Whistleblowing regulation ISO 37002 - a milestone for 2021?



Another update and opportunity from ISO (International Organization for Standardization) — a complete guide on whistleblowing management systems 37002. What's inside, and is it worth buying?

The world of compliance is already acquainted with ISO standards, and it is well known for whistleblowing regulation as well. Still, it is only now that ISO follows best practices in whistleblowing laws worldwide and can offer a holistic approach for any company. We'll break it down for you from beginning to end: the purpose of ISO 37002, content, evaluation, and recommendations.


A promising line from ISO 37001 says that the standard is adjustable to a company of any size, sector, location, and business model. And it might be a good start since ISO 37002 has a clear direction toward values and corporate culture as primary goals - things we always advocate for in Ethicontrol. What will ISO 37002 help you to achieve?


  • Whistleblowing promotion - encourage and educate your employees
  • Protection from wrongdoings
  • Minimization of losses
  • Ethical governance demonstration
  • Timely and adequate reaction to any raised concerns

What's inside ISO 37002? 


Focus on Values

ISO 37002 isn't stuffed with as many technical details and schemes as we could expect. In contrast, much space is given to the foundation of whistleblowing in the company and the values that determine your organization's path. Three main values can be located: trust, impartiality, and whistleblower protection. If one is missing, the triad falls apart.

Leadership and management


The most important role in the whistleblowing system setup is assigned to management and leadership. However, regardless of the task, their objectives will always fit into a plan-do-check-act scheme. Among the primary functions and obligations are understanding the organization's context, mapping the scope of the whistleblowing management system, and understanding the needs and expectations of interested parties.

Just as in the EU Whistleblowing Directive, ISO 37002 defines what whistleblowing is and who can qualify as a whistleblower. If your goal is to comply with the Directive and get certified, ISO 37002 is a good fit. The main benefits of the standard are a precise focus and a thorough checkup of your company for compliance with all the requirements.

Is your organization new to compliance, or do you need an additional check? ISO offers a plan and strategy of communication and the scope of the whistleblowing system, guides you on the limitations of whistleblowing, and hints at the most important internal and external controls.



ISO 37002 is also about being consistent in various aspects of the life of an organization. Just a few examples: competence, continual improvement, monitoring, focus on the process, and documented information are named among the vital details of any corporate structure.



The biggest question for any organization which decides on a whistleblowing management system is the scope of concerns it can address. WMS can't and shouldn't be the only tool that resolves multiple corporate issues (unless the company's size doesn't allow other solutions).

Specific complaints should be directed to the HR department, audit, and board members directly - it depends on the nature of the complaint and the company's hierarchy. ISO 37002 does give guidance on this problem and stresses that both concerns derived from WMS and other sources have to be properly addressed if the WMS can't cover those.


Whistleblowers are important

The whistleblower protection strategy isn't new, but it is worth remembering. ISO 37002 looks after the interests of whistleblowers and introduces these key factors:

  • Accessible and user-friendly channels
  • Speak-up culture promotion
  • Protection from retaliation (and prevention of retaliation)
  • Impartial investigation
  • Sufficient resources for the functioning of WMS
  • Demonstration of leadership and support for whistleblowers

Management role


A whistleblowing management system requires competent personnel to work with it and be involved in its development in the first stages. We'll share one insight from ISO 37002 – the investigation process and whistleblower protection should always be delivered independently. In addition to that, management has to treat WMS as a live system with possible flaws and look for improvement: one of the tasks is to track the progress regularly and constantly provide advice and guidance to the personnel.

Follow the objectives


Continuing on the role of WMS management and decision-makers of the company, ISO advises establishing WMS in line with the existing procedures and policies of the company (and values, of course). Without conflicts of interest! 

The main task of an organization is to be a strategist and foresee the challenges which might result from WMS. Overall, dedicated personnel should plan how the company will address the risks and opportunities. And, finally, a few words about whistleblowing system objectives.

Once the objectives are established, the company has to evaluate and measure them, and also update and document them. Only then can the objectives be achieved. What is vital is that each objective has to include a responsible person, a specific deadline and results (which later are evaluated).


More and more reports


The way you deal with the reports shows your employees how much they can trust the process and motivates them to report. ISO foresees that and gives the following guidelines to increase the quality and the number of reports from employees:

Reports should always go through a Receive-Assess-Address-Conclude procedure. But there is more:

  • Obligatory feedback 
  • Updates on the status of a report
  • Information about the next steps of the investigation
  • Timely acknowledgment of the receipt
  • Thorough documentation, record-keeping, and data protection
  • Confidentiality is a priority
  • Trained personnel


It is only a tiny summary of what ISO 37002 highlights – we recommend following this standard if certification in compliance is essential for your organization and you didn't have a WMS before. Nevertheless, you can always begin with addressing the EU WB Directive, which also offers guidance but free of charge - ISO 37002 has many similarities, and the main concepts in both do look alike.