Internal investigations of organizations — Guidance

This proposal is for an ISO technical specification with guidance on internal investigations of organizations. It will help:

• make better use of investigative resources (human, financial and other resources)
• establish the policy and procedures to implement and conduct investigations
• enhance the investigative capacity of investigators
• report the investigative results internally and externally, and
• effectively mitigate risk exposures

It will provide guidance to identify:

• what happened
• why it happened (root cause)
• who will conduct the investigation
• how to conduct investigations (investigative strategy and tactics)
• what are the issues and risks
• what can be done (remedial actions, including the treatment of secondary risks)
• what and how to report
• how to prohibit retaliation

It will be applicable to all organizations in the public, private, and voluntary sectors.

Enquêtes internes des organisations — Recommandations

General Information

Status
Not Published
Current Stage
5000 - FDIS registered for formal approval
Completion Date
18-Jan-2023
Ref Project

Buy Standard

Draft: REDLINE ISO/DTS 37008 - Internal investigations of organizations — Guidance. Released: 2/14/2023. English language, 24 pages.

Draft: ISO/DTS 37008 - Internal investigations of organizations — Guidance. Released: 2/14/2023. English language, 24 pages.

Standards Content (Sample)

© ISO 2023 – All rights reserved
ISO/DTS 37008:2023(E)
ISO TC 309/WG 7
Date: 2023-02-14
ISO TC 309
Secretariat: BSI
Internal investigations of organizations — Guidance
Enquêtes internes des organisations — Recommandations
DTS stage
Warning for WDs and CDs

This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Principles ..... 3
4.1 Independent ..... 3
4.2 Confidential ..... 3
4.3 Competent and professional ..... 3
4.4 Objective and impartial ..... 3
4.5 Legal and lawful ..... 3
5 Support for internal investigations ..... 4
5.1 Resources ..... 4
5.2 Leadership and commitment ..... 4
6 Establishment of investigation policy or procedure ..... 4
7 Safety and protection measures ..... 5
7.1 Preserving and securing evidence ..... 5
7.2 Protection of and support to personnel involved in investigations ..... 5
7.3 Anti-retaliation ..... 5
7.4 Safeguarding ..... 5
8 Investigative process ..... 6
8.1 Investigation team ..... 6
8.1.1 Appointment of the investigation team ..... 6
8.1.2 Investigation reporting line ..... 6
8.2 Preliminary assessment ..... 6
8.3 Determining the scope of the investigation ..... 6
8.3.1 Scope ..... 6
8.3.2 Scope changes ..... 7
8.3.3 Determination elements ..... 7
8.4 Investigation planning ..... 7
8.5 Maintaining confidentiality ..... 8
8.6 Liability caution to deter disclosure ..... 8
8.6.1 Written caution notice ..... 8
8.6.2 Verbal caution notice ..... 8
8.7 No interference ..... 8
8.8 Evidence ..... 9
8.8.1 Document collection and review ..... 9
8.8.2 Electronic data collection, preservation, analysis and review ..... 9
8.9 Interviews ..... 9
8.9.1 Preparations ..... 9
8.9.2 Conducting an interview ..... 10
8.9.3 Keeping records of an interview ..... 10
8.10 Finalization process ..... 10
8.11 Investigation report ..... 11
9 Potential remedial measures or improvements ..... 11
9.1 Proposal of remedial measures and improvements ..... 11
9.2 Interim remedial measures ..... 11
9.3 A final plan for post-investigation remedial measures ..... 11
9.4 Proportionality of remediation and improvement measures ..... 12
9.5 Monitoring and enforcement of remedial measures ..... 12
10 Interaction with stakeholders ..... 12
10.1 General ..... 12
10.2 Planning ..... 12
10.3 Measures for the communication process ..... 12
10.4 Effective communication channels ..... 12
10.5 Government and regulator communication ..... 13
10.6 Self-disclosure to the authorities ..... 13
11 Disciplinary actions ..... 13
Annex A (informative) Guidance on the use of this document ..... 14
Bibliography ..... 26

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO-specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

Internal investigation is an integral part of organizational management. Internal investigation is a professional fact-finding process, initiated by or for an organization, to establish facts in relation to alleged or suspected wrongdoing, misconduct, or noncompliance (such as bribery, fraudulent activities, harassment, violence or discrimination). Internal investigations enable an organization to:

— make informed decisions if laws, regulations, industry codes, internal policies, procedures, processes, corporate compliance policy and/or the organization's values and ethics have been breached;
— understand the cause(s) that led to the above-mentioned breaches;
— determine if an allegation or concern is substantiated or unsubstantiated;
— assess the financial loss of an organization;
— mitigate liability of the organization and/or its management;
— put in place and implement the necessary mitigation measures to prevent similar conduct from occurring;
— strengthen the organization's compliance and ethics culture;
— make external reporting to relevant authorities (law enforcement, judicial bodies, regulators or other bodies prescribed by law or regulation) or relevant interested parties when necessary; and
— make decisions on sanctions of management and/or employees and debarment of working with third parties involved in unethical conduct.

Civil actions, whistleblower reports and external investigations by regulators can be reasons for internal investigation as well, so that the concerned organizations can find out what triggered the actions, reports and external investigations, then take appropriate measures.

Internal investigation is part of a compliance management system. This document can be used to help with the implementation of other standards such as ISO 37301, ISO 37001, and ISO 37002. It can also be a useful tool for an organization to identify risks. With risk clearly identified, an organization can analyse the root causes of noncompliance and design measures to control the risks.

Not having the capabilities to conduct internal investigations and/or failing to conduct internal investigations can have adverse effects on an organization such as compromising the effectiveness of the compliance management system, failing to protect its reputation, and failing to detect and counter wrongdoing.

This document gives guidance for organizations to implement internal investigations based on the following principles: "independent", "confidential", "competent and professional", "objective and impartial", and "legal and lawful". It is applicable to all organizations regardless of type, size, location, structure or purpose.

Figure 1 is a conceptual overview of the investigative process showing the whole picture of internal investigation and the possible post-investigation actions.
Figure 1 — Overview of the investigative process

DRAFT TECHNICAL SPECIFICATION ISO/DTS 37008:2023(E)
Internal investigations of organizations — Guidance
1 Scope

This document gives guidance on internal investigations within organizations, including:

— the principles;
— support for investigations;
— establishment of the policy, procedures, processes and standards for carrying out and reporting on an investigation;
— the reporting of investigation results; and
— the application of remedial measures.

This document is applicable to all organizations regardless of type, size, location, structure or purpose.
NOTE See Annex A.1 for guidance on the use of this document.
2 Normative references
There are no normative references in this document.
NOTE See A.2 for guidance.

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 37001, Anti-bribery management systems — Requirements with guidance for use
ISO 37002, Whistleblowing management systems — Guidelines
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 37001, ISO 37002, ISO 37301 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
internal investigation
professional fact-finding process, initiated by or for an organization (3.3), to establish facts in relation to alleged or suspected wrongdoing, misconduct, or noncompliance
3.2
risk
effect of uncertainty on objectives
[SOURCE: ISO 31000:2018, 3.1, modified — Notes to entry have been deleted.]
3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

Note 1 to entry: The concept of an organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
[SOURCE: ISO 37301:2021, 3.1, modified — Note 2 to entry has been deleted.]
3.4
need to know
legitimate requirement to know or have access to a minimum amount of sensitive information
[SOURCE: ISO 19650-5:2020, 3.4, modified — "of a prospective recipient of information" deleted, "or have access to" replaced "to access, or to possess", and "a minimum amount of" added to the definition.]
3.5
investigator
person(s) appointed to manage or carry out an investigation
3.6
lead investigator
person leading an investigation
3.7
stakeholder
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or activity
[SOURCE: ISO 37301:2021, 3.2, modified — The term "interested party" has been deleted as the preferred term.]
3.8
internal investigation function
person(s) with the organizational responsibility for investigations
3.9
compliance function
person or group of persons with responsibility and authority for the operation of the compliance management system
[SOURCE: ISO 37301:2021, 3.23, modified — Note 1 to entry has been deleted.]
3.10
governing body

person or group of persons that has the ultimate responsibility and authority for an organization's (3.3) activities, governance and policies and to which top management (3.11) reports and by which top management is held accountable
[SOURCE: ISO 37301:2021, 3.21, modified — Notes to entry have been deleted.]
3.11
top management
person or group of people who directs and controls an organization (3.3) at the highest level
[SOURCE: ISO 37301:2021, 3.3, modified — Notes to entry have been deleted.]
4 Principles
4.1 Independent

An internal investigation should not be influenced or controlled by other people, events, or incentives in relation to the subject matter that is being investigated.
NOTE See A.3.1 for guidance.
4.2 Confidential

All documents and information gathered in the context of an investigation, including records, evidence, and reports, should be treated in a confidential and sensitive manner. The documents and information should only be revealed on a "need to know" basis and investigators should be aware of applicable statutory laws and regulatory requirements.
4.3 Competent and professional

An internal investigation should be conducted by investigators who have the professional skills, knowledge, experience, attitude and capacity to ensure the quality of their work.

An internal investigation should be conducted with integrity, fairness, truthfulness, tenacity, trust, emotional intelligence, good judgement and diligence, and completed in a timely manner.
NOTE See A.3.2 for guidance.
4.4 Objective and impartial

An internal investigation should be free from conflict of interest, conducted objectively and based on factual evidence. The investigation should not be influenced by personal feelings, interpretations, or prejudice.
NOTE See A.3.3 for guidance.
4.5 Legal and lawful

Those establishing or conducting an internal investigation should identify the regulations and applicable statutes and legislation in all applicable jurisdictions to ensure the legality of the investigation.
NOTE See A.3.4 for guidance.
5 Support for internal investigations
5.1 Resources

The governing body should support the establishment, implementation, maintenance and continual improvement of internal investigations, for which top management of the organization should provide adequate resources.

Resources can include but are not limited to personnel, financial, technical and organizational infrastructure. These resources can be provided internally or externally.
NOTE See A.4.1 for more information.
5.2 Leadership and commitment

The governing body, top management and others in the appropriate positions should demonstrate leadership and commitment to an independent, objective, impartial and confidential internal investigation.

The governing body, top management and others in the appropriate positions should be reasonably informed, according to the agreed communication plan, the internal guidelines and policies preset, or as investigators deem necessary.
NOTE See A.4.2 for guidance.
6 Establishment of investigation policy or procedure

The organization should establish and implement an investigation policy and procedures that:

— define the investigation scope, process, responsibilities and capabilities of internal investigators;
— make a clear link to the organization's "whistleblower" or "speak up" procedures;
— require timely and appropriate action every time a concern is raised;
— ensure the investigation is carried out with respect to the rights of the persons involved;
— empower and enable investigators to carry out investigation work;
— require cooperation in the investigation by all personnel;
— ensure the investigation is carried out by, and reported to, personnel who are independent of the subject of the investigation;
— require the output of the investigation, including any limitation, challenge or any other concern of the investigation, to be appropriately documented, reviewed and reported;
— require that the investigation is carried out confidentially and information is only shared with people who need to know;
— require that the organization have policies or processes in place to stop unlawful actions immediately, including during an ongoing investigation;
— require that lessons learned or recommendations arising from investigations are used to prevent the recurrence of wrongdoing; and

— require that the policies and procedures are regularly updated with learning from internal investigations.
NOTE See Clause A.5 for guidance.
7 Safety and protection measures
7.1 Preserving and securing evidence

From the beginning of the process, investigators should start to identify where relevant evidence can be stored.

An investigator should work with the relevant functions in the organization to establish whether any key witness or investigated personnel are already in the process of leaving the organization, for whatever reason.

The organization should have policies or processes to prevent anyone from tampering with witnesses and from intentionally or unintentionally deleting, destroying, altering, transferring or concealing any form of information, data or records which can be used as evidence, and should subject the person to disciplinary measures as a breach of the code of conduct.

The organization should also set protective measures to prevent information acquired in the course of the investigation from being given to persons without a need-to-know.
NOTE See A.6.1 for guidance.
7.2 Protection of and support to personnel involved in investigations
The organization should take measures to ensure that:

— all investigation activities, including interviews, are carried out in the absence of any form of threat, promise, inducement or oppression;
— inquiries and interviews are conducted in a discreet manner and with a reasonable level of privacy;
— the evidence given by the witnesses is kept confidential.
NOTE See A.6.2 for guidance.
7.3 Anti-retaliation

The organization should adopt measures to ensure that witnesses, whistleblowers, investigators, interviewees, subjects of investigation, and the personnel taking decisions on remedial measures and disciplinary actions have protection from any form of pressure, intimidation, threat, harassment and any other harmful conduct.
NOTE See A.6.3 for guidance.
7.4 Safeguarding

The organization should protect the physical and psychological well-being of anyone participating in the investigation.
8 Investigative process
8.1 Investigation team
8.1.1 Appointment of the investigation team

Top management or the governing body should appoint or authorize a person or team to conduct an investigation unless an existing investigation charter pre-sets the process of the appointment. In case the current management has a conflict of interest, the management of the next level should make such an appointment or authorization. An investigation can be assigned to external investigators.
NOTE See A.7.1.1 for more information.
8.1.2 Investigation reporting line

The governing body, top management or other people in the appropriate position according to the organization's internal policies should appoint an investigation reporting line who will be responsible for applying sanctions and recommending further follow-up actions to the investigation.

The investigation team should keep the investigation reporting line, including roles, responsibilities and authorities, updated regularly or at defined intervals, and submit the investigation report for review.

The responsibilities of the investigation reporting line include but are not limited to:

— assessment of the nature of the allegation(s);
— checking any possible conflict of interest;
— reviewing the possibility of future interactions with authorities and other stakeholders regarding the investigation results;
— consideration of the severity or the seriousness of the issue; and
— assessment of the potential financial, reputational or regulatory risk to the organization.

8.2 Preliminary assessment

The investigation team should conduct a preliminary assessment of the allegation.

The investigation team should consider the seriousness and credibility of the allegation presented and whether the allegations are sufficiently specific to start an investigation.

Where possible, the investigation team should consider reaching out to the whistleblower and asking for additional details in relation to the allegations, then evaluate whether a full-scale investigation is needed and use the assessment results to plan the investigation.

The results from the preliminary assessment should be documented clearly. In cases where further investigations are required, it should be reflected by a documented
...

FINAL DRAFT TECHNICAL SPECIFICATION ISO/DTS 37008
ISO/TC 309
Secretariat: BSI
Internal investigations of organizations — Guidance
Enquêtes internes des organisations — Recommandations
Voting begins on: 2023-02-28
Voting terminates on: 2023-04-25
Reference number: ISO/DTS 37008:2023(E)
© ISO 2023

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.
---------------------- Page: 1 ----------------------
ISO/DTS 37008:2023(E)
FINAL
TECHNICAL ISO/DTS
DRAFT
SPECIFICATION 37008
ISO/TC 309
Internal investigations of
Secretariat: BSI
organizations — Guidance
Voting begins on:
Enquêtes internes des organisations — Recommandations
Voting terminates on:
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/DTS 37008:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
© ISO 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO 2023
---------------------- Page: 2 ----------------------
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
  4.1 Independent
  4.2 Confidential
  4.3 Competent and professional
  4.4 Objective and impartial
  4.5 Legal and lawful
5 Support for internal investigations
  5.1 Resources
  5.2 Leadership and commitment
6 Establishment of investigation policy or procedure
7 Safety and protection measures
  7.1 Preserving and securing evidence
  7.2 Protection of and support to personnel involved in investigations
  7.3 Anti-retaliation
  7.4 Safeguarding
8 Investigative process
  8.1 Investigation team
    8.1.1 Appointment of the investigation team
    8.1.2 Investigation reporting line
  8.2 Preliminary assessment
  8.3 Determining the scope of the investigation
    8.3.1 Scope
    8.3.2 Scope changes
    8.3.3 Determination elements
  8.4 Investigation planning
  8.5 Maintaining confidentiality
  8.6 Liability caution to deter disclosure
    8.6.1 Written caution notice
    8.6.2 Verbal caution notice
  8.7 No interference
  8.8 Evidence
    8.8.1 Document collection and review
    8.8.2 Electronic data collection, preservation, analysis and review
  8.9 Interviews
    8.9.1 Preparations
    8.9.2 Conducting an interview
    8.9.3 Keeping records of an interview
  8.10 Finalization process
  8.11 Investigation report
9 Potential remedial measures or improvements
  9.1 Proposal of remedial measures and improvements
  9.2 Interim remedial measures
  9.3 A final plan for post-investigation remedial measures
  9.4 Proportionality of remediation and improvement measures
  9.5 Monitoring and enforcement of remedial measures
10 Interaction with stakeholders
  10.1 General
  10.2 Planning
  10.3 Measures for the communication process
  10.4 Effective communication channels
  10.5 Government and regulator communication
  10.6 Self-disclosure to the authorities
11 Disciplinary actions
Annex A (informative) Guidance on the use of this document
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

Internal investigation is an integral part of organizational management. An internal investigation is a professional fact-finding process, initiated by or for an organization, to establish facts in relation to alleged or suspected wrongdoing, misconduct or noncompliance (such as bribery, fraudulent activities, harassment, violence or discrimination). Internal investigations enable an organization to:

— make informed decisions on whether laws, regulations, industry codes, internal policies, procedures, processes, corporate compliance policy and/or the organization’s values and ethics have been breached;
— understand the cause(s) that led to the above-mentioned breaches;
— determine if an allegation or concern is substantiated or unsubstantiated;
— assess the financial loss to the organization;
— mitigate liability of the organization and/or its management;
— put in place and implement the necessary mitigation measures to prevent similar conduct from recurring;
— strengthen the organization’s compliance and ethics culture;
— make external reports to relevant authorities (law enforcement, judicial bodies, regulators or other bodies prescribed by law or regulation) or relevant interested parties when necessary;
— make decisions on sanctions against management and/or employees, and on debarment of third parties involved in unethical conduct.

Civil actions, whistleblower reports and external investigations by regulators can also be reasons for an internal investigation, so that the organization concerned can find out what triggered them and take appropriate measures.

Internal investigation is part of a compliance management system. This document can be used to help with the implementation of other standards such as ISO 37301, ISO 37001 and ISO 37002. It can also be a useful tool for an organization to identify risks. With risks clearly identified, an organization can analyse the root causes of noncompliance and design measures to control the risks.

Not having the capability to conduct internal investigations, and/or failing to conduct them, can have adverse effects on an organization, such as compromising the effectiveness of the compliance management system, failing to protect its reputation, and failing to detect and counter wrongdoing.

This document gives guidance for organizations to implement internal investigations based on the following principles: independent, confidential, competent and professional, objective and impartial, and legal and lawful.

Figure 1 is a conceptual overview of the investigative process, showing the whole picture of internal investigation and the possible post-investigation actions.

Figure 1 — Overview of the investigative process [figure not reproduced in this extract]

Internal investigations of organizations — Guidance

1 Scope

This document gives guidance on internal investigations within organizations, including:

— the principles;
— support for investigations;
— establishment of the policy, procedures, processes and standards for carrying out and reporting on an investigation;
— the reporting of investigation results;
— the application of remedial measures.

This document is applicable to all organizations regardless of type, size, location, structure or purpose.

NOTE See Annex A for guidance on the use of this document.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 37001, Anti-bribery management systems — Requirements with guidance for use
ISO 37002, Whistleblowing management systems — Guidelines
ISO 37301, Compliance management systems — Requirements with guidance for use

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 37001, ISO 37002, ISO 37301 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
internal investigation
professional fact-finding process, initiated by or for an organization (3.3), to establish facts in relation to alleged or suspected wrongdoing, misconduct or noncompliance

3.2
risk
effect of uncertainty on objectives
[SOURCE: ISO 31000:2018, 3.1, modified — Notes to entry deleted.]

3.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

[SOURCE: ISO 37301:2021, 3.1, modified — Note 2 to entry deleted.]

3.4
need to know
legitimate requirement to know or have access to a minimum amount of sensitive information

[SOURCE: ISO 19650-5:2020, 3.4, modified — “of a prospective recipient of information” deleted, “or have access to” replaced “to access, or to possess”, and “a minimum amount of” added to the definition.]

3.5
investigator
person(s) appointed to manage or carry out an investigation

3.6
lead investigator
person leading an investigation

3.7
stakeholder
person or organization (3.3) that can affect, be affected by, or perceive itself to be affected by a decision or activity

[SOURCE: ISO 37301:2021, 3.2, modified — “interested party” deleted as the preferred term.]

3.8
internal investigation function
person(s) with the organizational responsibility for investigations

3.9
compliance function
person or group of persons with responsibility and authority for the operation of the compliance management system

[SOURCE: ISO 37301:2021, 3.23, modified — Note 1 to entry deleted.]

3.10
governing body
person or group of persons that has the ultimate responsibility and authority for an organization’s (3.3) activities, governance and policies, and to which top management (3.11) reports and by which top management is held accountable

[SOURCE: ISO 37301:2021, 3.21, modified — Notes to entry deleted.]

3.11
top management
person or group of people who directs and controls an organization (3.3) at the highest level

[SOURCE: ISO 37301:2021, 3.3, modified — Notes to entry deleted.]

4 Principles

4.1 Independent

An internal investigation should not be influenced or controlled by other people, events or incentives in relation to the subject matter that is being investigated.

NOTE See A.3.1 for guidance.

4.2 Confidential

All documents and information gathered in the context of an investigation, including records, evidence and reports, should be treated in a confidential and sensitive manner. The documents and information should only be revealed on a “need to know” basis, and investigators should be aware of applicable statutory laws and regulatory requirements.

4.3 Competent and professional

An internal investigation should be conducted by investigators who have the professional skills, knowledge, experience, attitude and capacity to ensure the quality of their work.

An internal investigation should be conducted with integrity, fairness, truthfulness, tenacity, trust, emotional intelligence, good judgement and diligence, and completed in a timely manner.

NOTE See A.3.2 for guidance.

4.4 Objective and impartial

An internal investigation should be free from conflict of interest, conducted objectively and based on factual evidence. The investigation should not be influenced by personal feelings, interpretations or prejudice.

NOTE See A.3.3 for guidance.

4.5 Legal and lawful

Those establishing or conducting an internal investigation should identify the regulations and applicable statutes and legislation in all applicable jurisdictions to ensure the legality of the investigation.

NOTE See A.3.4 for guidance.

5 Support for internal investigations

5.1 Resources

The governing body should support the establishment, implementation, maintenance and continual improvement of internal investigations, for which top management of the organization should provide adequate resources.

Resources can include but are not limited to personnel, financial, technical and organizational infrastructure. These resources can be provided internally or externally.

NOTE See A.4.1 for more information.

5.2 Leadership and commitment

The governing body, top management and others in the appropriate positions should demonstrate leadership and commitment to an independent, objective, impartial and confidential internal investigation.

The governing body, top management and others in the appropriate positions should be kept reasonably informed, according to the agreed communication plan, pre-established internal guidelines and policies, or as investigators deem necessary.

NOTE See A.4.2 for guidance.

6 Establishment of investigation policy or procedure

The organization should establish and implement an investigation policy and procedures that:

— define the investigation scope, process, responsibilities and capabilities of internal investigators;
— make a clear link to the organization’s “whistleblower” or “speak up” procedures;
— require timely and appropriate action every time a concern is raised;
— ensure the investigation is carried out with respect for the rights of the persons involved;
— empower and enable investigators to carry out investigation work;
— require cooperation in the investigation by all personnel;
— ensure the investigation is carried out by, and reported to, personnel who are independent of the subject matter being investigated;
— require the output of the investigation, including any limitation, challenge or other concern of the investigation, to be appropriately documented, reviewed and reported;
— require that the investigation is carried out confidentially and that information is only shared with people who need to know;
— require policies or processes to stop unlawful actions immediately, including during an ongoing investigation;
— require that lessons learned or recommendations arising from investigations are used to prevent the recurrence of wrongdoing;
— require that the policies and procedures are regularly updated with learning from internal investigations.

NOTE See Clause A.5 for guidance.

7 Safety and protection measures

7.1 Preserving and securing evidence

From the beginning of the process, investigators should identify where relevant evidence may be held.

An investigator should work with the relevant functions in the organization to establish whether any key witness or investigated personnel are already in the process of leaving the organization, for whatever reason.

The organization should have policies or processes to prevent anyone from tampering with witnesses and from intentionally or unintentionally deleting, destroying, altering, transferring or concealing any form of information, data or records which can be used as evidence, and should subject any person who does so to disciplinary measures as a breach of the code of conduct.

The organization should also set protective measures to prevent information acquired in the course of the investigation from being given to persons without a need to know.

NOTE See A.6.1 for guidance.
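Clause 7.1 asks for measures against evidence being deleted, altered, transferred or concealed. One control a forensic practitioner applies at the point of collection is to hash every collected item, record the hashes in a manifest, and seal the manifest, so that any later alteration, removal or addition is detectable and the manifest itself cannot be quietly edited. The Python below is an added illustration and is not text or code from ISO/DTS 37008; the directory layout, the sample files, the `collected_by` label and the HMAC key assumed to be held by the internal investigation function are all assumptions made for the example.

```python
"""Evidence integrity manifest (added example, not part of ISO/DTS 37008).

At collection: hash every file under an evidence directory and seal the
manifest with an HMAC key held by the investigation function (assumed).
Later: re-hash and report what is missing, altered or newly added, and
check that the manifest itself was not modified.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 16  # stream files so large exports (mailboxes, disk images) fit in memory


def hash_file(path):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, collected_by):
    """Walk the evidence directory and record hash and size per file (paths relative to root)."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,  # assumed label for the collecting investigator
        "entries": entries,
    }


def canonical(manifest):
    """Deterministic JSON encoding so the same manifest always seals to the same value."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest; the key is assumed to be held by the investigation function."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def seal_is_valid(manifest, key, seal):
    """Constant-time check that the manifest still matches its seal."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_manifest(root, manifest):
    """Re-hash the directory and report deviations from the sealed collection state."""
    current = build_manifest(root, "verifier")["entries"]
    recorded = manifest["entries"]
    return {
        "missing": sorted(set(recorded) - set(current)),
        "unexpected": sorted(set(current) - set(recorded)),
        "altered": sorted(
            p for p in recorded
            if p in current and current[p]["sha256"] != recorded[p]["sha256"]
        ),
    }


if __name__ == "__main__":
    import tempfile

    root = tempfile.mkdtemp()
    with open(os.path.join(root, "ledger.csv"), "w") as f:
        f.write("2023-01-05,vendor-A,12000\n")  # constructed sample record
    manifest = build_manifest(root, "investigator-1")
    seal = seal_manifest(manifest, b"key-held-by-investigation-function")  # assumed key
    with open(os.path.join(root, "ledger.csv"), "a") as f:
        f.write("2023-01-06,vendor-A,0\n")  # simulated post-collection alteration
    print(verify_manifest(root, manifest))
    print("manifest seal valid:", seal_is_valid(manifest, b"key-held-by-investigation-function", seal))
```

The seal covers the manifest, not the files, so the two checks are complementary: `verify_manifest` catches changes to the evidence, `seal_is_valid` catches changes to the record of what was collected. The seal (or a signature over the canonical JSON) is what goes into the chain-of-custody record, stored apart from the evidence directory itself.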
7.2 Protection of and support to personnel involved in investigations

The organization should take measures to ensure that:

— all investigation activities, including interviews, are carried out in the absence of any form of threat, promise, inducement or oppression;
— inquiries and interviews are conducted in a discreet manner and with a reasonable level of privacy;
— the evidence given by the witnesses is kept confidential.

NOTE See A.6.2 for guidance.

7.3 Anti-retaliation

The organization should adopt measures to ensure that witnesses, whistleblowers, investigators, interviewees, subjects of investigation, and the personnel taking decisions on remedial measures and disciplinary actions have protection from any form of pressure, intimidation, threat, harassment and any other harmful conduct.

NOTE See A.6.3 for guidance.

7.4 Safeguarding

The organization should protect the physical and psychological well-being of anyone participating in the investigation.

8 Investigative process

8.1 Investigation team

8.1.1 Appointment of the investigation team

Top management or the governing body should appoint or authorize a person or team to conduct an investigation, unless an existing investigation charter pre-sets the appointment process. In case the current management has a conflict of interest, the management at the next level should make the appointment or authorization. An investigation can be assigned to external investigators.

NOTE See A.7.1 for more information.

8.1.2 Investigation reporting line

The governing body, top management or other people in the appropriate position
...
