Your Guide to ISO 37002: Building Comprehensive Whistleblowing Systems
Apr 2024


In 2021, the International Organisation for Standardisation (ISO) published ISO 37002, a new standard defining a clear framework for internal whistleblowing systems. As a global standard, ISO 37002 guides businesses across all industries in establishing effective whistleblowing systems and strategies. 

Building on previously published compliance frameworks (like ISO 37302), ISO 37002 provides the first truly comprehensive approach to whistleblowing. Additionally, while whistleblowing regulations focus primarily on whistleblower protections, ISO 37002 clearly defines how organisations can establish a well-functioning, compliant whistleblowing program. 

ISO 37002 standardizes whistleblowing management systems in four key ways:

  1. Receiving reports of wrongdoing
  2. Assessing reports of wrongdoing
  3. Addressing reports of wrongdoing
  4. Concluding whistleblowing cases

Join us as we take a deep dive into the specifics of ISO 37002, including potential business impacts and how you can implement the standard at your business. 

The Three Guiding Principles of ISO 37002

Throughout every aspect of the whistleblowing system described in ISO 37002, the standard emphasizes the importance of three guiding principles — trust, impartiality, and protection.

To better understand the purpose and scope of ISO 37002, let’s examine these principles more closely:

  • Trust: Trust is essential for encouraging whistleblowers to come forward with information about misconduct or wrongdoing within an organization. For a whistleblowing system to be successful, whistleblowers must correctly perceive that their reports will be taken seriously, investigated thoroughly, and addressed appropriately by management. Without trust, individuals may be reluctant to report concerns due to fear of retaliation or skepticism about the process.
  • Impartiality: Impartiality ensures that whistleblowing investigations are conducted objectively and without bias. In all whistleblowing cases, organisations should consider the benefit of employing an external investigator to conduct whistleblowing investigations. Doing so ensures all reports are handled fairly and equally, regardless of the individuals involved or their positions within the organization. An impartial whistleblowing system fosters confidence in the integrity of the process and helps to prevent conflicts of interest from influencing outcomes.
  • Protection: Ensuring proper protections within a whistleblowing system is crucial for safeguarding whistleblowers from retaliation or victimization as a result of their disclosures. Whistleblowers often face risks, such as harassment, job loss, or damage to their reputation, for speaking out against wrongdoing. In the worst cases, whistleblowers can even face threats to their life and well-being if their identity is not properly protected. Protecting whistleblowers not only upholds their rights but also encourages others to report misconduct without fear of reprisal.

By prioritizing trust, impartiality, and protection within whistleblowing systems, organisations can create an environment where employees feel empowered to raise concerns. These three principles help guarantee that organisations can address wrongdoing effectively and uphold strong ethical standards.

The Business Impact of ISO 37002

When wrongdoing occurs at a business, that business’s employees are the most likely parties to first become aware of misconduct. How an organisation approaches and manages internal whistleblowing processes can massively influence the outcome of an incident or investigation. 

While some regulatory steps have been taken to increase oversight of whistleblowing — such as the EU Whistleblowing Directive — there’s still a long way to go in terms of regulatory change. 

As it stands now, how an organisation handles the establishment and maintenance of a whistleblowing system often comes down to a voluntary choice. ISO 37002 aims to make this choice easier to achieve, while simultaneously helping businesses in more heavily regulated regions fulfill compliance obligations. 

ISO 37002 is designed to help businesses achieve five main outcomes:

  • Encouragement and facilitation of whistleblowing reports
  • Support and protection for whistleblowers and other involved parties
  • Timely resolutions for whistleblowing reports 
  • Improved organisational culture and governance
  • Reducing the risks of wrongdoing within the organisation

For businesses across all industries, the benefits of these outcomes can be immense. Not only does a comprehensive whistleblowing system allow early identification of potential misconduct but it also enables businesses to take action and minimize negative impacts more quickly. 

In terms of reducing the risk of misconduct, establishing a clear and thorough whistleblowing program can attract personnel committed to the core values of trust, impartiality, and protection. Businesses can, in turn, establish a well-documented culture of transparency and integrity that can be showcased to customers, shareholders, and regulators alike. 

Additionally, organisations can further build internal and external trust by establishing an effective whistleblowing management system. By demonstrating leadership commitment, encouraging early reporting, and preventing abuse toward whistleblowers, businesses build a foundation of integrity and accountability that contributes to overall business resilience. 

Is ISO 37002 a Legal Requirement? 

The ISO is an independent organisation unaffiliated with any one government — not a regulatory body.

The ISO develops its standards through partnerships with representatives from the different member countries of the ISO. Together, these representatives compare their national standards to achieve universally recognized standards for a broad range of products, services, and processes.

Since the ISO is not a regulator, the standards it publishes are not mandatory. However, ISO standards often enable organisations to meet other regulatory requirements more easily.

For example, the EU Whistleblowing Directive puts forth a variety of different obligations for affected businesses to fulfill, such as the duty to inform the relevant authorities of internal reporting processes. By implementing the ISO 37002 standard, organisations can establish a clear, well-documented framework for receiving, assessing, addressing, and concluding whistleblowing reports. This system can be easily shared with regulatory authorities to prove organisational compliance with specific legal obligations.


ISO 37002 in Action: The Four Pillars of Standardisation

Earlier, we briefly discussed the four ways ISO 37002 standardizes whistleblowing — receiving, assessing, addressing, and concluding reports. 

These four applications of ISO 37002 form the pillars of the standard, enabling a truly comprehensive approach that adheres to the values of trust, impartiality, and protection. 

Here’s an overview of what each of these four pillars entails:

  1. Receiving Reports: The ISO 37002 framework defines that a whistleblowing system should specify how reports can be made and received. In this framework, the organisation is responsible for implementing secure, visible, and accessible reporting channels, with at least one channel connecting to a distinct authority outside of the management hierarchy. 
  2. Assessing Reports: The framework dictates that whistleblowing systems must have a clear and consistent process for assessing received reports. An organisation’s reporting process needs to ensure impartial assessment and management of reports. Additionally, any assessment-related decisions should be well-documented. 
  3. Addressing Reports: Under the ISO 37002 framework, the management of whistleblowing reports should be as efficient as possible while still addressing the full scope of the report. To accomplish this, all investigations must be adequately resourced, with clear terms of reference and well-defined and well-documented scope. When addressing whistleblowing reports, proper protections for whistleblowers and other relevant parties must be upheld. 
  4. Concluding Whistleblowing Cases: An effective whistleblowing system following the guidelines of ISO 37002 should have a clear mechanism for resolving and closing whistleblowing investigations. This resolution process must include steps for issuing the investigation’s findings, collecting relevant feedback, and identifying controls or policies in need of improvement to prevent similar future incidents. 

Preparing for an ISO 37002 Implementation

Implementing the ISO 37002 standard requires a mixture of current policy analysis and new whistleblowing program policies. Per the official standard, organisations need to address their existing policies, processes, and functions to determine the scope of updating their existing program in accordance with ISO 37002. 

Key tasks when preparing for an ISO 37002 implementation include:

  • Assuring the new whistleblowing system can achieve the desired results
  • Setting up specific channels for submitting whistleblowing reports
  • Defining clear support mechanisms and processes for whistleblowers
  • Establishing an efficient report management process
  • Improving organisational culture surrounding reporting and transparency
  • Evaluating the effectiveness of newly implemented actions in the whistleblowing process
  • Addressing instances when misconduct has been reported externally
  • Ensuring participation from all relevant parties within the organisation
  • Enabling the collection of feedback from whistleblowers

As a whole, ISO 37002 outlines several key characteristics for whistleblowing program objectives. When designing and implementing a whistleblowing program, organisations must ensure that the resulting whistleblowing management system has:

  • Consistency with all relevant whistleblowing policies
  • Measurable performance metrics when applicable
  • Accountability with all applicable requirements
  • Regular monitoring and evaluations
  • Clear channels of communication
  • Regular updates and revisions
  • Early detection capabilities

The whistleblowing system should also be readily available through documented information, such as who is responsible for specific functions in the system or what resources the organisation leverages to operate the whistleblowing system. 

Avoiding Disaster with a Comprehensive ISO 37002 Whistleblowing Program 

Comprehensive whistleblowing programs offer essential support for businesses to maintain integrity.

The ISO 37002 standard provides a well-defined, structured mechanism for organisations to establish a thorough whistleblowing management system. This standard not only ensures that a whistleblowing program operates smoothly but also that it aligns with different global whistleblowing regulations.

While whistleblowing may not be widely or globally regulated yet, the rise of regulations like the EU Whistleblowing Directive reveals shifting regulatory priorities. As regulators home in more closely on whistleblowing system management, ISO 37002 serves as a crucial resource for achieving a streamlined and highly effective program that reduces the risk of misconduct and safeguards whistleblowers.

Ensure Whistleblower Safety with Confide

As ISO 37002 brings a new era of standardisation to whistleblowing, finding whistleblowing software you can rely on is key. With Confide’s end-to-end whistleblowing platform, you gain the tools and resources necessary to identify misconduct early and take a proactive approach to whistleblowing.

Should a case of misconduct occur, Confide provides your organisation with secure reporting channels and total whistleblower anonymity to enable you to handle the incident internally. If you are recovering post-scandal, Confide helps you prove to regulators and stakeholders alike that you have taken the necessary steps to improve your whistleblowing system. 
