 expects your compliance management system to extend controls to outsourced processes, and board‑level policies should be communicated to third‑party service providers. Treat this as part of core operations: apply a risk‑based approach, verify before you trust, monitor continuously, and use the same complaint, audit and corrective‑action rigour you apply internally.

  • Risk tiering: Classify vendors by criticality, data access and jurisdiction; map applicable obligations to each tier.
  • Due diligence: At onboarding and periodically, check licences, sanctions, information security and privacy posture; record evidence.
  • Contracts that bite: Include compliance warranties, right‑to‑audit, breach‑notification timeframes, data‑processing and sub‑processor controls, and flow‑down obligations.
  • Ongoing oversight: Collect KRIs/KPIs, attestations and control evidence; route third‑party incidents and complaints through standard workflows.
  • Remediation and exit: Enforce corrective‑action plans with owners and deadlines; escalate non‑remediation; offboard securely with defined retention/erasure.

Australian context: TPB, AUSTRAC AML/CTF and privacy obligations

In Australia, your compliance management system should align with AS ISO 37301 and map concrete statutory obligations into day‑to‑day controls. For professional services and accounting firms, that means capturing Tax Practitioners Board (TPB) requirements for registered practitioners, AUSTRAC’s AML/CTF regime for designated services, and the Privacy Act 1988 including the Australian Privacy Principles (APPs) for handling personal information—then evidencing how policies, training and monitoring meet those obligations.

  • TPB (tax practitioners): Include TPB registration and conduct obligations; define client‑onboarding checks, staff responsibilities and documented evidence paths.
  • AUSTRAC AML/CTF: Implement risk‑based KYC/CTF programs, ongoing customer due diligence, transaction monitoring and suspicious matter reporting—tested and audit‑ready.
  • Privacy Act & APPs: Apply data minimisation, lawful collection and secure handling of PII with role‑based access and recorded training/attestations.
  • Sector add‑ons (financial services): Where applicable, align with APRA standards such as CPS 220 (risk management) and CPS 234 (information security).

An integration‑first approach makes this practical: trigger KYC/AML from your CRM and write results back as evidence, while a privacy layer keeps raw PII out of the CRM and accessible only to MFA‑authenticated admins—meeting AML/CTF and privacy expectations without adding another standalone tool.

Implementation roadmap: set‑up steps and timelines

Use a phased, risk‑based rollout aligned to ISO 37301 so you deliver controls quickly without losing rigour. The sequence below is indicative; duration depends on size, complexity and regulator exposure. Anchor each phase with owners, artefacts and evidence so you can demonstrate governance, monitoring and corrective action from day one.

  1. Mobilise governance, scope and roles (Weeks 0–2)
  2. Build obligations register and risk assessment (Weeks 2–6)
  3. Draft and approve policy, procedures and control catalogue (Weeks 4–8)
  4. Enable tech: CRM‑first workflows, MFA, evidence hub (Weeks 6–10)
  5. Train, pilot, test controls, fix gaps (Weeks 8–12)
  6. Go‑live, report to board, audit and improve (Week 12+)

Common pitfalls and how to avoid them

Most breakdowns in compliance management systems aren’t about intent; they’re about execution. Teams write good policies, then fail to embed them into day‑to‑day work, keep obligations current or produce audit‑ready evidence. Avoid the usual traps by hard‑wiring governance, automation and assurance into routine operations.

  • Policy over practice: Embed controls in processes; train roles; verify with tests.
  • No board ownership: Set oversight cadence, metrics and escalation; appoint an empowered compliance lead.
  • Static obligations register: Schedule reviews; track regulator updates; link changes to controls and training.
  • Siloed tools and brittle integrations: Use productised, CRM‑native workflows; minimise re‑keying; standardise evidence capture.
  • Evidence and incident gaps: Centralise records, logs and root‑cause actions; assign owners and due dates.

Right‑sizing a CMS for SMEs and growing firms

SMEs don’t need enterprise GRC stacks. ISO 37301 is designed to scale, so right‑size your compliance management system by applying proportionate, risk‑based controls. Prioritise obligations that carry real penalties or service disruption, keep documents simple, automate inside existing tools, and control costs with productised, CRM‑native checks and a privacy layer.

  • Scope to material risks: focus on high‑impact obligations.
  • Automate the basics: approvals, attestations, KYC/AML from CRM.
  • Evidence by default: audit trails, owners, due dates.

Future trends: AI, TRiSM and regulatory change monitoring

AI is shifting compliance management systems from periodic checks to proactive, evidence‑rich assurance. Expect machine learning to flag anomalies in control activity, summarise incidents, and assist with obligation classification—backed by governance. AI TRiSM is becoming standard practice: maintain an inventory of AI uses, apply guardrails to workloads, monitor for drift and bias, and ensure auditability and oversight. Regulatory change monitoring is accelerating too, with automated updates proposing impacted policies/controls and routing reviews with citations.

  • AI‑enabled monitoring: Near real‑time alerts on control failures and suspicious patterns.
  • TRiSM essentials: Inventory, guardrails, lineage, human‑in‑the‑loop, incident playbooks.
  • Reg‑change intelligence: Auto‑update obligations registers and trigger approvals.
  • Privacy‑first automation: PII minimisation, role‑based access, MFA and immutable logs.

Quick checklist for launching or upgrading your CMS

Use this quick checklist to launch a new compliance management system or lift the maturity of an existing one. It reflects ISO 37301’s risk‑based approach and the governance, controls and evidence themes above. Tick each item and retain artefacts to stay audit‑ready.

  • Board mandate set
  • Obligations register live
  • Policies/controls approved
  • Training and attestations complete
  • Monitoring and audit plan agreed

Final thoughts

A practical CMS is less about binders and more about evidence‑backed behaviours. ISO 37301 gives you the structure; governance gives you pace; a live obligations register points the controls; training, monitoring, audits and corrective action keep you trustworthy; and integration‑first tech makes it all effortless in daily work. The result is fewer surprises, faster onboarding and demonstrable compliance when regulators or customers come calling.

If you’re ready to embed client onboarding and KYC/AML checks directly in your CRM—with PII safeguarded and outcomes written back for audits—take an integration‑first path with StackGo. Start small, prove value fast, and scale with confidence.
