How can I purchase ISO 37002:2021?

You can purchase ISO 37002:2021 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

ISO 37002:2021 - Whistleblowing management systems

Whistleblowing management systems — Guidelines

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps: a) receiving reports of wrongdoing; b) assessing reports of wrongdoing; c) addressing reports of wrongdoing; d) concluding whistleblowing cases. The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors. The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.

Systèmes de management des alertes — Lignes directrices

Le présent document fournit des lignes directrices pour établir, mettre en œuvre et tenir à jour un système de management des alertes efficace, fondé sur les principes de confiance, d’impartialité et de protection et comprenant les quatre étapes suivantes: a) réception des signalements d’actes répréhensibles; b) évaluation des signalements d’actes répréhensibles; c) traitement des signalements d’actes répréhensibles; d) clôture des cas d’alertes. Les lignes directrices du présent document sont génériques et destinées à s’appliquer à tous les organismes, indépendamment du type, de la taille et de la nature de l’activité, qu’ils évoluent dans le secteur public, privé ou à but non lucratif. L’étendue de l’application de ces lignes directrices dépend des facteurs décrits en 4.1, 4.2 et 4.3. Le système de management des alertes peut être autonome ou peut être utilisé dans le cadre d’un système de management global.

Sistem vodenja prijavljanja nepravilnosti - Smernice

General Information

Status

Published

Publication Date

26-Jul-2021

ICS

03.100.01 - Company organization and management in general

03.100.02 - Governance and ethics

03.100.70 - Management systems

Technical Committee

ISO/TC 309 - Governance of organizations

Drafting Committee

ISO/TC 309 - Governance of organizations

Current Stage

6060 - International Standard published

Start Date

27-Jul-2021

Due Date

11-Jun-2021

Completion Date

27-Jul-2021

Ref Project

SIST ISO 37002:2021 - Whistleblowing management systems - Guidelines

Standard

ISO 37002:2021

English language

40 pages

sale 10% off

Preview

sale 10% off

Preview

e-Library read for

AI-Chat

1 day

Create e-Library subscription and get permanent access to the document. Subscriptions are available for: 03 03.100 03.100.01 03.100.02 03.100.70

ISO 37002:2021 - Whistleblowing management systems -- Guidelines

Standard

ISO 37002:2021 - Whistleblowing management systems -- Guidelines

English language

33 pages

sale 15% off

Preview

sale 15% off

Preview

ISO 37002:2021 - Systèmes de management des alertes -- Lignes directrices

Standard

ISO 37002:2021 - Systèmes de management des alertes -- Lignes directrices

French language

35 pages

sale 15% off

Preview

sale 15% off

Preview

Standard

ISO 37002:2021 - Whistleblowing management systems -- Guidelines

Spanish language

35 pages

sale 15% off

Preview

sale 15% off

Preview

Standards Content (Sample)

SLOVENSKI STANDARD
01-december-2021
Sistem vodenja prijavljanja nepravilnosti - Smernice
Whistleblowing management systems - Guidelines
Systèmes de management des alertes - Lignes directrices
Ta slovenski standard je istoveten z: ISO 37002:2021
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
03.100.02 Upravljanje in etika Governance and ethics
03.100.70 Sistemi vodenja Management systems
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

INTERNATIONAL ISO
STANDARD 37002
First edition
2021-07
Whistleblowing management
systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 7
4.1 Understanding the organization and its context . 7
4.2 Understanding the needs and expectations of interested parties . 8
4.3 Determining the scope of the whistleblowing management system . 8
4.4 Whistleblowing management system . 9
5 Leadership . 9
5.1 Leadership and commitment . 9
5.1.1 Governing body . 9
5.1.2 Top management .10
5.2 Whistleblowing policy .10
5.3 Roles, responsibilities and authorities .11
5.3.1 Top management and governing body . .11
5.3.2 Whistleblowing management function .12
5.3.3 Delegated decision-making .12
6 Planning .13
6.1 Actions to address risks and opportunities .13
6.2 Whistleblowing management system objectives and planning to achieve them .13
6.3 Planning of changes .14
7 Support .14
7.1 Resources .14
7.2 Competence .14
7.3 Awareness .15
7.3.1 General.15
7.3.2 Personnel training and awareness measures .15
7.3.3 Training for leaders and other specific roles .16
7.4 Communication .17
7.5 Documented information .18
7.5.1 General.18
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Data protection . .19
7.5.5 Confidentiality .19
8 Operation .20
8.1 Operational planning and control .20
8.2 Receiving reports of wrongdoing .22
8.3 Assessing reports of wrongdoing .23
8.3.1 Assessing the reported wrongdoing .23
8.3.2 Assessing and preventing risks of detrimental conduct .24
8.4 Addressing reports of wrongdoing.25
8.4.1 Addressing the reported wrongdoing .25
8.4.2 Protecting and supporting the whistleblower .26
8.4.3 Addressing detrimental conduct.26
8.4.4 Protecting the subject(s) of a report . .27
8.4.5 Protecting relevant interested parties .27
8.5 Concluding whistleblowing cases .27
9 Performance evaluation .28
9.1 Monitoring, measurement, analysis and evaluation .28
9.1.1 General.28
9.1.2 Indicators for evaluation .28
9.1.3 Information sources .29
9.2 Internal audit .30
9.2.1 General.30
9.2.2 Internal audit programme .30
9.3 Management review .30
9.3.1 General.30
9.3.2 Management review inputs .30
9.3.3 Management review results .31
10 Improvement .31
10.1 Continual improvement .31
10.2 Nonconformity and corrective action .31
Bibliography .33
iv © ISO 2021 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
Introduction
Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and
experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected
organization via reports from persons within or close to the organization.
Organizations are increasingly considering introducing or improving internal whistleblowing policies
and processes in response to regulation or on a voluntary basis.
This document provides guidance to organizations for establishing, implementing, maintaining and
improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and
other interested parties.
An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.
This document provides guidance for organizations to create a whistleblowing management system
based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the
size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to
improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing
legislation.
This document adopts the “harmonized structure” (i.e. clause sequence, common text and common
terminology) developed by ISO to improve alignment among International Standards for management
systems. Organizations may adopt this document as stand-alone guidance for their organization or along
with other management system standards, including to address whistleblowing-related requirements
in other ISO management systems.
Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how
the principles of trust, impartiality and protection overlay all elements of such a system.
vi © ISO 2021 – All rights reserved

Figure 1 — Overview of a whistleblowing management system
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope
This document gives guidelines for establishing, implementing and maintaining an effective
whistleblowing management system based on the principles of trust, impartiality and protection in the
following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations,
regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The
whistleblowing management system can be stand-alone or can be used as part of an overall management
system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and
objectives (3.25), as well as processes (3.27) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.25)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers
[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]
3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
Note 1 to entry: An interested party can be internal or external to the organization.
Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects
of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media,
regulators and the organization as a whole.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,
a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have
replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been
added.]
2 © ISO 2021 – All rights reserved

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm
Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of
authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and
safety, safe work-practices or the public interest.
Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can
happen in the future.
Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.
3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information
is true at the time of reporting
Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information
known to that individual, which would also be held by a person in the same circumstances.
Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or
plans to establish, some form of business relationship including, but not limited to, clients, customers, joint
ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-
contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.
3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)
Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.
Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or
requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify
them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the
whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their
identity.
Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an
equivalent.
3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10)
management system (3.1)
3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking
preliminary measures, prioritization and assignment for further handling
Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or
suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational,
financial, environmental, human or other damages.
3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a
whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)
Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not
limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse
performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services,
blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution
or legal action, harassment, isolation, imposition of any form of physical or psychological harm.
Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions,
done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.
Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a
reasonable standard of care at any step of the whistleblowing process (3.27).
Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management,
unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.
Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives,
associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in
a whistleblowing process, including a legal entity.
3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them
objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its
extent
Note 1 to entry: An investigation can be an internal investigation or an external investigation. It can be a
combined investigation.
Note 2 to entry: An internal investigation is conducted by the organization (3.2) itself, or by an external party on
its behalf.
Note 3 to entry: An investigation can also be imposed on the organization by external parties.
3.15
audit
systematic and independent process (3.27) for obtaining evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
4 © ISO 2021 – All rights reserved

Note 2 to entry: An internal audit is conducted by the organization (3.2) itself, or by an external party on its
behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
Note 4 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.16
competence
ability to apply knowledge and skills to achieve intended results
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.17
conformity
fulfilment of a requirement (3.28)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.18
nonconformity
non-fulfilment of a requirement (3.28)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.19
corrective action
action to eliminate the cause of a nonconformity (3.18) and to prevent recurrence
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.20
continual improvement
recurring activity to enhance performance (3.26)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.21
documented information
information required to be controlled and maintained by an organization (3.2) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.1), including related processes (3.27);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.22
effectiveness
extent to which planned activities are realized and planned results are achieved
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.23
measurement
process (3.27) to determine a value
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.24
monitoring
determining the status of a system, a process (3.27) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
Note 2 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.25
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety and environment)
They can be, for example, organization-wide or specific to a project, product, service or process (3.27).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational
criterion, as a whistleblowing (3.10) objective, or by the use of other words with similar meaning (e.g. aim, goal,
or target).
Note 4 to entry: In the context of whistleblowing management systems (3.1), whistleblowing objectives are set by
the organization (3.2), consistent with the whistleblowing policy (3.7), to achieve specific results.
Note 5 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.26
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.27), products, services, systems or
organizations (3.2).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.27
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the
reference.
Note 2 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
6 © ISO 2021 – All rights reserved

3.28
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.2) and
interested parties (3.4) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.21).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.29
risk
effect of uncertainty on objectives (3.25)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and
consequences (as defined in ISO Guide 73), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence.
Note 5 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding “on objectives” to the
definition.
3.30
accountability
obligation to another for the fulfilment of a responsibility
4 Context of the organization
4.1 Understanding the organization and its context
The organization should determine external and internal issues that are relevant to its purpose and
that affect its ability to achieve the intended result(s) of its whistleblowing management system.
These issues may include, but are not limited to, the following factors:
a) the size and structure of the organization;
b) the locations and sectors in which the organization operates or anticipates operating;
c) the nature, culture, scale and complexity of the organization’s activities and operations;
d) the nature and needs of personnel;
e) the organization’s business model;
f) the entities over which the organization has control and entities which exercise control over the
organization, including beneficial owner(s) of the organization;
g) the organization’s business associates;
h) the organization’s exposure to public interest obligations or issues;
i) applicable statutory, regulatory, contractual and other obligations and duties.
NOTE An organization has control over another organization if it directly or indirectly controls the
management of the organization.
4.2 Understanding the needs and expectations of interested parties
The organization should determine:
a) the interested parties that are relevant to the whistleblowing management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the whistleblowing management system.
4.3 Determining the scope of the whistleblowing management system
The organization should determine the boundaries and applicability of the whistleblowing management
system to establish its scope.
When determining this scope, the organization should consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) who can report (internal/external interested parties), from where (regions/geographic) and what
types of wrongdoing are covered by the system (see Figure 2);
d) the outcomes of any compliance risk assessment or equivalent, as available.
Organizations can reference ISO 37301 for compliance risk assessment and ISO 31000 for risk
management.
The types of wrongdoing that can be addressed through the whistleblowing management system, if
reported, are important to its scope. Not all reports made to the whistleblowing management system
will be within its scope, and a single report can include information about multiple types of wrongdoing,
some within scope and others outside of scope. The organization should identify what other processes,
existing or planned, will be used to resolve reported wrongdoing that is not within the scope of the
whistleblowing management system (e.g. complaints, grievances) and how this will be coordinated.
This is illustrated in Figure 2.
The scope should be available as documented information.
Figure 2 — Relationship between the whistleblowing management system and other
organizational processes and systems
8 © ISO 2021 – All rights reserved

4.4 Whistleblowing management system
The organization should establish, implement, maintain and continually improve a whistleblowing
management system, including the processes needed and their interactions, in accordance with the
recommendations of this document.
The whistleblowing management system should apply the principles of trust, impartiality and
protection, and should ensure appropriate feedback throughout the entire process. The whistleblowing
management system should support all steps of the whistleblowing process.
a) Receiving reports of wrongdoing: the whistleblowing management system should specify how
reports can be made and received, taking into consideration the factors included in 4.3.
b) Assessing reports of wrongdoing (triage): the whistleblowing management system should specify
the process of assessing received reports, including aspects such as priority, completeness and
relevance of the information. At the same time, the whistleblowing management system should
provide for an assessment of the risk of detriment to and the level of protection and support
required for whistleblowers and others involved.
c) Addressing reports of wrongdoing: the whistleblowing management system should provide for an
impartial and timely investigation, as well as effective and timely protective and support measures
and monitoring as appropriate for the whistleblower and others involved, including those who are
subject of the report. Those protective measures can prevent and contain, as well as remediate
detriment.
d) Concluding whistleblowing cases: the whistleblowing management system should provide
a mechanism to close investigations and take action in response to recommendations and
decisions based on the outcomes of the addressing step. It should also ensure that protective and
support measures can continue and will be monitored as appropriate. Outcomes may be used for
management reporting, organizational learning and other actions (e.g. mitigation remedies).
The steps of the whistleblowing process are specified in 8.2 to 8.5.
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
The governing body should:
a) set objectives for an effective whistleblowing management system and monitor top management
with respect to these;
b) approve the organization’s whistleblowing policy and communicate clear messages about its
existence, importance and use;
c) demonstrate that commitment by embracing the policy and the whistleblowing management
system;
d) at planned intervals, receive and review information about the content and operation of the
organization’s whistleblowing management system;
e) ensure that adequate and appropriate resources needed for effective operation of the
whistleblowing management system are allocated and assigned;
f) exercise adequate oversight of the implementation, integrity and improvement of the organization’s
whistleblowing management system.
5.1.2 Top management
Top management should demonstrate leadership and commitment with respect to the whistleblowing
management system by:
a) ensuring that the whistleblowing policy and whistleblowing management system objectives
are established and are compatible with the values, objectives and strategic direction of the
organization;
b) approving the organization’s whistleblowing policy;
c) ensuring the accessibility of the whistleblowing management system and encouraging its use;
d) ensuring the integration of the whistleblowing management system requirements into the
organization’s business processes, including management systems;
e) ensuring that the resources needed for the whistleblowing management system are available,
adequate, appropriate and deployed;
f) communicating the importance of effective whistleblowing management and of conforming to the
organization’s established whistleblowing management system requirements;
g) communicating the
...

INTERNATIONAL ISO
STANDARD 37002
First edition
2021-07
Whistleblowing management
systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 7
4.1 Understanding the organization and its context . 7
4.2 Understanding the needs and expectations of interested parties . 8
4.3 Determining the scope of the whistleblowing management system . 8
4.4 Whistleblowing management system . 9
5 Leadership . 9
5.1 Leadership and commitment . 9
5.1.1 Governing body . 9
5.1.2 Top management .10
5.2 Whistleblowing policy .10
5.3 Roles, responsibilities and authorities .11
5.3.1 Top management and governing body . .11
5.3.2 Whistleblowing management function .12
5.3.3 Delegated decision-making .12
6 Planning .13
6.1 Actions to address risks and opportunities .13
6.2 Whistleblowing management system objectives and planning to achieve them .13
6.3 Planning of changes .14
7 Support .14
7.1 Resources .14
7.2 Competence .14
7.3 Awareness .15
7.3.1 General.15
7.3.2 Personnel training and awareness measures .15
7.3.3 Training for leaders and other specific roles .16
7.4 Communication .17
7.5 Documented information .18
7.5.1 General.18
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Data protection . .19
7.5.5 Confidentiality .19
8 Operation .20
8.1 Operational planning and control .20
8.2 Receiving reports of wrongdoing .22
8.3 Assessing reports of wrongdoing .23
8.3.1 Assessing the reported wrongdoing .23
8.3.2 Assessing and preventing risks of detrimental conduct .24
8.4 Addressing reports of wrongdoing.25
8.4.1 Addressing the reported wrongdoing .25
8.4.2 Protecting and supporting the whistleblower .26
8.4.3 Addressing detrimental conduct.26
8.4.4 Protecting the subject(s) of a report . .27
8.4.5 Protecting relevant interested parties .27
8.5 Concluding whistleblowing cases .27
9 Performance evaluation .28
9.1 Monitoring, measurement, analysis and evaluation .28
9.1.1 General.28
9.1.2 Indicators for evaluation .28
9.1.3 Information sources .29
9.2 Internal audit .30
9.2.1 General.30
9.2.2 Internal audit programme .30
9.3 Management review .30
9.3.1 General.30
9.3.2 Management review inputs .30
9.3.3 Management review results .31
10 Improvement .31
10.1 Continual improvement .31
10.2 Nonconformity and corrective action .31
Bibliography .33
iv © ISO 2021 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
Introduction
Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and
experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected
organization via reports from persons within or close to the organization.
Organizations are increasingly considering introducing or improving internal whistleblowing policies
and processes in response to regulation or on a voluntary basis.
This document provides guidance to organizations for establishing, implementing, maintaining and
improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and
other interested parties.
An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.
This document provides guidance for organizations to create a whistleblowing management system
based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the
size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to
improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing
legislation.
This document adopts the “harmonized structure” (i.e. clause sequence, common text and common
terminology) developed by ISO to improve alignment among International Standards for management
systems. Organizations may adopt this document as stand-alone guidance for their organization or along
with other management system standards, including to address whistleblowing-related requirements
in other ISO management systems.
Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how
the principles of trust, impartiality and protection overlay all elements of such a system.
vi © ISO 2021 – All rights reserved

Figure 1 — Overview of a whistleblowing management system
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope
This document gives guidelines for establishing, implementing and maintaining an effective
whistleblowing management system based on the principles of trust, impartiality and protection in the
following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations,
regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The
whistleblowing management system can be stand-alone or can be used as part of an overall management
system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and
objectives (3.25), as well as processes (3.27) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.25)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers
[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]
3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
Note 1 to entry: An interested party can be internal or external to the organization.
Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects
of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media,
regulators and the organization as a whole.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,
a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have
replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been
added.]
2 © ISO 2021 – All rights reserved

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm
Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of
authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and
safety, safe work-practices or the public interest.
Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can
happen in the future.
Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.
3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information
is true at the time of reporting
Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information
known to that individual, which would also be held by a person in the same circumstances.
Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or
plans to establish, some form of business relationship including, but not limited to, clients, customers, joint
ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-
contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.
3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)
Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.
Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or
requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify
them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the
whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their
identity.
Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an
equivalent.
3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10)
management system (3.1)
3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking
preliminary measures, prioritization and assignment for further handling
Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or
suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational,
financial, environmental, human or other damages.
3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a
whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)
Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not
limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse
performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services,
blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution
or legal action, harassment, isolation, imposition of any form of physical or psychological harm.
Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions,
done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.
Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a
reasonable standard of care at any step of the whistleblowing process (3.27).
Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management,
unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.
Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives,
associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in
a whistleblowing process, including a legal entity.
3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them
objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its
extent
Note 1 to entry: An investigation can be an internal investigation or an external investigation. It can be a
combined investigation.
Note 2 to entry: An internal investigation is conducted by the organization (3.2) itself, or by an external party on
its behalf.
Note 3 to entry: An investigation can also be imposed on the organization by external parties.
3.15
audit
systematic and independent process (3.27) for obtaining evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
4 © ISO 2021 – All rights reserved

Note 2 to entry: An internal audit is conducted by the organization (3.2) itself, or by an external party on its
behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
Note 4 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.16
competence
ability to apply knowledge and skills to achieve intended results
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.17
conformity
fulfilment of a requirement (3.28)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.18
nonconformity
non-fulfilment of a requirement (3.28)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.19
corrective action
action to eliminate the cause of a nonconformity (3.18) and to prevent recurrence
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.20
continual improvement
recurring activity to enhance performance (3.26)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.21
documented information
information required to be controlled and maintained by an organization (3.2) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.1), including related processes (3.27);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.22
effectiveness
extent to which planned activities are realized and planned results are achieved
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.23
measurement
process (3.27) to determine a value
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.24
monitoring
determining the status of a system, a process (3.27) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
Note 2 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.25
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety and environment)
They can be, for example, organization-wide or specific to a project, product, service or process (3.27).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, a purpose, an operational
criterion, as a whistleblowing (3.10) objective, or by the use of other words with similar meaning (e.g. aim, goal,
or target).
Note 4 to entry: In the context of whistleblowing management systems (3.1), whistleblowing objectives are set by
the organization (3.2), consistent with the whistleblowing policy (3.7), to achieve specific results.
Note 5 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.26
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.27), products, services, systems or
organizations (3.2).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.27
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called output, product or service depends on the context of the
reference.
Note 2 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
6 © ISO 2021 – All rights reserved

3.28
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.2) and
interested parties (3.4) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.21).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.29
risk
effect of uncertainty on objectives (3.25)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and
consequences (as defined in ISO Guide 73), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence.
Note 5 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding “on objectives” to the
definition.
3.30
accountability
obligation to another for the fulfilment of a responsibility
4 Context of the organization
4.1 Understanding the organization and its context
The organization should determine external and internal issues that are relevant to its purpose and
that affect its ability to achieve the intended result(s) of its whistleblowing management system.
These issues may include, but are not limited to, the following factors:
a) the size and structure of the organization;
b) the locations and sectors in which the organization operates or anticipates operating;
c) the nature, culture, scale and complexity of the organization’s activities and operations;
d) the nature and needs of personnel;
e) the organization’s business model;
f) the entities over which the organization has control and entities which exercise control over the
organization, including beneficial owner(s) of the organization;
g) the organization’s business associates;
h) the organization’s exposure to public interest obligations or issues;
i) applicable statutory, regulatory, contractual and other obligations and duties.
NOTE An organization has control over another organization if it directly or indirectly controls the
management of the organization.
4.2 Understanding the needs and expectations of interested parties
The organization should determine:
a) the interested parties that are relevant to the whistleblowing management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the whistleblowing management system.
4.3 Determining the scope of the whistleblowing management system
The organization should determine the boundaries and applicability of the whistleblowing management
system to establish its scope.
When determining this scope, the organization should consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) who can report (internal/external interested parties), from where (regions/geographic) and what
types of wrongdoing are covered by the system (see Figure 2);
d) the outcomes of any compliance risk assessment or equivalent, as available.
Organizations can reference ISO 37301 for compliance risk assessment and ISO 31000 for risk
management.
The types of wrongdoing that can be addressed through the whistleblowing management system, if
reported, are important to its scope. Not all reports made to the whistleblowing management system
will be within its scope, and a single report can include information about multiple types of wrongdoing,
some within scope and others outside of scope. The organization should identify what other processes,
existing or planned, will be used to resolve reported wrongdoing that is not within the scope of the
whistleblowing management system (e.g. complaints, grievances) and how this will be coordinated.
This is illustrated in Figure 2.
The scope should be available as documented information.
Figure 2 — Relationship between the whistleblowing management system and other
organizational processes and systems
8 © ISO 2021 – All rights reserved

4.4 Whistleblowing management system
The organization should establish, implement, maintain and continually improve a whistleblowing
management system, including the processes needed and their interactions, in accordance with the
recommendations of this document.
The whistleblowing management system should apply the principles of trust, impartiality and
protection, and should ensure appropriate feedback throughout the entire process. The whistleblowing
management system should support all steps of the whistleblowing process.
a) Receiving reports of wrongdoing: the whistleblowing management system should specify how
reports can be made and received, taking into consideration the factors included in 4.3.
b) Assessing reports of wrongdoing (triage): the whistleblowing management system should specify
the process of assessing received reports, including aspects such as priority, completeness and
relevance of the information. At the same time, the whistleblowing management system should
provide for an assessment of the risk of detriment to and the level of protection and support
required for whistleblowers and others involved.
c) Addressing reports of wrongdoing: the whistleblowing management system should provide for an
impartial and timely investigation, as well as effective and timely protective and support measures
and monitoring as appropriate for the whistleblower and others involved, including those who are
subject of the report. Those protective measures can prevent and contain, as well as remediate
detriment.
d) Concluding whistleblowing cases: the whistleblowing management system should provide
a mechanism to close investigations and take action in response to recommendations and
decisions based on the outcomes of the addressing step. It should also ensure that protective and
support measures can continue and will be monitored as appropriate. Outcomes may be used for
management reporting, organizational learning and other actions (e.g. mitigation remedies).
The steps of the whistleblowing process are specified in 8.2 to 8.5.
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
The governing body should:
a) set objectives for an effective whistleblowing management system and monitor top management
with respect to these;
b) approve the organization’s whistleblowing policy and communicate clear messages about its
existence, importance and use;
c) demonstrate that commitment by embracing the policy and the whistleblowing management
system;
d) at planned intervals, receive and review information about the content and operation of the
organization’s whistleblowing management system;
e) ensure that adequate and appropriate resources needed for effective operation of the
whistleblowing management system are allocated and assigned;
f) exercise adequate oversight of the implementation, integrity and improvement of the organization’s
whistleblowing management system.
5.1.2 Top management
Top management should demonstrate leadership and commitment with respect to the whistleblowing
management system by:
a) ensuring that the whistleblowing policy and whistleblowing management system objectives
are established and are compatible with the values, objectives and strategic direction of the
organization;
b) approving the organization’s whistleblowing policy;
c) ensuring the accessibility of the whistleblowing management system and encouraging its use;
d) ensuring the integration of the whistleblowing management system requirements into the
organization’s business processes, including management systems;
e) ensuring that the resources needed for the whistleblowing management system are available,
adequate, appropriate and deployed;
f) communicating the importance of effective whistleblowing management and of conforming to the
organization’s established whistleblowing management system requirements;
g) communicating the whistleblowing policy internally and externally (see 7.4);
h) ensuring that the whistleblowing management system achieves its intended result(s) (see 6.1);
i) directing and supporting persons to contribute to the effectiveness of the whistleblowing
management system;
j) promoting continual improvement;
k) supporting other relevant roles to demonstrate their leadership as it applies to their areas of
responsibility;
l) committing to, promoting and practising a speak-up/listen-up culture within the organization,
e.g. by actively participating in relevant staff training sessions and, with their consent, publicly
commending organization’s whistleblowers;
m) ensuring that whistleblowers and others involved will not suffer detriment by the organization in
relation to whistleblowing;
n) at planned intervals, receiving and reviewing reports on the operation, and performance of, the
whistleblowing management system;
o) ensuring an impartial investigation of matters reported using the system, regardless of the identity
of the whistleblower, the subject of the report and the implications of the issues identified.
NOTE 1 Reference to “business” in t
...

NORME ISO
INTERNATIONALE 37002
Première édition
2021-07
Systèmes de management des
alertes — Lignes directrices
Whistleblowing management systems — Guidelines
Numéro de référence
©
ISO 2021
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2021
Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette
publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,
y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut
être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO 2021 – Tous droits réservés

Sommaire Page
Avant-propos .v
Introduction .vi
1 Domaine d’application . 1
2 Références normatives . 1
3 Termes et définitions . 1
4 Contexte de l’organisme . 7
4.1 Compréhension de l’organisme et de son contexte . 7
4.2 Compréhension des besoins et attentes des parties intéressées . 8
4.3 Détermination du périmètre d’application du système de management des alertes . 8
4.4 Système de management des alertes . 9
5 Leadership .10
5.1 Leadership et engagement.10
5.1.1 Organe de gouvernance .10
5.1.2 Direction.10
5.2 Politique d’alerte .11
5.3 Rôles, responsabilités et autorités au sein de l’organisme .12
5.3.1 Direction et organe de gouvernance .12
5.3.2 Fonction de management des alertes .12
5.3.3 Délégation de la prise de décision .13
6 Planification .13
6.1 Actions à mettre en œuvre face aux risques et opportunités .13
6.2 Objectifs du système de management des alertes et planification des actions pour
les atteindre .14
6.3 Planification des changements .15
7 Soutien .15
7.1 Ressources .15
7.2 Compétences .15
7.3 Sensibilisation .16
7.3.1 Généralités .16
7.3.2 Formation et mesures de sensibilisation du personnel .16
7.3.3 Formation pour les dirigeants et autres rôles spécifiques .17
7.4 Communication .18
7.5 Informations documentées .19
7.5.1 Généralités .19
7.5.2 Création et mise à jour des informations documentées .19
7.5.3 Maîtrise des informations documentées .19
7.5.4 Protection des données .20
7.5.5 Confidentialité .20
8 Réalisation des activités opérationnelles .21
8.1 Planification et maîtrise opérationnelles .21
8.2 Réception des signalements d’actes répréhensibles .24
8.3 Évaluation des signalements d’actes répréhensibles .25
8.3.1 Évaluation de l’acte répréhensible signalé .25
8.3.2 Évaluation et prévention des risques de mesures de représailles .26
8.4 Traitement des signalements d’actes répréhensibles .27
8.4.1 Traitement de l’acte répréhensible signalé .27
8.4.2 Protection et soutien du lanceur d’alerte .28
8.4.3 Traitement des mesures de représailles .28
8.4.4 Protection de la ou des personnes faisant l’objet d’un signalement .29
8.4.5 Protection des parties intéressées concernées .29
8.5 Clôture des cas d’alertes .29
9 Évaluation des performances .30
9.1 Surveillance, mesure, analyse et évaluation .30
9.1.1 Généralités .30
9.1.2 Indicateurs d’évaluation .31
9.1.3 Sources d’information .31
9.2 Audit interne .32
9.2.1 Généralités .32
9.2.2 Programme d’audit interne .32
9.3 Revue de direction .33
9.3.1 Généralités .33
9.3.2 Entrées de la revue de direction .33
9.3.3 Résultats de la revue de direction .33
10 Amélioration .33
10.1 Amélioration continue .33
10.2 Non-conformité et actions correctives .34
Bibliographie .35
iv © ISO 2021 – Tous droits réservés

Avant-propos
L’ISO (Organisation internationale de normalisation) est une fédération mondiale d’organismes
nationaux de normalisation (comités membres de l’ISO). L’élaboration des Normes internationales est
en général confiée aux comités techniques de l’ISO. Chaque comité membre intéressé par une étude
a le droit de faire partie du comité technique créé à cet effet. Les organisations internationales,
gouvernementales et non gouvernementales, en liaison avec l’ISO participent également aux travaux.
L’ISO collabore étroitement avec la Commission électrotechnique internationale (IEC) en ce qui
concerne la normalisation électrotechnique.
Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont
décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier, de prendre note des différents
critères d’approbation requis pour les différents types de documents ISO. Le présent document a été
rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir www
.iso .org/ directives).
L’attention est attirée sur le fait que certains des éléments du présent document peuvent faire l’objet de
droits de propriété intellectuelle ou de droits analogues. L’ISO ne saurait être tenue pour responsable
de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant
les références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de
l’élaboration du document sont indiqués dans l’Introduction et/ou dans la liste des déclarations de
brevets reçues par l’ISO (voir www .iso .org/ brevets).
Les appellations commerciales éventuellement mentionnées dans le présent document sont données
pour information, par souci de commodité, à l’intention des utilisateurs et ne sauraient constituer un
engagement.
Pour une explication de la nature volontaire des normes, la signification des termes et expressions
spécifiques de l’ISO liés à l’évaluation de la conformité, ou pour toute information au sujet de l’adhésion
de l’ISO aux principes de l’Organisation mondiale du commerce (OMC) concernant les obstacles
techniques au commerce (OTC), voir www .iso .org/ avant -propos.
Le présent document a été élaboré par le comité technique ISO/TC 309, Gouvernance des organisations.
Il convient que l’utilisateur adresse tout retour d’information ou toute question concernant le présent
document à l’organisme national de normalisation de son pays. Une liste exhaustive desdits organismes
se trouve à l’adresse www .iso .org/ fr/ members .html.
Introduction
L’alerte est l’acte qui consiste à signaler un acte répréhensible présumé ou un risque d’acte
répréhensible. Les études et l’expérience montrent qu’une grande partie des actes répréhensibles est
portée à l’attention de l’organisme concerné par le biais de signalements émanant de personnes au sein
ou proches de l’organisme.
Les organismes envisagent de plus en plus de mettre en place ou d’améliorer des politiques et des
processus d’alerte internes en réponse à la réglementation ou sur la base du volontariat.
Le présent document fournit des recommandations aux organismes pour établir, mettre en œuvre, tenir
à jour et améliorer un système de management des alertes, avec les résultats suivants:
a) encourager et faciliter le signalement des actes répréhensibles;
b) soutenir et protéger les lanceurs d’alerte et les autres parties intéressées impliquées;
c) veiller à ce que les signalements d’actes répréhensibles soient traités de manière appropriée et dans
les meilleurs délais;
d) améliorer la culture de l’organisme et la gouvernance;
e) réduire les risques d’actes répréhensibles.
Les avantages potentiels pour l’organisme sont notamment les suivants:
— permettre à l’organisme d’identifier et de traiter les actes répréhensibles le plus tôt possible;
— aider à prévenir ou à réduire le plus possible la perte d’actifs et faciliter la récupération des actifs
perdus;
— assurer le respect des politiques et procédures de l’organisme, ainsi que des obligations légales et
sociales;
— attirer et retenir le personnel attaché aux valeurs et à la culture de l’organisme;
— faire la démonstration de pratiques de gouvernance saines et éthiques à la société, aux marchés, aux
organismes de réglementation et de contrôle aux propriétaires et aux autres parties intéressées.
Un système efficace de management des alertes permet d’instaurer la confiance au sein de l’organisme
en:
— démontrant l’engagement des dirigeants à prévenir et à traiter les actes répréhensibles;
— encourageant tout un chacun à se manifester sans tarder pour signaler les actes répréhensibles;
— réduisant et prévenant les préjudices subis par les lanceurs d’alerte et les autres personnes
impliquées;
— favorisant une culture d’ouverture, de transparence, d’intégrité et de redevabilité.
Le présent document fournit des recommandations aux organismes pour créer un système de
management des alertes, fondé sur les principes de confiance, d’impartialité et de protection. Il
est adaptable, et son utilisation variera en fonction de la taille, de la nature, de la complexité et de
la juridiction des activités de l’organisme. Il peut aider un organisme à améliorer sa politique et ses
procédures d’alerte existantes, ou à se conformer à la législation applicable aux lanceurs d’alerte.
Le présent document adopte la «structure harmonisée» (c’est-à-dire succession des articles, texte
commun et terminologie commune) élaborée par l’ISO afin d’améliorer l’alignement entre les Normes
internationales de systèmes de management. Les organismes peuvent adopter le présent document
comme guide autonome pour leur organisation ou en même temps que d’autres normes de systèmes de
vi © ISO 2021 – Tous droits réservés

management, notamment pour répondre aux exigences relatives aux alertes dans d’autres systèmes de
management ISO.
La Figure 1 est une représentation conceptuelle d’un système recommandé de management des alertes,
montrant comment les principes de confiance, d’impartialité et de protection couvrent tous les éléments
d’un tel système.
Figure 1 — Vue d’ensemble d’un système de management des alertes
NORME INTERNATIONALE ISO 37002:2021(F)
Systèmes de management des alertes — Lignes directrices
1 Domaine d’application
Le présent document fournit des lignes directrices pour établir, mettre en œuvre et tenir à jour un
système de management des alertes efficace, fondé sur les principes de confiance, d’impartialité et de
protection et comprenant les quatre étapes suivantes:
a) réception des signalements d’actes répréhensibles;
b) évaluation des signalements d’actes répréhensibles;
c) traitement des signalements d’actes répréhensibles;
d) clôture des cas d’alertes.
Les lignes directrices du présent document sont génériques et destinées à s’appliquer à tous les
organismes, indépendamment du type, de la taille et de la nature de l’activité, qu’ils évoluent dans le
secteur public, privé ou à but non lucratif.
L’étendue de l’application de ces lignes directrices dépend des facteurs décrits en 4.1, 4.2 et 4.3. Le
système de management des alertes peut être autonome ou peut être utilisé dans le cadre d’un système
de management global.
2 Références normatives
Le présent document ne contient aucune référence normative.
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s’appliquent.
L’ISO et l’IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en
normalisation, consultables aux adresses suivantes:
— ISO Online browsing platform: disponible à l’adresse https:// www .iso .org/ obp
— IEC Electropedia: disponible à l’adresse http:// www .electropedia .org/
3.1
système de management
ensemble d’éléments corrélés ou en interaction d’un organisme (3.2), utilisés pour établir des politiques
(3.7) et des objectifs (3.25), ainsi que des processus (3.27) de façon à atteindre lesdits objectifs
Note 1 à l'article: Un système de management peut traiter d’un seul ou de plusieurs domaines.
Note 2 à l'article: Les éléments du système de management comprennent la structure, les rôles et responsabilités,
la planification et le fonctionnement de l’organisme.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.2
organisme
personne ou groupe de personnes ayant un rôle avec les responsabilités, l’autorité et les relations lui
permettant d’atteindre ses objectifs (3.25)
Note 1 à l'article: Le concept d’organisme englobe, sans toutefois s’y limiter, les travailleurs indépendants,
les compagnies, les sociétés, les firmes, les entreprises, les administrations, les partenariats, les organisations
caritatives ou les institutions, ou bien une partie ou une combinaison des entités précédentes, à responsabilité
limitée ou ayant un autre statut, de droit public ou privé.
Note 2 à l'article: Si l’organisme fait partie d’une entité plus grande, le terme «organisme» fait uniquement
référence à la partie de cette entité faisant partie intégrante du périmètre du système de management (3.1) des
alertes (3.10).
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.3
personnel
directeurs, agents, employés, contractuels ou personnel intérimaire et bénévoles de l’organisme (3.2)
[SOURCE: ISO 37001:2016, 3.25, modifiée — Les Notes 1 et 2 à l’article ont été supprimées.]
3.4
partie intéressée (terme recommandé)
partie prenante (terme admis)
personne ou organisme (3.2) qui peut soit influer sur une décision ou une activité, soit être influencé(e)
ou s’estimer influencé(e) par une décision ou une activité
Note 1 à l'article: Une partie intéressée peut être interne ou externe à l’organisme.
Note 2 à l'article: Les parties intéressées peuvent inclure, sans toutefois s’y limiter, les auteurs de signalements,
les personnes faisant l’objet de signalements, les témoins, le personnel (3.3), les représentants des travailleurs,
les fournisseurs, les tiers, le public, les médias, les organismes de réglementation et de contrôle et l’organisme
dans son ensemble.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO. La définition originale a été modifiée par l’ajout des
Notes 1 et 2 à l’article.
3.5
direction
personne ou groupe de personnes qui oriente et dirige un organisme (3.2) au plus haut niveau
Note 1 à l'article: La direction a le pouvoir de déléguer son autorité et de fournir des ressources au sein de
l’organisme.
Note 2 à l'article: Si le périmètre du système de management (3.1) ne couvre qu’une partie de l’organisme, alors la
direction s’adresse à ceux qui orientent et dirigent cette partie de l’organisme.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.6
organe de gouvernance
personne ou groupe de personnes qui détient la responsabilité (3.30) ultime de l’ensemble de l’organisme
(3.2)
Note 1 à l'article: Chaque entité organisationnelle dispose d’un organe de gouvernance, qu’il soit ou non
explicitement établi.
Note 2 à l'article: Un organe de gouvernance peut notamment comprendre un conseil d’administration, les
comités du conseil d’administration, un conseil de surveillance ou des administrateurs.
2 © ISO 2021 – Tous droits réservés

[SOURCE: ISO/IEC 38500:2015, 2.9, modifiée — Les mots «détient la responsabilité ultime» remplacent
«est responsable du fonctionnement et de la conformité de» et les Notes 1 et 2 à l’article ont été ajoutées.]
3.7
politique
intentions et orientations d’un organisme (3.2) telles qu’elles sont officiellement formulées par sa
direction (3.5)
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.8
acte répréhensible
action(s) ou omission(s) pouvant causer un préjudice
Note 1 à l'article: Les actes répréhensibles peuvent comprendre, sans toutefois s’y limiter, les pratiques suivantes:
— violation de la loi (nationale ou internationale), comme la fraude, la corruption, y compris les pots-de-vin;
— violation du code de conduite de l’organisme (3.2) ou d’un autre code de conduite pertinent, violation des
politiques de l’organisme (3.7);
— négligence grave, intimidation, harcèlement, discrimination, utilisation non autorisée de fonds ou de
ressources, abus d’autorité, conflit d’intérêts, gaspillage flagrant ou mauvaise gestion;
— les actions ou omissions entraînant un dommage ou un risque de préjudice pour les droits de l’homme,
l’environnement, la santé et la sécurité publiques, des pratiques de travail sûres ou l’intérêt public.
Note 2 à l'article: Un acte répréhensible ou le préjudice qui en résulte peut s’être produit dans le passé, être en
train de se produire ou peut se produire à l’avenir.
Note 3 à l'article: Le préjudice potentiel peut être déterminé par référence à un événement unique ou à une série
d’événements.
3.9
lanceur d’alerte
personne qui signale des actes répréhensibles (3.8) présumés ou réels et a des motifs raisonnables de
croire que les informations sont exactes au moment du signalement
Note 1 à l'article: Un motif raisonnable est une conviction d’un individu s’appuyant sur l’observation, l’expérience
ou des informations en sa possession qu’une personne dans les mêmes circonstances partagerait également.
Note 2 à l'article: Les exemples de lanceurs d’alerte incluent ce qui suit, sans toutefois s’y limiter:
— le personnel (3.3) d’un organisme (3.2);
— le personnel de parties externes, y compris les personnes morales, avec lesquelles l’organisme a, ou
prévoit d’établir, une certaine forme de relation d’affaires, y compris, sans toutefois s’y limiter, les clients,
les entreprises communes (ou joint-ventures), les partenaires d’entreprise commune, les partenaires
de consortium, les prestataires de services externalisés, les sous-traitants, les consultants, les sous-
contractants, les fournisseurs, les revendeurs, les conseillers, les agents, les distributeurs, les représentants,
les intermédiaires et les investisseurs;
— d’autres personnes comme les représentants syndicaux;
— toute personne ayant occupé ou devant occuper une fonction mentionnée dans cette définition.
3.10
alerte
signalement d’actes répréhensibles (3.8) présumés ou réels par un lanceur d’alerte (3.9)
Note 1 à l'article: Un signalement d’actes répréhensibles peut être verbal, en personne, par écrit ou sous forme
électronique ou numérique.
Note 2 à l'article: Il est courant de faire une distinction entre:
— une alerte transparente où le lanceur d’alerte divulgue des informations sans dissimuler son identité ou
exiger que son identité soit gardée secrète;
— une alerte confidentielle où l’identité et toute information pouvant permettre d’identifier le lanceur d’alerte
sont connues du destinataire mais ne sont pas divulguées sans le consentement du lanceur d’alerte, sauf si la
loi l’exige;
— une alerte anonyme où l’information est reçue sans que le lanceur d’alerte ne révèle son identité.
Note 3 à l'article: Les organismes (3.2) peuvent utiliser un autre terme tel que «procédure d’alerte», «alerte
interne», «alerte professionnelle» ou «whistleblowing» ou un équivalent.
3.11
fonction de management des alertes
personne(s) qui détien(nen)t la responsabilité et l’autorité du fonctionnement du système de management
(3.1) des alertes (3.10)
3.12
triage
évaluation du signalement initial d’actes répréhensibles (3.8) à des fins de catégorisation, de prise de
mesures préliminaires, de priorisation et d’affectation pour traitement ultérieur
Note 1 à l'article: Les facteurs suivants peuvent être pris en compte: la probabilité et la gravité de l’impact
des actes répréhensibles sur le personnel (3.3), l’organisme (3.2) et les parties intéressées (3.4), y compris les
dommages à la réputation, financiers, environnementaux, humains ou autres.
3.13
mesure de représailles
menace, intention, action ou omission, directe ou indirecte, susceptible de porter préjudice à un lanceur
d’alerte (3.9) ou à une autre partie intéressée (3.4), en lien avec l’alerte (3.10)
Note 1 à l'article: Le préjudice comprend toute conséquence négative, qu’elle soit professionnelle ou personnelle,
y compris, sans toutefois s’y limiter, le licenciement, la suspension, la rétrogradation, le transfert, le changement
de fonctions, la modification des conditions de travail, les mauvaises notes de performance (3.26), des mesures
disciplinaires, la réduction des possibilités d’avancement, le refus de services, l’inscription sur une liste noire,
le boycottage, l’atteinte à la réputation, la divulgation de l’identité du lanceur d’alerte, la perte financière, les
poursuites ou les actions en justice, le harcèlement, l’isolement ou toute forme de préjudice physique ou
psychologique.
Note 2 à l'article: Les mesures de représailles comprennent les représailles, les sanctions, les actions ou omissions
délibérées, faites sciemment ou par négligence pour porter préjudice à un lanceur d’alerte ou à d’autres parties
concernées.
Note 3 à l'article: Les mesures de représailles comprennent également l’incapacité à prévenir ou à réduire le plus
possible le préjudice en assurant un degré de diligence raisonnable à chaque étape du processus d’alerte (3.27).
Note 4 à l'article: Les actions visant à traiter les propres actes répréhensibles (3.8), les performances ou la gestion
d’un lanceur d’alerte, indépendamment de son rôle dans le signalement, ne constituent pas une mesure de
représailles au regard du présent document.
Note 5 à l'article: Les autres parties intéressées concernées peuvent inclure les lanceurs d’alerte potentiels ou
présumés, les proches, les associés d’un lanceur d’alerte, des personnes qui ont apporté leur soutien à un lanceur
d’alerte, et toute personne impliquée dans un processus d’alerte, y compris les personnes morales.
3.14
enquête
processus (3.27) méthodique, indépendant et documenté, permettant d’établir des faits et de les évaluer
de manière objective pour déterminer si des actes répréhensibles (3.8) ont eu lieu, ont lieu ou risquent
d’avoir lieu et dans quelle mesure
Note 1 à l'article: Une enquête peut être interne ou externe. Il peut s’agir d’une enquête combinée.
Note 2 à l'article: Une enquête interne est menée par l’organisme (3.2) lui-même ou par une partie externe pour le
compte de celui-ci.
4 © ISO 2021 – Tous droits réservés

Note 3 à l'article: Une enquête peut également être imposée à l’organisme par des parties externes.
3.15
audit
processus (3.27) méthodique et indépendant, permettant d’obtenir des preuves et de les évaluer de
manière objective pour déterminer dans quelle mesure les critères d’audit sont satisfaits
Note 1 à l'article: Un audit peut être interne (de première partie) ou externe (de seconde ou tierce partie), et il
peut être combiné (s’il associe deux domaines ou plus).
Note 2 à l'article: Un audit interne est réalisé par l’organisme (3.2) lui-même ou par une partie externe pour le
compte de celui-ci.
Note 3 à l'article: Les termes «preuves d’audit» et «critères d’audit» sont définis dans l’ISO 19011.
Note 4 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.16
compétence
aptitude à mettre en pratique des connaissances et des savoir-faire pour obtenir les résultats escomptés
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.17
conformité
satisfaction d’une exigence (3.28)
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.18
non-conformité
non-satisfaction d’une exigence (3.28)
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.19
action corrective
action visant à éliminer la cause d’une non-conformité (3.18) et à éviter qu’elle ne réapparaisse
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.20
amélioration continue
activité récurrente menée pour améliorer les performances (3.26)
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.21
information documentée
information devant être maîtrisée et tenue à jour par un organisme (3.2) ainsi que le support sur lequel
elle figure
Note 1 à l'article: Les informations documentées peuvent se présenter sous n’importe quel format et sur tous
supports et peuvent provenir de toute source.
Note 2 à l'article: Les informations documentées peuvent se rapporter:
— au système de management (3.1), y compris les processus (3.27) connexes;
— aux informations créées en vue du fonctionnement de l’organisme (documentation);
— aux preuves des résultats obtenus (enregistrements).
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.22
efficacité
niveau de réalisation des activités planifiées et d’obtention des résultats escomptés
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.23
mesure
processus (3.27) visant à déterminer une valeur
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.24
surveillance
détermination de l’état d’un système, d’un processus (3.27) ou d’une activité
Note 1 à l'article: Pour déterminer cet état, il peut être nécessaire de vérifier, de superviser ou d’observer d’un
point de vue critique.
Note 2 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.25
objectif
résultat à atteindre
Note 1 à l'article: Un objectif peut être stratégique, tactique ou opérationnel.
Note 2 à l'article: Les objectifs peuvent se rapporter à différents domaines (tels que finance, santé, sécurité,
et environnement) et peuvent s’appliquer, par exemple, à un niveau concernant l’organisme dans son ensemble
ou spécifique à un projet, un produit ou un processus (3.27).
Note 3 à l'article: Un objectif peut être exprimé de différentes manières, par exemple par un résultat escompté,
un besoin, un critère opérationnel, en tant qu’objectif en matière d’alertes (3.10) ou par l’utilisation d’autres
termes ayant la même signification (par exemple finalité, but ou cible).
Note 4 à l'article: Dans le contexte des systèmes de management des alertes (3.1), les objectifs en matière d’alertes
sont fixés par l’organisme (3.2), en cohérence avec sa politique d’alerte (3.7), en vue d’obtenir des résultats
spécifiques.
Note 5 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.26
performance
résultat mesurable
Note 1 à l'article: Les performances peuvent être liées à des résultats quantitatifs ou qualitatifs.
Note 2 à l'article: Les performances peuvent concerner le management d’activités, de processus (3.27), de
produits, services, de systèmes ou d’organismes (3.2).
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
6 © ISO 2021 – Tous droits réservés

3.27
processus
ensemble d’activités corrélées ou en interaction qui transforme des éléments d’entrée en résultat
Note 1 à l'article: Le fait que le résultat d’un processus soit appelé élément de sortie, produit ou service dépend du
contexte de la référence.
Note 2 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.28
exigence
besoin ou attente formulé(e), généralement implicite ou obligatoire
Note 1 à l'article: «Généralement implicite» signifie qu’il est habituel ou courant, pour l’organisme (3.2) et les
parties intéressées (3.4), que le besoin ou l’attente en question soit implicite.
Note 2 à l'article: Une exigence spécifiée est une exigence formulée, par exemple une information documentée
(3.21).
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.29
risque
effet de l’incertitude sur les objectifs (3.25)
Note 1 à l'article: Un effet est un écart, positif ou négatif, par rapport à une attente.
Note 2 à l'article: L’incertitude est l’état, même partiel, de manque d’information qui entrave la compréhension ou
la connaissance d’un événement, de ses conséquences ou de sa vraisemblance.
Note 3 à l'article: Un risque est souvent caractérisé par référence à des événements potentiels (tels que définis
dans le Guide ISO 73) et à des conséquences également potentielles (telles que définies dans le Guide ISO 73), ou
par référence à une combinaison des deux.
Note 4 à l'article: Un risque est souvent exprimé en termes de combinaison des conséquences d’un événement
(y compris des changements de circonstances) et de la vraisemblance de son occurrence (telle que définie dans
le Guide ISO 73).
Note 5 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO. La définition originale a été modifiée en y ajoutant
«sur les objectifs».
3.30
redevabilité
obligation vis-à-vis d’autrui concernant l’accomplissement d’une responsabilité
4 Contexte de l’organisme
4.1 Compréhension de l’organisme et de son contexte
Il convient que l’organisme détermine les enjeux externes et internes pertinents par rapport à sa finalité,
et qui influent sur sa capacité à atteindre le ou les résultats attendus de son système de management
des alertes.
Ces enjeux peuvent comprendre, sans s’y limiter, les facteurs suivants:
a) la taille et la structure de l’organisme;
b) les lieux et les secteurs dans lesquels l’organisme opère ou prévoit d’opérer;
c) la nature, la culture, l’échelle et la complexité des activités et des opérations de l’organisme;
d) la nature et les besoins du personnel;
e) le modèle économique de l’organisme;
f) les entités sur lesquelles l’organisme exerce un contrôle et les entités exerçant un contrôle sur
l’organisme, y compris le ou les propriétaires bénéficiaires de l’organisme;
g) les partenaires commerciaux de l’organisme;
h) l’exposition de l’organisme aux obligations et enjeux de l’intérêt public;
i) les obligations et devoirs statutaires, réglementaires, contractuels et autres applicables.
NOTE Un organisme exerce un contrôle sur une autre entité s’il contrôle directement ou indirectement la
gestion de l’entité.
4.2 Compréhension des besoins et attentes des parties intéressées
Il convient que l’organisme détermine:
a) les parties intéressées qui sont pertinentes dans le cadre du système de management des alertes;
b) les exigences pertinentes de ces parties intéressées;
c) les exigences parmi celles-ci qui seront prises en considération par le système de management des
alertes.
4.3 Détermination du périmètre d’application du système de management des alertes
Il convient que l’organisme détermine les limites et l’applicabilité du système de management des
alertes afin d’établir son périmètre.
Lorsque l’organisme établit ce périmètre, il est recommandé qu’il prenne en compte:
a) les enjeux externes et internes auxquels il est fait référence en 4.1;
b) les exigences auxquelles il est fait référence en 4.2;
c) qui peut faire un signalement (parties intéressées internes / externes), depuis où (régions / zone
géographique) et quels types d’actes répréhensibles sont couverts par le système (voir Figure 2);
d) les résultats de toute évaluation des risques liés à la conformité ou l’équivalent, suivant le cas.
Les organismes peuvent se référer à l’ISO 37301 pour l’évaluation des risques liés à la conformité et
à l’ISO 31000 pour le management du risque.
Les types d’actes répréhensibles qui peuvent être traités par le système de management des alertes,
dans le cas où un signalement est effectué, sont importants au regard de son périmètre d’application.
Tous les signalements effectués par l’intermédiaire du système de management des alertes ne feront
pas partie de son périmètre et un signalement unique peut inclure des informations concernant
plusieurs types d’actes répréhensibles, certains faisant partie de son périmètre et d’autres non. Il
convient que l’organisme identifie les autres processus, existants ou prévus, qui pourraient être utilisés
pour résoudre les signalements d’actes répréhensibles ne faisant pas partie du périmètre du système
de management des alertes (par exemple, plaintes, doléances) et comment il convient de les coordonner.
Ceci est illustré à la Figure 2.
Il convient que le périmètre d’application soit disponible sous la forme d’une information documentée.
8 © ISO 2021 – Tous droits réservés

Figure 2 — Relation entre le système de management des alertes et les autres processus
et systèmes de l’organisme
4.4 Système de management des alertes
Il convient que l’organisme établisse, mette en œuvre, tienne à jour et améliore en continu un système
de management des alertes, y compris les processus nécessaires et leurs interactions, conformément
aux recommandations du présent document.
Il convient que le système de management des alertes applique les principes de confiance, d’impartialité
et de protection, et assure un retour d’information approprié tout au long du processus. Il convient que
le système de management des alertes soutienne toutes les étapes du processus d’alerte.
a) Réception des signalements d’actes répréhensibles: il convient que le système de management des
alertes précise comment les signalements peuvent être faits et reçus en tenant compte des facteurs
mentionnés en 4.3.
b) Évaluation des signalements d’actes répréhensibles (triage): il convient que le système de
management des alertes spécifie le processus d’évaluation des signalemen
...

NORMA ISO
INTERNACIONAL 37002
Traducción oficial
Primera edición
2021-07
Official translation
Traduction officielle
Sistemas de gestión de la denuncia de
irregularidades — Directrices
Whistleblowing management systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Publicado por la Secretaría Central de ISO en Ginebra, Suiza, como
traducción oficial en español avalada por el Grupo de Trabajo Spanish
Translation Task Force (STTF), que ha certificado la conformidad en
relación con las versiones inglesa y francesa.
Número de referencia
DOCUMENTO PROTEGIDO POR COPYRIGHT
© ISO 2021
Reservados los derechos de reproducción. Salvo prescripción diferente, no podrá reproducirse ni utilizarse ninguna parte de
esta publicación bajo ninguna forma y por ningún medio, electrónico o mecánico, incluidos el fotocopiado, o la publicación en
Internet o una Intranet, sin la autorización previa por escrito. La autorización puede solicitarse a ISO en la siguiente dirección o al
organismo miembro de ISO en el país solicitante.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Publicado en Suiza
Traducción oficial/Official translation/Traduction officielle
ii
Índice Página
Prólogo .v
Prólogo de la versión en español. vi
Introducción .vii
1 Objeto y campo de aplicación . 1
2 Referencias normativas . 1
3 Términos y definiciones .1
4 Contexto de la organización . 8
4.1 Comprensión de la organización y su contexto . 8
4.2 Comprensión de las necesidades y expectativas de las partes interesadas . 8
4.3 Determinación del alcance del sistema de gestión de la denuncia de irregularidades . 8
4.4 Sistema de gestión de la denuncia de irregularidades . 9
5 Liderazgo .10
5.1 Liderazgo y compromiso . 10
5.1.1 Órgano de gobierno . 10
5.1.2 Alta dirección . 10
5.2 Política de denuncia de irregularidades . 11
5.3 Roles, responsabilidades y autoridades .12
5.3.1 Alta dirección y órgano de gobierno .12
5.3.2 Función de gestión de la denuncia de irregularidades .13
5.3.3 Toma de decisiones delegada . 13
6 Planificación .14
6.1 Acciones para abordar riesgos y oportunidades . 14
6.2 Objetivos del sistema de gestión de la denuncia de irregularidades y planificación
para alcanzarlos . 14
6.3 Planificación de cambios . 15
7 Apoyo .15
7.1 Recursos . 15
7.2 Competencia . 16
7.3 Toma de conciencia . 16
7.3.1 Generalidades . 16
7.3.2 Medidas de formación y toma de conciencia del personal . 17
7.3.3 Formación para líderes y otros roles específicos . 18
7.4 Comunicación. 18
7.5 Información documentada . 19
7.5.1 Generalidades . 19
7.5.2 Creación y actualización de la información documentada . 19
7.5.3 Control de la información documentada. 20
7.5.4 Protección de datos .20
7.5.5 Confidencialidad . 21
8 Operación .22
8.1 Planificación y control operacional . 22
8.2 Recepción de denuncias de irregularidades . 24
8.3 Evaluación de denuncias de irregularidades . 25
8.3.1 Evaluación de la irregularidad denunciada . 25
8.3.2 Evaluación y prevención de riesgos de conducta perjudicial .26
8.4 Tratamiento de las denuncias de irregularidades . 27
8.4.1 Tratamiento de las irregularidades denunciadas . 27
8.4.2 Protección y apoyo al denunciante .28
8.4.3 Tratamiento de la conducta perjudicial .28
8.4.4 Protección de los sujetos de la denuncia .29
8.4.5 Protección de las partes interesadas pertinentes .29
Traducción oficial/Official translation/Traduction officielle
iii
8.5 Conclusión de casos de denuncia de irregularidades.29
9 Evaluación del desempeño .30
9.1 Seguimiento, medición, análisis y evaluación .30
9.1.1 Generalidades .30
9.1.2 Indicadores de evaluación .30
9.1.3 Fuentes de información . 31
9.2 Auditoría interna . 32
9.2.1 Generalidades . 32
9.2.2 Programa de auditoría interna . 32
9.3 Revisión por la dirección . 32
9.3.1 Generalidades . 32
9.3.2 Entradas para la revisión por la dirección . 33
9.3.3 Resultados de la revisión por la dirección . 33
10 Mejora .33
10.1 Mejora continua . 33
10.2 No conformidades y acciones correctivas . 33
Bibliografía.35
Traducción oficial/Official translation/Traduction officielle
iv
Prólogo
ISO (Organización Internacional de Normalización) es una federación mundial de organismos
nacionales de normalización (organismos miembros de ISO). El trabajo de elaboración de las Normas
Internacionales se lleva a cabo normalmente a través de los comités técnicos de ISO. Cada organismo
miembro interesado en una materia para la cual se haya establecido un comité técnico, tiene el derecho
de estar representado en dicho comité. Las organizaciones internacionales, gubernamentales y no
gubernamentales, vinculadas con ISO, también participan en el trabajo. ISO colabora estrechamente
con la Comisión Electrotécnica Internacional (IEC) en todos los temas de normalización electrotécnica.
En la Parte 1 de las Directivas ISO/IEC se describen los procedimientos utilizados para desarrollar este
documento y aquellos previstos para su mantenimiento posterior. En particular debería tomarse nota
de los diferentes criterios de aprobación necesarios para los distintos tipos de documentos ISO. Este
documento ha sido redactado de acuerdo con las reglas editoriales de la Parte 2 de las Directivas ISO/
IEC (véase www.iso.org/directives).
Se llama la atención sobre la posibilidad de que algunos de los elementos de este documento puedan
estar sujetos a derechos de patente. ISO no asume la responsabilidad por la identificación de alguno
o todos los derechos de patente. Los detalles sobre cualquier derecho de patente identificado durante
el desarrollo de este documento se indicarán en la Introducción y/o en la lista ISO de declaraciones de
patente recibidas (véase www.iso.org/patents).
Cualquier nombre comercial utilizado en este documento es información que se proporciona para
comodidad del usuario y no constituye una recomendación.
Para una explicación de la naturaleza voluntaria de las normas, el significado de los términos específicos
de ISO y las expresiones relacionadas con la evaluación de la conformidad, así como la información
acerca de la adhesión de ISO a los principios de la Organización Mundial del Comercio (OMC) respecto a
los Obstáculos Técnicos al Comercio (OTC), véase www.iso.org/iso/foreword.html.
Este documento ha sido elaborado por el Comité Técnico ISO/TC 309, Gobernanza de las organizaciones.
Cualquier comentario o pregunta sobre este documento deberían dirigirse al organismo nacional de
normalización del usuario. En www.iso.org/members.html se puede encontrar un listado completo de
estos organismos.
Traducción oficial/Official translation/Traduction officielle
v
Prólogo de la versión en español
Este documento ha sido traducido por el Grupo de Trabajo Spanish Translation Task Force (STTF) del
Comité Técnico ISO/TC 309, Gobernanza de las organizaciones, en el que participan representantes de
los organismos nacionales de normalización y representantes del sector empresarial de los siguientes
países:
Argentina, Bolivia, Chile, Colombia, Costa Rica, Ecuador, El Salvador, España, Guatemala, Panamá, Perú,
Uruguay.
Esta traducción es parte del resultado del trabajo que el Grupo ISO/TC 309/STTF, viene desarrollando
desde su creación en el año 2021 para lograr la unificación de la terminología en lengua española en el
ámbito de la denuncia de irregularidades.
Traducción oficial/Official translation/Traduction officielle
vi
Introducción
La denuncia de irregularidades es el acto de informar sobre sospechas de irregularidades o riesgo de
irregularidades. Los estudios y la experiencia demuestran que una gran proporción de irregularidades
llega al conocimiento de la organización afectada a través de la información que proporcionan personas
de dentro de la organización o cercanas a la misma.
Las organizaciones están considerando cada vez más la posibilidad de introducir o mejorar políticas y
procesos internos de denuncia de irregularidades en respuesta a la regulación o de forma voluntaria.
Este documento proporciona orientación a las organizaciones para establecer, implementar, mantener
y mejorar un sistema de gestión de la denuncia de irregularidades, con los siguientes resultados:
a) alentar y facilitar la denuncia de irregularidades;
b) apoyar y proteger a los denunciantes y otras partes interesadas involucradas;
c) asegurar que las denuncias de irregularidades se traten de manera adecuada y oportuna;
d) mejorar la cultura organizacional y la gobernanza;
e) reducir los riesgos de irregularidades.
Los beneficios potenciales para la organización incluyen:
— permitir que la organización identifique y aborde las irregularidades lo antes posible;
— ayudar a prevenir o minimizar la pérdida de activos y ayudar a la recuperación de activos perdidos;
— asegurar el cumplimiento de las políticas y los procedimientos organizacionales y las obligaciones
legales y sociales;
— atraer y retener al personal comprometido con los valores y la cultura de la organización;
— demostrar la aplicación de prácticas de gobernanza sólidas y éticas a la sociedad, los mercados, los
reguladores, los propietarios y otras partes interesadas.
Un sistema de gestión de la denuncia de irregularidades eficaz generará confianza organizacional al:
— demostrar el compromiso de los líderes para prevenir y tratar las irregularidades;
— alentar a las personas a presentar denuncias de irregularidades de manera temprana;
— reducir y prevenir el trato perjudicial a los denunciantes y otras personas implicadas;
— fomentar una cultura de apertura, transparencia, integridad y de rendición de cuentas.
Este documento proporciona orientación para que las organizaciones creen un sistema de gestión
de la denuncia de irregularidades basado en los principios de confianza, imparcialidad y protección.
Es adaptable y su uso variará con el tamaño, la naturaleza, la complejidad y la jurisdicción de las
actividades de la organización. Puede ayudar a una organización a mejorar su política y procedimientos
de denuncia de irregularidades, existentes, o a cumplir con la legislación aplicable en materia de
denuncia de irregularidades.
Este documento adopta la “estructura armonizada” (es decir, secuencia de capítulos, un texto
común y una terminología común) desarrollada por ISO para mejorar la alineación entre las Normas
Internacionales para los sistemas de gestión. Las organizaciones pueden adoptar este documento como
guía independiente o de forma conjunta con otras normas de sistemas de gestión, o incluso para abordar
los requisitos relacionados con la denuncia de irregularidades en otros sistemas de gestión de ISO.
Traducción oficial/Official translation/Traduction officielle
vii
La Figura 1 es una descripción general conceptual de un sistema de gestión de la denuncia de
irregularidades recomendado, que muestra cómo los principios de confianza, imparcialidad y protección
se superponen a todos los elementos de dicho sistema.
Figura 1 — Descripción general de un sistema de gestión de la denuncia de irregularidades
Traducción oficial/Official translation/Traduction officielle
viii
NORMA INTERNACIONAL ISO 37002:2021 (traducción oficial)
Sistemas de gestión de la denuncia de irregularidades —
Directrices
1 Objeto y campo de aplicación
Este documento proporciona directrices para establecer, implementar y mantener un sistema de
gestión de la denuncia de irregularidades eficaz basado en los principios de confianza, imparcialidad y
protección en los siguientes cuatro pasos:
a) recepción de las denuncias de irregularidades;
b) evaluación de las denuncias de irregularidades;
c) tratamiento de las denuncias de irregularidades;
d) conclusión de los casos de denuncia de irregularidades.
Las directrices de este documento son genéricas y están destinadas a ser aplicables a todas las
organizaciones, independientemente del tipo, tamaño, naturaleza de la actividad, y ya sea en los
sectores público, privado o sin fines de lucro.
El alcance de la aplicación de estas directrices depende de los factores especificados en los apartados
4.1, 4.2 y 4.3. El sistema de gestión de la denuncia de irregularidades puede ser independiente o puede
utilizarse como parte de un sistema de gestión general.
2 Referencias normativas
No hay referencias normativas en este documento.
3 Términos y definiciones
Para los fines de este documento, se aplican los términos y definiciones siguientes.
ISO e IEC mantienen bases de datos terminológicas para su utilización en normalización en las siguientes
direcciones:
— Plataforma de búsqueda en línea de ISO: disponible en https:// www .iso .org/ obp
— Electropedia de IEC: disponible en https:// www .electropedia .org/
3.1
sistema de gestión
conjunto de elementos de una organización (3.2) interrelacionados o que interactúan para establecer
políticas (3.7) y objetivos (3.25), así como procesos (3.27) para lograr estos objetivos
Nota 1 a la entrada: Un sistema de gestión puede abordar una sola disciplina o varias disciplinas.
Nota 2 a la entrada: Los elementos del sistema de gestión incluyen la estructura, los roles y responsabilidades, la
planificación y el funcionamiento de la organización.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones básicas de la estructura
armonizada para las normas de sistemas de gestión de ISO.
Traducción oficial/Official translation/Traduction officielle
3.2
organización
persona o grupo de personas que tiene sus propias funciones con responsabilidades, autoridades y
relaciones para lograr sus objetivos (3.25)
Nota 1 a la entrada: El concepto de organización incluye, pero no se limita a, comerciante individual, compañía,
corporación, firma, empresa, autoridad, asociación, organización benéfica o institución, o una parte o
combinación de estas, estén constituidas o no, públicas o privadas.
Nota 2 a la entrada: Si la organización es parte de una entidad más grande, el término "organización" se refiere
solo a la parte de la entidad más grande que está dentro del alcance del sistema de gestión (3.1) de la denuncia de
irregularidades (3.10).
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.3
personal
directores, funcionarios, empleados, personal temporal o trabajadores y voluntarios de la organización
(3.2)
[FUENTE: ISO 37001:2016, 3.25, modificada — Se han eliminado las Notas 1 y 2 a la entrada.]
3.4
parte interesada
persona u organización (3.2) que pueda afectar, verse afectado o percibirse como afectado por una
decisión o actividad
Nota 1 a la entrada: Una parte interesada puede ser interna o externa a la organización.
Nota 2 a la entrada: Las partes interesadas pueden incluir, pero no se limitan a, aquellos que realizan denuncias,
cualquier sujeto de esas denuncias, testigos, personal (3.3), representantes de los trabajadores, proveedores,
terceras partes, público, medios de comunicación, reguladores y la organización en su conjunto.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO. La definición original ha sido modificada agregando
las Notas 1 y 2 a la entrada.
3.5
alta dirección
persona o grupo de personas que dirige y controla una organización (3.2) al más alto nivel
Nota 1 a la entrada: La alta dirección tiene el poder de delegar autoridad y proporcionar recursos dentro de la
organización.
Nota 2 a la entrada: Si el alcance del sistema de gestión (3.1) comprende solo una parte de una organización,
entonces la alta dirección se refiere a aquellos que dirigen y controlan esa parte de la organización.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.6
órgano de gobierno
persona o grupo de personas que tiene que rendir cuentas (3.30) en última instancia en nombre de toda
la organización (3.2)
Nota 1 a la entrada: Cada entidad organizacional tiene un órgano de gobierno, esté o no establecido explícitamente.
Nota 2 a la entrada: Un órgano de gobierno puede incluir, pero no está limitado a, un consejo directivo, comités de
control, consejo de control o administradores.
Traducción oficial/Official translation/Traduction officielle
[FUENTE: ISO/IEC 38500:2015, 2.9, modificado — Las palabras “tienen que rendir cuentas en última
instancia en nombre de” han reemplazado a “responsable del desempeño y conformidad con” y se han
agregado las Notas 1 y 2 a la entrada.]
3.7
política
intenciones y dirección de una organización (3.2) según lo expresado formalmente por su alta dirección
(3.5)
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.8
irregularidad
acción u omisión que puede causar daño
Nota 1 a la entrada: Las irregularidades pueden incluir, entre otras, las siguientes:
— incumplimiento de la ley (nacional o internacional), como fraude, corrupción, incluido el soborno;
— incumplimiento del código de conducta la organización (3.2) o de otro código de conducta pertinente,
incumplimiento de las políticas (3,7) de la organización;
— negligencia grave, intimidación, acoso, discriminación, uso no autorizado de fondos o recursos, abuso de
autoridad, conflicto de intereses, despilfarro o mala administración;
— acciones u omisiones que resulten en daño o riesgo de daño a los derechos humanos, el medio ambiente, la
salud y la seguridad pública, las prácticas laborales seguras o el interés público.
Nota 2 a la entrada: Las irregularidades o el daño resultante pueden haber ocurrido en el pasado, estar sucediendo
actualmente u ocurrir en el futuro.
Nota 3 a la entrada: El daño potencial se puede determinar por referencia a un solo evento o una serie de eventos.
3.9
denunciante
persona que informa sobre sospechas de irregularidades (3.8) o sobre irregularidades reales y tiene una
creencia razonable de que la información es verdadera en el momento de informar
Nota 1 a la entrada: Una creencia razonable es una creencia sostenida por un individuo basada en la observación,
experiencia o información conocida por ese individuo, que también sería sostenida por otra persona en las
mismas circunstancias.
Nota 2 a la entrada: Los ejemplos de denunciantes incluyen, entre otros, los siguientes:
— personal 3.3) dentro de una organización (3.2);
— personal de partes externas, incluidas las personas jurídicas, con las que la organización ha establecido,
o planea establecer, alguna forma de relación de negocios, incluidos, entre otros, clientes, consumidores,
alianzas empresariales, socios de empresas conjuntas, socios de consorcios, proveedores de subcontratación,
contratistas, consultores, subcontratistas, proveedores, vendedores, asesores, agentes, distribuidores,
representantes, intermediarios e inversores;
— otras personas como representantes sindicales;
— cualquier persona que haya desempeñado o vaya a desempeñar un puesto de los establecidos en esta
definición.
3.10
denuncia de irregularidades
información sobre sospechas de irregularidades (3.8) o irregularidades reales aportada por un
denunciante (3.9)
Nota 1 a la entrada: Una denuncia de irregularidades puede presentarse de forma verbal, en persona, por escrito
o en formato electrónico o digital.
Traducción oficial/Official translation/Traduction officielle
Nota 2 a la entrada: Es común distinguir:
— denuncia de irregularidades abierta, en la que el denunciante revela información sin ocultar su identidad o
exigir que su identidad se mantenga en secreto;
— denuncia de irregularidades confidencial, en la que el destinatario conoce la identidad del denunciante y
cualquier información que pueda identificarlo, pero no se revela a nadie, más allá de que se trate de un caso
de estricta necesidad, sin el consentimiento del denunciante, a menos que lo exija la ley;
— denuncia de irregularidades anónima, en la que se recibe información sin que el denunciante revele su
identidad.
Nota 3 a la entrada: Las organizaciones (3.2) pueden utilizar un término alternativo como "hablar" o "plantear
una inquietud", o un equivalente.
3.11
función de gestión de la denuncia de irregularidades
personas con la responsabilidad y autoridad para el funcionamiento del sistema de gestión (3.1) de la
denuncia de irregularidades (3.10)
3.12
evaluación de las denuncias de irregularidades (triaje)
evaluación inicial de las denuncias de irregularidades (3.8) para los propósitos de categorización,
adopción de medidas preliminares, priorización y asignación para su manejo posterior
Nota 1 a la entrada: Se pueden considerar los siguientes factores: probabilidad y gravedad del impacto de las
irregularidades o sospechas de irregularidades en el personal (3.3), organización (3.2) y parte interesada (3.4),
incluidos los daños a la reputación, daños financieros, ambientales, humanos o de otro tipo.
3.13
conducta perjudicial
acto u omisión bajo amenaza, propuesto o real, directo o indirecto que pueda resultar en daño a un
denunciante (3.9) u otra parte interesada (3.4) pertinente, relacionado con la denuncia de irregularidades
(3.10)
Nota 1 a la entrada: Daño incluye cualquier consecuencia adversa, ya sea relacionada con el trabajo o personal,
incluyendo, pero no se limita a, despido, suspensión, degradación, transferencia, cambio de funciones, alteración
de las condiciones laborales, calificaciones de desempeño (3.26) adverso, procedimientos disciplinarios,
oportunidad reducida de ascenso, denegación de servicios, inclusión en listas negras, boicot, daño a la reputación,
revelación de la identidad del denunciante, pérdida financiera, procesamiento o acción legal, acoso, aislamiento,
imposición de cualquier forma de daño físico o psicológico.
Nota 2 a la entrada: La conducta perjudicial incluye retaliación, represalias, retribución, acciones u omisiones
deliberadas, realizadas a sabiendas o imprudentemente, para causar daño a un denunciante u otras partes
pertinentes.
Nota 3 a la entrada: La conducta perjudicial también incluye no prevenir o no minimizar el daño mediante el
cumplimiento de un estándar de atención razonable en cualquier paso del proceso (3.27) de denuncia de
irregularidades.
Nota 4 a la entrada: Las acciones que se tomen para tratar la propia irregularidad (3.8) del denunciante, su
desempeño o gestión, que no estén relacionadas con su papel en la denuncia de irregularidades, no constituyen
una conducta perjudicial para los fines de este documento.
Nota 5 a la entrada: Otras partes interesadas pertinentes pueden incluir a los potenciales o presuntos
denunciantes, familiares, asociados de un denunciante, personas que han brindado apoyo a un denunciante y
cualquier persona involucrada en un proceso de denuncia de irregularidades, incluida una entidad legal.
Traducción oficial/Official translation/Traduction officielle
3.14
investigación
proceso (3.27) sistemático, independiente y documentado para establecer los hechos y evaluarlos
objetivamente para determinar si hubo irregularidades (3.8), están ocurriendo o es probable que
ocurran y su alcance
Nota 1 a la entrada: Una investigación puede ser interna, externa o combinada.
Nota 2 a la entrada: Una investigación interna se lleva a cabo por la propia organización (3.2) o por una parte
externa en su nombre.
Nota 3 a la entrada: Partes externas también pueden imponer una investigación a la organización.
3.15
auditoría
proceso (3.27) sistemático e independiente para obtener evidencia y evaluarla objetivamente para
determinar en qué medida se cumplen los criterios de auditoría
Nota 1 a la entrada: Una auditoría puede ser interna (de primera parte), o externa (de segunda o tercera parte), y
puede ser combinada (combinando dos o más disciplinas).
Nota 2 a la entrada: Una auditoría interna es la que se lleva a cabo por la propia organización (3.2) o por una parte
externa en su nombre.
Nota 3 a la entrada: “Evidencia de auditoría” y “criterios de auditoría” se definen en la Norma ISO 19011.
Nota 4 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
3.16
competencia
capacidad para aplicar conocimientos y habilidades para lograr los resultados previstos
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
3.17
conformidad
cumplimiento de un requisito (3.28)
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
3.18
no conformidad
incumplimiento de un requisito (3.28)
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
3.19
acción correctiva
acción para eliminar la causa de una no conformidad (3.18) y para prevenir la recurrencia
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
3.20
mejora continua
actividad recurrente para mejorar el desempeño (3.26)
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión ISO.
Traducción oficial/Official translation/Traduction officielle
3.21
información documentada
información que una organización (3.2) tiene que controlar y mantener, y el medio que la contiene
Nota 1 a la entrada: La información documentada puede estar en cualquier formato y medio y puede provenir de
cualquier fuente.
Nota 2 a la entrada: La información documentada puede referirse a:
— el sistema de gestión (3.1), incluidos los procesos (3.27) relacionados;
— información generada para que la organización opere (documentación);
— evidencia de los resultados alcanzados (registros).
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas del sistema de gestión ISO.
3.22
eficacia
medida en que se realizan las actividades planificadas y se logran los resultados planificados
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.23
medición
proceso (3.27) para determinar un valor
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.24
seguimiento
determina el estado de un sistema, un proceso (3.27) o una actividad
Nota 1 a la entrada: Para determinar el estado, puede ser necesario verificar, supervisar u observar críticamente.
Nota 2 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.25
objetivo
resultado a lograr
Nota 1 a la entrada: Un objetivo puede ser estratégico, táctico u operativo.
Nota 2 a la entrada: Los objetivos pueden referirse a diferentes disciplinas (tales como objetivos financieros, de
salud y seguridad, y ambientales) Pueden ser, por ejemplo, de toda la organización o específicos de un proyecto,
producto, servicio o proceso (3.27).
Nota 3 a la entrada: Un objetivo puede expresarse de otras maneras, por ejemplo, como un resultado previsto,
un propósito, un criterio operativo, como un objetivo de denuncia de irregularidades (3.10), o mediante el uso de
otras palabras con un significado similar (por ejemplo, fin, objetivo, o meta).
Nota 4 a la entrada: En el contexto de los sistemas de gestión (3.1) de la denuncia de irregularidades, los objetivos
de denuncia de irregularidades los establece la organización (3.2), en consonancia con la política (3.7) de denuncia
de irregularidades, para lograr resultados específicos.
Nota 5 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
Traducción oficial/Official translation/Traduction officielle
3.26
desempeño
resultado medible
Nota 1 a la entrada: El desempeño se puede relacionar con hallazgos cuantitativos o cualitativos.
Nota 2 a la entrada: El desempeño se puede relacionar con actividades de gestión, procesos (3.27), productos,
servicios, sistemas u organizaciones (3.2).
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.27
proceso
conjunto de actividades interrelacionadas o que interactúan, que emplean o transforman elementos de
entrada para obtener resultados
Nota 1 a la entrada: El hecho de que el resultado de un proceso se llame salida, producto o servicio depende del
contexto de la referencia.
Nota 2 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.28
requisito
necesidad o expectativa establecida, generalmente implícita u obligatoria
Nota 1 a la entrada: “Generalmente implícito” significa que es una costumbre o práctica común para la
organización (3.2) y para las partes interesadas (3.4), que la necesidad o expectativa esté implícita.
Nota 2 a la entrada: Un requisito especificado es aquel que está establecido, por ejemplo, en información
documentada (3.21).
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.29
riesgo
efecto de la incertidumbre sobre los objetivos (3.25)
Nota 1 a la entrada: Un efecto es una desviación de lo esperado, ya sea positivo o negativo.
Nota 2 a la entrada: Incertidumbre es el estado, incluso parcial, de deficiencia de información relacionada con la
comprensión o conocimiento de un evento, su consecuencia o su probabilidad.
Nota 3 a la entrada: Con frecuencia, el riesgo se caracteriza por referencia a eventos potenciales (como se define
en la Guía ISO 73) y consecuencias (como se define en la Guía ISO 73) , o a una combinación de estos.
Nota 4 a la entrada: Con frecuencia, el riesgo se expresa en términos de una combinación de las consecuencias
de un evento (incluidos los cambios en las circunstancias) y la probabilidad (como se define en la Guía ISO 73)
asociada de que ocurra.
Nota 5 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO. La definición original ha sido modificada agregando
“sobre los objetivos” a la definición.
3.30
rendición de cuentas
obligación hacia otro por el cumplimiento de una responsabilidad
Traducción oficial/Official translation/Traduction officielle
4 Contexto de la organización
4.1 Comprensión de la organización y su contexto
La organización debería determinar las cuestiones externas e internas que sean pertinentes para su
propósito y que afectan a su capacidad para lograr los resultados previstos de su sistema de gestión de
la denuncia de irregularidades.
Estas cuestiones pueden incluir, pero no se limitan a, los siguientes factores:
a) el tamaño y la estructura de la organización;
b) las ubicaciones y sectores en los que la organización opera o planea operar;
c) la naturaleza, cultura, escala y complejidad de las actividades y operaciones de la organización;
d) la naturaleza y necesidades del personal;
e) el modelo de negocio de la organización;
f) las entidades sobre las que la organización tiene control y las entidades que ejercen control sobre la
organización, incluidos los beneficiarios finales de la organización;
g) los socios de negocio de la organización;
h) la exposición de la organización a obligaciones o cuestiones de interés público;
i) obligaciones y deberes legales, reglamentarios, contractuales y de otra índole, aplicables.
NOTA Una organización tiene control sobre otra organización si controla directa o indirectamente la gestión
de la organización.
4.2 Comprensión de las necesidades y expectativas de las partes interesadas
La organización debería determinar:
a) las partes interesadas que sean pertinentes para el sistema de gestión de la denuncia de
irregularidades;
b) los requisitos pertinentes de estas partes interesadas;
c) cuáles de estos requisitos se abordarán a través del sistema de gestión de la denuncia de
irregularidades.
4.3 Determinación del alcance del sistema de gestión de la denuncia de irregularidades
La organización debería determinar los límites y la aplicabilidad del sistema de gestión de la denuncia
de irregularidades para establecer su alcance.
Cuando se determine este alcance, la organización debería considerar:
a) las cuestiones externas e internas indicadas en el apartado 4.1;
b) los requisitos indicados en el apartado 4.2;
c) quién puede presentar denuncias (partes interesadas internas/externas), de dónde pueden
proceder las denuncias (regiones/geografía) y qué tipos de irregularidades están cubiertas por el
sistema (véase la Figura 2);
d) los resultados de cualquier evaluación de riesgo de compliance o equivalente, según esté disponible.
Traducción oficial/Official translation/Traduction officielle
Las organizaciones pueden hac
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Whistleblowing management systems — Guidelines

Systèmes de management des alertes — Lignes directrices

Sistem vodenja prijavljanja nepravilnosti - Smernice

General Information

Standards Content (Sample)

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You