ISO 37002 & Certification FAQ: Whistleblowing Management System

Learn about ISO 37002 and what makes an effective whistleblowing management system. See how your organisation can meet international standards and improve its organizational culture.

ISO 37002

ISO 37002 is an international standard that provides clear guidelines for establishing, implementing, and maintaining a whistleblowing management system within organisations.

The standards assist organisations to create a safe and effective environment for reporting wrongdoing, protecting whistleblowers and ensuring proper handling of reports.

ISO37002 is based on three core principles, trust, impartiality and protection:

Trust: The whistleblowing system should be designed and operated in a manner that instills trust in the process and the organisation's commitment to addressing reported concerns.
Impartiality: The system should ensure that all reports are handled fairly, objectively, and without bias, regardless of the identity or position of the whistleblower or the person(s) involved in the alleged wrongdoing.
Protection: The organisation must take appropriate measures to protect whistleblowers from victimisation (i.e. any form of retaliation, discrimination or harassment) as a result of their reporting.

ISO37002 was designed to be adaptable to a range of organisations and business types, irrespective of the nature, size, geography, and jurisdiction of the organisation.

ISO 37002 is a Type B standard, meaning it provides guidance and recommendations rather than specific requirements for certification. Instead, organisations can use the ISO 37002 standards as a tool to benchmark their existing whistleblowing management system or to develop a new one aligned with international best practices.

ISO 37002 is closely related and can fulfill requirements in Type A ISO standards:

ISO 37001: Anti-bribery Management Systems is a standard that helps organisations prevent, detect, and address bribery and other forms of financial crime. It provides a framework for implementing an effective anti-bribery management system, which includes policies, procedures, and controls to mitigate bribery risks.

By establishing a whistleblowing system, organisations can encourage employees and other stakeholders to report suspected instances of bribery and financial crime. This increased reporting can help organisations detect and address these issues more effectively, reducing the risk of legal and reputational damage.
ISO 37301: Compliance Management Systems offers a framework to design, implement, evaluate, maintain, and enhance a robust compliance management system within an organization. It helps organisations ensure that they are meeting their legal and regulatory obligations, as well as their own internal policies and procedures.

A secure whistleblowing system can serve as an early warning mechanism, allowing organisations to identify and address potential compliance issues before they escalate into more serious problems.

It is also closely related to a number of important guidance standards under the umbrella of ISO/TC 309 Governance of Organizations:

ISO 37008: Internal Investigations of Organizations is a new international standard that provides guidance on planning and scoping an internal investigation, collecting and preserving evidence, interviewing witnesses, and reporting findings.
ISO 31000: Risk Management offers organisations a set of guidelines, frameworks, and processes designed to improve risk management strategies.

The related standards can be used in conjunction with ISO 37002 to create a comprehensive framework for promoting ethical behavior, best practices and compliance within organisations committed to good governance.

ISO 37002 is not a replacement for applicable whistleblowing legislation.

While the guidelines are generally consistent with Australian requirements, they do not replace compliance with specific local laws.

As an international standard, ISO 37002 offers a comprehensive set of guidelines for managing a whistleblowing system. It acknowledges the needs of organisations to tailor their systems to their unique business and regulatory contexts. However, the stringent Australian legal requirements for whistleblower protections necessitate more rigorous processes than those suggested in the guidelines.

What is the purpose of ISO 37002?

The development of ISO 37002 was driven by the changing whistleblowing landscape in recent years. High-profile cases have prompted the introduction of new whistleblower protection regulations and legislation across the globe, leading organisations to reevaluate the effectiveness of their internal reporting systems.

Many employees still face barriers to reporting misconduct within their organisations. Despite an increased awareness about the importance of speaking up, many employees still face barriers to whistleblowing, such as:

Distrust in the organisation's ability to respond to reports effectively
Uncertainty about whether the organisation will take a report seriously
Doubt that information will be treated in a confidential manner
Fear of victimisation or retaliation

Adopting ISO 37002 allows organisations to show their dedication to ethical practices, transparency, and accountability. This standard serves as a strategic tool, reassuring stakeholders of the organisation's proactive efforts to prevent, identify, and resolve issues related to misconduct and safety.

In the event of an investigation, adherence to ISO 37002 may also be taken into account as evidence that an organisation has taken proactive measures to identify and mitigate wrongdoing while protecting whistleblowers and other stakeholders.

Key aspects of ISO 37002

Some key aspects addressed in ISO 37002 include:

Developing a clear whistleblowing policy
Establishing secure and confidential reporting channels
Defining roles and responsibilities for managing the WMS
Investigating and addressing reports of wrongdoing
Protecting whistleblowers from retaliation
Providing training and communication to employees and stakeholders

The table of contents and introduction can be read here.

Whistleblower Management Systems based on ISO 37002 standards, like Elker

How to implement an effective whistleblowing management system based on ISO 37002 standards

Developing an effective whistleblowing management system with ISO 37002 involves a systematic, step-by-step approach. Below is a guide to help organisations create a robust WMS that aligns with these standards.

1. Assess current practices and identify gaps

Begin by evaluating your organisation's existing whistleblowing policy, practices and procedures. Identify any gaps or areas for improvement in relation to the guidelines provided in ISO 37002. This assessment will help you determine the scope of work required to align your WMS with the standard.

2. Develop a comprehensive whistleblowing policy

Create a clear and comprehensive whistleblowing policy that outlines the purpose, scope, and procedures of your WMS. The policy should:

Define what constitutes reportable wrongdoing
Explain how to make a report
Emphasise the organisation's commitment to protecting whistleblowers and other interested parties from retaliation
Outline the investigation process and potential outcomes
Ensure that the policy is easily accessible and communicated to all employees and relevant stakeholders.

3. Establish secure reporting channels

Provide multiple secure and confidential channels for individuals to report suspected wrongdoing, such as:

Dedicated hotline
Web-based reporting platform
Email address
In-person reporting to designated personnel

These channels should be designed to ensure the confidentiality and, if desired, anonymity of the whistleblower, and to protect the information provided.

4. Define roles and responsibilities

Clearly define the roles and responsibilities of individuals involved in managing the WMS, including:

Whistleblowing coordinator or committee
Investigators
Senior management
Board of directors

Ensure that these individuals have the necessary skills, training, and resources to effectively carry out their duties.

5. Implement robust investigation procedures

Establish well-defined procedures for assessing, investigating, and addressing reports of wrongdoing in a proper and timely manner. This should involve:

Trained and impartial personnel
Consistent investigation protocols
Documentation and reporting requirements
Corrective action and follow-up measures

6. Protect whistleblowers from retaliation

Put in place strong measures to protect whistleblowers from any form of retaliation, discrimination, or harassment as a result of their reporting. This may include:

Confidentiality and anonymity provisions
Anti-retaliation policies and procedures
Disciplinary action against those who engage in retaliatory behavior

Regularly communicate these protections to employees and demonstrate the organisation's commitment to supporting whistleblowers.

7. Provide training and communication

Develop and deliver regular training and communication programs to ensure that all employees and relevant stakeholders understand:

The importance of reporting wrongdoing
How to make a report
Their rights and protections as whistleblowers
The organisation's commitment to ethical behavior

Training should be tailored to different roles and responsibilities within the organisation and reinforced through ongoing awareness campaigns.

8. Monitor, review, and improve

Continuously monitor the performance of your whistleblowing system and conduct regular reviews to identify areas for improvement. This may involve:

Analysing reporting data and trends
Seeking feedback from whistleblowers and other stakeholders
Conducting internal audits or assessments
Benchmarking against industry best practices

Use these insights to make necessary adjustments and enhancements to your WMS, ensuring that it remains effective and aligned with ISO 37002 guidelines.

By following these steps and adhering to the principles of trust, impartiality, and protection, organisations can establish a robust and effective WMS that encourages the reporting of wrongdoing, protects whistleblowers, and promotes a culture of integrity and ethical behavior.

How Elker can help your organisation align with the ISO 37002 standard

Elker is a whistleblowing system featuring the highest grade security, consistent with ISO 27001 standards. Elker features:

Anonymous reporting tools: encourage employees to report concerns with encrypted messaging
Pulse surveys: collect anonymous employee feedback
Response templates and guidance: assessing critical disclosures without compromising the identity of the reporter
Comprehensive case management tools: small companies to large corporations can efficiently manage cases
Real-time analytics and reporting dashboard: identify trends and risks in real-time
Compliance regulations: For Australian organisations, Elker assists with compliance with the Corporations Act 2001, Sex Discrimination Act 1984 (positive duty), Fair Work Act 2009, the new Aged Care Act and more.

By partnering with Elker, organisations can streamline the implementation of an effective whistleblowing system that meets the ISO 37002 standard.

For more information how Elker can assist your organisation, send us a message. For a look at all the features on offer, book a demonstration of the platform.

Frequently asked questions

What is ISO 37002?

ISO 37002 is a voluntary standard developed by the International Organization for Standardization (ISO) Technical Committee 309, providing guidelines for effective whistleblowing management systems based on the principles of trust, impartiality and protection.

Who developed ISO 37002?

ISO 37002 was proposed and developed by International Organization for Standardization Technical Committee 309 for the Governance of Organizations. Created in 2016, the committee oversees standardisation in the governance, accountability, sustainability and control of organizations.

When was ISO 37002 published?

ISO 37002 was published on July 14, 2021.

How can I get ISO 37002 certification?

ISO 37002 certification is not possible because it is a Type B (guidance) standard, meaning that it provides guidance on whistleblowing systems without the purpose of certification. More information about the type of standards can be found here.

What is the cost of ISO 37002?

The cost of obtaining the ISO 37002 standard document can vary depending on factors such as your location, the distributor, and the format of the document (e.g., electronic or hard copy).

As of April 2024, the cost of ISO 37002:2021 from the Standards Australia website is $159.48 AUD or from ISO directly for 151 Swiss Francs.

Is there an ISO 37002 PDF free download?

Unfortunately, there is no ISO 37002 PDF free download as it is not publicly available. To ensure accuracy and effectiveness, purchase the official document from ISO or an authorised distributor.

What are the benefits of ISO 37002?

Implementing ISO 37002 can have a positive impact on organizational culture. By establishing secure and anonymous reporting channels, businesses can detect and address misconduct, fraud, and harassment more effectively. Adhering to ISO 37002 demonstrates a commitment to ethical practices and whistleblower protections, enhances trust among stakeholders, and leads to improved risk management within the organisation. The standard is adaptable for organisations of any type, size, or nature, from large corporations to organisations in the not-for-profit sectors.

How do you get ISO certified?

ISO does not perform certification. There are a number of certification bodies, external to ISO, that assess and certify organisations. The certification bodies adhere to the standards of assessment.

What laws protect whistleblowers?

In the European Union, the EU Whistleblowing Directive mandates the use of internal reporting channels for large organisations as well as providing comprehensive protections for whistleblowers. In Australia, the Corporations Act has broad whistleblower protections. More recently, changes to the Sex Discrimination Act in the Respect at Work Bill protect anyone who reports sexual harassment, discrimination and other misconduct internally.