ISO 37002 - Whistleblowing management system
Most corporate wrongdoing is uncovered through internal reports, not through audits or external regulators. People close to the work see what auditors cannot, and they speak up when there is a channel worth speaking into. The EU Whistleblower Directive (2019/1937) made the legal obligation explicit across the bloc. What it did not do is tell organisations how to actually run a system that earns those reports, processes them fairly, and protects the people who file them. ISO 37002:2021, published by ISO/TC 309 on 27 July 2021, is the international standard built to fill exactly that gap. It is the operating manual to the Directive's legal floor.

What ISO 37002 actually is, and what it isn't
ISO 37002:2021 is a guidance standard for whistleblowing management. It tells organisations how to run a credible system; it is not certifiable itself. The closely related ISO 37301 (compliance management) is the certifiable parent.
The distinction between guidance and requirements matters: a guidance standard tells you how something should be done, but does not give certification bodies a checklist to audit you against. ISO 37002 is the substantive guidance that an auditable compliance posture leans on, even though it cannot itself be certified.
The standard adopts the harmonised ISO management-system structure shared with ISO 9001, ISO 14001, ISO 45001 and the rest of the family. That means ten clauses in a fixed order: Scope, Normative references, Terms, Context, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement. Anyone who has implemented an ISO management system before will recognise the skeleton; anyone who has not will find the structure makes the standard easier to integrate with whatever else the organisation already runs.
ISO 37002 is deliberately sector-agnostic and size-agnostic. The introduction states it can be applied by organisations regardless of type, size, nature of activity, and whether they sit in the public, private or non-profit sector. It is also voluntary in itself, although individual regulators or contracting authorities can make adherence a contractual condition.
Trust, impartiality, protection: the three load-bearing principles
Three words carry the weight of the entire standard: trust, impartiality, and protection. Clause 4.4 states that the whistleblowing management system should apply these principles and ensure appropriate feedback throughout the entire process. Every operational requirement in ISO 37002 traces back to one of these three; understanding them is understanding the standard.
Trust is defined as a perception that interested parties hold. Clause 5.1.2 puts it directly: "Trustworthiness of the whistleblowing management system depends on whether interested parties perceive that management is committed to the system and will follow procedures." That framing forces governing bodies and top management to demonstrate commitment visibly, build a speak-up / listen-up culture, and make multiple reporting channels accessible enough that an anxious employee does not have to choose between the channel and their job.
Impartiality runs through both assessment (clause 8.3) and investigation (clause 8.4). The standard requires that case handlers be qualified, fair to the business unit involved, fair to the subject of the report, and fair to the whistleblower. Where internal impartiality cannot be assured, ISO 37002 says investigations should be conducted by an independent capacity or external investigator. Decision-makers must be free of actual or potential conflicts of interest, with documented authority levels (clause 5.3.3).
Protection is the most layered of the three. It covers protection from detriment and retaliation, but also identity safeguarding, support measures (counselling, workplace adjustment, fair access to promotion and training), and a striking restitution principle in clause 8.4.3: where harm has already occurred, "the whistleblower should be restored to a situation that would have been theirs had they not suffered detriment." Protection continues after the case closes; the system is expected to monitor outcomes for the people who reported.
The four-step operational playbook (clause 8)
Clause 8 is the operational core of ISO 37002. It breaks whistleblowing operations into four sequential phases (Receive, Assess, Address, Conclude) and tells you what good practice looks like inside each. Programmes that skip any of the four either lose reports at intake or fail their reporters at closure; the four phases are not optional.

Receiving (8.2) covers the channels themselves: in-person, telephone, online, post, mobile app. The standard insists they be visible, accessible, and secure, and that they sit distinct from the normal management hierarchy so a report about a manager does not have to pass through that manager. Acknowledgement should be quick: clause 8.1 suggests "an immediate automated acknowledgement of receipt, followed by a personalised message within three working days." The Directive's seven-day window is the legal floor; ISO is asking you to do better.
Assessing (8.3), referred to as triage, is the phase that decides what happens next. Each report is sorted by likelihood and impact, with the decision documented. Assessors weigh whether the report falls inside the system's scope, whether external referral (police, regulator) is needed, whether evidence has to be preserved before notification, and whether the whistleblower faces an immediate risk of detriment.
Addressing (8.4) is the investigation phase, conducted under presumption of innocence and with three groups protected at once: the whistleblower, the subject of the report, and other relevant parties such as witnesses or family. Investigations must be impartial, adequately resourced, fair, robust, and confidential. The standard emphasises that securing and protecting evidence is itself a protection principle, not just an investigative technique.
Concluding (8.5) is the phase most weak whistleblowing programmes skip. It includes findings, any disciplinary action, communication back to the whistleblower, ongoing protection monitoring, feedback collection, and lessons learned that feed back into the next iteration of the system. Closure is documented, not implicit. When writing a real whistleblowing procedure, this four-phase framework is a more useful starting point than any single template.
Where ISO 37002 fills the gaps the Directive leaves
The EU Whistleblower Directive sets the legal floor: protected reporter categories, the seven-day acknowledgement, the three-month substantive feedback, prohibition of retaliation, reversal of the burden of proof. It is intentionally thin on the operational how. Three areas show the gap most clearly: anonymous reporting, case-handler competencies, and the breadth of conduct that counts as detriment.
ISO 37002 supplies the how. On anonymous reporting, clause 7.5.5 takes a clear-eyed position: organisations may permit it, but they must make whistleblowers aware that "anonymous reporting can limit the ability to both investigate and protect the individual," and define mechanisms that still allow communication where possible. The standard does not pick anonymity for you; it tells you what an honest implementation looks like either way.
On case-handler competencies, clause 7.2 lists eight qualities that personnel responsible for protection, support and investigation must display: trustworthiness, emotional intelligence, diplomacy, impartiality, integrity, leadership, confidentiality, and sound judgement. These are not generic HR adjectives; they are screening criteria for who should be allowed near a whistleblower's identity in the first place.
On detriment, clause 3.13's definition is wider than colloquial retaliation. It covers dismissal, demotion, transfer, change in duties, adverse performance ratings, blacklisting, reputational damage, financial loss, prosecution, harassment, isolation, disclosure of identity, and the failure to prevent harm at any step of the process. The breadth is deliberate; it removes the room organisations otherwise have to argue that a hostile workplace was not technically retaliation.
Integrating 37002 with 37001 and 37301
ISO 37002 sits in a three-standard governance stack: ISO 37001 (anti-bribery), ISO 37301 (compliance management, certifiable), and ISO 37002 (whistleblowing). All three share the harmonised Annex SL clause structure, so an organisation that has already implemented one can slot the others in without duplicating infrastructure.
| Dimension | ISO 37002 | ISO 37001 | ISO 37301 |
|---|---|---|---|
| Scope | Whistleblowing management | Anti-bribery management | Compliance management |
| Certifiable | No (guidance) | Yes | Yes |
| Focus | Reports, investigations, reporter protection | Bribery prevention and response | Whole-of-organisation compliance |
| Published | 2021 | 2025 (revised) | 2021 |
The 2025 edition of ISO 37001 explicitly references 37002 for its whistleblowing requirements, recognising that a credible anti-bribery programme cannot exist without a credible reporting channel. The 37002 bibliography in turn cites ISO 31000 (risk management), ISO 19011 (auditing management systems), and ISO/IEC 27001 / 27018 (data security and privacy), positioning the standard at the intersection of governance, risk and information security, not as a standalone HR initiative.
For organisations implementing a whistleblowing system from scratch, the practical sequence usually runs the other way: start with 37002 to design the operational substance, then layer 37301 over it for the certifiable compliance management wrapper, with 37001 added if anti-bribery exposure is material. Skipping straight to certification without the operational substance produces audit-ready paperwork around an empty system.
What 2025 benchmarks and enforcement actions reveal

European whistleblowing programmes underperform on operational throughput. Industry benchmarks show European retaliation cases substantiated at 32% (almost double North America's 17%) and median case closure at 69 days (against 19 in North America). The Court of Justice imposed €38 million in lump-sum sanctions on five Member States in March 2025; non-conformity remains widespread.
The fuller benchmark picture: European organisations receive roughly 0.67 reports per 100 employees, against 1.75 in North America. 65% of European reports are anonymous, against 52% in North America. European employees also wait an average of 13 days before filing a report, versus 8 in North America.
Read these numbers together and the operational diagnosis writes itself. Higher anonymity and longer reporting delays both signal a trust deficit that ISO 37002's clause 5 leadership requirements and clause 7.4 communication requirements exist to close. Higher retaliation substantiation reflects the protective architecture European law has built around reporters; longer closure times reveal that European programmes have the legal posture without the operational throughput. The standard's clause 9 performance metrics, including time-to-acknowledge and time-to-close, give boards a basis to ask why and to fix it.
Regulatory pressure has only kept tightening. On 6 March 2025 the Court of Justice of the European Union imposed lump-sum sanctions on five Member States for late or absent transposition: Germany €34 million, the Czech Republic €2.3 million, Hungary €1.75 million, Luxembourg €375,000, and Estonia €500,000 plus a daily penalty until full compliance. Poland was sanctioned earlier, in April 2024. Every Member State has now passed transposing legislation, but the Commission's own assessment is that none can yet be considered fully compliant, with non-conformity issues identified in roughly half. The per-country picture is tracked in our whistleblower law across Europe country list.
The voluntary status of ISO 37002 sits inside this hardening regulatory frame. The standard cannot make you compliant with the Directive on its own, and it does not try to. What it does is translate the legal obligation an organisation already carries into a system that produces useful reports, defensible investigations, and protection that holds up after the case closes, rather than a documented hotline that nobody trusts. For an organisation weighing whether the voluntary work is worth doing, the answer sits in the gap European benchmarks are still measuring.
Legal advisor, specializes in business, commercial and intellectual property law. He is a legal and business advisor for companies in the e-commerce, IT and digital marketing industries.