ISO 37002 - Whistleblowing management system

Most bad acts at work are found through internal reports. They aren't found by audits or regulators. People close to the work see things that auditors miss. They speak up when they feel safe to do so. The EU Whistleblower Directive (2019/1937) made this a legal duty across the EU. However, it didn't tell firms how to run a good system. ISO 37002:2021 was built to fill that gap. It's the guide that helps firms meet the legal floor.

Key Takeaways

  • ISO 37002 is a global guide for running a trustworthy whistleblowing system.
  • The standard rests on three pillars: trust, impartiality, and protection.
  • It defines a clear four-step process: Receive, Assess, Address, and Conclude.
  • While not certifiable on its own, it helps firms meet the legal floor set by the EU.
  • Using this guide helps close the trust gap and reduces the risk of legal fines.

Three pillars labelled Trust, Impartiality and Protection supporting a stone beam

What ISO 37002 actually is, and what it isn't

ISO 37002:2021 is a guide for running a whistleblowing management system. It was released on 27 July 2021. It tells firms how to run a system that people trust. You can't get a certificate for it; the related ISO 37301 is the one you can be certified against. ISO 37002 works for any firm of any size. It's voluntary, but many regulators now ask for it.

There's a big difference between guides and rules. A guide tells you how to do something. It doesn't give auditors a checklist to use against you. ISO 37002 is the core guide that firms use to build a strong compliance system. Even though it's not certifiable, it provides the backbone for those that are.

This standard uses the same structure as ISO 9001 and other common rules. It has ten parts in a set order. This includes scope, leadership, planning, and more. If you've used an ISO system before, you'll know the layout. If not, you'll find it easy to fit into what you already have.

ISO 37002 works for any sector or size of firm. It applies to any type of activity. This includes public, private, and non-profit groups. It's voluntary, but some partners may require you to follow it to win contracts.

Trust, impartiality, protection: the three load-bearing principles

Three words are key to this standard: trust, impartiality, and protection. The rules say your system must use these three ideas. You must also give feedback throughout the process. Every part of the standard links back to these three pillars.

Trust is how people see your firm. The standard says trust depends on whether staff believe bosses are committed to the rules. This means leaders must show they care. They must build a "speak-up" culture. They must also make it easy for staff to report issues without fear of losing their jobs.

Impartiality means being fair. The rules say those who handle cases must be skilled. They must be fair to the firm, the whistleblower, and the person being reported. If you can't be fair internally, use an outside expert. Decision-makers must not have any conflicts of interest. Their power must be clearly written down.

Protection covers many areas. It prevents retaliation and keeps the whistleblower's identity confidential. It also offers support such as counselling or a change of role. A key rule says that a whistleblower who has been harmed must be "restored" to their previous position. Protection doesn't end when the case closes; the system must watch for later reprisals.

The four-step operational playbook (clause 8)

Clause 8 is the heart of ISO 37002. It splits the work into four steps: Receive, Assess, Address, and Conclude. It tells you how to do each step well. If you skip a step, the system will fail. You must use all four phases for a complete cycle.

Circular diagram showing the four phases Receive, Assess, Address, Conclude

Receiving is about how you get reports. This can be by phone, web, or in person. The standard says these channels must be easy to find and secure. They must sit outside the normal management line, so a report about a boss doesn't go to that boss. You must respond fast. The rules suggest an automatic acknowledgement right away, then a personal reply within three days. The EU law gives you seven days, but ISO wants you to be faster.

Assessing is when you decide what to do next. You sort each report by how serious it is. You must write down your choice. You check if the report fits your rules. You also see if you need to tell the police. You must check if the person who spoke up is at risk.

Addressing is the investigation step. You must assume people are innocent until proven otherwise. You must protect the reporter, the subject, and any witnesses. Investigations must be fair and keep secrets. Securing evidence is a key part of protecting everyone involved.

Concluding is the step most firms skip. It includes finding out what happened and taking action. You must talk to the whistleblower. You also check if they are still safe. Then, you learn from the case to make the system better. Every closure must be written down. You can see how this works in a real whistleblowing procedure.

Where ISO 37002 fills the gaps the Directive leaves

The EU Directive sets the basic legal rules. It covers who is protected and how fast you must respond. However, it doesn't tell you "how" to do the work. ISO 37002 fills that gap. It gives details on anonymous reports, staff skills, and what counts as harm.

On anonymous reports, the standard is clear. Firms can allow them, but they must warn staff of the risks. It's harder to investigate or protect someone if you don't know who they are. The rules help you set up ways to stay in contact with an anonymous reporter while keeping their identity secret. The standard doesn't force you to allow anonymous reports; it just tells you how to handle them properly.

On staff skills, the rules list eight key traits. These include trust, integrity, and good judgment. These aren't just empty words. They are used to pick the right people to handle sensitive reports. Only the best staff should know a whistleblower's identity.

On harm, the standard uses a broad definition. It covers much more than just firing someone. It includes demotions, bad reviews, or even just ignoring someone. This stops firms from arguing that a "bad workplace" isn't retaliation. The rules are very clear to protect staff.

Integrating 37002 with 37001 and 37301

ISO 37002 is part of a three-part stack. It links with ISO 37001 (anti-bribery) and ISO 37301 (compliance). All three use the same structure, so a firm can run them together without duplicating work. The revised ISO 37001 now points to 37002 for whistleblowing.

Dimension   | ISO 37002                                      | ISO 37001                          | ISO 37301
------------|------------------------------------------------|------------------------------------|--------------------------------
Scope       | Whistleblowing management                      | Anti-bribery management            | Compliance management
Certifiable | No (guidance)                                  | Yes                                | Yes
Focus       | Reports, investigations, reporter protection   | Bribery prevention and response    | Whole-of-organisation compliance
Published   | 2021                                           | 2025 (revised)                     | 2021

The 2025 ISO 37001 standard says you need a good reporting system to stop bribery. ISO 37002 also links to rules on risk and data security. It's not just an "HR task." It's a key part of how you run your firm safely.

If you are starting from scratch, start with ISO 37002. Use it to build the core system. Then, add ISO 37301 to get certified. Don't just aim for a certificate first. If you do, you'll have lots of paper but a system that doesn't work.

What 2025 benchmarks and enforcement actions reveal

Many EU systems aren't working well yet. Reports show that EU retaliation rates are double those in North America. It also takes 69 days to close a case in the EU, compared to just 19 in the US. In 2025, the EU court fined five states €38 million for being slow to follow the rules.

EU firms get fewer reports than those in the US. More of these reports are anonymous. EU staff also wait longer before they speak up. This shows that there is still a lack of trust in the system.

These numbers show that trust is the main issue. ISO 37002 helps solve this. It has rules for leaders to communicate better. EU laws are strong, but the actual work is too slow. The standard's metrics help boards see where the gaps are. They can then fix them to make the system better.

Rules are getting tougher. In March 2025, the EU court fined five states for being late. Germany was fined €34 million. Other states like Estonia and Hungary were also fined. All states now have laws in place, but many aren't fully compliant yet. You can track this in our European country list.

ISO 37002 is voluntary, but it's very helpful. It doesn't replace the law. Instead, it helps you turn legal rules into a system that works. It ensures you get useful reports and that investigations are fair. It builds a system that people actually trust. The choice to follow it is yours, but the data shows it's the best way to succeed.

Damian Sawicki

Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.
