ISO 37000 (ISO 37000:2021, Governance of organizations: Guidance) is the first international standard written specifically for the governance of organisations. It applies to any organisation regardless of type, size or sector. It does for organisational governance roughly what ISO 9001 did for quality management, providing a structured set of principles and practices with international recognition, with one caveat: ISO 9001 is a certifiable management system standard, whereas ISO 37000 is guidance only. Most boards have not heard of it. The standard is underused partly because corporate governance has historically been shaped by national codes (UK Corporate Governance Code, German Corporate Governance Code, ASX Corporate Governance Principles and Recommendations), and partly because ISO's contribution to governance has been quieter than its contribution to management systems.
What ISO 37000 Actually Contains
The standard is built around eleven governance principles: purpose, value generation, strategy, oversight, accountability, stakeholder engagement, leadership, data and decisions, risk governance, social responsibility, and viability and performance over time. Purpose is the primary principle; the others are grouped as foundational and enabling principles. Each principle is stated with its intended outcomes and the practices that support it. The structure is not original, since most national governance codes cover similar ground, but the synthesis is concise, internationally recognised, and applicable beyond the listed companies that most national codes target.
Where the Standard Adds Something
For organisations that are not listed companies (privately held businesses, non-profits, public sector entities, cooperatives) national governance codes often do not apply directly. ISO 37000 provides a recognised framework that fits these organisations. For multinational organisations operating across jurisdictions with different national codes, it provides a common spine. For organisations in regulated sectors where governance evidence matters, it offers an internationally published reference that can be cited when explaining how governance is structured, although it carries no regulatory status of its own and no regulator is obliged to accept it. The contribution is not novel theory; it is concrete applicability where national codes fall short.
Why Boards Should Care
Boards spend meaningful time on governance topics: risk oversight, strategy review, succession, regulatory compliance, stakeholder relationships. Most do so without a structured framework for what good governance actually requires across all of these dimensions. ISO 37000 provides that structure, a brief and internationally credible reference that organises board responsibilities and gives directors a defensible basis for evaluating whether they are doing the job they are meant to do.
A useful framing: directors typically read national governance codes once at appointment and refer to them only under specific circumstances afterwards. ISO 37000 is short enough to be re-read periodically as a check on whether the board's practice meets the standard. That brevity makes it usable in a way that comprehensive governance manuals are not. Used as a periodic self-assessment tool, it can surface governance gaps before they turn into regulatory or reputational issues.
How to Use the Standard in Practice
For new boards or boards revisiting their governance framework, ISO 37000 can serve as the structured starting point — the principles map directly to the topics a board needs to address, and the practices provide a baseline for what good looks like. For established boards, the standard works well as an annual self-assessment reference — review each principle against current practice, identify where the board's actual behaviour is weaker than the standard implies, and target improvement deliberately. The standard is not certifiable, but it does not need to be to be useful.
Relationship to Other Governance Frameworks
ISO 37000 does not replace national governance codes for listed companies; the codes carry legal or listing-rule weight that an international guidance standard does not. It complements them by providing a broader framework for organisations the codes do not directly cover, and by providing a common reference for multinational organisations. For organisations holding ISO 37301 (compliance management systems, which is certifiable) and considering deeper governance maturity, ISO 37000 sits above 37301 at the principles level. For organisations focused on IT governance specifically, ISO/IEC 38500 (governance of IT for the organization) sits alongside it as the IT-specific application of the same governance discipline.