ISO 37002:  Building up a whistleblowing management system with Ethicontrol

ISO 37002:2021 is an international standard that provides guidelines for establishing, implementing, and maintaining a whistleblowing management system.

Designed to help organizations handle reports of wrongdoing effectively, ISO 37002 is based on three fundamental principles: trust, impartiality, and protection.

For what: By following these guidelines, organizations can create a safe environment for whistleblowers, ensure reports are managed properly, and mitigate misconduct-related risks.

For whom: The standard applies to all organizations, regardless of size, sector, or jurisdiction. It supports compliance with legal requirements, enhances ethical governance, and fosters a culture of transparency.

Implementing ISO 37002 strengthens internal reporting mechanisms and reassures employees and stakeholders that their concerns will be addressed fairly.

Key principles of ISO 37002

The effectiveness of a whistleblowing management system depends on its adherence to the core principles outlined in ISO 37002:

• Trust: The system must inspire confidence among potential whistleblowers that their reports will be taken seriously, handled confidentially, and lead to appropriate action.

• Impartiality: Organizations must ensure that reports are assessed fairly, free from bias or conflict of interest. Investigations should be conducted independently and objectively.

• Protection: Whistleblowers and other involved parties should be safeguarded from retaliation, ensuring they do not suffer negative consequences for speaking up.

These principles underpin all aspects of the whistleblowing process, from receiving reports and assessing their validity to investigating and taking corrective action.

Organizations must ensure that whistleblowing procedures are accessible to all relevant stakeholders and that training is provided to employees and management on their roles in the process.

Key components of ISO 37002 include

• Receiving reports of wrongdoing – Organizations must establish accessible and secure channels for whistleblowers to report concerns confidentially.

• Assessing and investigating reports – Each report should be reviewed fairly, considering potential risks, with procedures in place for thorough, impartial investigations.

• Protecting whistleblowers – Organizations must implement measures to prevent retaliation and ensure the safety of whistleblowers and other affected parties.

• Concluding and learning from cases – Findings should lead to corrective actions, policy improvements, and ongoing monitoring to enhance the whistleblowing framework.

Ethicontrol complies with ISO 37002

Secure and accessible reporting channels

Requirement		Comment
Provide multiple confidential and anonymous reporting options (e.g., hotline, web platform, email, mobile apps).		Ethicontrol provides multiple channels for whistleblowers: web platform, hotline, email, web call, etc. Each channel has an anonymity option.
Ensure that at least one reporting channel is independent of management to prevent conflicts of interest.		All our reporting channels are independent of the company's management.
Maintain accessibility for different languages and disabilities​		The web portal offers support for multiple languages that are appropriate for the company's areas of operation.

 

Data protection and confidentiality

Implement strong encryption of communication channels		Ethicontrol does not collect or provide any information about reporters (tracking cookies, IP addresses, digital footprints) that can be used to trace or reveal their identity.
Access control to case details to protect whistleblower identities		Only employees involved in the investigation will see the case information. Others who are not involved will not see any details about this case or even know about its existence. For simplified rights management, the platform includes an intuitive interface for assigning and managing user roles and permissions.
Ensure whistleblower data is stored securely, with strict access restrictions.		Reporting channels are physically separated from case management. The intake portal and web room are located in a demilitarized zone, while case management can be protected with additional layers of security. In addition to internal controls, we undergo regular third-party penetration testing to assess and strengthen system security.
Comply with data protection regulations, including GDPR, if applicable.		We comply with GDPR, ISO 27001 Information security, and ISO 27701 Privacy management

 

Whistleblower protection measures

Prevent retaliation against whistleblowers through built-in monitoring and escalation mechanisms.		The escalation process allows the platform to bypass individuals who are part of the response team or hold top management positions in case they are accused of a violation.
Allow anonymous communication between whistleblowers and investigators.		Reporters can contact the investigation team anonymously in the web room.
Provide options for whistleblowers to track the progress of their reports​		Reporters can track the status of their report in the web room.

 

Reporting and documentation

Maintain detailed logs of all whistleblowing reports while ensuring confidentiality.		All user actions within the system are securely recorded in a detailed audit log, which can be filtered by key parameters such as date, case ID, lead investigator, category, or organizational unit.  To support compliance and oversight, we provide a dedicated auditor role with read-only access, allowing auditors to review cases without the ability to alter any data. Our platform also supports regular audits, ensuring alignment with both internal policies and external regulatory requirements.
Allow organizations to generate audit trails for compliance reviews.
Implement regular system audits to ensure effectiveness and compliance​		Ethicontrol offers comprehensive analytics for internal audits and ESG evaluations.

 

ISO 37002 compliance minimizes risks and protects the company

Implementing an ISO 37002-compliant whistleblowing system is more than just meeting regulations—it’s a strategic move to safeguard your company.

Here’s how compliance with ISO 37002 benefits your business.

Prevent financial and reputational damage

Early detection of fraud, corruption, and misconduct is critical for minimizing risk and protecting an organization’s financial health. Avoid substantial monetary losses, legal penalties, and operational disruptions. 

Save resources on investigations

A centralized, automated whistleblowing system eliminates inefficiencies in manual reporting and case tracking, freeing up resources.

Protect against retaliation claims

Clear policies and protective measures shield whistleblowers from retaliation, safeguarding organizations from costly employment disputes.

Improve transparency for investors and regulators

Demonstrating compliance with ISO 37002 reassures investors, regulatory bodies, and stakeholders that the organization follows best practices.

Better reputation & public trust

Demonstrate corporate responsibility and commitment to ethical business practices, strengthening brand credibility.