ISO 37002 Whistleblowing Standards

ISO 37002:2021, published in July 2021, provides international guidelines for establishing, implementing, maintaining, and improving whistleblowing management systems.

Developed by ISO Technical Committee 309 (Governance of Organizations), the ISO 37002:2021 standard offers comprehensive guidance helping organisations create effective whistleblowing arrangements based on three core principles: trust, impartiality, and protection. Unlike mandatory regulatory frameworks such as the EU Whistleblowing Directive, ISO 37002 is a voluntary guidance standard that organisations can adopt to demonstrate a commitment to ethical governance and to support compliance with applicable regulatory requirements.

For compliance officers navigating complex whistleblowing obligations, ISO 37002 provides valuable structure complementing legal requirements. The standard is applicable to all organisations regardless of type, size, nature of activity, or sector – public, private, or not-for-profit. Organisations can implement ISO 37002 as stand-alone guidance or integrate it with other ISO management system standards including ISO 37001 (Anti-bribery) and ISO 37301 (Compliance management).

For context on EU Directive compliance obligations, see our EU Whistleblowing Directive Compliance Hub.

What Is ISO 37002?

ISO 37002 is a Type B standard, meaning it provides guidelines rather than certifiable requirements. Organisations cannot achieve ISO 37002 “certification” as they can with ISO 37001 (anti-bribery) or ISO 37301 (compliance management). Instead, ISO 37002 offers best practice guidance that organisations apply according to their specific circumstances, size, complexity, and risk profile.

The standard addresses the complete whistleblowing lifecycle through four key steps:

Receiving reports of wrongdoing: Establishing accessible, secure channels enabling individuals to report suspected wrongdoing or risks. The standard emphasises that at least one reporting channel should connect to an authority outside the normal management hierarchy, ensuring independence.

Assessing reports of wrongdoing: Implementing clear, consistent processes for assessing received reports. Assessment must be impartial, well-documented, and conducted by individuals with appropriate expertise and authority.

Addressing reports of wrongdoing: Taking appropriate action on substantiated concerns, which may include investigation, remediation, disciplinary measures, process improvements, or referral to appropriate authorities.

Concluding whistleblowing cases: Bringing cases to proper closure with appropriate feedback to whistleblowers, documentation of outcomes, and learning from cases to improve the system.

The Three Core Principles

ISO 37002 is built on three fundamental principles that should permeate every aspect of a whistleblowing management system:

Trust

Trust is essential for encouraging whistleblowers to come forward with information about misconduct. Without trust that reports will be handled appropriately and that protection will be genuine, employees remain silent or report externally to regulators or media. Building trust requires:

  • Accessible reporting channels that are genuinely available and easy to use
  • Clear communication about how reports are handled and what protection is available
  • Visible leadership commitment demonstrated through consistent action on concerns
  • Evidence that previous whistleblowers were protected, not victimised
  • Transparent processes enabling whistleblowers to understand what happens to their reports

Research consistently demonstrates that greater employee trust in the organisation increases the likelihood of internal reporting. Conversely, when trust is absent, employees either remain silent or bypass internal channels, denying organisations the opportunity to address concerns before they escalate.

Impartiality

Impartiality ensures that reports are assessed and investigated fairly, without bias toward any party. This requires:

  • Independence from conflicts of interest in those handling reports
  • Objective assessment based on evidence rather than preconceptions
  • Fair treatment of both whistleblowers and subjects of allegations
  • Decisions based on facts rather than organisational politics or personal relationships
  • Consistent application of standards across all reports regardless of who is involved

In our 25 years supporting organisations with whistleblowing arrangements, we observe that impartiality is particularly challenging when concerns implicate senior management or challenge accepted practices. Professional independence – whether through external providers or properly structured internal functions – is essential for maintaining credible impartiality.

Protection

Protection addresses measures preventing and responding to retaliation against whistleblowers and supporting them throughout the process. Effective protection requires:

  • Confidentiality of whistleblower identity maintained throughout processes
  • Clear anti-retaliation policies with visible enforcement
  • Support mechanisms helping whistleblowers navigate the process
  • Ongoing monitoring to detect and prevent retaliation
  • Swift, decisive action when retaliation occurs

The EU Whistleblowing Directive mandates protection measures with reversed burden of proof on retaliation. ISO 37002 provides guidance on implementing protection that meets and exceeds these legal requirements. How can businesses protect whistleblowers from retaliation? examines protection measures in detail.

Why ISO 37002 Matters

Voluntary Best Practice

Whilst the EU Whistleblowing Directive creates legal obligations for organisations operating in Europe, ISO 37002 provides voluntary guidance enabling organisations to exceed minimum compliance. Organisations adopting ISO 37002 demonstrate commitment to ethical governance beyond what regulation requires.

Complements Regulatory Requirements

ISO 37002 helps organisations meet the “spirit” as well as the “letter” of whistleblowing legislation. The EU Directive lists three speak-up channels where whistleblowers are protected – internally, to regulators, or to media. Organisations naturally prefer internal reporting, as this enables them to address concerns before external disclosure. By following ISO 37002 and building systems based on trust, impartiality, and protection, organisations increase the likelihood employees will speak up internally rather than externally.

Integration with Other Standards

ISO 37002’s harmonised structure enables integration with other ISO management system standards:

ISO 37001 (Anti-bribery): Whistleblowing systems support anti-bribery programmes by enabling reporting of suspected bribery and corruption. How do whistleblowing systems help meet anti-corruption requirements? explores this integration.

ISO 37301 (Compliance management): Whistleblowing provides essential detection capability for compliance management systems, enabling identification of compliance failures before they escalate.

ISO 31000 (Risk management): Whistleblowing data informs risk assessments, highlighting areas requiring enhanced controls or process improvements.

Integration enables organisations to harmonise practices, reduce documentation burden, and improve communication across governance functions.

Stakeholder Confidence

Adopting ISO 37002 demonstrates to stakeholders – investors, customers, regulators, employees – that the organisation takes whistleblowing seriously. This builds confidence in governance quality and can provide competitive advantage in tenders, improved ESG ratings, and enhanced reputation. What is the role of whistleblowing in corporate compliance? examines broader governance benefits.

Relationship with Regulatory Frameworks

ISO 37002 is not legally mandatory, but it complements mandatory requirements:

EU Whistleblowing Directive

Organisations implementing ISO 37002 will automatically meet most EU Directive requirements. The standard’s guidance on reporting channels, assessment procedures, protection measures, and case management aligns with and often exceeds Directive minimum standards. However, organisations must still ensure compliance with Member State-specific requirements, which vary across the 27 EU countries.

UK PIDA Framework

Whilst UK PIDA legislation does not mandate internal reporting channels (except in regulated sectors), organisations voluntarily adopting ISO 37002 establish arrangements exceeding PIDA’s baseline protection requirements. This positions them well for potential UK reforms including the proposed Office of the Whistleblower Bill.

Sector-Specific Regulations

Regulated industries including financial services face additional requirements from sector regulators. ISO 37002 provides a framework ensuring arrangements meet these heightened expectations whilst maintaining consistency across different regulatory domains.

Key Elements of ISO 37002 Implementation

Context of the Organisation

Organisations must understand their specific internal and external context, including size, complexity, geographic spread, regulatory environment, risk profile, and the needs and expectations of interested parties. This contextual understanding determines how ISO 37002 guidance is applied in a proportionate and effective manner.

For example, a multinational financial services firm will require a more complex whistleblowing management system than a small charity; however, both can apply the principles of trust, impartiality, and protection in a way that is appropriate to their context.

Leadership and Commitment

Top management, and where applicable the governing body, must demonstrate commitment to effective whistleblowing by establishing a whistleblowing policy, allocating adequate resources, ensuring independence, impartiality and protection, communicating the importance of whistleblowing across the organisation, and supporting the whistleblowing management function.

Without visible and sustained leadership commitment, whistleblowing systems fail to generate the trust necessary for their effectiveness.

Planning

Organisations must plan their whistleblowing management system by identifying risks and opportunities, setting objectives, and determining actions to achieve them. Planning includes defining the scope and operation of the system, such as the types of wrongdoing that can be reported, who is entitled to report (for example, employees only or broader stakeholder groups), the reporting channels available, how reports will be assessed and investigated, and what protection and support measures will be implemented. Planning should also take account of changes that may affect the effectiveness of the whistleblowing management system.

Operation

Operational elements of the whistleblowing management system include:

Receiving reports: Provision of multiple accessible reporting channels (e.g. telephone, online, written), clear communication on how to report concerns, multilingual capability where relevant, confidentiality and data protection controls, and anonymous reporting options where appropriate.

Assessing reports: Initial triage to determine seriousness and urgency, assessment of risks of detrimental conduct, assignment to independent and competent functions for investigation, documentation of assessment decisions, and timely acknowledgement of receipt to whistleblowers.

Addressing reports: Proportionate and impartial investigation procedures, gathering and evaluating relevant evidence, implementation of remedial actions where concerns are substantiated, disciplinary measures where appropriate, protection and support for whistleblowers and other affected parties, and process improvements to prevent recurrence.

Concluding cases: Communication of outcomes to whistleblowers where appropriate, formal documentation of case conclusions, and capture of lessons learned to support continual improvement of the whistleblowing management system.

Performance Evaluation

Organisations should monitor, measure, analyse, and evaluate the effectiveness of the whistleblowing management system. This includes using relevant qualitative and quantitative metrics such as report volumes and trends, reporting channel usage patterns, timeliness of responses, substantiation rates, and feedback from employees and other stakeholders on awareness, confidence, and trust in the system. Performance evaluation should also include internal audits and management review to ensure the whistleblowing management system remains effective, appropriate, and continually improved.

What is the role of whistleblowing in corporate compliance? discusses effectiveness measurement in detail.

Improvement

Continual improvement is fundamental to ISO 37002. Organisations should regularly review the effectiveness of their whistleblowing management system, identify opportunities for enhancement, and implement improvements based on performance evaluation results, lessons learned from whistleblowing cases, changing legal and regulatory requirements, and feedback from whistleblowers and other interested parties. Where nonconformities are identified, corrective actions should be taken to prevent recurrence and strengthen the system.

Benefits of ISO 37002 Adoption

Organisations implementing ISO 37002-based whistleblowing management systems benefit from:

Early wrongdoing detection: Systematic approaches to receiving and assessing reports enable identification of misconduct before it escalates into serious liability or reputational damage.

Improved governance: Demonstrating robust whistleblowing arrangements to boards, audit committees, regulators, and investors provides assurance about governance quality.

Regulatory compliance: Whilst voluntary, ISO 37002 helps organisations exceed mandatory requirements under the EU Directive, sector-specific regulations, and national legislation.

Reduced liability: Early detection and appropriate action on concerns reduces employment liability, regulatory fines, civil claims, and criminal prosecution risks. How can whistleblowing services help reduce workplace liability? examines liability reduction through effective whistleblowing.

Cultural improvement: Implementing systems based on trust, impartiality, and protection contributes to ethical organisational culture where speaking up is encouraged and wrongdoing is addressed appropriately.

Stakeholder confidence: Demonstrable commitment to ISO 37002 principles builds confidence among employees, investors, customers, and regulators.

What are the benefits of ISO-compliant whistleblowing systems? explores these advantages comprehensively.

Challenges in ISO 37002 Implementation

Organisations commonly encounter several challenges:

Resource allocation: Implementing comprehensive whistleblowing management systems requires investment in channels, training, investigation capability, and ongoing monitoring. Smaller organisations may struggle to justify resources, though the standard’s flexibility enables proportionate implementation.

Independence requirements: Maintaining impartiality and independence can be challenging, particularly in smaller organisations or when concerns implicate senior management. External providers can supplement in-house capability, providing independence when needed.

Cultural resistance: Some organisational cultures view whistleblowing negatively. Shifting culture to embrace speaking up as a positive contribution to governance requires sustained leadership commitment and visible action demonstrating that whistleblowers are valued and protected.

Integration complexity: Organisations with existing compliance, ethics, or risk management programmes must integrate whistleblowing appropriately without creating bureaucratic duplication or confusion about which channel serves which purpose.

How Safecall Supports ISO 37002 Implementation

Safecall’s whistleblowing services align with ISO 37002 principles and requirements:

Trust

Safecall supports trust in whistleblowing arrangements by providing a consistent, professional reporting experience at the point concerns are raised. Reports are received 24/7 by trained specialists with extensive experience in handling sensitive disclosures, enabling them to ask appropriate clarifying questions and accurately document concerns in a calm and professional manner.

Safecall’s role is limited to receiving and documenting reports. Quality assurance is applied to ensure information is captured clearly, completely, and neutrally before being securely transferred to the organisation. Responsibility for assessing, investigating, and addressing concerns remains with the organisation, supporting trust while preserving organisational accountability in line with ISO 37002.

Impartiality

As an external provider, Safecall provides independent whistleblowing intake, free from internal conflicts of interest. Safecall receives and documents reports, carrying out initial triage only to ensure appropriate routing, identify potential conflicts of interest, and capture complete and accurate information. Responsibility for managing, investigating, and resolving reports remains with the organisation.

Protection

Safecall supports whistleblower protection by ensuring confidentiality at the point of reporting and enabling anonymous reporting through secure systems that minimise the capture of identifying information. Telephone calls are not recorded, and technical identifiers such as IP addresses are not collected.

Safecall does not manage whistleblower protection on behalf of the organisation; responsibility for monitoring and responding to retaliation risks remains with the organisation. Safecall’s system enables organisations to document protection measures and demonstrate appropriate follow‑up.

Our case management software enables organisations to track protection measures, monitor whistleblowers’ situations, and demonstrate appropriate response to retaliation allegations.

Four-Step Process Support

Receiving: Our multichannel reporting provides telephone hotlines (24/7, 175+ languages), secure online reporting, and written submission options.

Assessing: Professional call handlers recognise serious concerns requiring immediate escalation whilst maintaining appropriate documentation standards.

Addressing: For complex cases, our independent investigation services provide expertise and objectivity meeting ISO 37002 expectations.

Concluding: Case management tools enable appropriate feedback to whistleblowers and documentation of outcomes supporting continuous improvement.

Integration with Broader Governance

ISO 37002 encourages organisations to view whistleblowing not as an isolated compliance requirement but as an integral governance mechanism. Effective integration requires:

  • Board-level oversight with regular reporting on whistleblowing metrics and themes
  • Connection to risk management enabling whistleblowing data to inform risk assessments
  • Links to compliance programmes where whistleblowing supports detection across multiple compliance domains
  • Coordination with internal audit providing intelligence supplementing audit planning
  • Alignment with ethics and culture initiatives reinforcing speak-up expectations

What is the role of whistleblowing in corporate compliance? examines these connections comprehensively.

Next Steps for Organisations

Organisations considering ISO 37002 adoption should:

  1. Assess current arrangements against the standard’s guidance on principles, processes, and practices
  2. Identify gaps where current systems fall short of ISO 37002 recommendations
  3. Determine proportionate implementation appropriate to organisational size, complexity, and risk
  4. Plan integration with existing management systems (compliance, anti-bribery, risk management)
  5. Allocate resources for channels, training, investigation capability, and ongoing monitoring
  6. Implement systematically, following the Plan-Do-Check-Act cycle ISO 37002 recommends to drive continual improvement
  7. Monitor effectiveness using metrics aligned with ISO 37002 outcomes
  8. Improve continuously based on experience, regulatory changes, and stakeholder feedback

For expert guidance on implementing whistleblowing management systems, contact Safecall on +44 (0) 191 516 7720 or visit our whistleblowing solutions page.

For related guidance, see how can companies comply with EU whistleblower protection directives, how do organisations manage whistleblower retaliation risk, and our EU Whistleblowing Directive Compliance Hub.