ISO 37002 whistleblowing standard – what organisations need to know

ISO 37002 provides guidance for organisations to create a whistleblowing management system based on trust, impartiality and protection.
EQS Editorial Team

ISO 37002, the new whistleblowing management system standard, was published in July 2021. ISO 37002:2021 aims to provide guidelines for implementing, managing, evaluating, maintaining and improving robust and effective whistleblowing management systems. The guideline is applicable to all organizations, regardless of their type, size, nature of activity, and whether in the public, private or not-for-profit sectors.

The guideline aims to support and protect whistleblowers and other interested parties involved, to ensure that reports of wrongdoing are dealt with in a proper and timely manner, and to improve organizational culture and governance. Most importantly, the guideline aims to provide guidance for organisations to create a whistleblowing management system based on the principles of trust, impartiality and protection.


While its use will vary depending on the size, nature, complexity and jurisdiction of the activities of individual organisations, the guideline can assist an organisation to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

Unlike the EU Whistleblower Protection Directive (Directive 2019/1937), which required EU Member States to transpose it into their national laws by the end of 2021, organisations may adopt the ISO 37002 standard as stand-alone guidance or along with other compliance management system standards (ISO 37301).

We sat down virtually with working group members and originators Wim Vandekerckhove (Professor of Business Ethics at the University of Greenwich) and Andrew Samuels (CEO of WislPort) to discuss what it does, what it doesn’t do and who it is relevant for.

1. Why did you feel that whistleblowing channels needed an ISO standard?

Wim Vandekerckhove (WV): There were already a number of national standards and guidelines, for example in Australia, Great Britain, Japan, Canada and France. When we compared these, they weren’t necessarily contradicting each other, but each set of guidelines had its own blind spots, its own style and distinctive emphasis. For this reason it made sense to create an international standard.

Andrew Samuels (AS): The time was right because we have seen a lot of scandals over the last decade. Organisations are starting to see the need for internal channels through which people can safely and accurately report wrongdoing. Social media has made it much easier for people to speak up and deliver damaging messages that could have or should have been handled internally. An international standard also provides a framework that is applicable in all regions and across different regulatory jurisdictions which is particularly necessary due to the number of organisations which now operate globally.

2. How can ISO 37002 lead to more acceptance and practical relevance of whistleblowing?

AS: I think it will make it easier for organisations to understand that establishing an effective whistleblowing programme isn’t an onerous task and will also remove organisational excuses for not doing it. It’s like in previous areas, such as health and safety. It takes time for people to understand the benefits and to shift their mindsets. Having a global standard in this space is paving the way for how organisations can run effective whistleblower programs. A global standard makes it more accepted and normal.

WV: There’s a huge variation in terms of the quality of the speak-up systems provided by organisations. There are some companies doing amazing work. There are also companies that just don’t want it. But the majority of companies actually really want to get this right. They see the value of it and they also need to meet the requirements set out in the legislation. These companies often say that they don’t have access to the best practice. This is where the ISO standard can really help.

3. So does following the ISO 37002 standard guarantee an effective whistleblowing system?

WV: There seems to be a myth that as long as you get more people to report wrongdoing, you’re going to improve your business. I think that’s a very incomplete picture because it’s not just about people reporting wrongdoing, it is also essential that these reports are handled effectively. If they are not, you have a demotivated employee, you have wrongdoing that escalates and you have scandals. The ISO standard is really about how organisations handle their reports. This was the missing piece in the whole puzzle.

AS: Having a whistleblowing system is like having a high performance car. In the wrong hands it is dangerous, but in the right hands it’s a fantastic piece of kit. ISO 37002 tells you how to fine tune your system, how to drive it safely, to know when to brake, to know when to accelerate, to know when to look under the bonnet and make sure that your engine is still running because, like in all areas of life, you will always need to replace parts at some point to keep it running smoothly.

4. What are the similarities and differences between the new ISO 37002 standard and the EU Directive?

WV: The EU Directive says you need to have an internal whistleblowing policy and channels for confidential reporting. The ISO standard gives you guidance on how you actually operate the whistleblowing system and what good practice looks like.

AS: Exactly, they’re complementary rather than different. The EU Directive actually lists three speak-up channels where whistleblowers are protected – internally, to a regulator or to the media. But I would argue that an organisation would prefer people to speak up internally first. By following the standard and setting up a system that builds trust over time, people will feel safe to speak up internally first rather than going to a regulator or media. By following the ISO 37002 standard, organisations will not just meet the letter of law laid down in the EU Directive, but also the spirit of what it’s trying to achieve.

5. Will the new standard be certified, similar to ISO 37301 or IDW PS 980?

WV: Not at the moment, although it can easily be used in conjunction with the anti-bribery and compliance standards, both of which are certification standards. The whistleblowing standard is written as guidance. It is possible that a regulator in a particular country may decide to take certain elements of the standard and make them mandatory. But that is not something the working group or ISO decides.

6. Is the standard only for large corporations or is it also suitable for SMEs?

AS: I’d say it’s as applicable for smaller and midsized companies to follow. What you often find with smaller companies is that one of the reasons they haven’t set up whistleblowing management is because they think it is difficult to set up and maintain. The standard is non-prescriptive which makes it quite simple and straightforward for organisations.

SMEs are particularly at risk here because organizations of 50+ employees fall under the Whistleblowing Directive so they need to do something. But the challenge with doing something is that if you do the wrong thing, you actually expose yourself to more risk. ISO 37002 can really provide some good returns and some great protection.

7. What is the ISO 37002 standard's position on anonymous reporting?

AS: Anonymity was one of those hot topics and different countries have different perspectives. The standard does not provide an opinion as it aims to be non-prescriptive. We outline all of the options but ultimately we leave it to organisations to make that choice.

WV: It is important to say that the ISO standard is not going to overrule legislation. Ultimately organisations have to be realistic. Even if a company says it won’t accept anonymous reports, that does not mean that people won’t send any! And if it is good information, it might not be wise to discard that report.

8. Why are whistleblowers important for companies and why should reporting channels be established?

WV: Whistleblowers are early warning systems for organisations. If you look at the ACFE reports, they indicate internal reports are actually the most effective way for organisations to identify fraud.

AS: We believe whistleblowers are the first line of defence in any organisation because they are the eyes and ears on the ground. They detect things much sooner than a computerised system would and they detect things that algorithms do not, such as shifty behaviour. As a result, substantiation rates of reports which come through whistleblowing channels are fairly high. Fraud detection systems, on the other hand, can deliver false positive rates as high as 99.96. When it comes to return on investment, organisations with effective whistleblowing systems on average have a 2.8 percent increase on return on assets, a 20.4 percent reduction in settlements and 6.9 percent fewer material lawsuits (according to George Washington School of Business).


About the interview partners


Andrew Samuels, CEO | WislPort

Andrew Samuels is the founder and CEO of WislPort and is widely recognised as a thought leader in Whistleblowing operations. A regular media commentator on whistleblowing, Andrew has contributed his expertise to the United Nations Office on Drugs and Crime (UNODC), the International Olympic Committee (IOC), The UK All Party Parliamentary Group on Whistleblowing and the Cambridge Symposium on Economic Crime amongst other engagements in the private, charity and public sectors.

Since 2016 he has been actively involved as a subject matter expert to the British Standards Institute (BSI) on Whistleblowing, and since 2017 he has represented BSI to the International Standards Organisation (ISO) for ISO 37002, the international standard for whistleblowing management systems, playing a key role in its development.

Prior to founding WislPort, Andrew had over 20 years of experience delivering large scale complex programmes in the financial services, telecoms and media sectors in the UK, North America and AsiaPac, with the last decade specialising in regulatory and compliance programmes including Whistleblowing, anti-money laundering and financial crime.


Prof Wim Vandekerckhove, Professor of Business Ethics | University of Greenwich

Wim Vandekerckhove holds a PhD in Applied Ethics from Ghent University. He is now Professor of Business Ethics at the University of Greenwich. He was a visiting scholar at the University of Oslo in 2007 (Centre for Development and the Environment SUM), and a visiting fellow at Griffith University in 2020 (Centre for Governance and Public Policy).

His books include Whistleblowing and Organisational Social Responsibility (Ashgate/Routledge), and The Whistleblowing Guide: Speak-Up Arrangements, Challenges, and Best Practices (2019, Wiley, with Kate Kenny and Marianna Fotaki).

Wim has provided expertise on whistleblowing to various organisations, including Council of Europe, European Commission DG Justice, Transparency International, Public Concern at Work, Public Services International, the Whistleblower Advice Centre in the Netherlands, the UK Department of Health, the UK Financial Conduct Authority, the British Standards Institute, the Association of Chartered and Certified Accountants (ACCA), the UNODC and the International Olympic Committee (IOC). He is currently the convenor of a working group within the International Organisation for Standardization (ISO TC309/WG3), developing the international standard for whistleblowing arrangements.

Wim is also Co-Director of the Centre of Research on Employment and Work (CREW) at the University of Greenwich and Editor-in-Chief of Philosophy of Management (Springer).
