ISO37002: An overview

October 12, 2023

Even though ISO37002 was first published in 2021, it wasn’t until a couple of years later that it started to attract interest. And just like other standards, it seems to be creating some confusion. We received a lot of questions from all sorts of organisations. How can we comply with ISO37002? Is SpeakUp® ISO37002 compliant? Can we get an ISO37002 certification? How does ISO37002 relate to the EU Whistleblower Protection Directive? Here is a summary of what you need to know.

ISO37002: What is it and who is it about?

The ISO37002 Type B management standard was first published in July 2021. Contrary to Type A standards, such as the ISO27001, Type B standards do not allow claiming conformance against. In other words, you cannot get ISO37002 certified.

Instead think of ISO37002 as a set of practical guidelines that can help enhance your Whistleblowing Management System (WMS). These guidelines apply to organisations of all types and sizes, regardless of the nature of their activities. The purpose of the standard is to accompany organisations throughout the entire process of implementing a WMS – planning, operating, reviewing, and improving. Organisations can implement ISO37002 independently or integrate it with other ISO standards, as it follows the same “harmonised structure” (terminology and clause sequence).

ISO37002 vs EU Whistleblower Protection Directive

The EU Whistleblower Protection Directive provides a European legal framework for what is required for both private and public organisations when it comes to whistleblower protection. This legal framework relates to confidentiality, data security, response times and the people handling whistleblowing cases. ISO37002, on the other hand, provides organisations aiming for an effective and best in class WMS with a practical set of guidelines on how to implement this legal framework.

Three main principles

The ISO37002 brings forward three main principles: trust, impartiality and protection. These are the principles you should focus on throughout the entire whistleblowing process. Consequently, you should primarily be considering are your current whistleblowing system and associated policies reinforcing these three elements? More importantly, how can company professionals responsible for handling whistleblowing help boost these principles?

How ISO37002-proof is your current WMS?

Here are 4 questions to help you get an initial idea of how ISO37002-proof your current WMS is.

1. Is your whistleblowing management system created around a commitment to trust, impartiality and protection?

Make sure that company professionals responsible for handling whistleblowing cases are trustworthy. Start with reviewing your hiring processes. Is an integrity assessment part of your selection process? Provide adequate training to ensure that everyone involved in whistleblowing management is effectively integrating trust, impartiality and protection. Company professionals can aim for active feedback and effective communication to build trust with those raising a concern. For this reason, it is crucial to work with a whistleblowing tool designed as a true dialogue mechanism, like SpeakUp.

In addition, remember to not neglect the security of your reporting channels. Ask yourself, are they as secure as they can be? Also, ask your whistleblowing provider about any assurances proving data security and the protection of the anonymity of the whistleblower. The presence of ISAE3000 Type II or SOC2, fortified with other relevant ISO standards, namely ISO 27001, 27002, and 27701 can help you assess the maturity level of your provider on the matter.

2. Do you address and investigate reports and unethical behaviour with impartiality?

Obviously those responsible for dealing with reports have the most influence on the matter. Are your case-handlers objective and fair decision-makers? Establish mechanisms in your internal case handling procedures to appropriately address potential conflicts of interest. Naturally, you should avoid biased processing at all costs. Let employees know that regardless of their position in the organisation your WMS processes all reports in the same way. Try to demonstrate and reinforce this impartial and open attitude throughout the entire organisation. One way to do this is by addressing the topic in your code of conduct and whistleblowing policy. You should also create awareness campaigns to promote speaking up against unethical behaviour.

Finally, you may opt for an anonymous and external reporting system like SpeakUp. This can help you pragmatically demonstrate impartiality and enhance trust. In our experience, employees feel more comfortable using an external whistleblowing system rather than internal channels. Solutions like dedicated e-mail addresses or confidants don’t seem to cut the chase. This is simply because these are perceived as a compromise of confidentiality. However, as an external provider, employees can consider us to be impartial experts, fully dedicated in providing the most secure and truly anonymous communication tool.

3. Do you support whistleblowers enough?

Evaluate how you currently support whistleblowers. Are you considering all parties equally? Support the whistleblower, but do not neglect the accused or anyone else who might be involved. The term support refers to emotional, financial, legal and reputational support. You can also emphasise the support offered in your code of conduct and speak up policy, or even in your employee handbook. After all, the goal is to ensure that your employees feel comfortable to ‘blow the whistle’ without fearing the consequences.

4. Have you established a speak up culture in all the stages of your WMS implementation process?

Seek to promote an open speak up culture in your organisation. How is top management helping enhance this culture with their conduct? It is their responsibility to establish, but also to sustain the culture. Moreover, it is crucial that they demonstrate strong leadership and dedication to the WMS. Consider asking management to help you promote ‘speaking up’ in trainings, policies, and other speak up awareness campaigns. In the meantime, make sure to publicly, but carefully, endorse whistleblowing. Think of appointing employees as ‘SpeakUp ambassadors’. They could promote whistleblowing by answering questions or demonstrating how your SpeakUp channel works. All things considered, you should always be careful not to expose anyone by revealing their identity.

Your next steps

As you can see, an ISO37002-proof WMS is a collective effort. It requires having the right tools supported by the right policies, all managed and safeguarded by the right people. SpeakUp® is a tool that can easily help you align your WMS with the ISO37002.

Ready to get started? We can help you launch SpeakUp, our all-encompassing whistleblowing and case management tool, quickly and smoothly. Get in touch for more information.

Note: This blog is not to be seen as an official guide on how to align with the ISO37002 Standard. For more information, please refer to ISO’s official website where you can find the official version of the standard. 

© 2023 SpeakUp