ISO 37002 Whistleblowing Management Systems

Establish a trusted speak-up system. Confidential intake, fair investigations, zero retaliation, measurable outcomes.

  • 8–12 week rollout
  • Multinational ready
  • Works with ISO 37301/37001

Executive overview

ISO 37002 provides guidelines for implementing, managing, evaluating, maintaining and improving a robust whistleblowing management system. It is based on the principles of trust, impartiality and protection and offers voluntary guidance rather than certifiable requirements. A well-designed system covers policy, reporting channels, intake, triage, investigation, outcome management and anti-retaliation measures.

AEC delivers policy-to-practice implementation: we design governance models, multilingual speak-up channels, investigation SOPs, evidence handling and reporting dashboards. Our programmes integrate with ISO 37301 compliance and ISO 37001 anti-bribery systems, ensuring alignment across ethics, legal and risk functions.

What ISO 37002 covers

Principles & Scope

  • Principles: trust, impartiality and protection
  • Scope: policy framework, roles, confidentiality, anonymity options, non-retaliation and accessibility

ISO 37002 encourages organisations to provide safe channels and protection to whistleblowers so they can report wrongdoing without fear of retaliation.

Intake & Triage

  • Multiple reporting channels: hotline, web, email, in-person, postal; 24/7, multi-language, anonymous options
  • Triage and risk-based prioritisation: assess severity, people risk, legal exposure and evidence availability

Investigations & Outcomes

  • Investigation standards: planning, evidence handling, interviews, documentation, fairness and escalation
  • Outcome management: substantiation, remediation, discipline and lessons learned

Monitoring & Interfaces

  • Monitoring and continual improvement: KPIs, audits and management reviews
  • Interfaces with HR, Legal, Compliance, Internal Audit, Security and Data Protection functions

Who needs ISO 37002?

ISO 37002 is flexible and can be adapted to organisations of any size or sector. It is voluntary guidance but may become a contractual requirement in some industries. Triggers indicating a need for a formal whistleblowing management system include:

Operating model & governance

Ownership & Oversight

Whistleblowing programmes can be led by Compliance, Legal or blended with Internal Audit, with board audit/ethics committee oversight. Ownership should ensure independence from operational management and provide clear lines of accountability.

Adopt the three-lines model: first-line managers encourage speak-up culture, second-line compliance/legal teams run the programme and third-line internal audit provides assurance.

Roles & RACI

Define a RACI for intake, triage, investigation, closure and retaliation monitoring. Establish independence and conflict safeguards with recusal rules. Provide an external channel for contractors and suppliers to report concerns.

Process blueprint (intake → closure)

Intake & Acknowledgement

Provide multiple reporting channels – hotline, web portal, email, in-person and postal. Offer 24/7 availability, multi-language support and anonymous options. Send an acknowledgement with a protection notice to the reporter.

Triage & Safeguards

Assess severity, people risk, legal or regulatory exposure and evidence availability. Identify immediate safeguards and assign investigators based on independence and expertise.

Investigation

Prepare an investigation plan, define roles, maintain a chain of custody and conduct interviews. Capture digital evidence with confidentiality flags and document all steps in the case record.

Outcome & Feedback

Classify cases as substantiated or unsubstantiated. Implement corrective actions, HR measures and control fixes. Provide structured updates to the reporter within defined timelines and track retaliation for 6–12 months.

Lessons Learned & Reporting

Update control libraries and training based on findings. Produce dashboards and reports to management and the board, highlighting trends, root causes and improvement actions.

Deliverables

Policies & Procedures

  • Whistleblowing Policy, Investigation Protocol, Anti-Retaliation Policy and Case Confidentiality SOP
  • Intake form, triage rubric, investigation plan template, interview protocols, evidence log, decision memo and closure report

Registers & Controls

  • Case register, retaliation monitoring log and conflict-of-interest log
  • Controls library: privacy controls, access segregation, data retention schedule and secure archives

Governance & Communication

  • Governance pack: charter, committee terms of reference, RACI matrix and escalation pathways
  • Communications: speak-up campaign plan, posters, intranet content and FAQs for employees and managers

Training & Metrics

  • Training content: e-learning deck, investigator toolkit and manager briefing pack
  • Metrics pack: KPI dictionary, dashboard mock-ups and quarterly board report template
  • Vendor due-diligence checklist for hotline/case-management providers

Timeline & approach

Typical timeline: 8–12 weeks to go-live for a single-country rollout; 12–16 weeks for multi-country. Our approach is phased to manage risk and build capability.

Phases

Dependencies: hotline/case-management tool selection, data protection/IT approvals and union or staff council consultations where applicable.

KPIs & targets

  • Speak-up volume and rate per 100 FTE
  • Channel mix and language coverage
  • Triage SLA (e.g., 5 business days)
  • Investigation cycle time to closure
  • Substantiation rate by allegation type
  • Retaliation incidents (reported and confirmed)
  • Remediation completion time and recurrence
  • Awareness scores from pulse surveys

Training catalogue

Awareness

60–90 minute e-learning module for all staff covering speak-up principles, channels and protection from retaliation.

Manager briefing

Practical training for managers on handling disclosures, anti-retaliation duties and escalation paths.

Investigator certification

2–3 day course on case handling, interviewing techniques, evidence management and report writing.

Case manager masterclass

Advanced training on triage, prioritisation, KPI tracking and board reporting for programme leads.

Train-the-trainer

Programme to enable internal rollout of awareness and manager briefings by your own trainers.

Leadership workshop

Interactive session for executives on tone-from-the-top, governance responsibilities and building a speak-up culture.

Technology stack (tool-agnostic guidance)

Hotline & Web Portal

24/7, multi-language, anonymous whistleblower portals with ticketing functionality; support via phone and web forms to maximise accessibility.

Case Management

Role-based access, encryption, retention controls, audit trails and analytics capabilities.

Identity & Privacy

Access controls, DPIA templates, data residency options and cross-border routing. Establish a lawful basis for processing personal data and apply data minimisation throughout.

Integration & Vendor Criteria

Integration with HRIS, email and SIEM/DLP tools for evidence capture. Evaluate vendors on uptime, ISO 27001/27701 posture, sub-processor transparency, translations and telephony reach.

Risk & controls library (examples)

Industry tailoring

Financial services

Address regulator reporting timelines, market abuse rules and conduct risk. Support multi-currency and cross-border channels.

Healthcare & pharma

Ensure patient safety and clinical research integrity with secure evidence handling and privacy compliance.

Public sector & SOEs

Meet procurement integrity rules, provide ombudsman links and adhere to transparency mandates.

Energy & resources

Support remote sites, contractor channels and community interfaces while managing operational risks.

Manufacturing & supply chain

Enable supplier reporting, protect temporary workers from retaliation and align with supply chain ethics programmes.

Business case

  • Reduce legal and regulatory exposure through early detection of wrongdoing
  • Improve culture and retention via trust and protection of reporters
  • Demonstrate board-level oversight to investors, regulators and customers
  • Harmonise global policy and reduce local fragmentation across jurisdictions
  • Use case analytics to drive control improvements and reduce repeat incidents

Services & packaging

Starter (single-country)

Policy and channels design, core SOPs and investigator training. 8–10 weeks.

Multinational core

Global policy with local addenda, multilingual intake, DPIA and investigation playbook. 12–16 weeks.

Assurance

Annual programme review, test incidents, KPI audit and board reporting support.

Managed service (optional)

External intake & triage, case QA and quarterly analytics. Pricing on request based on size, countries/languages, tool choice and training volume.

Comparison within the compliance family

Standard | Type | Purpose | Certifiable
ISO 37002 | Whistleblowing management system | Guidance on speak-up programmes based on trust, impartiality and protection | No
ISO 37301 | Compliance management system | Requirements with guidance for establishing, developing, implementing and improving a compliance framework | Yes
ISO 37001 | Anti-bribery management system | Requirements and guidance for preventing, detecting and addressing bribery | Yes
ISO/IEC 27001 & 27701 | Security & privacy management | Controls for information security and privacy management systems | Yes

Frequently asked questions

Is ISO 37002 certifiable?

No. ISO 37002 is a guidance standard. It provides recommendations for implementing a whistleblowing management system and is not intended for certification.

Do we need a hotline?

Multiple reporting channels are required. A hotline and web portal provide scalability, language coverage and anonymity options for reporters.

How is anonymity handled?

Unique case codes and encrypted mailboxes protect identity. Systems should avoid caller ID logging and enforce strict access controls.

How do we prevent retaliation?

Adopt an anti-retaliation policy, train managers, build HR workflow flags and monitor retaliation incidents for 6–12 months.

What about unions or works councils?

Consult employee representatives early. Align on privacy and process transparency to build trust and secure buy-in.

How does this interact with privacy laws?

Conduct Data Protection Impact Assessments (DPIAs), apply data minimisation, define retention schedules and establish lawful bases for processing. Consider cross-border routing and data residency.

Who should own investigations?

Assignment is case-by-case. Avoid conflicts of interest; Legal or Compliance teams typically lead with Internal Audit assurance.

How quickly must we respond?

Define service levels. Acknowledge within 7 days and provide updates within three months; tighten timelines for high-risk cases.

Resources

This page is informational and not legal advice. For data processing details regarding speak-up channels, see our privacy notice.

Ready to build trust through a world-class speak-up programme?

Reduce regulatory exposure, enhance culture and demonstrate ethical leadership with ISO 37002 guidance tailored to your organisation.

Free consultation • Global implementation support • Proven expertise across regulated industries

Family alignment

Governance, Compliance & Ethics family

Related standards: ISO 37301 (Compliance, certifiable), ISO 37001 (Anti-bribery, certifiable), ISO/IEC 27001 (Security) and ISO/IEC 27701 (Privacy)