Whistleblowing management systems -- Guidelines

Systèmes de management des alertes -- Lignes directrices

Sistem vodenja prijavljanja nepravilnosti - Smernice

General Information

Status: Published
Publication Date: 26-Jul-2021
Current Stage: 5060 - Close of voting. Proof returned by Secretariat
Start Date: 22-Jun-2021
Completion Date: 21-Jun-2021

Buy Standard

Standard
ISO 37002:2021
English language
40 pages
Standard
ISO 37002:2021 - Whistleblowing management systems -- Guidelines
English language
33 pages
Standard
ISO 37002:2021 - Systèmes de management des alertes -- Lignes directrices
French language
35 pages
Draft
ISO/FDIS 37002:Version 18-apr-2021 - Whistleblowing management systems -- Guidelines
English language
32 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST ISO 37002:2021
01-December-2021
Sistem vodenja prijavljanja nepravilnosti - Smernice
Whistleblowing management systems - Guidelines
Systèmes de management des alertes - Lignes directrices
This Slovenian standard is identical to: ISO 37002:2021
ICS:
03.100.01 Company organization and management in general
03.100.02 Governance and ethics
03.100.70 Management systems
SIST ISO 37002:2021 en,fr

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

INTERNATIONAL STANDARD ISO 37002
First edition
2021-07
Whistleblowing management systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
ISO 37002:2021(E)
ISO 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 7
  4.1 Understanding the organization and its context ..... 7
  4.2 Understanding the needs and expectations of interested parties ..... 8
  4.3 Determining the scope of the whistleblowing management system ..... 8
  4.4 Whistleblowing management system ..... 9
5 Leadership ..... 9
  5.1 Leadership and commitment ..... 9
    5.1.1 Governing body ..... 9
    5.1.2 Top management ..... 10
  5.2 Whistleblowing policy ..... 10
  5.3 Roles, responsibilities and authorities ..... 11
    5.3.1 Top management and governing body ..... 11
    5.3.2 Whistleblowing management function ..... 12
    5.3.3 Delegated decision-making ..... 12
6 Planning ..... 13
  6.1 Actions to address risks and opportunities ..... 13
  6.2 Whistleblowing management system objectives and planning to achieve them ..... 13
  6.3 Planning of changes ..... 14
7 Support ..... 14
  7.1 Resources ..... 14
  7.2 Competence ..... 14
  7.3 Awareness ..... 15
    7.3.1 General ..... 15
    7.3.2 Personnel training and awareness measures ..... 15
    7.3.3 Training for leaders and other specific roles ..... 16
  7.4 Communication ..... 17
  7.5 Documented information ..... 18
    7.5.1 General ..... 18
    7.5.2 Creating and updating documented information ..... 18
    7.5.3 Control of documented information ..... 18
    7.5.4 Data protection ..... 19
    7.5.5 Confidentiality ..... 19
8 Operation ..... 20
  8.1 Operational planning and control ..... 20
  8.2 Receiving reports of wrongdoing ..... 22
  8.3 Assessing reports of wrongdoing ..... 23
    8.3.1 Assessing the reported wrongdoing ..... 23
    8.3.2 Assessing and preventing risks of detrimental conduct ..... 24
  8.4 Addressing reports of wrongdoing ..... 25
    8.4.1 Addressing the reported wrongdoing ..... 25
    8.4.2 Protecting and supporting the whistleblower ..... 26
    8.4.3 Addressing detrimental conduct ..... 26
    8.4.4 Protecting the subject(s) of a report ..... 27
    8.4.5 Protecting relevant interested parties ..... 27
  8.5 Concluding whistleblowing cases ..... 27
9 Performance evaluation ..... 28
  9.1 Monitoring, measurement, analysis and evaluation ..... 28
    9.1.1 General ..... 28
    9.1.2 Indicators for evaluation ..... 28
    9.1.3 Information sources ..... 29
  9.2 Internal audit ..... 30
    9.2.1 General ..... 30
    9.2.2 Internal audit programme ..... 30
  9.3 Management review ..... 30
    9.3.1 General ..... 30
    9.3.2 Management review inputs ..... 30
    9.3.3 Management review results ..... 31
10 Improvement ..... 31
  10.1 Continual improvement ..... 31
  10.2 Nonconformity and corrective action ..... 31
Bibliography ..... 33

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected organization via reports from persons within or close to the organization.

Organizations are increasingly considering introducing or improving internal whistleblowing policies and processes in response to regulation or on a voluntary basis.

This document provides guidance to organizations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:

a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.

Potential benefits for the organization include:

— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and other interested parties.

An effective whistleblowing management system will build organizational trust by:

— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.

This document provides guidance for organizations to create a whistleblowing management system based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

This document adopts the “harmonized structure” (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among International Standards for management systems. Organizations may adopt this document as stand-alone guidance for their organization or along with other management system standards, including to address whistleblowing-related requirements in other ISO management systems.

Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how the principles of trust, impartiality and protection overlay all elements of such a system.

Figure 1 — Overview of a whistleblowing management system
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps:

a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.

The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and objectives (3.25), as well as processes (3.27) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.25)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers

[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]

3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity

Note 1 to entry: An interested party can be internal or external to the organization.

Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media, regulators and the organization as a whole.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.

3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)

Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been added.]

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)

Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.8
wrongdoing
action(s) or omission(s) that can cause harm

Note 1 to entry: Wrongdoing can include, but is not limited to, the following:

— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and safety, safe work-practices or the public interest.

Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can happen in the future.

Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.

3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information is true at the time of reporting

Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances.

Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:

— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or plans to establish, some form of business relationship including, but not limited to, clients, customers, joint ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.

3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)

Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.

Note 2 to entry: It is common to distinguish:

— open whistleblowing, where the whistleblower discloses information without withholding their identity or requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their identity.

Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an equivalent.

3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10) management system (3.1)

3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking preliminary measures, prioritization and assignment for further handling

Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational, financial, environmental, human or other damages.

3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)

Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services, blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution or legal action, harassment, isolation, imposition of any form of physical or psychological harm.

Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions, done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.

Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a reasonable standard of care at any step of the whistleblowing process (3.27).

Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management, unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.

Note 5 to entry: Other relevant interested parties can include prospective or perceived whistl

...

INTERNATIONAL ISO
STANDARD 37002
First edition
2021-07
Whistleblowing management
systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
ISO 37002:2021(E)
ISO 2021
---------------------- Page: 1 ----------------------
ISO 37002:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
---------------------- Page: 2 ----------------------
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 7
4.1 Understanding the organization and its context ..... 7
4.2 Understanding the needs and expectations of interested parties ..... 8
4.3 Determining the scope of the whistleblowing management system ..... 8
4.4 Whistleblowing management system ..... 9
5 Leadership ..... 9
5.1 Leadership and commitment ..... 9
5.1.1 Governing body ..... 9
5.1.2 Top management ..... 10
5.2 Whistleblowing policy ..... 10
5.3 Roles, responsibilities and authorities ..... 11
5.3.1 Top management and governing body ..... 11
5.3.2 Whistleblowing management function ..... 12
5.3.3 Delegated decision-making ..... 12
6 Planning ..... 13
6.1 Actions to address risks and opportunities ..... 13
6.2 Whistleblowing management system objectives and planning to achieve them ..... 13
6.3 Planning of changes ..... 14
7 Support ..... 14
7.1 Resources ..... 14
7.2 Competence ..... 14
7.3 Awareness ..... 15
7.3.1 General ..... 15
7.3.2 Personnel training and awareness measures ..... 15
7.3.3 Training for leaders and other specific roles ..... 16
7.4 Communication ..... 17
7.5 Documented information ..... 18
7.5.1 General ..... 18
7.5.2 Creating and updating documented information ..... 18
7.5.3 Control of documented information ..... 18
7.5.4 Data protection ..... 19
7.5.5 Confidentiality ..... 19
8 Operation ..... 20
8.1 Operational planning and control ..... 20
8.2 Receiving reports of wrongdoing ..... 22
8.3 Assessing reports of wrongdoing ..... 23
8.3.1 Assessing the reported wrongdoing ..... 23
8.3.2 Assessing and preventing risks of detrimental conduct ..... 24
8.4 Addressing reports of wrongdoing ..... 25
8.4.1 Addressing the reported wrongdoing ..... 25
8.4.2 Protecting and supporting the whistleblower ..... 26
8.4.3 Addressing detrimental conduct ..... 26
8.4.4 Protecting the subject(s) of a report ..... 27
8.4.5 Protecting relevant interested parties ..... 27
8.5 Concluding whistleblowing cases ..... 27
9 Performance evaluation ..... 28
---------------------- Page: 3 ----------------------

9.1 Monitoring, measurement, analysis and evaluation ..... 28
9.1.1 General ..... 28
9.1.2 Indicators for evaluation ..... 28
9.1.3 Information sources ..... 29
9.2 Internal audit ..... 30
9.2.1 General ..... 30
9.2.2 Internal audit programme ..... 30
9.3 Management review ..... 30
9.3.1 General ..... 30
9.3.2 Management review inputs ..... 30
9.3.3 Management review results ..... 31
10 Improvement ..... 31
10.1 Continual improvement ..... 31
10.2 Nonconformity and corrective action ..... 31
Bibliography ..... 33

---------------------- Page: 4 ----------------------
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
---------------------- Page: 5 ----------------------
Introduction

Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected organization via reports from persons within or close to the organization.

Organizations are increasingly considering introducing or improving internal whistleblowing policies and processes in response to regulation or on a voluntary basis.

This document provides guidance to organizations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:

a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.

Potential benefits for the organization include:

— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and other interested parties.

An effective whistleblowing management system will build organizational trust by:

— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.

This document provides guidance for organizations to create a whistleblowing management system based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

This document adopts the “harmonized structure” (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among International Standards for management systems. Organizations may adopt this document as stand-alone guidance for their organization or along with other management system standards, including to address whistleblowing-related requirements in other ISO management systems.

Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how the principles of trust, impartiality and protection overlay all elements of such a system.

---------------------- Page: 6 ----------------------
Figure 1 — Overview of a whistleblowing management system
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps:

a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.

The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and objectives (3.25), as well as processes (3.27) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
---------------------- Page: 8 ----------------------
3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.25)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers

[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]

3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity

Note 1 to entry: An interested party can be internal or external to the organization.

Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media, regulators and the organization as a whole.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.

3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)

Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been added.]
---------------------- Page: 9 ----------------------
3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)

Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.8
wrongdoing
action(s) or omission(s) that can cause harm

Note 1 to entry: Wrongdoing can include, but is not limited to, the following:

— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and safety, safe work-practices or the public interest.

Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can happen in the future.

Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.

3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information is true at the time of reporting

Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances.

Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:

— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or plans to establish, some form of business relationship including, but not limited to, clients, customers, joint ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.

3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)

Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.

Note 2 to entry: It is common to distinguish:

— open whistleblowing, where the whistleblower discloses information without withholding their identity or requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their identity.
---------------------- Page: 10 ----------------------

Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an equivalent.

3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10) management system (3.1)

3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking preliminary measures, prioritization and assignment for further handling

Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational, financial, environmental, human or other damages.

3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)

Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services, blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution or legal action, harassment, isolation, imposition of any form of physical or psychological harm.

Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions, done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.

Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a reasonable standard of care at any step of the whistleblowing process (3.27).

Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management, unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.

Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives, associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in a whistleblowing process, including a legal entity.

3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its extent

Note 1 to entry: An investigation can be an internal investigation or an external investigation. It can be a combined investigation.

Note 2 to entry: An internal investigation is conducted by the organization (3.2) itself, or by an external party on its behalf.

Note 3 to entry: An investigation can also be imposed on the organization by external parties.

3.15
audit
systematic and independent process (3.27) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second p

...

INTERNATIONAL STANDARD ISO 37002
First edition
2021-07
Systèmes de management des alertes — Lignes directrices
Whistleblowing management systems — Guidelines
Reference number
ISO 37002:2021(F)
© ISO 2021
---------------------- Page: 1 ----------------------
ISO 37002:2021(F)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
---------------------- Page: 2 ----------------------
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 7
4.1 Understanding the organization and its context ..... 7
4.2 Understanding the needs and expectations of interested parties ..... 8
4.3 Determining the scope of the whistleblowing management system ..... 8
4.4 Whistleblowing management system ..... 9
5 Leadership ..... 10
5.1 Leadership and commitment ..... 10
5.1.1 Governing body ..... 10
5.1.2 Top management ..... 10
5.2 Whistleblowing policy ..... 11
5.3 Roles, responsibilities and authorities within the organization ..... 12
5.3.1 Top management and governing body ..... 12
5.3.2 Whistleblowing management function ..... 12
5.3.3 Delegated decision-making ..... 13
6 Planning ..... 13
6.1 Actions to address risks and opportunities ..... 13

6.2 Objectifs du système de management des alertes et planification des actions pour

les atteindre ............................................................................................................................................................................................14

6.3 Planification des changements ..............................................................................................................................................15

7 Soutien .........................................................................................................................................................................................................................15

7.1 Ressources ...............................................................................................................................................................................................15

7.2 Compétences ..........................................................................................................................................................................................15

7.3 Sensibilisation ......................................................................................................................................................................................16

7.3.1 Généralités .........................................................................................................................................................................16

7.3.2 Formation et mesures de sensibilisation du personnel ..............................................................16

7.3.3 Formation pour les dirigeants et autres rôles spécifiques .......................................................17

7.4 Communication ...................................................................................................................................................................................18

7.5 Informations documentées .......................................................................................................................................................19

7.5.1 Généralités .........................................................................................................................................................................19

7.5.2 Création et mise à jour des informations documentées .............................................................19

7.5.3 Maîtrise des informations documentées ..................................................................................................19

7.5.4 Protection des données ...........................................................................................................................................20

7.5.5 Confidentialité .................................................................................................................................................................20

8 Réalisation des activités opérationnelles ................................................................................................................................21

8.1 Planification et maîtrise opérationnelles ......................................................................................................................21

8.2 Réception des signalements d’actes répréhensibles ...........................................................................................24

8.3 Évaluation des signalements d’actes répréhensibles .........................................................................................25

8.3.1 Évaluation de l’acte répréhensible signalé .............................................................................................25

8.3.2 Évaluation et prévention des risques de mesures de représailles .....................................26

8.4 Traitement des signalements d’actes répréhensibles ........................................................................................27

8.4.1 Traitement de l’acte répréhensible signalé ............................................................................................27

8.4.2 Protection et soutien du lanceur d’alerte ................................................................................................28

8.4.3 Traitement des mesures de représailles ..................................................................................................28

8.4.4 Protection de la ou des personnes faisant l’objet d’un signalement ................................29

8.4.5 Protection des parties intéressées concernées ..................................................................................29

8.5 Clôture des cas d’alertes ..............................................................................................................................................................29

© ISO 2021 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO 37002:2021(F)

9 Évaluation des performances ...............................................................................................................................................................30

9.1 Surveillance, mesure, analyse et évaluation ...............................................................................................................30

9.1.1 Généralités .........................................................................................................................................................................30

9.1.2 Indicateurs d’évaluation .........................................................................................................................................31

9.1.3 Sources d’information ..............................................................................................................................................31

9.2 Audit interne ..........................................................................................................................................................................................32

9.2.1 Généralités .........................................................................................................................................................................32

9.2.2 Programme d’audit interne .................................................................................................................................32

9.3 Revue de direction ............................................................................................................................................................................33

9.3.1 Généralités .........................................................................................................................................................................33

9.3.2 Entrées de la revue de direction ......................................................................................................................33

9.3.3 Résultats de la revue de direction ..................................................................................................................33

10 Amélioration ..........................................................................................................................................................................................................33

10.1 Amélioration continue ...................................................................................................................................................................33

10.2 Non-conformité et actions correctives ............................................................................................................................34

Bibliographie ...........................................................................................................................................................................................................................35

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any intellectual property rights or other similar rights identified during the development of the document are given in the Introduction and/or in the list of patent declarations received by ISO (see www.iso.org/brevets).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/avant-propos.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/fr/members.html.
Introduction

Whistleblowing is the act of reporting suspected wrongdoing or a risk of wrongdoing. Research and experience show that a large proportion of wrongdoing comes to the attention of the organization concerned through reports from people within or close to the organization.

Organizations are increasingly considering establishing or improving internal whistleblowing policies and processes, whether in response to regulation or on a voluntary basis.

This document provides guidance to organizations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:

a) encouraging and facilitating the reporting of wrongdoing;

b) supporting and protecting whistleblowers and other interested parties involved;

c) ensuring that reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
The potential benefits to the organization include:

— enabling the organization to identify and address wrongdoing at the earliest opportunity;

— helping to prevent or minimize the loss of assets and aiding the recovery of lost assets;

— ensuring compliance with the organization's policies and procedures, as well as with legal and social obligations;

— attracting and retaining personnel committed to the organization's values and culture;

— demonstrating sound and ethical governance practices to society, markets, regulators, owners and other interested parties.

An effective whistleblowing management system builds trust within the organization by:

— demonstrating leadership's commitment to preventing and addressing wrongdoing;

— encouraging everyone to come forward early to report wrongdoing;

— reducing and preventing the detriment suffered by whistleblowers and other people involved;

— fostering a culture of openness, transparency, integrity and accountability.

This document provides guidance to organizations for creating a whistleblowing management system based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary according to the size, nature, complexity and jurisdiction of the organization's activities. It can help an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

This document adopts the "harmonized structure" (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among International Standards for management systems. Organizations can adopt this document as a stand-alone guide for their organization or together with other management system standards, in particular to address whistleblowing requirements in other ISO management systems.

Figure 1 is a conceptual representation of a recommended whistleblowing management system, showing how the principles of trust, impartiality and protection cover all the elements of such a system.
Figure 1 — Overview of a whistleblowing management system
Whistleblowing management systems — Guidelines
1 Scope

This document provides guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection and comprising the following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.

The guidelines in this document are generic and intended to be applicable to all organizations, regardless of type, size and nature of activity, whether in the public, private or not-for-profit sector.

The extent of application of these guidelines depends on the factors described in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at http://www.electropedia.org/
3.1
management system

set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and objectives (3.25), as well as processes (3.27) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization's structure, roles and responsibilities, planning and operation.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
3.2
organization

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.25)

Note 1 to entry: The concept of organization includes, but is not limited to, sole traders, companies, corporations, firms, enterprises, authorities, partnerships, charities or institutions, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term "organization" refers only to the part of that entity that is within the scope of the whistleblowing (3.10) management system (3.1).

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
3.3
personnel

organization's (3.2) directors, officers, employees, contractors or temporary staff, and volunteers

[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]

3.4
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity

Note 1 to entry: An interested party can be internal or external to the organization.

Note 2 to entry: Interested parties can include, but are not limited to, those making reports, the subjects of reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, the public, the media, regulators and the organization as a whole.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management

person or group of people who directs and controls an organization (3.2) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
3.6
governing body

person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)

Note 1 to entry: Every organizational entity has a governing body, whether or not it is explicitly established.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words "have ultimate accountability" replace "is accountable for the performance and conformance of", and Notes 1 and 2 to entry have been added.]

3.7
policy

intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)

Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm

Note 1 to entry: Wrongdoing can include, but is not limited to, the following practices:

— breach of law (national or international), such as fraud or corruption, including bribery;

— breach of the organization's (3.2) code of conduct or other relevant code of conduct, breach of the organization's policies (3.7);

— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of authority, conflict of interest, gross waste or mismanagement;

— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and safety, safe working practices or the public interest.

Note 2 to entry: Wrongdoing, or the harm resulting from it, can have occurred in the past, be occurring now, or can occur in the future.

Note 3 to entry: Potential harm can be determined by reference to a single event or a series of events.
3.9
whistleblower

person who reports suspected or actual wrongdoing (3.8) and has reasonable grounds to believe the information is true at the time of reporting

Note 1 to entry: Reasonable grounds is a belief held by an individual, based on observation, experience or information in their possession, that a person in the same circumstances would also hold.

Note 2 to entry: Examples of whistleblowers include, but are not limited to:

— personnel (3.3) of an organization (3.2);

— personnel of external parties, including legal persons, with which the organization has, or plans to establish, some form of business relationship, including, but not limited to, clients, joint ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;

— anyone who has held, or is to hold, a role mentioned in this definition.

3.10
whistleblowing

reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)

Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing, or in electronic or digital form.
Note 2 to entry: It is common to distinguish between:
— open whistleblowing, where the whistleblower discloses information without concealing their identity or requiring that their identity be kept secret;

— confidential whistleblowing, where the identity of the whistleblower, and any information that could identify them, are known to the recipient but are not disclosed without the whistleblower's consent, unless required by law;

— anonymous whistleblowing, where the information is received without the whistleblower revealing their identity.

Note 3 to entry: Organizations (3.2) can use another term such as "procédure d'alerte", "alerte interne", "alerte professionnelle" or "whistleblowing", or an equivalent.
3.11
whistleblowing management function

person(s) with responsibility and authority for the operation of the whistleblowing (3.10) management system (3.1)
3.12
triage

assessment of an initial report of wrongdoing (3.8) for the purposes of categorization, preliminary action, prioritization and assignment for further handling

Note 1 to entry: The following factors can be taken into account: the likelihood and severity of the impact of the wrongdoing on personnel (3.3), the organization (3.2) and interested parties (3.4), including reputational, financial, environmental, human or other damage.
3.13
detrimental conduct

threat, intent, action or omission, direct or indirect, liable to cause detriment to a whistleblower

...

FINAL DRAFT INTERNATIONAL STANDARD
ISO/FDIS 37002
ISO/TC 309
Secretariat: BSI
Voting begins on: 2021-04-26
Voting terminates on: 2021-06-21
Whistleblowing management systems — Guidelines
Systèmes de management des alertes — Lignes directrices
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number ISO/FDIS 37002:2021(E)
© ISO 2021
ISO/FDIS 37002:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
Contents Page
Foreword v
Introduction vi
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Context of the organization 7
4.1 Understanding the organization and its context 7
4.2 Understanding the needs and expectations of interested parties 8
4.3 Determining the scope of the whistleblowing management system 8
4.4 Whistleblowing management system 9
5 Leadership 9
5.1 Leadership and commitment 9
5.1.1 Governing body 9
5.1.2 Top management 10
5.2 Whistleblowing policy 10
5.3 Roles, responsibilities and authorities 11
5.3.1 Top management and governing body 11
5.3.2 Whistleblowing management function 12
5.3.3 Delegated decision-making 12
6 Planning 13
6.1 Actions to address risks and opportunities 13
6.2 Whistleblowing management system objectives and planning to achieve them 13
6.3 Planning of changes 14
7 Support 14
7.1 Resources 14
7.2 Competence 14
7.3 Awareness 15
7.3.1 General 15
7.3.2 Personnel training and awareness measures 15

7.3.3 Training for leaders and other specific roles ........................................................................................16

7.4 Communication ...................................................................................................................................................................................17

7.5 Documented information ............................................................................................................................................................18

7.5.1 General...................................................................................................................................................................................18

7.5.2 Creating and updating documented information .............................................................................18

7.5.3 Control of documented information ............................................................................................................18

7.5.4 Data protection ...................................................................... .........................................................................................19

7.5.5 Confidentiality ................................................................................................................................................................19

8 Operation ..................................................................................................................................................................................................................20

8.1 Operational planning and control .......................................................................................................................................20

8.2 Receiving reports of wrongdoing .........................................................................................................................................22

8.3 Assessing reports of wrongdoing ........................................................................................................................................23

8.3.1 Assessing the reported wrongdoing ............................................................................................................23

8.3.2 Assessing and preventing risks of detrimental conduct .............................................................24

8.4 Addressing reports of wrongdoing.....................................................................................................................................25

8.4.1 Addressing the reported wrongdoing ........................................................................................................25

8.4.2 Protecting and supporting the whistleblower ....................................................................................26

8.4.3 Addressing detrimental conduct.....................................................................................................................26

8.4.4 Protecting the subject(s) of a report .................. ..........................................................................................27

8.4.5 Protecting relevant interested parties .......................................................................................................27

8.5 Concluding whistleblowing cases ........................................................................................................................................27

9 Performance evaluation ............................................................................................................................................................................28

© ISO 2021 – All rights reserved iii
ISO/FDIS 37002:2021(E)

9.1 Monitoring, measurement, analysis and evaluation 28
9.1.1 General 28
9.1.2 Indicators for evaluation 28
9.1.3 Information sources 29
9.2 Internal audit 30
9.2.1 General 30
9.2.2 Internal audit programme 30
9.3 Management review 30
9.3.1 General 30
9.3.2 Management review inputs 30
9.3.3 Management review results 31
10 Improvement 31
10.1 Continual improvement 31
10.2 Nonconformity and corrective action 31
Bibliography 32

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected organization via reports from persons within or close to the organization.

Organizations are increasingly considering introducing or improving internal whistleblowing policies and processes in response to regulation or on a voluntary basis.

This document provides guidance to organizations for establishing, implementing, maintaining and improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.

Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and other interested parties.

An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.

This document provides guidance for organizations to create a whistleblowing management system based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.

This document adopts the “harmonized structure” (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among International Standards for management systems. Organizations may adopt this document as stand-alone guidance for their organization or along with other management system standards, including to address whistleblowing-related requirements in other ISO management systems.

Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how the principles of trust, impartiality and protection overlay all elements of such a system.

Figure 1 — Overview of a whistleblowing management system
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.

The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3.

The whistleblowing management system can be stand-alone or can be used as part of an overall management system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and objectives (3.25), as well as processes (3.27) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.
3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.25)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers

[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]

3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision or activity

Note 1 to entry: An interested party can be internal or external to the organization.

Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media, regulators and the organization as a whole.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.

3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)

Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.

Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board, a supervisory board or trustees.

[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been added.]
3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)

Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for ISO management system standards.

3.8
wrongdoing
action(s) or omission(s) that can cause harm

Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7), discrimination;
— gross negligence, bullying, harassment, unauthorized use of funds or resources, abuse of authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and safety, safe work-practices or the public interest.

Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can happen in the future.

Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.

3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8) and has reasonable belief that the information is true at the time of reporting

Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances.

Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— external parties, including legal persons, with whom the organization has established, or plans to establish, some form of business relationship including, but not limited to, clients, customers, joint ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.

3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)

Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.

Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their identity.

Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an equivalent.

3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10) management system (3.1)

3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking preliminary measures, prioritization and assignment for further handling

Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational, financial, environmental, human or other damages.

3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)

Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services, blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution or legal action, harassment, isolation, imposition of any form of physical or psychological harm.

Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions, done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.

Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a reasonable standard of care at any step of the whistleblowing process (3.27).

Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management, unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.

Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives, associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in a whistleblowing process, including a legal entity.

3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its extent

Note 1 to entry: An investigatio
...
